10139N/A<!
DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 10139N/A - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") 10139N/A - Copyright (C) 2000-2003 Internet Software Consortium. 10139N/A - Permission to use, copy, modify, and/or distribute this software for any 10139N/A - purpose with or without fee is hereby granted, provided that the above 10139N/A - copyright notice and this permission notice appear in all copies. 10139N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10139N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 10139N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 10139N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 10139N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 10139N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 10139N/A - PERFORMANCE OF THIS SOFTWARE. 10139N/A <
refentrytitle><
application>nsupdate</
application></
refentrytitle>
10139N/A <
refmiscinfo>BIND9</
refmiscinfo>
10139N/A <
refname><
application>nsupdate</
application></
refname>
10139N/A <
refpurpose>Dynamic DNS update utility</
refpurpose>
10139N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
10139N/A <
holder>Internet Software Consortium.</
holder>
10139N/A <
arg><
option>-y <
replaceable class="parameter"><
optional>hmac:</
optional>keyname:secret</
replaceable></
option></
arg>
10139N/A <
arg><
option>-k <
replaceable class="parameter">keyfile</
replaceable></
option></
arg>
10139N/A <
arg><
option>-t <
replaceable class="parameter">timeout</
replaceable></
option></
arg>
10139N/A <
arg><
option>-u <
replaceable class="parameter">udptimeout</
replaceable></
option></
arg>
13570N/A <
arg><
option>-r <
replaceable class="parameter">udpretries</
replaceable></
option></
arg>
10139N/A <
arg><
option>-R <
replaceable class="parameter">randomdev</
replaceable></
option></
arg>
13680N/A <
para><
command>nsupdate</
command>
10139N/A is used to submit Dynamic DNS Update requests as defined in RFC 2136
11933N/A This allows resource records to be added or removed from a zone
10139N/A without manually editing the zone file.
10139N/A A single update request can contain requests to add or remove more than
10139N/A Zones that are under dynamic control via
10139N/A or a DHCP server should not be edited by hand.
10139N/A conflict with dynamic updates and cause data to be lost.
10139N/A The resource records that are dynamically added or removed with
10139N/A Requests are sent to the zone's master server.
10139N/A This is identified by the MNAME field of the zone's SOA record.
10139N/A This provides tracing information about the update requests that are
11232N/A made and the replies received from the name server.
10139N/A The <
option>-D</
option> option makes <
command>nsupdate</
command>
10139N/A report additional debugging information to <
option>-d</
option>.
10139N/A The <
option>-L</
option> option with an integer argument of zero or
11925N/A higher sets the logging debug level. If zero, logging is disabled.
10139N/A Transaction signatures can be used to authenticate the Dynamic
10139N/A DNS updates. These use the TSIG resource record type described
10139N/A in RFC 2845 or the SIG(0) record described in RFC 2535 and
10139N/A RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
10139N/A a shared secret that should only be known to
10139N/A <
command>nsupdate</
command> and the name server. Currently,
10139N/A the only supported encryption algorithm for TSIG is HMAC-MD5,
10139N/A which is defined in RFC 2104. Once other algorithms are
10139N/A defined for TSIG, applications will need to ensure they select
10139N/A the appropriate algorithm as well as the key when authenticating
10139N/A each other. For instance, suitable <
type>key</
type> and
10139N/A <
type>server</
type> statements would be added to
10139N/A can associate the appropriate secret key and algorithm with
10139N/A the IP address of the client application that will be using
13727N/A TSIG authentication. SIG(0) uses public key cryptography.
10139N/A To use a SIG(0) key, the public key must be stored in a KEY
10139N/A record in a zone served by the name server.
10139N/A <
command>nsupdate</
command> does not read
12374N/A GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
10915N/A is switched on with the <
option>-g</
option> flag. A
11161N/A non-standards-compliant variant of GSS-TSIG used by Windows
12385N/A 2000 can be switched on with the <
option>-o</
option> flag.
13700N/A <
para><
command>nsupdate</
command>
12780N/A uses the <
option>-y</
option> or <
option>-k</
option> option
12780N/A to provide the shared secret needed to generate a TSIG record
13092N/A for authenticating Dynamic DNS update requests, default type
13360N/A HMAC-MD5. These options are mutually exclusive.
13695N/A When the <
option>-y</
option> option is used, a signature is
13705N/A <
optional><
parameter>hmac:</
parameter></
optional><
parameter>keyname:secret.</
parameter>
13711N/A <
parameter>keyname</
parameter> is the name of the key, and
13738N/A <
parameter>secret</
parameter> is the base64 encoded shared secret.
