1NSUPDATE(1)                         BIND 9                         NSUPDATE(1)
2
3
4

NAME

6       nsupdate - dynamic DNS update utility
7

SYNOPSIS

9       nsupdate  [-d]  [-D]  [-i]  [-L  level]  [  [-g]  |  [-o]  | [-l] | [-y
10       [hmac:]keyname:secret] | [-k keyfile] ] [-t  timeout]  [-u  udptimeout]
11       [-r udpretries] [-v] [-T] [-P] [-V] [ [-4] | [-6] ] [filename]
12

DESCRIPTION

14       nsupdate  is  used to submit Dynamic DNS Update requests, as defined in
15       RFC 2136, to a name server. This allows resource records to be added or
16       removed  from  a  zone without manually editing the zone file. A single
17       update request can contain requests to add or remove more than one  re‐
18       source record.
19
20       Zones  that  are  under  dynamic  control via nsupdate or a DHCP server
21       should not be edited by hand. Manual edits could conflict with  dynamic
22       updates and cause data to be lost.
23
24       The  resource  records that are dynamically added or removed with nsup‐
25       date must be in the same zone. Requests are sent to the zone's  primary
26       server,  which  is  identified  by  the  MNAME  field of the zone's SOA
27       record.
28
29       Transaction signatures can be used to authenticate the Dynamic DNS  up‐
30       dates.  These  use the TSIG resource record type described in RFC 2845,
31       the SIG(0) record described in RFC 2535 and RFC 2931,  or  GSS-TSIG  as
32       described in RFC 3645.
33
34       TSIG  relies  on  a shared secret that should only be known to nsupdate
35       and the name server. For instance, suitable key and  server  statements
36       are  added to /etc/named.conf so that the name server can associate the
37       appropriate secret key and algorithm with the IP address of the  client
38       application  that is using TSIG authentication. ddns-confgen can gener‐
39       ate suitable configuration fragments. nsupdate uses the -y  or  -k  op‐
40       tions to provide the TSIG shared secret; these options are mutually ex‐
41       clusive.
42
43       SIG(0) uses public key cryptography. To use a SIG(0)  key,  the  public
44       key must be stored in a KEY record in a zone served by the name server.
45
46       GSS-TSIG  uses Kerberos credentials. Standard GSS-TSIG mode is switched
47       on with the -g flag. A non-standards-compliant variant of GSS-TSIG used
48       by Windows 2000 can be switched on with the -o flag.
49

OPTIONS

51       -4     This option sets use of IPv4 only.
52
53       -6     This option sets use of IPv6 only.
54
55       -d     This  option sets debug mode, which provides tracing information
56              about the update requests that are made and the replies received
57              from the name server.
58
59       -D     This option sets extra debug mode.
60
61       -i     This option forces interactive mode, even when standard input is
62              not a terminal.
63
64       -k keyfile
65              This option indicates the file containing the  TSIG  authentica‐
66              tion key. Keyfiles may be in two formats: a single file contain‐
67              ing a named.conf-format key statement, which  may  be  generated
68              automatically  by  ddns-confgen;  or a pair of files whose names
69              are    of    the    format    K{name}.+157.+{random}.key     and
70              K{name}.+157.+{random}.private,   which   can  be  generated  by
71              dnssec-keygen. The -k option can  also  be  used  to  specify  a
72              SIG(0)  key used to authenticate Dynamic DNS update requests. In
73              this case, the key specified is not an HMAC-MD5 key.
74
75       -l     This option sets local-host only mode, which sets the server ad‐
76              dress  to localhost (disabling the server so that the server ad‐
77              dress cannot be overridden). Connections to the local server use
78              a  TSIG  key found in /var/run/named/session.key, which is auto‐
79              matically generated by named if any local primary zone  has  set
80              update-policy  to  local.  The  location of this key file can be
81              overridden with the -k option.
82
83       -L level
84              This option sets the logging debug level. If  zero,  logging  is
85              disabled.
86
87       -p port
88              This  option  sets  the  port  to  use for connections to a name
89              server. The default is 53.
90
91       -P     This option prints the list of  private  BIND-specific  resource
92              record  types  whose  format is understood by nsupdate. See also
93              the -T option.
94
95       -r udpretries
96              This option sets the number of UDP retries. The default is 3. If
97              zero, only one update request is made.
98
99       -t timeout
100              This option sets the maximum time an update request can take be‐
101              fore it is aborted. The default is 300  seconds.  If  zero,  the
102              timeout is disabled.
103
104       -T     This  option  prints  the  list of IANA standard resource record
105              types whose format is understood by nsupdate. nsupdate exits af‐
106              ter  the  lists  are printed. The -T option can be combined with
107              the -P option.
108
109              Other types can be entered using TYPEXXXXX where  XXXXX  is  the
110              decimal  value  of the type with no leading zeros. The rdata, if
111              present, is parsed using the UNKNOWN rdata format,  (<backslash>
112              <hash> <space> <length> <space> <hexstring>).
113
114       -u udptimeout
115              This  option  sets the UDP retry interval. The default is 3 sec‐
116              onds. If zero, the interval is computed from the timeout  inter‐
117              val and number of UDP retries.
118
119       -v     This option specifies that TCP should be used even for small up‐
120              date requests. By default, nsupdate uses UDP to send update  re‐
121              quests  to the name server unless they are too large to fit in a
122              UDP request, in which case TCP is used. TCP  may  be  preferable
123              when a batch of update requests is made.
124
125       -V     This option prints the version number and exits.
126
127       -y [hmac:]keyname:secret
128              This option sets the literal TSIG authentication key. keyname is
129              the name of the key, and secret is the base64 encoded shared se‐
130              cret.  hmac  is the name of the key algorithm; valid choices are
131              hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,  hmac-sha384,  or
132              hmac-sha512.  If hmac is not specified, the default is hmac-md5,
133              or if MD5 was disabled, hmac-sha256.
134
135              NOTE: Use of the -y option is discouraged because the shared se‐
136              cret  is supplied as a command-line argument in clear text. This
137              may be visible in the output from ps1 or in a history file main‐
138              tained by the user's shell.
139

