nsupdate.html revision b68a2d272b958eb2c40cce59ee33e71c5f5f521b
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews - Copyright (C) 2004-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.nsupdate"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">nsupdate</span> — Dynamic DNS update utility</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is used to submit Dynamic DNS Update requests as defined in RFC 2136
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to a name server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows resource records to be added or removed from a zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein without manually editing the zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A single update request can contain requests to add or remove more than
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein resource record.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Zones that are under dynamic control via
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or a DHCP server should not be edited by hand.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Manual edits could
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein conflict with dynamic updates and cause data to be lost.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The resource records that are dynamically added or removed with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews have to be in the same zone.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews Requests are sent to the zone's master server.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews This is identified by the MNAME field of the zone's SOA record.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews option makes
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein operate in debug mode.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This provides tracing information about the update requests that are
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews made and the replies received from the name server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews report additional debugging information to <code class="option">-d</code>.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews The <code class="option">-L</code> option with an integer argument of zero or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein higher sets the logging debug level. If zero, logging is disabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Transaction signatures can be used to authenticate the Dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS updates. These use the TSIG resource record type described
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in RFC 2845 or the SIG(0) record described in RFC 2535 and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews a shared secret that should only be known to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span> and the name server. Currently,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the only supported encryption algorithm for TSIG is HMAC-MD5,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which is defined in RFC 2104. Once other algorithms are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein defined for TSIG, applications will need to ensure they select
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the appropriate algorithm as well as the key when authenticating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein each other. For instance, suitable <span class="type">key</span> and
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <span class="type">server</span> statements would be added to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/etc/named.conf</code> so that the name server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can associate the appropriate secret key and algorithm with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the IP address of the client application that will be using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein TSIG authentication. SIG(0) uses public key cryptography.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To use a SIG(0) key, the public key must be stored in a KEY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein record in a zone served by the name server.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">nsupdate</strong></span> does not read
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is switched on with the <code class="option">-g</code> flag. A
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews non-standards-compliant variant of GSS-TSIG used by Windows
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews 2000 can be switched on with the <code class="option">-o</code> flag.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein uses the <code class="option">-y</code> or <code class="option">-k</code> option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to provide the shared secret needed to generate a TSIG record
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for authenticating Dynamic DNS update requests, default type
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-MD5. These options are mutually exclusive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When the <code class="option">-y</code> option is used, a signature is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generated from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <em class="parameter"><code>keyname</code></em> is the name of the key, and
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews valid choices are <code class="literal">hmac-md5</code>,
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews is not specified, the default is <code class="literal">hmac-md5</code>.
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews NOTE: Use of the <code class="option">-y</code> option is discouraged because the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein shared secret is supplied as a command line argument in clear text.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This may be visible in the output from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or in a history file maintained by the user's shell.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the shared secret from the file <em class="parameter"><code>keyfile</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Keyfiles may be in two formats: a single file containing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a <code class="filename">named.conf</code>-format <span><strong class="command">key</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statement, which may be generated automatically by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">ddns-confgen</strong></span>, or a pair of files whose names are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the format <code class="filename">K{name}.+157.+{random}.key</code> and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">K{name}.+157.+{random}.private</code>, which can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generated by <span><strong class="command">dnssec-keygen</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-k</code> may also be used to specify a SIG(0) key used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to authenticate Dynamic DNS update requests. In this case, the key
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified is not an HMAC-MD5 key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span> can be run in a local-host only mode
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein using the <code class="option">-l</code> flag. This sets the server address to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein localhost (disabling the <span><strong class="command">server</strong></span> so that the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein address cannot be overridden). Connections to the local server will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which is automatically generated by <span><strong class="command">named</strong></span> if any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein local master zone has set <span><strong class="command">update-policy</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">local</strong></span>. The location of this key file can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein overridden with the <code class="option">-k</code> option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein uses UDP to send update requests to the name server unless they are too
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein large to fit in a UDP request in which case TCP will be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option makes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein use a TCP connection.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This may be preferable when a batch of update requests is made.
