10139N/A<!
DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 10139N/A - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") 10139N/A - Copyright (C) 2000-2003 Internet Software Consortium. 10139N/A - Permission to use, copy, modify, and/or distribute this software for any 10139N/A - purpose with or without fee is hereby granted, provided that the above 10139N/A - copyright notice and this permission notice appear in all copies. 10139N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10139N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10139N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 10139N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 10139N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 10139N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 10139N/A - PERFORMANCE OF THIS SOFTWARE. 10139N/A <
refentrytitle><
application>nsupdate</
application></
refentrytitle>
10139N/A <
refmiscinfo>BIND9</
refmiscinfo>
10139N/A <
refname><
application>nsupdate</
application></
refname>
10139N/A <
refpurpose>Dynamic DNS update utility</
refpurpose>
10139N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
10139N/A <
holder>Internet Software Consortium.</
holder>
10139N/A <
arg><
option>-y <
replaceable class="parameter"><
optional>hmac:</
optional>keyname:secret</
replaceable></
option></
arg>
10139N/A <
arg><
option>-k <
replaceable class="parameter">keyfile</
replaceable></
option></
arg>
13570N/A <
arg><
option>-t <
replaceable class="parameter">timeout</
replaceable></
option></
arg>
10139N/A <
arg><
option>-u <
replaceable class="parameter">udptimeout</
replaceable></
option></
arg>
10139N/A <
arg><
option>-r <
replaceable class="parameter">udpretries</
replaceable></
option></
arg>
10139N/A <
arg><
option>-R <
replaceable class="parameter">randomdev</
replaceable></
option></
arg>
15942N/A <
para><
command>nsupdate</
command>
15942N/A is used to submit Dynamic DNS Update requests as defined in RFC 2136
10139N/A This allows resource records to be added or removed from a zone
10139N/A without manually editing the zone file.
15942N/A A single update request can contain requests to add or remove more than
15942N/A Zones that are under dynamic control via
15942N/A or a DHCP server should not be edited by hand.
10139N/A conflict with dynamic updates and cause data to be lost.
10139N/A The resource records that are dynamically added or removed with
10139N/A Requests are sent to the zone's master server.
16309N/A This is identified by the MNAME field of the zone's SOA record.
16309N/A This provides tracing information about the update requests that are
18861N/A made and the replies received from the name server.
15942N/A The <
option>-D</
option> option makes <
command>nsupdate</
command>
10139N/A report additional debugging information to <
option>-d</
option>.
10139N/A The <
option>-L</
option> option with an integer argument of zero or
10139N/A higher sets the logging debug level. If zero, logging is disabled.
10139N/A Transaction signatures can be used to authenticate the Dynamic
15942N/A DNS updates. These use the TSIG resource record type described
10139N/A in RFC 2845 or the SIG(0) record described in RFC 2535 and
10139N/A RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
10139N/A a shared secret that should only be known to
10139N/A <
command>nsupdate</
command> and the name server. Currently,
15942N/A the only supported encryption algorithm for TSIG is HMAC-MD5,
10139N/A which is defined in RFC 2104. Once other algorithms are
10139N/A defined for TSIG, applications will need to ensure they select
10139N/A the appropriate algorithm as well as the key when authenticating
10139N/A each other. For instance, suitable <
type>key</
type> and
10139N/A <
type>server</
type> statements would be added to
10139N/A can associate the appropriate secret key and algorithm with
15942N/A the IP address of the client application that will be using
10139N/A TSIG authentication. SIG(0) uses public key cryptography.
15942N/A To use a SIG(0) key, the public key must be stored in a KEY
10139N/A record in a zone served by the name server.
11925N/A <
command>nsupdate</
command> does not read
10139N/A GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
10139N/A is switched on with the <
option>-g</
option> flag. A
15942N/A non-standards-compliant variant of GSS-TSIG used by Windows
10139N/A 2000 can be switched on with the <
option>-o</
option> flag.
10139N/A <
para><
command>nsupdate</
command>
10139N/A uses the <
option>-y</
option> or <
option>-k</
option> option
10139N/A to provide the shared secret needed to generate a TSIG record
10139N/A for authenticating Dynamic DNS update requests, default type
10139N/A HMAC-MD5. These options are mutually exclusive.
15942N/A When the <
option>-y</
option> option is used, a signature is
15942N/A <
optional><
parameter>hmac:</
parameter></
optional><
parameter>keyname:secret.</
parameter>
10139N/A <
parameter>keyname</
parameter> is the name of the key, and
15944N/A <
parameter>secret</
parameter> is the base64 encoded shared secret.
15999N/A Use of the <
option>-y</
option> option is discouraged because the
15942N/A shared secret is supplied as a command line argument in clear text.
13727N/A This may be visible in the output from
15942N/A <
refentrytitle>ps</
refentrytitle><
manvolnum>1</
manvolnum>
15942N/A or in a history file maintained by the user's shell.
15942N/A <
option>-k</
option> option, <
command>nsupdate</
command> reads
10139N/A the shared secret from the file <
parameter>keyfile</
parameter>.
