5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<html>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<head>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<title>nsupdate</title>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek</head>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<a name="man.nsupdate"></a><div class="titlepage"></div>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<div class="refnamediv">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<h2>Name</h2>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek</div>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<div class="refsynopsisdiv">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<h2>Synopsis</h2>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek</div>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<div class="refsect1" lang="en">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<a name="id2543433"></a><h2>DESCRIPTION</h2>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p><span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek is used to submit Dynamic DNS Update requests as defined in RFC2136

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek to a name server.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek This allows resource records to be added or removed from a zone

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek without manually editing the zone file.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek A single update request can contain requests to add or remove more than

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek one

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek resource record.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Zones that are under dynamic control via

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek or a DHCP server should not be edited by hand.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Manual edits could

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek conflict with dynamic updates and cause data to be lost.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek The resource records that are dynamically added or removed with

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek have to be in the same zone.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Requests are sent to the zone's master server.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek This is identified by the MNAME field of the zone's SOA record.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek The

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <code class="option">-d</code>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek option makes

20a2be57d764f58c4a6532310331e26a3273ada8Lukas Slebodnik <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek operate in debug mode.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek This provides tracing information about the update requests that are

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek made and the replies received from the name server.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Transaction signatures can be used to authenticate the Dynamic DNS

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek updates.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek These use the TSIG resource record type described in RFC2845 or the

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek SIG(0) record described in RFC3535 and RFC2931.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek TSIG relies on a shared secret that should only be known to

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span> and the name server.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Currently, the only supported encryption algorithm for TSIG is

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek HMAC-MD5, which is defined in RFC 2104.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Once other algorithms are defined for TSIG, applications will need to

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek ensure they select the appropriate algorithm as well as the key when

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek authenticating each other.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek For instance, suitable

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span class="type">key</span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek and

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span class="type">server</span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek statements would be added to

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <code class="filename">/etc/named.conf</code>

20a2be57d764f58c4a6532310331e26a3273ada8Lukas Slebodnik so that the name server can associate the appropriate secret key

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek and algorithm with the IP address of the

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek client application that will be using TSIG authentication.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek SIG(0) uses public key cryptography. To use a SIG(0) key, the public

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek key must be stored in a KEY record in a zone served by the name server.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek does not read

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <code class="filename">/etc/named.conf</code>.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<p><span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek uses the <code class="option">-y</code> or <code class="option">-k</code> option

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek to provide the shared secret needed to generate a TSIG record

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek for authenticating Dynamic DNS update requests, default type

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek HMAC-MD5. These options are mutually exclusive. With the

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek the shared secret from the file <em class="parameter"><code>keyfile</code></em>,

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek whose name is of the form

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <code class="filename">K{name}.+157.+{random}.private</code>. For

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek historical reasons, the file

20a2be57d764f58c4a6532310331e26a3273ada8Lukas Slebodnik <code class="filename">K{name}.+157.+{random}.key</code> must also be

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek present. When the <code class="option">-y</code> option is used, a

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek signature is generated from

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <em class="parameter"><code>keyname</code></em> is the name of the key, and

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <em class="parameter"><code>secret</code></em> is the base64 encoded shared

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek secret. Use of the <code class="option">-y</code> option is discouraged

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek because the shared secret is supplied as a command line

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek argument in clear text. This may be visible in the output

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek from

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek shell.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The <code class="option">-k</code> may also be used to specify a SIG(0) key used

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek to authenticate Dynamic DNS update requests. In this case, the key

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek specified is not an HMAC-MD5 key.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek By default

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <span><strong class="command">nsupdate</strong></span>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek uses UDP to send update requests to the name server unless they are too

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek large to fit in a UDP request in which case TCP will be used.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <code class="option">-v</code>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek option makes

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <span><strong class="command">nsupdate</strong></span>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek use a TCP connection.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek This may be preferable when a batch of update requests is made.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The <code class="option">-t</code> option sets the maximum time an update request

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek can

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek take before it is aborted. The default is 300 seconds. Zero can be

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek used

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek to disable the timeout.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The <code class="option">-u</code> option sets the UDP retry interval. The default

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek is

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek 3 seconds. If zero, the interval will be computed from the timeout

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek interval

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek and number of UDP retries.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The <code class="option">-r</code> option sets the number of UDP retries. The

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek default is

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek 3. If zero, only one update request will be made.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek specifies a source of randomness. If the operating system

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek does not provide a <code class="filename">/dev/random</code> or

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek equivalent device, the default source of randomness is keyboard

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek input. <code class="filename">randomdev</code> specifies the name of

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek a character device or file containing random data to be used

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek instead of the default. The special value

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <code class="filename">keyboard</code> indicates that keyboard input

