From 2012 to 2023 I had been using djbdns/dbndns' tinydns, and even wrote a small script to update my home server's IP address via a simple SSH connection - DynDNS, securely authenticated and without any external services.
In 2023 I switched to NLnet Labs Name Server Daemon (NSD) because tinydns is not updated anymore and doesn't properly integrate with systemd. This was the time I lost my DynDNS service :(
Now I finally managed to update my ssh-dyndns script to support NSD.
Technical details
It was a bit complicated because updating BIND .zone files is hard.
When using SSH to connect to the dyndns user account on the server, the script takes the client's IP address and overwrites a .zonepart file - it contains two DNS entries only, one for the IP and one for the date:
    home.cweiske.de. 300 A 212.99.194.43
    home.cweiske.de. TXT "Last update 2026-05-07 21:27:20+02:00 300"
An $INCLUDE for the .zonepart files is hard-coded into the actual .zone file:
    ;Dyndns
    $INCLUDE /etc/nsd/zones/dyndns/home.cweiske.de-v4.zonepart
    $INCLUDE /etc/nsd/zones/dyndns/home.cweiske.de-v6.zonepart
To make it as secure as possible, the dyndns directory is writable by the dyndns user - but not the actual zone files. I use sudo and zsu to update the zone's serial number.
sudoers is configured to allow passwordless calls to zsu and nsd-control from the dyndns user, but only with hard-coded zone names:
    dyndns ALL = NOPASSWD: \
        /usr/local/src/ssh-dyndns/nsd/zsu -fn /etc/nsd/zones/cweiske.de.zone,\
        /usr/sbin/nsd-control reload cweiske.de
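The update step described above, as an added example rather than the actual ssh-dyndns code: it takes the client address from SSH_CONNECTION, refuses anything that is not a plain IPv4 or IPv6 address so that no extra record or $INCLUDE can reach the zone, and replaces the .zonepart atomically. The function names, the default TTL and the timestamp format are assumptions.

```shell
#!/bin/sh
# Added example, not the ssh-dyndns source. Function names and the default
# TTL are assumptions; the record layout is modelled on the post's .zonepart.

# Strict dotted-quad check: four decimal octets, each 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Character-level IPv6 check: hex digits and colons only, at most 39 chars.
# Rejects whitespace, quotes, '$', ';' and '%', so the value cannot add a
# record, a comment or a directive to the zone.
is_ipv6() {
    case "$1" in ''|*[!0-9a-fA-F:]*) return 1 ;; esac
    case "$1" in *:*:*) [ ${#1} -le 39 ] ;; *) return 1 ;; esac
}

# Print the two records for host $1 from an SSH_CONNECTION-style string $2
# ("client_ip client_port server_ip server_port"). Returns 1 on bad input.
render_zonepart() {
    host=$1; ip=${2%% *}; ttl=${3:-300}
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    if is_ipv4 "$ip"; then rtype=A
    elif is_ipv6 "$ip"; then rtype=AAAA
    else return 1; fi
    printf '%s. %s %s %s\n' "$host" "$ttl" "$rtype" "$ip"
    printf '%s. TXT "Last update %s"\n' "$host" "$(date '+%Y-%m-%d %H:%M:%S%z')"
}

# Replace the .zonepart for host $1 in directory $2 via temp file + rename,
# so NSD never reads a half-written include. mktemp creates mode 0600, hence
# the chmod: the name server's own user must be able to read the file.
update_zonepart() {
    content=$(render_zonepart "$1" "$SSH_CONNECTION") || return 1
    case "$content" in *' AAAA '*) suffix=v6 ;; *) suffix=v4 ;; esac
    target="$2/$1-$suffix.zonepart"
    tmp=$(mktemp "$target.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$target" \
        || { rm -f "$tmp"; return 1; }
}
```

After a successful update, the serial bump with zsu and the nsd-control reload permitted in sudoers would follow.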