15942N/A Keyfiles may be in two formats: a single file containing
10139N/A statement, which may be generated automatically by
18861N/A <
command>ddns-confgen</
command>, or a pair of files whose names are
15942N/A of the format <
filename>K{name}.+157.+{random}.key</
filename> and
15942N/A <
filename>K{name}.+157.+{random}.private</
filename>, which can be
10139N/A generated by <
command>dnssec-keygen</
command>.
20867N/A The <
option>-k</
option> may also be used to specify a SIG(0) key used
18861N/A to authenticate Dynamic DNS update requests. In this case, the key
15942N/A specified is not an HMAC-MD5 key.
18861N/A <
command>nsupdate</
command> can be run in a local-host only mode
18861N/A using the <
option>-l</
option> flag. This sets the server address to
15942N/A localhost (disabling the <
command>server</
command> so that the server
16018N/A address cannot be overridden). Connections to the local server will
15942N/A which is automatically generated by <
command>named</
command> if any
15974N/A local master zone has set <
command>update-policy</
command> to
15989N/A <
command>local</
command>. The location of this key file can be
15989N/A overridden with the <
option>-k</
option> option.
19082N/A By default, <
command>nsupdate</
command>
19082N/A uses UDP to send update requests to the name server unless they are too
19082N/A large to fit in a UDP request in which case TCP will be used.
10139N/A This may be preferable when a batch of update requests is made.
10139N/A The <
option>-p</
option> sets the default port number to use for
10139N/A connections to a name server. The default is 53.
10139N/A The <
option>-t</
option> option sets the maximum time an update request
10139N/A take before it is aborted. The default is 300 seconds. Zero can be
10139N/A The <
option>-u</
option> option sets the UDP retry interval. The default
10139N/A 3 seconds. If zero, the interval will be computed from the timeout
10139N/A The <
option>-r</
option> option sets the number of UDP retries. The
10139N/A 3. If zero, only one update request will be made.
10139N/A class="parameter">randomdev</
replaceable></
option> option
10139N/A specifies a source of randomness. If the operating system
10139N/A equivalent device, the default source of randomness is keyboard
10139N/A input. <
filename>randomdev</
filename> specifies the name of
10139N/A a character device or file containing random data to be used
10139N/A instead of the default. The special value
10139N/A <
filename>keyboard</
filename> indicates that keyboard input
10139N/A should be used. This option may be specified multiple times.
10139N/A Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
10139N/A decimal value of the type with no leading zeros. The rdata,
10139N/A if present, will be parsed using the UNKNOWN rdata format,
10139N/A (<backslash> <hash> <space> <length>
10139N/A <space> <hexstring>).
10139N/A The <
option>-T</
option> and <
option>-P</
option> options print out
10139N/A lists of non-meta types for which the type-specific presentation
10139N/A formats are known. <
option>-T</
option> prints out the list of
10139N/A IANA-assigned types. <
option>-P</
option> prints out the list of
10139N/A private types specific to <
command>named<
command>. These options
10139N/A may be combined. <
command>nsupdate</
command> will exit after the
10139N/A <
para><
command>nsupdate</
command>
10139N/A <
parameter>filename</
parameter>
10139N/A Each command is supplied on exactly one line of input.
10139N/A Some commands are for administrative purposes.
10139N/A The others are either update instructions or prerequisite checks on the
10139N/A These checks set conditions that some name or set of
10139N/A resource records (RRset) either exists or is absent from the zone.
10139N/A These conditions must be met if the entire update request is to succeed.
10139N/A Updates will be rejected if the tests for the prerequisite conditions
10139N/A Every update request consists of zero or more prerequisites
10139N/A This allows a suitably authenticated update request to proceed if some
10139N/A specified resource records are present or missing from the zone.
10139N/A A blank input line (or the <
command>send</
command> command)
10139N/A accumulated commands to be sent as one Dynamic DNS update request to the
10139N/A The command formats and their meaning are as follows:
10139N/A <
arg choice="req">servername</
arg>
10139N/A Sends all dynamic update requests to the name server
10139N/A <
parameter>servername</
parameter>.
10139N/A When no server statement is provided,
10139N/A will send updates to the master server of the correct zone.
10139N/A The MNAME field of that zone's SOA record will identify the
10139N/A <
parameter>servername</
parameter>
10139N/A where the dynamic update requests get sent.
10139N/A If no port number is specified, the default DNS port number of
14177N/A <
arg choice="req">address</
arg>
17597N/A Sends all dynamic update requests using the local
17597N/A <
parameter>address</
parameter>.
17597N/A When no local statement is provided,
11965N/A will send updates using an address and port chosen by the
11965N/A can additionally be used to make requests come from a specific
11965N/A If no port number is specified, the system will assign one.
16075N/A <
arg choice="req">zonename</
arg>
13678N/A Specifies that all updates are to be made to the zone
13678N/A <
parameter>zonename</
parameter>.
10139N/A will attempt determine the correct zone to update based on the
10139N/A <
arg choice="req">classname</
arg>
16539N/A If no <
parameter>class</
parameter> is specified, the
10139N/A <
arg choice="req">seconds</
arg>
11933N/A Specify the default time to live for records to be added.
