How do I automate BIND DNS zone updates with GitLab CI/CD?

I keep my zone file in a GitLab repo and use a pipeline with two stages: validate and deploy. Validate runs named-checkzone so I catch mistakes before touching the server. Deploy SCPs the zone file to the DNS server and then runs a remote reload command over SSH.

How do you SSH from a GitLab runner to a DNS server without a password?

I generate an SSH keypair and add the public key to the DNS server’s ~/.ssh/authorized_keys. Then I store the private key in GitLab CI/CD variables as a file and write it to ~/.ssh/id_rsa during the job. That makes the whole thing non-interactive, which is what you want for automation.

Where should I store the SSH private key in GitLab for deployments?

I put it in Settings → CI/CD → Variables and set the variable type to “File.” I also keep the variable name consistent (like GITLAB_KEY) so I can just cat it out in the pipeline. Ideally you’d mask it, but masking can be annoying with newlines—base64 encoding is an option if you want to go that route.

How do you validate a BIND zone file in CI before deploying?

I install bind-utils in the validate stage and run named-checkzone against my zone (like dragon.local) and the zone file. If that step fails, the deploy stage never runs. That separation is the whole point—don’t push broken DNS.

What permissions do SSH keys need for GitLab CI deployments?

On the server side, your authorized_keys file needs sane permissions (I call out 600 because that’s where people usually get burned). On the runner side, the private key you write to ~/.ssh/id_rsa also needs tight permissions or SSH will refuse to use it. If permissions are too open, you’ll waste time debugging something that looks unrelated.

Why do you disable StrictHostKeyChecking in your pipeline?

Because in automation it can get annoying when host keys change or don’t match, and I don’t want the job to hang. It’s not the best security practice, but for my homelab I know exactly where it’s connecting. If you’re doing this in a stricter environment, you’ll want to handle known_hosts properly instead.

Can I do the same DNS automation with GitHub Actions instead of GitLab?

Yeah, the concept is the same: validate the zone file, copy it to the server, then reload DNS. You’d just translate the pipeline into GitHub Actions syntax. I use GitLab because I find it pretty user friendly and it fits how I run my homelab projects.

I Automated My DNS with GitLab and BIND (Here’s How)

🛍️ Products Mentioned (1)

Github Repo

Available on github →

In this video I’ll walk through the setup and show how I automate updating my DNS using Gitlab CICD pipelines! Github Repo: https://github.com/sassdrew/homelab/tree/main/43-Automate-DNS-Updates-with-Gitlab Interested in other Homelab videos? Check out this playlist: https://www.youtube.com/playlist?list=PLhkW8M2MBf-H33LeTrVMc0LwN3EuOqGQV Wanting to automate your builds with Gitlab and Ansible? Check out this playlist: https://www.youtube.com/playlist?list=PLhkW8M2MBf-Gjb5qI-f1vPbXN530Hd1-3 For Business Inquiries you can email me at: sassdrew501@gmail.com

About This Video

In this homelab remake, I walk through how I automated my DNS updates so GitLab becomes the source of truth for my BIND zone files. The whole goal is simple: I don’t want to SSH into my DNS server every time I add a record. Instead, I use a GitLab project with CI/CD that validates my zone file, copies it to the DNS server, and then reloads BIND—all automatically. I start by generating an SSH keypair (non-interactive on purpose), adding the public key to the DNS server’s authorized_keys, and making sure permissions are correct (600) so SSH doesn’t freak out. On the GitLab side, I store the private key as a CI/CD variable (as a file) and call it by name in my pipeline. My .gitlab-ci.yml has two stages: validate (using bind-utils and named-checkzone) and deploy (write the SSH key to ~/.ssh/id_rsa, SCP the zone file over, then SSH in and reload the zones). I also show a quick test change—bump the serial, add a record—and you can see the pipeline push it through cleanly. It’s less manual work, more repeatable automation, and it scales way better than “log in and edit stuff.”

I Automated My DNS with GitLab and BIND (Here’s How)

🛍️ Products Mentioned (1)

Github Repo

About This Video

Frequently Asked Questions

🎬 More from sass drew