man.nsupdate.html revision 7e71f05d8643aca84914437c900cb716444507e4
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.nsupdate"></a><div class="titlepage"></div>
<p><span class="application">nsupdate</span> — Dynamic DNS update utility</p>
<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [<code class="option">-D</code>] [<code class="option">-L <em class="replaceable"><code>level</code></em></code>] [[<code class="option">-g</code>] | [<code class="option">-o</code>] | [<code class="option">-l</code>] | [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [<code class="option">-T</code>] [<code class="option">-P</code>] [<code class="option">-V</code>] [filename]</p></div>
<p><span class="command"><strong>nsupdate</strong></span>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
This allows resource records to be added or removed from a zone
without manually editing the zone file.
A single update request can contain requests to add or remove more than
one resource record.</p>
<p>Zones that are under dynamic control via
<span class="command"><strong>nsupdate</strong></span>
or a DHCP server should not be edited by hand.
Manual edits could
conflict with dynamic updates and cause data to be lost.</p>
<p>The resource records that are dynamically added or removed with
<span class="command"><strong>nsupdate</strong></span>
have to be in the same zone.
Requests are sent to the zone's master server.
This is identified by the MNAME field of the zone's SOA record.</p>
<p>Transaction signatures can be used to authenticate the Dynamic
DNS updates. These use the TSIG resource record type described
in RFC 2845 or the SIG(0) record described in RFC 2535 and
RFC 2931 or GSS-TSIG as described in RFC 3645.</p>
<p>TSIG relies on
a shared secret that should only be known to
<span class="command"><strong>nsupdate</strong></span> and the name server.
For instance, suitable <span class="type">key</span> and
<span class="type">server</span> statements would be added to
<code class="filename">/etc/named.conf</code> so that the name server
can associate the appropriate secret key and algorithm with
the IP address of the client application that will be using
TSIG authentication. You can use <span class="command"><strong>ddns-confgen</strong></span>
to generate suitable configuration fragments.
<span class="command"><strong>nsupdate</strong></span>
uses the <code class="option">-y</code> or <code class="option">-k</code> options
to provide the TSIG shared secret. These options are mutually exclusive.</p>
<p>SIG(0) uses public key cryptography.
To use a SIG(0) key, the public key must be stored in a KEY
record in a zone served by the name server.</p>
<p>GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
is switched on with the <code class="option">-g</code> flag. A
non-standards-compliant variant of GSS-TSIG used by Windows
2000 can be switched on with the <code class="option">-o</code> flag.</p>
<dt><span class="term">-d</span></dt>
Debug mode. This provides tracing information about the
update requests that are made and the replies received
from the name server.
<dt><span class="term">-D</span></dt>
Extra debug mode.
<dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
The file containing the TSIG authentication key.
Keyfiles may be in two formats: a single file containing
a <code class="filename">named.conf</code>-format <span class="command"><strong>key</strong></span>
statement, which may be generated automatically by
<span class="command"><strong>ddns-confgen</strong></span>, or a pair of files whose names are
of the format <code class="filename">K{name}.+157.+{random}.key</code> and
<code class="filename">K{name}.+157.+{random}.private</code>, which can be
generated by <span class="command"><strong>dnssec-keygen</strong></span>.
The <code class="option">-k</code> option may also be used to specify a SIG(0) key used
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
<dt><span class="term">-l</span></dt>
Local-host only mode. This sets the server address to
localhost (disabling the <span class="command"><strong>server</strong></span> so that the server
address cannot be overridden). Connections to the local server will
use a TSIG key found in <code class="filename">/var/run/named/session.key</code>,
which is automatically generated by <span class="command"><strong>named</strong></span> if any
local master zone has set <span class="command"><strong>update-policy</strong></span> to
<span class="command"><strong>local</strong></span>. The location of this key file can be
overridden with the <code class="option">-k</code> option.
<dt><span class="term">-L <em class="replaceable"><code>level</code></em></span></dt>
Set the logging debug level. If zero, logging is disabled.
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
Set the port to use for connections to a name server. The
default is 53.
<dt><span class="term">-P</span></dt>
Print the list of private BIND-specific resource record
types whose format is understood
by <span class="command"><strong>nsupdate</strong></span>. See also
<dt><span class="term">-r <em class="replaceable"><code>udpretries</code></em></span></dt>
The number of UDP retries. The default is 3. If zero, only
one update request will be made.
<dt><span class="term">-R <em class="replaceable"><code>randomdev</code></em></span></dt>
Where to obtain randomness. If the operating system
does not provide a <code class="filename">/dev/random</code> or
equivalent device, the default source of randomness is keyboard
input. <code class="filename">randomdev</code> specifies the name of
a character device or file containing random data to be used
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used. This option may be specified multiple times.
<dt><span class="term">-t <em class="replaceable"><code>timeout</code></em></span></dt>
The maximum time an update request can take before it is
aborted. The default is 300 seconds. Zero can be used to
disable the timeout.
<dt><span class="term">-T</span></dt>
<p>Print the list of IANA standard resource record types
whose format is understood by <span class="command"><strong>nsupdate</strong></span>.
<span class="command"><strong>nsupdate</strong></span> will exit after the lists are
printed. The <code class="option">-T</code> option can be combined</p>
<p>Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
decimal value of the type with no leading zeros. The rdata,
if present, will be parsed using the UNKNOWN rdata format,
(&lt;backslash&gt; &lt;hash&gt; &lt;space&gt; &lt;length&gt;
&lt;space&gt; &lt;hexstring&gt;).</p>
<dt><span class="term">-u <em class="replaceable"><code>udptimeout</code></em></span></dt>
The UDP retry interval. The default is 3 seconds. If zero,
the interval will be computed from the timeout interval and
number of UDP retries.
<dt><span class="term">-v</span></dt>
Use TCP even for small update requests.
By default, <span class="command"><strong>nsupdate</strong></span>
uses UDP to send update requests to the name server unless they are too
large to fit in a UDP request, in which case TCP will be used.
TCP may be preferable when a batch of update requests is made.
<dt><span class="term">-V</span></dt>
Print the version number and exit.
<dt><span class="term">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></span></dt>
Literal TSIG authentication key.
<em class="parameter"><code>keyname</code></em> is the name of the key, and
<em class="parameter"><code>secret</code></em> is the base64 encoded shared secret.
<em class="parameter"><code>hmac</code></em> is the name of the key algorithm;
valid choices are <code class="literal">hmac-md5</code>,
<code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>, or
<code class="literal">hmac-sha512</code>. If <em class="parameter"><code>hmac</code></em>
is not specified, the default is <code class="literal">hmac-md5</code>
or, if MD5 was disabled, <code class="literal">hmac-sha256</code>.
NOTE: Use of the <code class="option">-y</code> option is discouraged because the
shared secret is supplied as a command line argument in clear text.
This may be visible in the output from
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
or in a history file maintained by the user's shell.
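<p>An added example, not part of the BIND documentation: a detection check for the exposure described in the NOTE above. It scans process-listing lines for nsupdate invocations that pass a literal key with -y and reports the process, key name and algorithm without echoing the secret. The sample listing, user names, paths and key names are constructed.</p>

```sh
#!/bin/sh
# Added example. The listing below is constructed, in the layout of
# `ps -eo pid,user,args`; secrets are placeholder base64 strings.
sample_ps() {
cat <<'EOF'
  811 named    /usr/sbin/named -u named
 4120 dhcpd    nsupdate -y hmac-sha256:ddns-key.example.com:Q09OU1RSVUNURUQtU0VDUkVU -v
 4377 ops      nsupdate -k /etc/bind/ddns.key /tmp/batch.txt
 4502 ops      nsupdate -d -yddns-key:Q09OU1RSVUNURUQ=
EOF
}

# Read ps-style lines on stdin. For every nsupdate process that carries a
# literal TSIG key on its command line, print "pid user keyname hmac".
# Handles "-y value" and "-yvalue"; the secret is never printed.
find_y_exposure() {
    awk '{
        seen = 0
        for (i = 3; i <= NF; i++) {
            if (!seen) {                      # look for the nsupdate binary
                n = split($i, path, "/")
                if (path[n] == "nsupdate") seen = 1
                continue
            }
            val = ""
            if ($i == "-y" && i < NF) val = $(i + 1)
            else if ($i ~ /^-y./)     val = substr($i, 3)
            if (val == "") continue
            k = split(val, f, ":")            # [hmac:]keyname:secret
            if (k == 3)      print $1, $2, f[2], f[1]
            else if (k == 2) print $1, $2, f[1], "default-hmac"
            break
        }
    }'
}

# On a live host: ps -eo pid,user,args | find_y_exposure
sample_ps | find_y_exposure
```

<p>Any key reported this way has been readable by every local user who could list processes and should be rotated, with the caller moved to -k.</p>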
<p><span class="command"><strong>nsupdate</strong></span> reads input from
<em class="parameter"><code>filename</code></em>
or standard input.
Each command is supplied on exactly one line of input.
Some commands are for administrative purposes.
The others are either update instructions or prerequisite checks on the
contents of the zone.
These checks set conditions that some name or set of
resource records (RRset) either exists or is absent from the zone.
These conditions must be met if the entire update request is to succeed.
Updates will be rejected if the tests for the prerequisite conditions</p>
<p>Every update request consists of zero or more prerequisites
and zero or more updates.
This allows a suitably authenticated update request to proceed if some
specified resource records are present or missing from the zone.
A blank input line (or the <span class="command"><strong>send</strong></span> command)
causes the accumulated commands to be sent as one Dynamic DNS update request to the
name server.</p>
The command formats and their meaning are as follows:
<span class="command"><strong>server</strong></span>
{servername}
<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>secret</code></em> pair.
<span class="command"><strong>[<span class="optional">update</span>] del[<span class="optional">ete</span>]</strong></span>
> update delete oldhost.example.com A
> update add newhost.example.com 86400 A 172.16.1.1
> prereq nxdomain nickname.example.com
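<p>An added example, not from the BIND distribution: a wrapper that sends one prerequisite-guarded update with the key read from a file (-k) rather than -y, and that validates its arguments so a value containing a newline cannot smuggle extra commands into the one-command-per-line input. The function names are hypothetical and the host data is constructed; it assumes nsupdate is on PATH and that the key file must be accessible to its owner only.</p>

```sh
#!/bin/sh
# Added example; function names are hypothetical, host data is constructed.

# Succeed only if the key file exists and grants nothing to group or other.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ln "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ]
}

# Print one update request that adds an A record for NAME only if NAME does
# not exist yet. A failed prerequisite rejects the whole request, so an
# existing record is never overwritten.
build_claim() {
    name=$1 ttl=$2 addr=$3
    # Each nsupdate command is exactly one line: refuse anything that could
    # break out of its line (whitespace, newlines, shell or DNS metacharacters).
    case $name in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    case $ttl  in ''|*[!0-9]*)         return 2 ;; esac
    case $addr in ''|*[!0-9.]*)        return 2 ;; esac
    printf 'prereq nxdomain %s\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$addr"
    printf 'send\n'
}

# claim_name KEYFILE NAME TTL ADDR
# The TSIG secret stays in KEYFILE and never appears in argv or shell history.
claim_name() {
    keyfile=$1; shift
    keyfile_is_private "$keyfile" || {
        echo "refusing key file with group/other access: $keyfile" >&2
        return 1
    }
    batch=$(build_claim "$@") || return 2
    printf '%s\n' "$batch" | nsupdate -k "$keyfile"
}

# Show the request that would be sent for a constructed host.
build_claim newhost.example.com 86400 172.16.1.1
```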