0N/A - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") 0N/A - Copyright (C) 2000-2003 Internet Software Consortium. 0N/A - Permission to use, copy, modify, and/or distribute this software for any 0N/A - purpose with or without fee is hereby granted, provided that the above 0N/A - copyright notice and this permission notice appear in all copies. 0N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 0N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 0N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 0N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 0N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 0N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 0N/A - PERFORMANCE OF THIS SOFTWARE. 0N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0N/A<
title>nsupdate</
title>
0N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0N/A<
div class="navheader">
0N/A<
table width="100%" summary="Navigation header">
0N/A<
tr><
th colspan="3" align="center"><
span class="application">nsupdate</
span></
th></
tr>
0N/A<
td width="20%" align="left">
0N/A<
th width="60%" align="center">Manual pages</
th>
0N/A<
div class="refentry" lang="en">
0N/A<
div class="refnamediv">
0N/A<
p><
span class="application">nsupdate</
span> — Dynamic DNS update utility</
p>
0N/A<
div class="refsynopsisdiv">
0N/A<
div class="cmdsynopsis"><
p><
code class="command">nsupdate</
code> [<
code class="option">-d</
code>] [<
code class="option">-D</
code>] [[<
code class="option">-g</
code>] | [<
code class="option">-o</
code>] | [<
code class="option">-l</
code>] | [<
code class="option">-y <
em class="replaceable"><
code>[<
span class="optional">hmac:</
span>]keyname:secret</
code></
em></
code>] | [<
code class="option">-k <
em class="replaceable"><
code>keyfile</
code></
em></
code>]] [<
code class="option">-t <
em class="replaceable"><
code>timeout</
code></
em></
code>] [<
code class="option">-u <
em class="replaceable"><
code>udptimeout</
code></
em></
code>] [<
code class="option">-r <
em class="replaceable"><
code>udpretries</
code></
em></
code>] [<
code class="option">-R <
em class="replaceable"><
code>randomdev</
code></
em></
code>] [<
code class="option">-v</
code>] [filename]</
p></
div>
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2639018"></
a><
h2>DESCRIPTION</
h2>
0N/A<
p><
span><
strong class="command">nsupdate</
strong></
span>
0N/A is used to submit Dynamic DNS Update requests as defined in RFC 2136
0N/A This allows resource records to be added or removed from a zone
0N/A without manually editing the zone file.
0N/A A single update request can contain requests to add or remove more than
0N/A Zones that are under dynamic control via
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A or a DHCP server should not be edited by hand.
0N/A conflict with dynamic updates and cause data to be lost.
0N/A The resource records that are dynamically added or removed with
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A have to be in the same zone.
0N/A Requests are sent to the zone's master server.
0N/A This is identified by the MNAME field of the zone's SOA record.
0N/A <
code class="option">-d</
code>
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A operate in debug mode.
0N/A This provides tracing information about the update requests that are
0N/A made and the replies received from the name server.
0N/A The <
code class="option">-D</
code> option makes <
span><
strong class="command">nsupdate</
strong></
span>
0N/A report additional debugging information to <
code class="option">-d</
code>.
0N/A The <
code class="option">-L</
code> option with an integer argument of zero or
0N/A higher sets the logging debug level. If zero, logging is disabled.
0N/A Transaction signatures can be used to authenticate the Dynamic
0N/A DNS updates. These use the TSIG resource record type described
0N/A in RFC 2845 or the SIG(0) record described in RFC 2535 and
0N/A RFC 2931 or GSS-TSIG as described in RFC 3645. TSIG relies on
0N/A a shared secret that should only be known to
0N/A <
span><
strong class="command">nsupdate</
strong></
span> and the name server. Currently,
0N/A the only supported encryption algorithm for TSIG is HMAC-MD5,
0N/A which is defined in RFC 2104. Once other algorithms are
0N/A defined for TSIG, applications will need to ensure they select
0N/A the appropriate algorithm as well as the key when authenticating
0N/A each other. For instance, suitable <
span class="type">key</
span> and
0N/A <
span class="type">server</
span> statements would be added to
0N/A can associate the appropriate secret key and algorithm with
0N/A the IP address of the client application that will be using
0N/A TSIG authentication. SIG(0) uses public key cryptography.
0N/A To use a SIG(0) key, the public key must be stored in a KEY
0N/A record in a zone served by the name server.
0N/A <
span><
strong class="command">nsupdate</
strong></
span> does not read
0N/A GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode
0N/A is switched on with the <
code class="option">-g</
code> flag. A
0N/A non-standards-compliant variant of GSS-TSIG used by Windows
0N/A 2000 can be switched on with the <
code class="option">-o</
code> flag.
