d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
e57ec8c5016d781ccbe9785898fd7c6df887d99fTinderbox User - Copyright (C) 2000-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<a name="man.nsupdate"></a><div class="titlepage"></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User — Dynamic DNS update utility
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-L <em class="replaceable"><code>level</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><span class="command"><strong>nsupdate</strong></span>
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater is used to submit Dynamic DNS Update requests as defined in RFC 2136
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to a name server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows resource records to be added or removed from a zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein without manually editing the zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A single update request can contain requests to add or remove more than
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein one resource record.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Zones that are under dynamic control via
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or a DHCP server should not be edited by hand.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Manual edits could
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein conflict with dynamic updates and cause data to be lost.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The resource records that are dynamically added or removed with
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein have to be in the same zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Requests are sent to the zone's master server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is identified by the MNAME field of the zone's SOA record.
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater Transaction signatures can be used to authenticate the Dynamic
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater DNS updates. These use the TSIG resource record type described
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater in RFC 2845 or the SIG(0) record described in RFC 2535 and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User RFC 2931 or GSS-TSIG as described in RFC 3645.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User TSIG relies on
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater a shared secret that should only be known to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span> and the name server.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User For instance, suitable <span class="type">key</span> and
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater <span class="type">server</span> statements would be added to
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater <code class="filename">/etc/named.conf</code> so that the name server
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater can associate the appropriate secret key and algorithm with
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater the IP address of the client application that will be using
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User to generate suitable configuration fragments.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User uses the <code class="option">-y</code> or <code class="option">-k</code> options
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User to provide the TSIG shared secret. These options are mutually exclusive.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User SIG(0) uses public key cryptography.
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater To use a SIG(0) key, the public key must be stored in a KEY
ed4475f3f583f6137b4ff7fea775c5363a4fdb29Automatic Updater record in a zone served by the name server.
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater is switched on with the <code class="option">-g</code> flag. A
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater non-standards-compliant variant of GSS-TSIG used by Windows
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater 2000 can be switched on with the <code class="option">-o</code> flag.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="variablelist"><dl class="variablelist">
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Debug mode. This provides tracing information about the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User update requests that are made and the replies received
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User from the name server.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Extra debug mode.
e57ec8c5016d781ccbe9785898fd7c6df887d99fTinderbox User Force interactive mode, even when standard input is not a terminal.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The file containing the TSIG authentication key.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Keyfiles may be in two formats: a single file containing
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User statement, which may be generated automatically by
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User of the format <code class="filename">K{name}.+157.+{random}.key</code> and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="filename">K{name}.+157.+{random}.private</code>, which can be
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User generated by <span class="command"><strong>dnssec-keygen</strong></span>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The <code class="option">-k</code> option may also be used to specify a SIG(0) key used
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User to authenticate Dynamic DNS update requests. In this case, the key
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User specified is not an HMAC-MD5 key.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Local-host only mode. This sets the server address to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User address cannot be overridden). Connections to the local server will
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User which is automatically generated by <span class="command"><strong>named</strong></span> if any
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User local master zone has set <span class="command"><strong>update-policy</strong></span> to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>local</strong></span>. The location of this key file can be
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User overridden with the <code class="option">-k</code> option.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Set the logging debug level. If zero, logging is disabled.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Set the port to use for connections to a name server. The
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User default is 53.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Print the list of private BIND-specific resource record
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User types whose format is understood
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User by <span class="command"><strong>nsupdate</strong></span>. See also
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The number of UDP retries. The default is 3. If zero, only
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User one update request will be made.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Where to obtain randomness. If the operating system
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User does not provide a <code class="filename">/dev/random</code> or
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User equivalent device, the default source of randomness is keyboard
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User input. <code class="filename">randomdev</code> specifies the name of
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User a character device or file containing random data to be used
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User instead of the default. The special value
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="filename">keyboard</code> indicates that keyboard input
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User should be used. This option may be specified multiple times.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The maximum time an update request can take before it is
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User aborted. The default is 300 seconds. Zero can be used to
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User disable the timeout.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Print the list of IANA standard resource record types
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span> will exit after the lists are
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User printed. The <code class="option">-T</code> option can be combined
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User with the <code class="option">-P</code> option.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User decimal value of the type with no leading zeros. The rdata,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User if present, will be parsed using the UNKNOWN rdata format,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User (<backslash> <hash> <space> <length>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <space> <hexstring>).
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The UDP retry interval. The default is 3 seconds. If zero,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User the interval will be computed from the timeout interval and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User number of UDP retries.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Use TCP even for small update requests.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User By default, <span class="command"><strong>nsupdate</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User uses UDP to send update requests to the name server unless they are too
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User large to fit in a UDP request in which case TCP will be used.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User TCP may be preferable when a batch of update requests is made.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Print the version number and exit.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Literal TSIG authentication key.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>keyname</code></em> is the name of the key, and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User valid choices are <code class="literal">hmac-md5</code>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
281ed127e3ed6c7e07792c19c3bc4562f71cfa90Tinderbox User is not specified, the default is <code class="literal">hmac-md5</code>
281ed127e3ed6c7e07792c19c3bc4562f71cfa90Tinderbox User or if MD5 was disabled <code class="literal">hmac-sha256</code>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User NOTE: Use of the <code class="option">-y</code> option is discouraged because the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User shared secret is supplied as a command line argument in clear text.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User This may be visible in the output from
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User or in a history file maintained by the user's shell.
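<p>An added example, not part of the BIND documentation or source: a small audit that applies the key-handling notes above to captured command lines and batch files, flagging <code class="option">-y</code> secrets in argv, <code class="option">-y</code> combined with <code class="option">-k</code>, and keys whose hmac is omitted or outside a local policy. The allowed-algorithm set, the file paths, the key name and the sample secret are assumptions constructed for illustration.</p>

```python
import os
import shlex

# Algorithm names accepted by -y and the key command, as listed on this page.
VALID_HMACS = ("hmac-md5", "hmac-sha1", "hmac-sha224",
               "hmac-sha256", "hmac-sha384", "hmac-sha512")
# Assumption: a local policy choice, not something the man page mandates.
ALLOWED_HMACS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}
# Page: the default when hmac is omitted (hmac-sha256 if MD5 was disabled).
DEFAULT_HMAC = "hmac-md5"


def split_key(spec, secret=None):
    """Parse '[hmac:]keyname:secret' (-y) or '[hmac:]keyname' plus a secret (key command)."""
    parts = spec.split(":")
    if secret is None:                      # -y form: the secret is the last field
        if len(parts) < 2:
            raise ValueError("expected [hmac:]keyname:secret")
        secret = parts.pop()
    if not 1 <= len(parts) <= 2 or not all(parts):
        raise ValueError("expected [hmac:]keyname")
    hmac = parts[0].lower() if len(parts) == 2 else None
    return hmac, parts[-1], secret


def hmac_findings(hmac):
    """Findings about the signing algorithm a key specification selects."""
    if hmac is None:
        return [("default-hmac",
                 f"no hmac given; {DEFAULT_HMAC} is used unless MD5 was disabled")]
    if hmac not in VALID_HMACS:
        return [("unknown-hmac", hmac)]
    if hmac not in ALLOWED_HMACS:
        return [("hmac-not-allowed", hmac)]
    return []


def audit_argv(cmdline):
    """Return (findings, cmdline with the -y secret redacted) for one command line."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "nsupdate":
        return [], cmdline
    findings, out, has_y, has_k = [], [argv[0]], False, False
    args = iter(argv[1:])
    for arg in args:
        if arg.startswith("-y"):
            has_y = True
            value = arg[2:] or next(args, "")   # "-yVALUE" or "-y VALUE"
            try:
                hmac, name, _secret = split_key(value)
            except ValueError as exc:
                findings.append(("bad-y-value", str(exc)))
                out += ["-y", "REDACTED"]
                continue
            findings.append(("secret-in-argv",
                             f"key {name!r} exposed to process listings and shell history"))
            findings += hmac_findings(hmac)
            out += ["-y", (f"{hmac}:" if hmac else "") + f"{name}:REDACTED"]
        else:
            has_k = has_k or arg.startswith("-k")
            out.append(arg)
    if has_y and has_k:
        findings.append(("y-and-k", "-y and -k are mutually exclusive"))
    return findings, shlex.join(out)


def audit_batch(text):
    """Return (line, code, detail) findings for key commands in an nsupdate batch file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words or words[0] != "key":      # also skips ';' comment lines
            continue
        try:
            if len(words) != 3:
                raise ValueError("expected: key [hmac:]keyname secret")
            hmac, name, _secret = split_key(words[1], words[2])
        except ValueError as exc:
            findings.append((lineno, "bad-key-command", str(exc)))
            continue
        findings.append((lineno, "key-command",
                         f"key {name!r} overrides any -y/-k key; the secret is stored in this file"))
        findings += [(lineno, code, detail) for code, detail in hmac_findings(hmac)]
    return findings


# Constructed sample input (not from the page); "c2VjcmV0" is a placeholder secret.
SAMPLE_CMDLINES = [
    "nsupdate -y ddns-key:c2VjcmV0 updates.txt",
    "nsupdate -k /etc/bind/ddns.key updates.txt",
    "nsupdate -y hmac-sha256:ddns-key:c2VjcmV0 -k /etc/bind/ddns.key",
]
SAMPLE_BATCH = """\
; constructed batch file
server ns1.example.com
key hmac-md5:ddns-key c2VjcmV0
prereq nxdomain nickname.example.com
update add nickname.example.com 86400 CNAME somehost.example.com
send
"""

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        found, safe = audit_argv(cmd)
        print(safe)
        for item in found:
            print("   ", *item)
    for item in audit_batch(SAMPLE_BATCH):
        print(*item)
```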
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><span class="command"><strong>nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein reads input from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>filename</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or standard input.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Each command is supplied on exactly one line of input.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Some commands are for administrative purposes.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The others are either update instructions or prerequisite checks on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein contents of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These checks set conditions that some name or set of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein resource records (RRset) either exists or is absent from the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These conditions must be met if the entire update request is to succeed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Updates will be rejected if the tests for the prerequisite conditions
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Every update request consists of zero or more prerequisites
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and zero or more updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows a suitably authenticated update request to proceed if some
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified resource records are present or missing from the zone.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User A blank input line (or the <span class="command"><strong>send</strong></span> command)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein accumulated commands to be sent as one Dynamic DNS update request to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The command formats and their meaning are as follows:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="variablelist"><dl class="variablelist">
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>server</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Sends all dynamic update requests to the name server
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>servername</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User When no server statement is provided,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User will send updates to the master server of the correct zone.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The MNAME field of that zone's SOA record will identify the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User server for that zone.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is the port number on
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>servername</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User where the dynamic update requests get sent.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User If no port number is specified, the default DNS port number of
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>local</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Sends all dynamic update requests using the local
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>address</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User When no local statement is provided,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User will send updates using an address and port chosen by the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User can additionally be used to make requests come from a specific
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User If no port number is specified, the system will assign one.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>zone</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Specifies that all updates are to be made to the zone
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>zonename</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User statement is provided,
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User will attempt to determine the correct zone to update based on the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User rest of the input.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>class</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Specify the default class.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User If no <em class="parameter"><code>class</code></em> is specified, the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User default class is
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>ttl</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Specify the default time to live for records to be added.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater The value <em class="parameter"><code>none</code></em> will clear the default
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>key</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User [hmac:] {keyname}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Specifies that all updates are to be TSIG-signed using the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User signing algorithm in use; the default is
281ed127e3ed6c7e07792c19c3bc4562f71cfa90Tinderbox User <code class="literal">hmac-md5</code> or if MD5 was disabled
281ed127e3ed6c7e07792c19c3bc4562f71cfa90Tinderbox User <code class="literal">hmac-sha256</code>. The <span class="command"><strong>key</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User command overrides any key specified on the command line via
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <code class="option">-y</code> or <code class="option">-k</code>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>gsstsig</strong></span>
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater Use GSS-TSIG to sign the update. This is equivalent to
24abfe433efd98bb2099b867fb14d049b2f1f531Tinderbox User specifying <code class="option">-g</code> on the command line.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>oldgsstsig</strong></span>
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater Use the Windows 2000 version of GSS-TSIG to sign the update.
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater This is equivalent to specifying <code class="option">-o</code> on the
24abfe433efd98bb2099b867fb14d049b2f1f531Tinderbox User command line.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>realm</strong></span>
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater than the default realm in <code class="filename">krb5.conf</code>. If no
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater realm is specified the saved realm is cleared.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>check-names</strong></span>
b68a2d272b958eb2c40cce59ee33e71c5f5f521bTinderbox User Turn on or off check-names processing on records to
b68a2d272b958eb2c40cce59ee33e71c5f5f521bTinderbox User be added. Check-names has no effect on prerequisites
b68a2d272b958eb2c40cce59ee33e71c5f5f521bTinderbox User or records to be deleted. By default check-names
b68a2d272b958eb2c40cce59ee33e71c5f5f521bTinderbox User processing is on. If check-names processing fails
b68a2d272b958eb2c40cce59ee33e71c5f5f521bTinderbox User the record will not be added to the UPDATE message.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">prereq</span>] nxdomain</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Requires that no resource record of any type exists with name
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">prereq</span>] yxdomain</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Requires that
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User exists (has at least one resource record, of any type).
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">prereq</span>] nxrrset</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Requires that no resource record exists of the specified
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>type</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is omitted, IN (internet) is assumed.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User This requires that a resource record of the specified
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>type</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is omitted, IN (internet) is assumed.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">prereq</span>] yxrrset</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User from each set of prerequisites of this form
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User sharing a common
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>type</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User are combined to form a set of RRs. This set of RRs must
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User exactly match the set of RRs existing in the zone at the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>type</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>,
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User are written in the standard text representation of the resource
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User [type [data...]]
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Deletes any resource records named
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>domain-name</code></em>.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is provided, only matching resource records will be removed.
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User The internet class is assumed if
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is not supplied. The
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User is ignored, and is only allowed for compatibility.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>[<span class="optional">update</span>] add</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User {domain-name}
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Adds a new resource record with the specified
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>class</code></em>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User <em class="parameter"><code>data</code></em>.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>show</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Displays the current message, containing all of the
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User prerequisites and
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User updates specified since the last send.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>send</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Sends the current message. This is equivalent to entering a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>answer</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Displays the answer.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>debug</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Turn on debugging.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>version</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Print version number.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>help</strong></span>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Print a list of commands.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Lines beginning with a semicolon are comments and are ignored.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The examples below show how
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <span class="command"><strong>nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could be used to insert and delete resource records from the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Notice that the input in each example contains a trailing blank line so
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a group of commands is sent as one dynamic update request to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein master name server for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> update delete oldhost.example.com A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> update add newhost.example.com 86400 A 172.16.1.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Any A records for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are deleted.
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews And an A record for
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews with IP address 172.16.1.1 is added.
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews The newly-added record has a 1 day TTL (86400 seconds).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> prereq nxdomain nickname.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> update add nickname.example.com 86400 CNAME somehost.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The prerequisite condition gets the name server to check that there
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are no resource records of any type for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If there are, the update request fails.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If this name does not exist, a CNAME for it is added.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This ensures that when the CNAME is added, it cannot conflict with the
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater long-standing rule in RFC 1034 that a name must not exist as any other
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein record type if it exists as a CNAME.
d060d8669f5558690e7faf4a1c12fe5c02a7c60dAutomatic Updater (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RRSIG, DNSKEY and NSEC records.)
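The CNAME guard described above can be checked mechanically before a batch file is fed to nsupdate. The following linter is an added example, not part of the original page or of BIND; the function names and the sample batch are hypothetical, and it assumes a numeric TTL in each add command.

```python
CLASSES = {"IN", "CH", "HS"}
# Constructed sample input, not taken from a real zone.
SAMPLE = """\
; constructed sample batch
prereq nxdomain nickname.example.com
update add nickname.example.com 86400 CNAME somehost.example.com

update add alias.example.com 86400 IN CNAME somehost.example.com
send
prereq nxdomain other.example.com
add Alias2.example.com. 300 CNAME somehost.example.com
"""

def norm(name):
    return name.rstrip(".").lower()

def split_requests(text):
    """Yield command lists; a blank line or `send` closes a request (EOF too, for linting)."""
    current = []
    # Lines beginning with a semicolon are comments and are dropped here.
    for line in (r.strip() for r in text.splitlines() if not r.lstrip().startswith(";")):
        if line and line.lower() != "send":
            current.append(line)
        elif current:
            yield current
            current = []
    if current:
        yield current

def parse(line):
    """Return (command, fields) without the optional update/prereq keyword."""
    tok = line.split()
    tok = tok[1:] if tok[0].lower() in ("update", "prereq") and len(tok) > 1 else tok
    return tok[0].lower(), tok[1:]

def added_type(fields):
    """Record type of `add name ttl [class] type data`; numeric TTL assumed."""
    rest = [t.upper() for t in fields[1:]]
    while rest and (rest[0].isdigit() or rest[0] in CLASSES):
        rest.pop(0)
    return rest[0] if rest else None

def unguarded_cname_adds(text):
    """Return (request_number, name) per CNAME add lacking `prereq nxdomain` for that name.
    The server evaluates prerequisites before updates, so order inside a request is ignored."""
    findings = []
    for number, request in enumerate(split_requests(text), start=1):
        parsed = [parse(line) for line in request]
        guarded = {norm(f[0]) for cmd, f in parsed if cmd == "nxdomain" and f}
        findings += [(number, norm(f[0])) for cmd, f in parsed
                     if cmd == "add" and added_type(f) == "CNAME" and norm(f[0]) not in guarded]
    return findings
```

On the constructed sample, the second and third requests are reported: one has no prerequisite at all, and the other guards a different name than the one it adds.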
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="variablelist"><dl class="variablelist">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User used to identify default name server
90c38ab4e6904126bec2f2f57f60cd834ce759cbAutomatic Updater<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User sets the default TSIG key for use in local-only mode
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User base-64 encoding of HMAC-MD5 key created by
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-keygen</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User base-64 encoding of HMAC-MD5 key created by
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-keygen</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">ddns-confgen</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-keygen</span>(8)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The TSIG key is redundantly stored in two separate files.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is a consequence of nsupdate using the DST library
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for its cryptographic operations, and may change in future