11933N/A The value <
parameter>none</
parameter> will clear the default
15288N/A Specifies that all updates are to be TSIG-signed using the
15288N/A <
parameter>keyname</
parameter> <
parameter>keysecret</
parameter> pair.
15288N/A The <
command>key</
command> command
10139N/A overrides any key specified on the command line via
10139N/A <
option>-y</
option> or <
option>-k</
option>.
10139N/A Use GSS-TSIG to sign the updated. This is equivalent to
10139N/A specifying <
option>-g</
option> on the commandline.
10139N/A Use the Windows 2000 version of GSS-TSIG to sign the updated.
10139N/A This is equivalent to specifying <
option>-o</
option> on the
16309N/A <
arg choice="req"><
optional>realm_name</
optional></
arg>
16309N/A When using GSS-TSIG use <
parameter>realm_name</
parameter> rather
16309N/A realm is specified the saved realm is cleared.
16309N/A <
command><
optional>prereq</
optional> nxdomain</
command>
16309N/A <
arg choice="req">domain-name</
arg>
16309N/A Requires that no resource record of any type exists with name
16309N/A <
parameter>domain-name</
parameter>.
20779N/A <
command><
optional>prereq</
optional> yxdomain</
command>
10139N/A <
arg choice="req">domain-name</
arg>
16309N/A <
parameter>domain-name</
parameter>
16309N/A exists (has as at least one resource record, of any type).
16309N/A <
command><
optional>prereq</
optional> nxrrset</
command>
16309N/A <
arg choice="req">domain-name</
arg>
10139N/A Requires that no resource record exists of the specified
10139N/A <
parameter>domain-name</
parameter>.
10139N/A is omitted, IN (internet) is assumed.
10139N/A <
command><
optional>prereq</
optional> yxrrset</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A This requires that a resource record of the specified
10139N/A <
parameter>domain-name</
parameter>
10139N/A is omitted, IN (internet) is assumed.
10139N/A <
command><
optional>prereq</
optional> yxrrset</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A <
arg choice="req" rep="repeat">data</
arg>
10139N/A from each set of prerequisites of this form
10139N/A <
parameter>domain-name</
parameter>
10139N/A are combined to form a set of RRs. This set of RRs must
10139N/A exactly match the set of RRs existing in the zone at the
11904N/A <
parameter>domain-name</
parameter>.
11904N/A are written in the standard text representation of the resource
10139N/A <
command><
optional>update</
optional> del<
optional>ete</
optional></
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A <
arg choice="opt">type <
arg choice="opt" rep="repeat">data</
arg></
arg>
17583N/A Deletes any resource records named
10139N/A <
parameter>domain-name</
parameter>.
10139N/A is provided, only matching resource records will be removed.
10139N/A The internet class is assumed if
10139N/A is ignored, and is only allowed for compatibility.
12787N/A <
command><
optional>update</
optional> add</
command>
12787N/A <
arg choice="req">domain-name</
arg>
12787N/A <
arg choice="req" rep="repeat">data</
arg>
12787N/A Adds a new resource record with the specified
12741N/A Displays the current message, containing all of the
12741N/A updates specified since the last send.
10139N/A Sends the current message. This is equivalent to entering a
10139N/A Lines beginning with a semicolon are comments and are ignored.
10139N/A could be used to insert and delete resource records from the
10139N/A Notice that the input in each example contains a trailing blank line so
10139N/A a group of commands are sent as one dynamic update request to the
10139N/A with IP address 172.16.1.1 is added.
10139N/A The newly-added record has a 1 day TTL (86400 seconds).
11925N/A The prerequisite condition gets the name server to check that there
11925N/A are no resource records of any type for
13732N/A If there are, the update request fails.
13732N/A If this name does not exist, a CNAME for it is added.
13732N/A This ensures that when the CNAME is added, it cannot conflict with the
13732N/A long-standing rule in RFC 1034 that a name must not exist as any other
13732N/A record type if it exists as a CNAME.
10139N/A (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
10139N/A RRSIG, DNSKEY and NSEC records.)
13872N/A used to identify default name server
10139N/A sets the default TSIG key for use in local-only mode
10139N/A <
term><
constant>K{name}.+157.+{random}.key</
constant></
term>
10139N/A base-64 encoding of HMAC-MD5 key created by
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
term><
constant>K{name}.+157.+{random}.private</
constant></
term>
10139N/A base-64 encoding of HMAC-MD5 key created by
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
citetitle>RFC 2136</
citetitle>,
10139N/A <
citetitle>RFC 3007</
citetitle>,
10139N/A <
citetitle>RFC 2104</
citetitle>,
10139N/A <
citetitle>RFC 2845</
citetitle>,
10139N/A <
citetitle>RFC 1034</
citetitle>,
10139N/A <
citetitle>RFC 2535</
citetitle>,
10139N/A <
citetitle>RFC 2931</
citetitle>,
10139N/A <
refentrytitle>named</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
refentrytitle>ddns-confgen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A The TSIG key is redundantly stored in two separate files.
10139N/A This is a consequence of nsupdate using the DST library
10139N/A for its cryptographic operations, and may change in future