0N/A<
p><
span><
strong class="command">nsupdate</
strong></
span>
0N/A uses the <
code class="option">-y</
code> or <
code class="option">-k</
code> option
0N/A to provide the shared secret needed to generate a TSIG record
0N/A for authenticating Dynamic DNS update requests, default type
0N/A HMAC-MD5. These options are mutually exclusive.
0N/A When the <
code class="option">-y</
code> option is used, a signature is
0N/A [<
span class="optional"><
em class="parameter"><
code>hmac:</
code></
em></
span>]<
em class="parameter"><
code>keyname:secret.</
code></
em>
0N/A <
em class="parameter"><
code>keyname</
code></
em> is the name of the key, and
0N/A <
em class="parameter"><
code>secret</
code></
em> is the base64 encoded shared secret.
0N/A Use of the <
code class="option">-y</
code> option is discouraged because the
0N/A shared secret is supplied as a command line argument in clear text.
0N/A This may be visible in the output from
0N/A <
span class="citerefentry"><
span class="refentrytitle">ps</
span>(1)</
span>
0N/A or in a history file maintained by the user's shell.
0N/A <
code class="option">-k</
code> option, <
span><
strong class="command">nsupdate</
strong></
span> reads
0N/A the shared secret from the file <
em class="parameter"><
code>keyfile</
code></
em>.
0N/A Keyfiles may be in two formats: a single file containing
0N/A a <
code class="filename">
named.conf</
code>-format <
span><
strong class="command">key</
strong></
span>
0N/A statement, which may be generated automatically by
0N/A <
span><
strong class="command">ddns-confgen</
strong></
span>, or a pair of files whose names are
0N/A of the format <
code class="filename">K{name}.+157.+{random}.key</
code> and
0N/A <
code class="filename">K{name}.+157.+{random}.private</
code>, which can be
0N/A generated by <
span><
strong class="command">dnssec-keygen</
strong></
span>.
0N/A The <
code class="option">-k</
code> may also be used to specify a SIG(0) key used
0N/A to authenticate Dynamic DNS update requests. In this case, the key
0N/A specified is not an HMAC-MD5 key.
0N/A <
span><
strong class="command">nsupdate</
strong></
span> can be run in a local-host only mode
0N/A using the <
code class="option">-l</
code> flag. This sets the server address to
0N/A localhost (disabling the <
span><
strong class="command">server</
strong></
span> so that the server
0N/A address cannot be overridden). Connections to the local server will
0N/A which is automatically generated by <
span><
strong class="command">named</
strong></
span> if any
0N/A local master zone has set <
span><
strong class="command">update-policy</
strong></
span> to
0N/A <
span><
strong class="command">local</
strong></
span>. The location of this key file can be
0N/A overridden with the <
code class="option">-k</
code> option.
0N/A By default, <
span><
strong class="command">nsupdate</
strong></
span>
0N/A uses UDP to send update requests to the name server unless they are too
0N/A large to fit in a UDP request in which case TCP will be used.
0N/A <
code class="option">-v</
code>
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A use a TCP connection.
0N/A This may be preferable when a batch of update requests is made.
0N/A The <
code class="option">-p</
code> sets the default port number to use for
0N/A connections to a name server. The default is 53.
0N/A The <
code class="option">-t</
code> option sets the maximum time an update request
0N/A take before it is aborted. The default is 300 seconds. Zero can be
0N/A to disable the timeout.
0N/A The <
code class="option">-u</
code> option sets the UDP retry interval. The default
0N/A 3 seconds. If zero, the interval will be computed from the timeout
0N/A and number of UDP retries.
0N/A The <
code class="option">-r</
code> option sets the number of UDP retries. The
0N/A 3. If zero, only one update request will be made.
0N/A The <
code class="option">-R <
em class="replaceable"><
code>randomdev</
code></
em></
code> option
0N/A specifies a source of randomness. If the operating system
0N/A does not provide a <
code class="filename">/
dev/
random</
code> or
0N/A equivalent device, the default source of randomness is keyboard
0N/A input. <
code class="filename">randomdev</
code> specifies the name of
0N/A a character device or file containing random data to be used
0N/A instead of the default. The special value
0N/A <
code class="filename">keyboard</
code> indicates that keyboard input
0N/A should be used. This option may be specified multiple times.
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2641264"></
a><
h2>INPUT FORMAT</
h2>
0N/A<
p><
span><
strong class="command">nsupdate</
strong></
span>
0N/A <
em class="parameter"><
code>filename</
code></
em>
0N/A Each command is supplied on exactly one line of input.
0N/A Some commands are for administrative purposes.
0N/A The others are either update instructions or prerequisite checks on the
0N/A contents of the zone.
0N/A These checks set conditions that some name or set of
0N/A resource records (RRset) either exists or is absent from the zone.
