---
title: "Audit logs for dynamic zone files"
slug: "enabling-audit-logs-in-bind-9"
description: "Is it possible to enable the audit logs on BIND so we can track changes performed at the DNS records level (Add/Delete/Modify A,MX,NS, records)?"
tags: ["dynamic zones", "configuration audit logs", "dynamic zone files", "zone update", "logging", "zone files", "logs", "zonefiles"]
updated: 2019-01-21T19:39:03Z
published: 2019-01-21T19:39:04Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://kb.isc.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Dynamic Zone File Audit Logs in BIND 9

#### Is it possible to enable the audit logs on BIND so we can track changes performed at the DNS records level (Add/Delete/Modify A,MX,NS, records)?

You can get that by default, depending on how the changes were performed.

If you use `nsupdate` or some other dynamic DNS UPDATE client, `named` will log changes like this:

```
08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ
```

The changes are also recorded in the zone's journal, which you can extract this way:

```
$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ
```

You may want to use the `ixfr-from-differences` and `max-journal-size` options if you care about preserving journal contents.

If you are not using the 'dynamic zone' model, but are updating static zone files, the best approach is to use a version control system (CVS, git) to provide version control on the files.

Note: this article is based on advice posted on bind-users@lists.isc.org by Tony Finch.