13738N/A Use of the <
option>-y</
option> option is discouraged because the
10139N/A shared secret is supplied as a command line argument in clear text.
10139N/A This may be visible in the output from
10139N/A <
refentrytitle>ps</
refentrytitle><
manvolnum>1</
manvolnum>
10139N/A or in a history file maintained by the user's shell.
10139N/A <
option>-k</
option> option, <
command>nsupdate</
command> reads
10139N/A the shared secret from the file <
parameter>keyfile</
parameter>.
10139N/A Keyfiles may be in two formats: a single file containing
10139N/A statement, which may be generated automatically by
10139N/A <
command>ddns-confgen</
command>, or a pair of files whose names are
10139N/A of the format <
filename>K{name}.+157.+{random}.key</
filename> and
10139N/A <
filename>K{name}.+157.+{random}.private</
filename>, which can be
10139N/A generated by <
command>dnssec-keygen</
command>.
10139N/A The <
option>-k</
option> may also be used to specify a SIG(0) key used
10139N/A to authenticate Dynamic DNS update requests. In this case, the key
10139N/A specified is not an HMAC-MD5 key.
10139N/A <
command>nsupdate</
command> can be run in a local-host only mode
10139N/A using the <
option>-l</
option> flag. This sets the server address to
10139N/A localhost (disabling the <
command>server</
command> so that the server
10139N/A address cannot be overridden). Connections to the local server will
10139N/A which is automatically generated by <
command>named</
command> if any
10139N/A local master zone has set <
command>update-policy</
command> to
10139N/A <
command>local</
command>. The location of this key file can be
10139N/A overridden with the <
option>-k</
option> option.
10139N/A By default, <
command>nsupdate</
command>
10139N/A uses UDP to send update requests to the name server unless they are too
10139N/A large to fit in a UDP request in which case TCP will be used.
10139N/A This may be preferable when a batch of update requests is made.
10139N/A The <
option>-p</
option> sets the default port number to use for
10139N/A connections to a name server. The default is 53.
10139N/A The <
option>-t</
option> option sets the maximum time an update request
10139N/A take before it is aborted. The default is 300 seconds. Zero can be
10139N/A The <
option>-u</
option> option sets the UDP retry interval. The default
10139N/A 3 seconds. If zero, the interval will be computed from the timeout
10139N/A The <
option>-r</
option> option sets the number of UDP retries. The
10139N/A 3. If zero, only one update request will be made.
10139N/A class="parameter">randomdev</
replaceable></
option> option
10139N/A specifies a source of randomness. If the operating system
10139N/A equivalent device, the default source of randomness is keyboard
10139N/A input. <
filename>randomdev</
filename> specifies the name of
10139N/A a character device or file containing random data to be used
10139N/A instead of the default. The special value
10139N/A <
filename>keyboard</
filename> indicates that keyboard input
10139N/A should be used. This option may be specified multiple times.
10139N/A <
para><
command>nsupdate</
command>
10139N/A <
parameter>filename</
parameter>
10139N/A Each command is supplied on exactly one line of input.
10139N/A Some commands are for administrative purposes.
10139N/A The others are either update instructions or prerequisite checks on the
10139N/A These checks set conditions that some name or set of
10139N/A resource records (RRset) either exists or is absent from the zone.
10139N/A These conditions must be met if the entire update request is to succeed.
10139N/A Updates will be rejected if the tests for the prerequisite conditions
10139N/A Every update request consists of zero or more prerequisites
10139N/A This allows a suitably authenticated update request to proceed if some
10139N/A specified resource records are present or missing from the zone.
10139N/A A blank input line (or the <
command>send</
command> command)
10139N/A accumulated commands to be sent as one Dynamic DNS update request to the
10139N/A The command formats and their meaning are as follows:
10139N/A <
arg choice="req">servername</
arg>
11965N/A Sends all dynamic update requests to the name server
11965N/A <
parameter>servername</
parameter>.
11965N/A When no server statement is provided,
11965N/A will send updates to the master server of the correct zone.
11965N/A The MNAME field of that zone's SOA record will identify the
11965N/A <
parameter>servername</
parameter>
11965N/A where the dynamic update requests get sent.
13678N/A If no port number is specified, the default DNS port number of
10139N/A <
arg choice="req">address</
arg>
10139N/A Sends all dynamic update requests using the local
10139N/A <
parameter>address</
parameter>.
10139N/A When no local statement is provided,
13726N/A will send updates using an address and port chosen by the
10139N/A can additionally be used to make requests come from a specific
13680N/A If no port number is specified, the system will assign one.
11933N/A <
arg choice="req">zonename</
arg>
10139N/A Specifies that all updates are to be made to the zone
10139N/A <
parameter>zonename</
parameter>.