0N/A These conditions must be met if the entire update request is to succeed.
0N/A Updates will be rejected if the tests for the prerequisite conditions
0N/A Every update request consists of zero or more prerequisites
0N/A and zero or more updates.
0N/A This allows a suitably authenticated update request to proceed if some
0N/A specified resource records are present or missing from the zone.
0N/A A blank input line (or the <
span><
strong class="command">send</
strong></
span> command)
0N/A accumulated commands to be sent as one Dynamic DNS update request to the
0N/A The command formats and their meaning are as follows:
0N/A<
div class="variablelist"><
dl>
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">server</
strong></
span>
0N/A Sends all dynamic update requests to the name server
0N/A <
em class="parameter"><
code>servername</
code></
em>.
0N/A When no server statement is provided,
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A will send updates to the master server of the correct zone.
0N/A The MNAME field of that zone's SOA record will identify the
0N/A server for that zone.
0N/A <
em class="parameter"><
code>port</
code></
em>
0N/A is the port number on
0N/A <
em class="parameter"><
code>servername</
code></
em>
0N/A where the dynamic update requests get sent.
0N/A If no port number is specified, the default DNS port number of
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">local</
strong></
span>
0N/A Sends all dynamic update requests using the local
0N/A <
em class="parameter"><
code>address</
code></
em>.
0N/A When no local statement is provided,
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A will send updates using an address and port chosen by the
0N/A <
em class="parameter"><
code>port</
code></
em>
0N/A can additionally be used to make requests come from a specific
0N/A If no port number is specified, the system will assign one.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">zone</
strong></
span>
0N/A Specifies that all updates are to be made to the zone
0N/A <
em class="parameter"><
code>zonename</
code></
em>.
0N/A <
em class="parameter"><
code>zone</
code></
em>
0N/A statement is provided,
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A will attempt determine the correct zone to update based on the
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">class</
strong></
span>
0N/A Specify the default class.
0N/A If no <
em class="parameter"><
code>class</
code></
em> is specified, the
0N/A <
em class="parameter"><
code>IN</
code></
em>.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">ttl</
strong></
span>
0N/A Specify the default time to live for records to be added.
0N/A The value <
em class="parameter"><
code>none</
code></
em> will clear the default
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">key</
strong></
span>
0N/A Specifies that all updates are to be TSIG-signed using the
0N/A <
em class="parameter"><
code>keyname</
code></
em> <
em class="parameter"><
code>keysecret</
code></
em> pair.
0N/A The <
span><
strong class="command">key</
strong></
span> command
0N/A overrides any key specified on the command line via
0N/A <
code class="option">-y</
code> or <
code class="option">-k</
code>.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">gsstsig</
strong></
span>
0N/A Use GSS-TSIG to sign the updated. This is equivalent to
0N/A specifying <
code class="option">-g</
code> on the commandline.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">oldgsstsig</
strong></
span>
0N/A Use the Windows 2000 version of GSS-TSIG to sign the updated.
0N/A This is equivalent to specifying <
code class="option">-o</
code> on the
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">realm</
strong></
span>
0N/A {[<
span class="optional">realm_name</
span>]}
0N/A When using GSS-TSIG use <
em class="parameter"><
code>realm_name</
code></
em> rather
0N/A than the default realm in <
code class="filename">
krb5.conf</
code>. If no
0N/A realm is specified the saved realm is cleared.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">prereq nxdomain</
strong></
span>
0N/A Requires that no resource record of any type exists with name
0N/A <
em class="parameter"><
code>domain-name</
code></
em>.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">prereq yxdomain</
strong></
span>
0N/A <
em class="parameter"><
code>domain-name</
code></
em>
0N/A exists (has as at least one resource record, of any type).
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">prereq nxrrset</
strong></
span>
0N/A Requires that no resource record exists of the specified
0N/A <
em class="parameter"><
code>type</
code></
em>,
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A <
em class="parameter"><
code>domain-name</
code></
em>.
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A is omitted, IN (internet) is assumed.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">prereq yxrrset</
strong></
span>
0N/A This requires that a resource record of the specified
0N/A <
em class="parameter"><
code>type</
code></
em>,
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A <
em class="parameter"><
code>domain-name</
code></
em>
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A is omitted, IN (internet) is assumed.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">prereq yxrrset</
strong></
span>
0N/A <
em class="parameter"><
code>data</
code></
em>
0N/A from each set of prerequisites of this form
0N/A <
em class="parameter"><
code>type</
code></
em>,
0N/A <
em class="parameter"><
code>class</
code></
em>,
0N/A <
em class="parameter"><
code>domain-name</
code></
em>
0N/A are combined to form a set of RRs. This set of RRs must
0N/A exactly match the set of RRs existing in the zone at the
0N/A <
em class="parameter"><
code>type</
code></
em>,
0N/A <
em class="parameter"><
code>class</
code></
em>,
0N/A <
em class="parameter"><
code>domain-name</
code></
em>.