INPUT FORMAT

141       nsupdate  reads  input from filename or standard input. Each command is
142       supplied on exactly one line of input. Some commands are  for  adminis‐
143       trative purposes; others are either update instructions or prerequisite
144       checks on the contents of the zone. These checks  set  conditions  that
145       some name or set of resource records (RRset) either exists or is absent
146       from the zone. These conditions must be met if the  entire  update  re‐
147       quest  is to succeed. Updates are rejected if the tests for the prereq‐
148       uisite conditions fail.
149
150       Every update request consists of zero or more prerequisites and zero or
151       more  updates.  This  allows a suitably authenticated update request to
152       proceed if some specified resource records are either present or  miss‐
153       ing  from the zone. A blank input line (or the send command) causes the
154       accumulated commands to be sent as one Dynamic DNS  update  request  to
155       the name server.
156
157       The command formats and their meanings are as follows:
158
159       server servername port
160              This  command  sends  all  dynamic  update  requests to the name
161              server servername.  When no server statement is provided,  nsup‐
162              date  sends  updates  to the primary server of the correct zone.
163              The MNAME field of that zone's SOA record identify  the  primary
164              server  for  that  zone.   port is the port number on servername
165              where the dynamic update requests are sent. If no port number is
166              specified, the default DNS port number of 53 is used.
167
168       local address port
169              This  command  sends all dynamic update requests using the local
170              address. When no local statement is provided, nsupdate sends up‐
171              dates  using  an address and port chosen by the system. port can
172              also be used to force requests to come from a specific port.  If
173              no port number is specified, the system assigns one.
174
175       zone zonename
176              This  command  specifies  that all updates are to be made to the
177              zone zonename.  If no zone statement is provided,  nsupdate  at‐
178              tempts to determine the correct zone to update based on the rest
179              of the input.
180
181       class classname
182              This command specifies the default class. If no class is  speci‐
183              fied, the default class is IN.
184
185       ttl seconds
186              This command specifies the default time-to-live, in seconds, for
187              records to be added. The value none clears the default TTL.
188
189       key hmac:keyname secret
190              This command specifies that all updates are  to  be  TSIG-signed
191              using the keyname-secret pair. If hmac is specified, it sets the
192              signing algorithm in use. The default is hmac-md5;  if  MD5  was
193              disabled,  the default is hmac-sha256. The key command overrides
194              any key specified on the command line via -y or -k.
195
196       gsstsig
197              This command uses GSS-TSIG to sign the updates. This is  equiva‐
198              lent to specifying -g on the command line.
199
200       oldgsstsig
201              This  command  uses the Windows 2000 version of GSS-TSIG to sign
202              the updates. This is equivalent to specifying -o on the  command
203              line.
204
205       realm [realm_name]
206              When   using   GSS-TSIG,  this  command  specifies  the  use  of
207              realm_name rather than the default realm  in  krb5.conf.  If  no
208              realm is specified, the saved realm is cleared.
209
210       check-names [yes_or_no]
211              This  command  turns on or off check-names processing on records
212              to be added.  Check-names has  no  effect  on  prerequisites  or
213              records to be deleted.  By default check-names processing is on.
214              If check-names processing fails, the record is not added to  the
215              UPDATE message.
216
217       prereq nxdomain domain-name
218              This  command requires that no resource record of any type exist
219              with the name domain-name.
220
221       prereq yxdomain domain-name
222              This command requires that domain-name exist (as  at  least  one
223              resource record, of any type).
224
225       prereq nxrrset domain-name class type
226              This command requires that no resource record exist of the spec‐
227              ified type, class, and domain-name. If class is omitted, IN (In‐
228              ternet) is assumed.
229
230       prereq yxrrset domain-name class type
231              This  command  requires  that a resource record of the specified
232              type, class and domain-name exist. If class is omitted, IN  (in‐
233              ternet) is assumed.
234
235       prereq yxrrset domain-name class type data
236              With  this  command,  the data from each set of prerequisites of
237              this form sharing a common type, class, and domain-name are com‐
238              bined  to  form a set of RRs. This set of RRs must exactly match
239              the set of RRs existing in the zone at the  given  type,  class,
240              and  domain-name. The data are written in the standard text rep‐
241              resentation of the resource record's RDATA.
242
243       update delete domain-name ttl class type data
244              This command deletes any resource records named domain-name.  If
245              type  and  data are provided, only matching resource records are
246              removed.  The Internet class is assumed if  class  is  not  sup‐
247              plied.  The  ttl is ignored, and is only allowed for compatibil‐
248              ity.
249
250       update add domain-name ttl class type data
251              This command adds a new resource record with the specified  ttl,
252              class, and data.
253
254       show   This command displays the current message, containing all of the
255              prerequisites and updates specified since the last send.
256
257       send   This command sends the current message. This  is  equivalent  to
258              entering a blank line.
259
260       answer This command displays the answer.
261
262       debug  This command turns on debugging.
263
264       version
265              This command prints the version number.
266
267       help   This command prints a list of commands.
268
269       Lines beginning with a semicolon (;) are comments and are ignored.
270