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews The <code class="option">-p</code> sets the default port number to use for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein connections to a name server. The default is 53.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-t</code> option sets the maximum time an update request
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein take before it is aborted. The default is 300 seconds. Zero can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to disable the timeout.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The <code class="option">-u</code> option sets the UDP retry interval. The default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 3 seconds. If zero, the interval will be computed from the timeout
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and number of UDP retries.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-r</code> option sets the number of UDP retries. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 3. If zero, only one update request will be made.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specifies a source of randomness. If the operating system
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein does not provide a <code class="filename">/dev/random</code> or
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews equivalent device, the default source of randomness is keyboard
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein input. <code class="filename">randomdev</code> specifies the name of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a character device or file containing random data to be used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein instead of the default. The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">keyboard</code> indicates that keyboard input
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein should be used. This option may be specified multiple times.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein decimal value of the type with no leading zeros. The rdata,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if present, will be parsed using the UNKNOWN rdata format,
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews (<backslash> <hash> <space> <length>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <space> <hexstring>).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-T</code> and <code class="option">-P</code> options print out
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein lists of non-meta types for which the type-specific presentation
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein formats are known. <code class="option">-T</code> prints out the list of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein IANA-assigned types. <code class="option">-P</code> prints out the list of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein private types specific to <span><strong class="command">named</strong></span>. These options
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews may be combined. <span><strong class="command">nsupdate</strong></span> will exit after the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein lists are printed.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The -V option causes <span><strong class="command">nsupdate</strong></span> to print the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews version number and exit.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein reads input from
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>filename</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or standard input.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Each command is supplied on exactly one line of input.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Some commands are for administrative purposes.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The others are either update instructions or prerequisite checks on the
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews contents of the zone.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews These checks set conditions that some name or set of
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews resource records (RRset) either exists or is absent from the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These conditions must be met if the entire update request is to succeed.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Updates will be rejected if the tests for the prerequisite conditions
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Every update request consists of zero or more prerequisites
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and zero or more updates.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows a suitably authenticated update request to proceed if some
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified resource records are present or missing from the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A blank input line (or the <span><strong class="command">send</strong></span> command)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein accumulated commands to be sent as one Dynamic DNS update request to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The command formats and their meaning are as follows:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">server</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein {servername}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sends all dynamic update requests to the name server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>servername</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When no server statement is provided,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will send updates to the master server of the correct zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The MNAME field of that zone's SOA record will identify the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server for that zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is the port number on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>servername</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein where the dynamic update requests get sent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no port number is specified, the default DNS port number of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">local</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sends all dynamic update requests using the local
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>address</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When no local statement is provided,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will send updates using an address and port chosen by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can additionally be used to make requests come from a specific
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no port number is specified, the system will assign one.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">zone</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies that all updates are to be made to the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>zonename</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statement is provided,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will attempt determine the correct zone to update based on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein rest of the input.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">class</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the default class.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no <em class="parameter"><code>class</code></em> is specified, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default class is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">ttl</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specify the default time to live for records to be added.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The value <em class="parameter"><code>none</code></em> will clear the default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">key</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [hmac:] {keyname}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies that all updates are to be TSIG-signed using the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If <em class="parameter"><code>hmac</code></em> is specified, then it sets the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signing algorithm in use; the default is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">hmac-md5</code>. The <span><strong class="command">key</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein command overrides any key specified on the command line via
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-y</code> or <code class="option">-k</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">gsstsig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use GSS-TSIG to sign the updated. This is equivalent to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specifying <code class="option">-g</code> on the commandline.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">oldgsstsig</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use the Windows 2000 version of GSS-TSIG to sign the updated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is equivalent to specifying <code class="option">-o</code> on the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein commandline.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">realm</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein than the default realm in <code class="filename">krb5.conf</code>. If no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein realm is specified the saved realm is cleared.
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce <span><strong class="command">check-names</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Turn on or off check-names processing on records to
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce be added. Check-names has no effect on prerequisites
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce or records to be deleted. By default check-names
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce processing is on. If check-names processing fails
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson the record will not be added to the UPDATE message.
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson <span><strong class="command">[<span class="optional">prereq</span>] nxdomain</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Requires that no resource record of any type exists with name
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="parameter"><code>domain-name</code></em>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">[<span class="optional">prereq</span>] yxdomain</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce {domain-name}
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Requires that
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="parameter"><code>domain-name</code></em>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce exists (has as at least one resource record, of any type).
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">[<span class="optional">prereq</span>] nxrrset</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce {domain-name}
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce Requires that no resource record exists of the specified
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="parameter"><code>domain-name</code></em>.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce is omitted, IN (internet) is assumed.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce {domain-name}
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce This requires that a resource record of the specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>domain-name</code></em>
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce is omitted, IN (internet) is assumed.
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <span><strong class="command">[<span class="optional">prereq</span>] yxrrset</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce {domain-name}
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce from each set of prerequisites of this form
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce sharing a common
8e245ec21beee31a780de9b89ba1e8bb2b9f4c9aAndreas Gustafsson <em class="parameter"><code>type</code></em>,
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="parameter"><code>domain-name</code></em>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce are combined to form a set of RRs. This set of RRs must
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce exactly match the set of RRs existing in the zone at the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce <em class="parameter"><code>domain-name</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are written in the standard text representation of the resource
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce {domain-name}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein [type [data...]]
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Deletes any resource records named
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>domain-name</code></em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is provided, only matching resource records will be removed.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews The internet class is assumed if
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is not supplied. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is ignored, and is only allowed for compatibility.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">[<span class="optional">update</span>] add</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein {domain-name}
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Adds a new resource record with the specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">show</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Displays the current message, containing all of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein prerequisites and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein updates specified since the last send.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">send</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sends the current message. This is equivalent to entering a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">answer</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Displays the answer.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">debug</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Turn on debugging.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">version</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Print version number.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">help</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Print a list of commands.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Lines beginning with a semicolon are comments and are ignored.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The examples below show how
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">nsupdate</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein could be used to insert and delete resource records from the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Notice that the input in each example contains a trailing blank line so
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews a group of commands are sent as one dynamic update request to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein master name server for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> update delete oldhost.example.com A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce> update add newhost.example.com 86400 A 172.16.1.1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Any A records for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are deleted.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein And an A record for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein with IP address 172.16.1.1 is added.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The newly-added record has a 1 day TTL (86400 seconds).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> prereq nxdomain nickname.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> update add nickname.example.com 86400 CNAME somehost.example.com
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The prerequisite condition gets the name server to check that there
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are no resource records of any type for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If there are, the update request fails.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If this name does not exist, a CNAME for it is added.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This ensures that when the CNAME is added, it cannot conflict with the
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce long-standing rule in RFC 1034 that a name must not exist as any other
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce record type if it exists as a CNAME.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RRSIG, DNSKEY and NSEC records.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein used to identify default name server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">/var/run/named/session.key</code></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sets the default TSIG key for use in local-only mode
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein base-64 encoding of HMAC-MD5 key created by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein base-64 encoding of HMAC-MD5 key created by
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">ddns-confgen</span>(8)</span>,
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The TSIG key is redundantly stored in two separate files.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This is a consequence of nsupdate using the DST library
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for its cryptographic operations, and may change in future