create an "nsupdate" script from DNS zone file differences

The nsdiff program examines the old and new versions of a DNS zone, and outputs the differences as a script for use by BIND's nsupdate program. It provides a bridge between static zone files and dynamic updates.

The nspatch script is a wrapper around `nsdiff | nsupdate` that checks and reports errors in a manner suitable for running from cron.

The nsvi script makes it easy to edit a dynamic zone.

If you use BIND 9.7 or 9.8, you can use nsdiff as an alternative to the DNSSEC inline-signing feature which appeared in BIND 9.9. The server updates the DNSSEC records dynamically, but you can continue to manage the unsigned static zone file as before and use `nsdiff | nsupdate` to push changes to the server.

There are other situations where you have a zone which is partly dynamic and partly static, for example, a reverse DNS zone mostly updated by a DHCP server, which also has a few static entries. You can use nsdiff to update the static part of the zone.
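The diff-to-script step described above, sketched as an added example (this is not nsdiff's own code): it compares two constructed zone snapshots and emits nsupdate commands. The record types skipped as server-managed, the SOA prerequisite guard, and the `example.org.` data are assumptions of the example, chosen to mirror the DNSSEC case where the server holds signing records that the static file does not.

```python
# Added illustration, not nsdiff's code. Zone text is assumed to be canonical
# one-record-per-line "owner TTL class type rdata"; all data below is constructed.
SERVER_MANAGED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}  # assumption: left to the signer

OLD = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org. 3600 IN NS ns1.example.org.
ns1.example.org. 3600 IN A 192.0.2.1
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 13 3 3600 20240201000000 20240101000000 12345 example.org. Y29uc3RydWN0ZWQ=
"""
NEW = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010102 7200 3600 1209600 3600
example.org. 3600 IN NS ns1.example.org.
ns1.example.org. 3600 IN A 192.0.2.1
www.example.org. 3600 IN A 192.0.2.20
mail.example.org. 3600 IN A 192.0.2.25
"""

def parse_zone(text):
    """Return the set of (owner, ttl, class, type, rdata) tuples to compare."""
    records = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rtype.upper() not in SERVER_MANAGED:
            records.add((owner.lower(), int(ttl), rclass.upper(), rtype.upper(), rdata.strip()))
    return records

def make_nsupdate_script(zone, old_text, new_text):
    """Build nsupdate commands that turn the old record set into the new one."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    if old == new:
        return ""
    script = [f"zone {zone}"]
    for owner, ttl, rclass, rtype, rdata in sorted(old):
        if rtype == "SOA":  # refuse to apply if the zone changed since the snapshot
            script.append(f"prereq yxrrset {owner} {rclass} SOA {rdata}")
    for owner, ttl, rclass, rtype, rdata in sorted(old - new):
        if rtype != "SOA":  # an added SOA replaces the old one, so no delete is needed
            script.append(f"update delete {owner} {rclass} {rtype} {rdata}")
    for owner, ttl, rclass, rtype, rdata in sorted(new - old):
        script.append(f"update add {owner} {ttl} {rclass} {rtype} {rdata}")
    script.append("send")
    return "\n".join(script) + "\n"

if __name__ == "__main__":
    print(make_nsupdate_script("example.org.", OLD, NEW), end="")
```

The RRSIG line in the old snapshot produces no `update delete`, which is what lets the unsigned file stay the source of truth without stripping the server's signatures.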


To run nsdiff you need perl-5.10 or newer, and BIND version 9.7 or newer, specifically the dig, named-compilezone, and nsupdate utilities.



The nsdiff homepage is https://dotat.at/prog/nsdiff/

Read the nsdiff manual: https://dotat.at/prog/nsdiff/nsdiff.html

Read the nspatch manual: https://dotat.at/prog/nsdiff/nspatch.html

Read the nsvi manual: https://dotat.at/prog/nsdiff/nsvi.html


Download the bare nsdiff perl source: https://dotat.at/prog/nsdiff/nsdiff

Download the full source archives:

Source repositories

You can clone or browse the repository from:


Please send bug reports or patches to me at <dot@dotat.at>.

You may do anything with nsdiff. It has no warranty. https://creativecommons.org/publicdomain/zero/1.0/