10139N/A will attempt determine the correct zone to update based on the
10139N/A <
arg choice="req">classname</
arg>
11161N/A If no <
parameter>class</
parameter> is specified, the
10139N/A <
arg choice="req">seconds</
arg>
10139N/A Specify the default time to live for records to be added.
10139N/A The value <
parameter>none</
parameter> will clear the default
11160N/A Specifies that all updates are to be TSIG-signed using the
10139N/A <
parameter>keyname</
parameter> <
parameter>keysecret</
parameter> pair.
10139N/A The <
command>key</
command> command
10139N/A overrides any key specified on the command line via
10139N/A <
option>-y</
option> or <
option>-k</
option>.
10139N/A <
command>prereq nxdomain</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A Requires that no resource record of any type exists with name
10139N/A <
parameter>domain-name</
parameter>.
10139N/A <
command>prereq yxdomain</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A <
parameter>domain-name</
parameter>
10139N/A exists (has as at least one resource record, of any type).
10139N/A <
command>prereq nxrrset</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A Requires that no resource record exists of the specified
10139N/A <
parameter>domain-name</
parameter>.
10139N/A is omitted, IN (internet) is assumed.
10139N/A <
command>prereq yxrrset</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A This requires that a resource record of the specified
10139N/A <
parameter>domain-name</
parameter>
10139N/A is omitted, IN (internet) is assumed.
10139N/A <
command>prereq yxrrset</
command>
10139N/A <
arg choice="req">domain-name</
arg>
11904N/A <
arg choice="req" rep="repeat">data</
arg>
10139N/A from each set of prerequisites of this form
10139N/A <
parameter>domain-name</
parameter>
10139N/A are combined to form a set of RRs. This set of RRs must
10139N/A exactly match the set of RRs existing in the zone at the
10139N/A <
parameter>domain-name</
parameter>.
10139N/A are written in the standard text representation of the resource
10139N/A <
command>update delete</
command>
10139N/A <
arg choice="req">domain-name</
arg>
10139N/A <
arg choice="opt">type <
arg choice="opt" rep="repeat">data</
arg></
arg>
10139N/A Deletes any resource records named
10139N/A <
parameter>domain-name</
parameter>.
12787N/A is provided, only matching resource records will be removed.
12787N/A The internet class is assumed if
12787N/A is ignored, and is only allowed for compatibility.
12787N/A <
arg choice="req">domain-name</
arg>
12787N/A <
arg choice="req" rep="repeat">data</
arg>
10139N/A Adds a new resource record with the specified
12741N/A Displays the current message, containing all of the
12741N/A updates specified since the last send.
11232N/A Sends the current message. This is equivalent to entering a
10139N/A Lines beginning with a semicolon are comments and are ignored.
10139N/A could be used to insert and delete resource records from the
10139N/A Notice that the input in each example contains a trailing blank line so
10139N/A a group of commands are sent as one dynamic update request to the
10363N/A with IP address 172.16.1.1 is added.
10139N/A The newly-added record has a 1 day TTL (86400 seconds).
13738N/A The prerequisite condition gets the name server to check that there
11925N/A are no resource records of any type for
10139N/A If there are, the update request fails.
13732N/A If this name does not exist, a CNAME for it is added.
13732N/A This ensures that when the CNAME is added, it cannot conflict with the
13732N/A long-standing rule in RFC 1034 that a name must not exist as any other
13732N/A record type if it exists as a CNAME.
13732N/A (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
10139N/A RRSIG, DNSKEY and NSEC records.)
10139N/A used to identify default name server
10139N/A sets the default TSIG key for use in local-only mode
10139N/A <
term><
constant>K{name}.+157.+{random}.key</
constant></
term>
10139N/A base-64 encoding of HMAC-MD5 key created by
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
term><
constant>K{name}.+157.+{random}.private</
constant></
term>
10139N/A base-64 encoding of HMAC-MD5 key created by
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
citetitle>RFC 2136</
citetitle>,
10885N/A <
citetitle>RFC 3007</
citetitle>,
10139N/A <
citetitle>RFC 2104</
citetitle>,
10139N/A <
citetitle>RFC 2845</
citetitle>,
10139N/A <
citetitle>RFC 1034</
citetitle>,
10139N/A <
citetitle>RFC 2535</
citetitle>,
10139N/A <
citetitle>RFC 2931</
citetitle>,
10139N/A <
refentrytitle>named</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
refentrytitle>ddns-confgen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
10139N/A The TSIG key is redundantly stored in two separate files.
10139N/A This is a consequence of nsupdate using the DST library
10139N/A for its cryptographic operations, and may change in future