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek should be used. This option may be specified multiple times.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek</div>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<div class="refsect1" lang="en">

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<a name="id2543682"></a><h2>INPUT FORMAT</h2>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p><span><strong class="command">nsupdate</strong></span>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek reads input from

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <em class="parameter"><code>filename</code></em>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek or standard input.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek Each command is supplied on exactly one line of input.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek Some commands are for administrative purposes.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The others are either update instructions or prerequisite checks on the

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek contents of the zone.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek These checks set conditions that some name or set of

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek resource records (RRset) either exists or is absent from the zone.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek These conditions must be met if the entire update request is to succeed.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek Updates will be rejected if the tests for the prerequisite conditions

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek fail.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek Every update request consists of zero or more prerequisites

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek and zero or more updates.

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek This allows a suitably authenticated update request to proceed if some

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek specified resource records are present or missing from the zone.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek A blank input line (or the <span><strong class="command">send</strong></span> command)

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek causes the

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek accumulated commands to be sent as one Dynamic DNS update request to the

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek name server.

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<p>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek The command formats and their meaning are as follows:

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek </p>

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek<div class="variablelist"><dl>

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek<dt><span class="term">

4a5cced91df68a85ef0b30de8efe104c8a0aab7aJakub Hrozek <span><strong class="command">server</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek {servername}

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek [port]

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </span></dt>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<dd><p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Sends all dynamic update requests to the name server

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <em class="parameter"><code>servername</code></em>.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek When no server statement is provided,

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek will send updates to the master server of the correct zone.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek The MNAME field of that zone's SOA record will identify the

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek master

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek server for that zone.

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek <em class="parameter"><code>port</code></em>

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek is the port number on

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek <em class="parameter"><code>servername</code></em>

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek where the dynamic update requests get sent.

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek If no port number is specified, the default DNS port number of

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek 53 is

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek used.

49dd8ee2834d9477418961dbaffa4a03cfa9fd1eRené Genz </p></dd>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<dt><span class="term">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">local</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek {address}

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek [port]

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </span></dt>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek<dd><p>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek Sends all dynamic update requests using the local

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <em class="parameter"><code>address</code></em>.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek When no local statement is provided,

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">nsupdate</strong></span>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek will send updates using an address and port chosen by the

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek system.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <em class="parameter"><code>port</code></em>

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek can additionally be used to make requests come from a specific

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek port.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek If no port number is specified, the system will assign one.

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek </p></dd>

4e5e846de22407f825fe3b4040d79606818a2419Jakub Hrozek<dt><span class="term">

5eda23c28c582b43b2a0a165b1750f3875c0fa84Jakub Hrozek <span><strong class="command">zone</strong></span>

{zonename}

</span></dt>

<dd><p>

Specifies that all updates are to be made to the zone

<em class="parameter"><code>zonename</code></em>.

If no

<em class="parameter"><code>zone</code></em>

statement is provided,

<span><strong class="command">nsupdate</strong></span>

will attempt determine the correct zone to update based on the

rest of the input.

</p></dd>

<dt><span class="term">

<span><strong class="command">class</strong></span>

{classname}

</span></dt>

<dd><p>

Specify the default class.

If no <em class="parameter"><code>class</code></em> is specified, the

default class is

<em class="parameter"><code>IN</code></em>.

</p></dd>

<dt><span class="term">

<span><strong class="command">key</strong></span>

{name}

{secret}

</span></dt>

<dd><p>

Specifies that all updates are to be TSIG-signed using the

<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.

The <span><strong class="command">key</strong></span> command

overrides any key specified on the command line via

<code class="option">-y</code> or <code class="option">-k</code>.

</p></dd>

<dt><span class="term">

<span><strong class="command">prereq nxdomain</strong></span>

{domain-name}

</span></dt>

<dd><p>

Requires that no resource record of any type exists with name

<em class="parameter"><code>domain-name</code></em>.

</p></dd>

<dt><span class="term">

<span><strong class="command">prereq yxdomain</strong></span>

{domain-name}

</span></dt>

<dd><p>

Requires that

<em class="parameter"><code>domain-name</code></em>

exists (has as at least one resource record, of any type).

</p></dd>

<dt><span class="term">

<span><strong class="command">prereq nxrrset</strong></span>

{domain-name}

[class]

{type}

</span></dt>

<dd><p>

Requires that no resource record exists of the specified

<em class="parameter"><code>type</code></em>,

<em class="parameter"><code>class</code></em>

and

<em class="parameter"><code>domain-name</code></em>.

If

<em class="parameter"><code>class</code></em>

is omitted, IN (internet) is assumed.