0N/A <
em class="parameter"><
code>data</
code></
em>
0N/A are written in the standard text representation of the resource
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">update delete</
strong></
span>
0N/A Deletes any resource records named
0N/A <
em class="parameter"><
code>domain-name</
code></
em>.
0N/A <
em class="parameter"><
code>type</
code></
em>
0N/A <
em class="parameter"><
code>data</
code></
em>
0N/A is provided, only matching resource records will be removed.
0N/A The internet class is assumed if
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A is not supplied. The
0N/A <
em class="parameter"><
code>ttl</
code></
em>
0N/A is ignored, and is only allowed for compatibility.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">update add</
strong></
span>
0N/A Adds a new resource record with the specified
0N/A <
em class="parameter"><
code>ttl</
code></
em>,
0N/A <
em class="parameter"><
code>class</
code></
em>
0N/A <
em class="parameter"><
code>data</
code></
em>.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">show</
strong></
span>
0N/A Displays the current message, containing all of the
0N/A updates specified since the last send.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">send</
strong></
span>
0N/A Sends the current message. This is equivalent to entering a
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">answer</
strong></
span>
0N/A Displays the answer.
0N/A<
dt><
span class="term">
0N/A <
span><
strong class="command">debug</
strong></
span>
0N/A Lines beginning with a semicolon are comments and are ignored.
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2678289"></
a><
h2>EXAMPLES</
h2>
0N/A The examples below show how
0N/A <
span><
strong class="command">nsupdate</
strong></
span>
0N/A could be used to insert and delete resource records from the
0N/A Notice that the input in each example contains a trailing blank line so
0N/A a group of commands are sent as one dynamic update request to the
0N/A master name server for
0N/A<
pre class="programlisting">
0N/A with IP address 172.16.1.1 is added.
0N/A The newly-added record has a 1 day TTL (86400 seconds).
0N/A<
pre class="programlisting">
0N/A The prerequisite condition gets the name server to check that there
0N/A are no resource records of any type for
0N/A If there are, the update request fails.
0N/A If this name does not exist, a CNAME for it is added.
0N/A This ensures that when the CNAME is added, it cannot conflict with the
0N/A long-standing rule in RFC 1034 that a name must not exist as any other
0N/A record type if it exists as a CNAME.
0N/A (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have
0N/A RRSIG, DNSKEY and NSEC records.)
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2678339"></
a><
h2>FILES</
h2>
0N/A<
div class="variablelist"><
dl>
0N/A used to identify default name server
0N/A sets the default TSIG key for use in local-only mode
0N/A<
dt><
span class="term"><
code class="constant">K{name}.+157.+{random}.key</
code></
span></
dt>
0N/A base-64 encoding of HMAC-MD5 key created by
0N/A <
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>.
0N/A<
dt><
span class="term"><
code class="constant">K{name}.+157.+{random}.private</
code></
span></
dt>
0N/A base-64 encoding of HMAC-MD5 key created by
0N/A <
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>.
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2678490"></
a><
h2>SEE ALSO</
h2>
0N/A <
em class="citetitle">RFC 2136</
em>,
0N/A <
em class="citetitle">RFC 3007</
em>,
0N/A <
em class="citetitle">RFC 2104</
em>,
0N/A <
em class="citetitle">RFC 2845</
em>,
0N/A <
em class="citetitle">RFC 1034</
em>,
0N/A <
em class="citetitle">RFC 2535</
em>,
0N/A <
em class="citetitle">RFC 2931</
em>,
0N/A <
span class="citerefentry"><
span class="refentrytitle">named</
span>(8)</
span>,
0N/A <
span class="citerefentry"><
span class="refentrytitle">ddns-confgen</
span>(8)</
span>,
0N/A <
span class="citerefentry"><
span class="refentrytitle">dnssec-keygen</
span>(8)</
span>.
0N/A<
div class="refsect1" lang="en">
0N/A<
a name="id2678548"></
a><
h2>BUGS</
h2>
0N/A The TSIG key is redundantly stored in two separate files.
0N/A This is a consequence of nsupdate using the DST library
0N/A for its cryptographic operations, and may change in future
0N/A<
div class="navfooter">
0N/A<
table width="100%" summary="Navigation footer">
0N/A<
td width="40%" align="left">
0N/A<
td width="40%" align="left" valign="top">
0N/A<
span class="application">named-journalprint</
span>�</
td>
0N/A<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
0N/A<
td width="40%" align="right" valign="top">�<
span class="application">rndc</
span>