EXAMPLES

272       The  examples  below show how nsupdate can be used to insert and delete
273       resource records from the example.com zone. Notice that  the  input  in
274       each  example  contains  a trailing blank line, so that a group of com‐
275       mands is sent as one dynamic update request to the primary name  server
276       for example.com.
277
278          # nsupdate
279          > update delete oldhost.example.com A
280          > update add newhost.example.com 86400 A 172.16.1.1
281          > send
282
283       Any  A records for oldhost.example.com are deleted, and an A record for
284       newhost.example.com with IP address  172.16.1.1  is  added.  The  newly
285       added record has a TTL of 1 day (86400 seconds).
286
287          # nsupdate
288          > prereq nxdomain nickname.example.com
289          > update add nickname.example.com 86400 CNAME somehost.example.com
290          > send
291
292       The  prerequisite  condition tells the name server to verify that there
293       are no resource records of any type for nickname.example.com. If  there
294       are, the update request fails. If this name does not exist, a CNAME for
295       it is added. This ensures that when the CNAME is added, it cannot  con‐
296       flict  with the long-standing rule in RFC 1034 that a name must not ex‐
297       ist as any other record type if it exists as a  CNAME.  (The  rule  has
298       been  updated  for  DNSSEC  in  RFC 2535 to allow CNAMEs to have RRSIG,
299       DNSKEY, and NSEC records.)
300

FILES

302       /etc/resolv.conf
303              Used to identify the default name server
304
305       /var/run/named/session.key
306              Sets the default TSIG key for use in local-only mode
307
308       K{name}.+157.+{random}.key
309              Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.
310
311       K{name}.+157.+{random}.private
312              Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.
313

SEE ALSO

315       RFC 2136, RFC 3007, RFC 2104, RFC 2845, RFC 1034, RFC 2535,  RFC  2931,
316       named(8), ddns-confgen(8), dnssec-keygen(8).
317

BUGS

319       The  TSIG  key  is  redundantly stored in two separate files. This is a
320       consequence of nsupdate using the DST library for its cryptographic op‐
321       erations, and may change in future releases.
322

AUTHOR

324       Internet Systems Consortium
325
327       2021, Internet Systems Consortium
328
329
330
331
3329.16.16-RH                                                         NSUPDATE(1)
Impressum