</p></dd>

<dt><span class="term">

<span><strong class="command">prereq yxrrset</strong></span>

{domain-name}

[class]

{type}

</span></dt>

<dd><p>

This requires that a resource record of the specified

<em class="parameter"><code>type</code></em>,

<em class="parameter"><code>class</code></em>

and

<em class="parameter"><code>domain-name</code></em>

must exist.

If

<em class="parameter"><code>class</code></em>

is omitted, IN (internet) is assumed.

</p></dd>

<dt><span class="term">

<span><strong class="command">prereq yxrrset</strong></span>

{domain-name}

[class]

{type}

{data...}

</span></dt>

<dd><p>

The

<em class="parameter"><code>data</code></em>

from each set of prerequisites of this form

sharing a common

<em class="parameter"><code>type</code></em>,

<em class="parameter"><code>class</code></em>,

and

<em class="parameter"><code>domain-name</code></em>

are combined to form a set of RRs. This set of RRs must

exactly match the set of RRs existing in the zone at the

given

<em class="parameter"><code>type</code></em>,

<em class="parameter"><code>class</code></em>,

and

<em class="parameter"><code>domain-name</code></em>.

The

<em class="parameter"><code>data</code></em>

are written in the standard text representation of the resource

record's

RDATA.

</p></dd>

<dt><span class="term">

<span><strong class="command">update delete</strong></span>

{domain-name}

[ttl]

[class]

[type [data...]]

</span></dt>

<dd><p>

Deletes any resource records named

<em class="parameter"><code>domain-name</code></em>.

If

<em class="parameter"><code>type</code></em>

and

<em class="parameter"><code>data</code></em>

is provided, only matching resource records will be removed.

The internet class is assumed if

<em class="parameter"><code>class</code></em>

is not supplied. The

<em class="parameter"><code>ttl</code></em>

is ignored, and is only allowed for compatibility.

</p></dd>

<dt><span class="term">

<span><strong class="command">update add</strong></span>

{domain-name}

{ttl}

[class]

{type}

{data...}

</span></dt>

<dd><p>

Adds a new resource record with the specified

<em class="parameter"><code>ttl</code></em>,

<em class="parameter"><code>class</code></em>

and

<em class="parameter"><code>data</code></em>.

</p></dd>

<dt><span class="term">

<span><strong class="command">show</strong></span>

</span></dt>

<dd><p>

Displays the current message, containing all of the

prerequisites and

updates specified since the last send.

</p></dd>

<dt><span class="term">

<span><strong class="command">send</strong></span>

</span></dt>

<dd><p>

Sends the current message. This is equivalent to entering a

blank line.

</p></dd>

<dt><span class="term">

<span><strong class="command">answer</strong></span>

</span></dt>

<dd><p>

Displays the answer.

</p></dd>

</dl></div>

<p>

</p>

<p>

Lines beginning with a semicolon are comments and are ignored.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2544684"></a><h2>EXAMPLES</h2>

<p>

The examples below show how

<span><strong class="command">nsupdate</strong></span>

could be used to insert and delete resource records from the

<span class="type">example.com</span>

zone.

Notice that the input in each example contains a trailing blank line so

that

a group of commands are sent as one dynamic update request to the

master name server for

<span class="type">example.com</span>.

</p>

<pre class="programlisting">

# nsupdate

&gt; update delete oldhost.example.com A

&gt; update add newhost.example.com 86400 A 172.16.1.1

&gt; send

</pre>

<p>

</p>

<p>

Any A records for

<span class="type">oldhost.example.com</span>

are deleted.

And an A record for

<span class="type">newhost.example.com</span>

with IP address 172.16.1.1 is added.

The newly-added record has a 1 day TTL (86400 seconds).

</p>

<pre class="programlisting">

# nsupdate

&gt; prereq nxdomain nickname.example.com

&gt; update add nickname.example.com 86400 CNAME somehost.example.com

&gt; send

</pre>

<p>

</p>

<p>

The prerequisite condition gets the name server to check that there

are no resource records of any type for

<span class="type">nickname.example.com</span>.

If there are, the update request fails.

If this name does not exist, a CNAME for it is added.

This ensures that when the CNAME is added, it cannot conflict with the

long-standing rule in RFC1034 that a name must not exist as any other

record type if it exists as a CNAME.

(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have

RRSIG, DNSKEY and NSEC records.)

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2544728"></a><h2>FILES</h2>

<div class="variablelist"><dl>

<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>

<dd><p>

used to identify default name server

</p></dd>

<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>

<dd><p>

base-64 encoding of HMAC-MD5 key created by

<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.

</p></dd>

<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>

<dd><p>

base-64 encoding of HMAC-MD5 key created by

<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.

</p></dd>

</dl></div>

</div>

<div class="refsect1" lang="en">

<a name="id2544797"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,

<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,

<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2544868"></a><h2>BUGS</h2>

<p>

The TSIG key is redundantly stored in two separate files.

This is a consequence of nsupdate using the DST library

for its cryptographic operations, and may change in future

releases.

</p>

</div>

</div></body>

</html>