GitZone :: Git manage DNS zones



GitZone is a Git DNS zone file management tool for BIND9. Users can update their zones in a git repository then during a push the zone files are checked, updated & reloaded from git receive hooks. If there’s an error in a file being pushed then the push is rejected, thus only correct files are stored on the server.

GitZone-shell is similar to git-shell but it restricts the user to the zones repository and provides some additional commands for dynamic DNS updates & SSH key management. To use it the Z shell must be installed (zsh).

Git DNS Installation (semi-automatic)

First install Bind9 (not covered by this documentation).

Then install all scripts in the prefix /bin path and /libexec

make install

Once the binaries are in place, to enable gitzone for a user there is a relatively simple script: gitzone-install. Usage synopsis:

gitzone-install username

This script assumes that a user with ‘username’ (first argument) already exists: anyone with access to this user will be in control of gitzone, since access is managed via ssh authentication.

Second argument is the first public ssh key which will have write permissions to change zones (more keys can be added later).

If you intend to use the dynamic DNS feature via the gitzone-shell, then you’d better create a specific user only for gitzone.

Once ready, run the script with all the arguments in place.

Then create /etc/bind/repos/${user}.conf and put inside:

    zone "" {
            type master;
            notify yes;
            file "/var/cache/bind/$user/";
            allow-transfer { transfer; };

Where ‘’ is the first domain you are managing with gitzone. There can be more domains and for each of them the above configuration section must be created.

Now clone the gitzone repository from another user that has access to the ssh secret key configured in gitzone-install. The git url will be composed of the hostname of the machine where is has been installed and the username chosen:

    git clone gitzone-admin

The command above will clone the new gitzone repository into a directory gitzone-admin. If you aren’t familiar with git, this is a good time to go study it.

Create a file named ‘’ inside gitzone-admin and fill it in as a canonical DNS zone file for bind9. Then add, commit and push:

    cd gitzone-admin; vim
    # edit the zone file according to bind9 documentation)
    git add
    git commit -m "initial zone commit for"
    git push

If the file contains any errors, gitzone will not accept the push and will report an error among the screen messages.

If all went well, restart the bind9 daemon and you’ll see that the zone for is served by your new DNS. One can check using nslookup.

Gitzone can be installed on multiple users on the same machine, this way there can be different admins (or groups of admins) for different zones all on the same machine.

Installation (in close detail)

make install
 mkdir -p ~$user/zones
 cd ~$user/zones
 git init $user
 cd $user
 git config receive.denyCurrentBranch ignore
 cd .git/hooks
 ln -s /usr/libexec/gitzone/pre-receive
 ln -s /usr/libexec/gitzone/post-receive
 ln -s /usr/libexec/gitzone/pre-commit
 ln -s /usr/libexec/gitzone/post-commit
 git config -f ~$user/.gitconfig $user
 git config -f ~$user/.gitconfig "$"
 touch ~$user/.ssh/authorized_keys_edit_allowed
 chown -R $user:users ~$user
 cd $zone_dir
 mkdir $user
 chown $user:$group $user
            options {
             directory "/var/named";
             // ...
*   put user zone configuration in a separate file for each user and include them:
            include "/etc/bind/repos/user1.conf";
            include "/etc/bind/repos/user2.conf";
            include "/etc/bind/repos/user3.conf";


GitZone on GitHub

GitZone code and releases are available on GitHub.

Contributors are encouraged to file pull requests with detailed descriptions.

Developers are reachable on our chat channel #dyne.


Git repository

To make changes to the zones you need to clone the git repository, edit the files, commit the changes and finally push the changes to the server. If you use the auto increment feature you also need to pull after a push as the receive hooks on the server make commits to the repository during a push.

 git clone$user zones
 # or if you're using gitzone-shell you can use any path:
 git clone
 cd zones
 # edit files
 git add .
 git commit -m 'commit msg'
 git push origin && git pull

SSH commands

The following SSH commands are provided by gitzone-shell:

     ssh update-record somehost IN A
         ssh list-keys
     ssh add-key `cat`
or only allow one specific command:
     ssh add-key 'command="update-record \ somehost IN A"' `cat`
*   `del-key`: delete an ssh key from the config
         ssh del-key user@somewhere

Dynamic DNS

In order to do automatic dynamic DNS updates, create an SSH key without a password and use the add-key command to add it with a command= parameter which has an update-record command in it, see the example in the previous section. This way the host doing the updates does not have access to the git repository as it is restricted to the specified command only. Then all you have to do to update your IP is:


Run this command whenever the IP changes or the interface comes up.

Debian, Ubuntu

On Debian-like systems you can use a post-up command in /etc/network/interfaces.


On Gentoo you can put a postup() function in /etc/conf.d/net.

Zone files

There are a few keywords you can use in the zone files:  IN  SOA (
                              2011013101  ;AUTO_INCREMENT
                              1d 2h 4w 2d )