Comment 47 for bug 1710278

Christian Ehrhardt  (paelzer) wrote :

In Reply to Seth's suggestion:

> Am I reading this bug correctly, that MAAS currently asks BIND to reload its entire configure
> file on every machine provision and removal?
>
> This seems like a problem worth solving rather than trying to work around.
>
> At least PowerDNS provides several mechanisms for dynamically adding and removing records from
> a zone:
>
> - dnsupdate: https://doc.powerdns.com/authoritative/dnsupdate.html

[...]

> Since dnsupdate is an RFC-standardized protocol there's a pretty good shot BIND supports it as
> well. Was this tried and found lacking? The API and SQL approaches are likely to not have
> equivalents in BIND.
>
> I'm not sure what your DNSSEC goals are, but PowerDNS's documentation describes choices,
> including pkcs#11 in case that's important:
> https://doc.powerdns.com/authoritative/dnssec/index.html

Yes, BIND even has a tool for RFC 2136 packaged [1]. A little howto mentioning DNSSEC in that regard can be found at [2]. It also mentions an AppArmor Deny with the setup, but if that would be the blocker I'm sure we can come up with a safe rule that can be added.
This might really be much closer to the design of the DNS server than high-frequency restart/reload. So giving this a thought/experiment on the MAAS side might be great.

[1]: http://manpages.ubuntu.com/manpages/bionic/man1/nsupdate.1.html
[2]: https://dnns.no/dynamic-dns-with-bind-and-nsupdate.html
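
Added example, not part of the comment above and not MAAS or BIND code: a sketch of per-machine record changes sent through nsupdate [1] instead of a full reload, with the host name and address validated before they reach the batch. The zone, host names, addresses, function names and the TSIG key path are assumptions made for illustration.

```shell
# Added example. Zone, hosts, addresses and key path are placeholders.

# Accept only a single DNS label, so a machine name can never carry
# whitespace or newlines that would add extra nsupdate commands.
valid_label() {
    case "$1" in ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
    [ "${#1}" -le 63 ]
}

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the nsupdate batch for one machine.
# $1 = add|delete, $2 = zone, $3 = host label, $4 = IPv4 (add), $5 = TTL
dns_batch() {
    action=$1 zone=$2 host=$3 addr=${4:-} ttl=${5:-300}
    valid_label "$host" || return 1
    case "$zone" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$ttl" in ''|*[!0-9]*) return 1 ;; esac
    case "$action" in
        add)
            valid_ipv4 "$addr" || return 1
            # Drop any stale A record and add the new one in one update,
            # which the server applies as a single all-or-nothing change.
            printf 'zone %s.\nupdate delete %s.%s. A\n' "$zone" "$host" "$zone"
            printf 'update add %s.%s. %s A %s\nsend\n' \
                "$host" "$zone" "$ttl" "$addr" ;;
        delete)
            printf 'zone %s.\nupdate delete %s.%s. A\nsend\n' \
                "$zone" "$host" "$zone" ;;
        *) return 1 ;;
    esac
}

# Send the batch to the server, authenticated with a TSIG key file
# (the default path here is hypothetical).
dns_apply() {
    batch=$(dns_batch "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -k "${TSIG_KEYFILE:-/etc/bind/maas-update.key}"
}
```

Calling `dns_apply add maas.example node1 10.0.0.5` on provision and `dns_apply delete maas.example node1` on removal changes only that machine's record; the zone must permit updates signed by the key.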