 - Copyright (C) 2009, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- Converted by db4-upgrade version 1.0 -->
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<refmiscinfo>BIND9</refmiscinfo>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<command>tsig-keygen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<command>ddns-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
<refsection><info><title>DESCRIPTION</title></info>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<command>rndc</command> command channel.
When run as <command>tsig-keygen</command>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <constant>tsig-key</constant>.
When run as <command>ddns-confgen</command>, the generated
key is accompanied by configuration text and instructions
that can be used with <command>nsupdate</command> and
<command>named</command> when setting up dynamic DNS,
including an example <command>update-policy</command>
statement. (This usage is similar to the
<command>rndc-confgen</command> command for setting
up command channel security.)
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
refsection><
info><
title>OPTIONS</
title></
info>
5065N/A <
term>-a <
replaceable class="parameter">algorithm</
replaceable></
term>
5065N/A Specifies the algorithm to use for the TSIG key. Available
5065N/A choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
5065N/A hmac-sha384 and hmac-sha512. The default is hmac-sha256.
5065N/A Options are case-insensitive, and the "hmac-" prefix
5065N/A Prints a short summary of options and arguments.
5065N/A <
term>-k <
replaceable class="parameter">keyname</
replaceable></
term>
5065N/A Specifies the key name of the DDNS authentication key.
5065N/A The default is <
constant>ddns-key</
constant> when neither
5065N/A the <
option>-s</
option> nor <
option>-z</
option> option is
5065N/A specified; otherwise, the default
5065N/A is <
constant>ddns-key</
constant> as a separate label
5065N/A The key name must have the format of a valid domain name,
5065N/A consisting of letters, digits, hyphens and periods.
5065N/A (<
command>ddns-confgen</
command> only.) Quiet mode: Print
5065N/A only the key, with no explanatory text or usage examples;
5065N/A This is essentially identical to <
command>tsig-keygen</
command>.
5065N/A <
term>-r <
replaceable class="parameter">randomfile</
replaceable></
term>
5065N/A Specifies a source of random data for generating the
5065N/A authorization. If the operating system does not provide a
5065N/A default source of randomness is keyboard input.
5065N/A <
filename>randomdev</
filename> specifies the name of a
5065N/A character device or file containing random data to be used
5065N/A instead of the default. The special value
5065N/A <
filename>keyboard</
filename> indicates that keyboard input
5065N/A <
term>-s <
replaceable class="parameter">name</
replaceable></
term>
5065N/A (<
command>ddns-confgen</
command> only.)
5065N/A Generate configuration example to allow dynamic updates
5065N/A text shows how to set an update policy for the specified
5065N/A <
replaceable class="parameter">name</
replaceable>
5065N/A using the "name" nametype. The default key name is
5065N/A ddns-key.<
replaceable class="parameter">name</
replaceable>.
5065N/A Note that the "self" nametype cannot be used, since
5065N/A the name to be updated may differ from the key name.
5065N/A This option cannot be used with the <
option>-z</
option> option.
5065N/A <
term>-z <
replaceable class="parameter">zone</
replaceable></
term>
5065N/A (<
command>ddns-confgen</
command> only.)
5065N/A Generate configuration example to allow dynamic updates
5065N/A shows how to set an update policy for the specified
5065N/A <
replaceable class="parameter">zone</
replaceable>
5065N/A using the "zonesub" nametype, allowing updates to
5065N/A all subdomain names within that
5065N/A <
replaceable class="parameter">zone</
replaceable>.
5065N/A This option cannot be used with the <
option>-s</
option> option.
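The difference in scope between the -s and -z options above, as an added Python sketch (not ISC's code and not the literal output of ddns-confgen): it builds a key clause and the matching update-policy grant, then checks which names each grant lets the key update. The function names confgen and may_update, the secret length per algorithm, the ANY record type, the ddns-key.zone default for -z and the example.com names are assumptions made for illustration.

```python
import base64
import re
import secrets

# Secret size in bits. Assumption: secret length equals the HMAC digest size.
ALG_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
            "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}
KEYNAME_RE = re.compile(r"[A-Za-z0-9.-]+")  # letters, digits, hyphens, periods


def confgen(name=None, zone=None, keyname=None, alg="hmac-sha256"):
    """Return (key_clause, grant) the way -s NAME or -z ZONE are described."""
    if name and zone:
        raise ValueError("-s and -z cannot be used together")
    alg = alg.lower()                      # algorithm names are case-insensitive
    if alg not in ALG_BITS:
        raise ValueError("unknown algorithm: " + alg)
    target = name or zone
    if keyname is None:                    # default: ddns-key or ddns-key.TARGET
        keyname = "ddns-key." + target if target else "ddns-key"
    if not KEYNAME_RE.fullmatch(keyname):
        raise ValueError("key name must look like a domain name")
    secret = base64.b64encode(secrets.token_bytes(ALG_BITS[alg] // 8)).decode()
    clause = f'key "{keyname}" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};'
    if name:
        grant = f"grant {keyname} name {name} ANY;"   # one exact name only
    elif zone:
        grant = f"grant {keyname} zonesub ANY;"       # zone and all subdomains
    else:
        grant = None                       # this sketch then emits only the key
    return clause, grant


def may_update(grant, zone, update_name):
    """Evaluate one grant from confgen() against the name being updated."""
    _, _, nametype, *rest = grant.rstrip(";").split()
    update_name, zone = update_name.lower().rstrip("."), zone.lower().rstrip(".")
    if nametype == "name":
        return update_name == rest[0].lower().rstrip(".")
    if nametype == "zonesub":
        return update_name == zone or update_name.endswith("." + zone)
    return False


if __name__ == "__main__":
    for kwargs in ({"name": "host.example.com"}, {"zone": "example.com"}):
        clause, grant = confgen(**kwargs)
        print(clause, "update-policy { " + grant + " };", sep="\n")
        print("www.example.com allowed:",
              may_update(grant, "example.com", "www.example.com"))
```

A key issued with -s can change only the one name it was generated for, while a key issued with -z can change every name in the zone, so the -s form is the narrower grant when a client manages a single host record.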
<refsection><info><title>SEE ALSO</title></info>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.