NSUPDATE(1)                         BIND 9                         NSUPDATE(1)

NAME

       nsupdate - dynamic DNS update utility

SYNOPSIS

       nsupdate [-d] [-D] [-i] [-L level] [ [-g] | [-o] | [-l] | [-y
       [hmac:]keyname:secret] | [-k keyfile] ] [ [-S] [-K tlskeyfile] [-E
       tlscertfile] [-A tlscafile] [-H tlshostname] [-O] ] [-t timeout]
       [-u udptimeout] [-r udpretries] [-v] [-T] [-P] [-V] [ [-4] | [-6] ]
       [filename]

DESCRIPTION

       nsupdate is used to submit Dynamic DNS Update requests, as defined in
       RFC 2136, to a name server. This allows resource records to be added
       or removed from a zone without manually editing the zone file. A
       single update request can contain requests to add or remove more than
       one resource record.

       Zones that are under dynamic control via nsupdate or a DHCP server
       should not be edited by hand. Manual edits could conflict with dynamic
       updates and cause data to be lost.

       The resource records that are dynamically added or removed with
       nsupdate must be in the same zone. Requests are sent to the zone's
       primary server, which is identified by the MNAME field of the zone's
       SOA record.

       Transaction signatures can be used to authenticate the Dynamic DNS
       updates. These use the TSIG resource record type described in RFC
       2845, the SIG(0) record described in RFC 2535 and RFC 2931, or
       GSS-TSIG as described in RFC 3645.

       TSIG relies on a shared secret that should only be known to nsupdate
       and the name server. For instance, suitable key and server statements
       are added to /etc/named.conf so that the name server can associate
       the appropriate secret key and algorithm with the IP address of the
       client application that is using TSIG authentication. ddns-confgen
       can generate suitable configuration fragments. nsupdate uses the -y
       or -k options to provide the TSIG shared secret; these options are
       mutually exclusive.

       SIG(0) uses public key cryptography. To use a SIG(0) key, the public
       key must be stored in a KEY record in a zone served by the name
       server.

       GSS-TSIG uses Kerberos credentials. Standard GSS-TSIG mode is switched
       on with the -g flag. A non-standards-compliant variant of GSS-TSIG
       used by Windows 2000 can be switched on with the -o flag.

OPTIONS

       -4     This option sets use of IPv4 only.

       -6     This option sets use of IPv6 only.

       -A tlscafile
              This option specifies the file of certificate authority (CA)
              certificates (in PEM format) used to verify the remote
              server's TLS certificate when using DNS-over-TLS (DoT), to
              achieve Strict or Mutual TLS. When used, it overrides the
              certificates from the global certificate store, which are
              otherwise used by default when -S is enabled. This option
              cannot be used in conjunction with -O, and it implies -S.

       -C     This option overrides the default resolv.conf file. It is only
              intended for testing.

       -d     This option sets debug mode, which provides tracing information
              about the update requests that are made and the replies
              received from the name server.

       -D     This option sets extra debug mode.

       -E tlscertfile
              This option sets the certificate(s) file for authentication
              for the DNS-over-TLS (DoT) transport to the remote server. The
              certificate chain file is expected to be in PEM format. This
              option implies -S, and can only be used with -K.

       -g     This option enables standard GSS-TSIG mode.

       -H tlshostname
              This option makes nsupdate use the provided hostname during
              remote server TLS certificate verification. Otherwise, the DNS
              server name is used. This option implies -S.

       -i     This option forces interactive mode, even when standard input
              is not a terminal.

       -k keyfile
              This option indicates the file containing the TSIG
              authentication key. Keyfiles may be in two formats: a single
              file containing a named.conf-format key statement, which may
              be generated automatically by ddns-confgen; or a pair of files
              whose names are of the format K{name}.+157.+{random}.key and
              K{name}.+157.+{random}.private, which can be generated by
              dnssec-keygen. The -k option can also be used to specify a
              SIG(0) key used to authenticate Dynamic DNS update requests.
              In this case, the key specified is not an HMAC-MD5 key.

       -K tlskeyfile
              This option sets the key file for authenticated encryption for
              the DNS-over-TLS (DoT) transport with the remote server. The
              private key file is expected to be in PEM format. This option
              implies -S, and can only be used with -E.

       -l     This option sets local-host only mode, which sets the server
              address to localhost (disabling the server command so that the
              server address cannot be overridden). Connections to the local
              server use a TSIG key found in /run/session.key, which is
              automatically generated by named if any local primary zone has
              set update-policy to local. The location of this key file can
              be overridden with the -k option.

       -L level
              This option sets the logging debug level. If zero, logging is
              disabled.

       -o     This option is deprecated. Previously, it enabled a
              non-standards-compliant variant of GSS-TSIG that was used by
              Windows 2000. Since that OS is now long past its end of life,
              this option is now treated as a synonym for -g.

       -O     This option enables Opportunistic TLS. When used, the remote
              peer's TLS certificate is not verified. This option should be
              used for debugging purposes only, and it is not recommended
              for use in production. This option cannot be used in
              conjunction with -A, and it implies -S.

       -p port
              This option sets the port to use for connections to a name
              server. The default is 53.

       -P     This option prints the list of private BIND-specific resource
              record types whose format is understood by nsupdate. See also
              the -T option.

       -r udpretries
              This option sets the number of UDP retries. The default is 3.
              If zero, only one update request is made.

       -S     This option indicates whether to use DNS-over-TLS (DoT) when
              querying name servers specified by the server servername port
              syntax in the input file, and the primary server discovered
              through a SOA request. When the -K and -E options are used,
              the specified TLS client certificate and private key pair are
              used for authentication (Mutual TLS). This option implies -v.

       -t timeout
              This option sets the maximum time an update request can take
              before it is aborted. The default is 300 seconds. If zero, the
              timeout is disabled for TCP mode. For UDP mode, the option -u
              takes precedence over this option, unless the option -u is set
              to zero, in which case the interval is computed from the -t
              timeout interval and the number of UDP retries. For UDP mode,
              the timeout cannot be disabled, and is rounded up to 1 second
              if both -t and -u are set to zero.

       -T     This option prints the list of IANA standard resource record
              types whose format is understood by nsupdate. nsupdate exits
              after the lists are printed. The -T option can be combined
              with the -P option.

              Other types can be entered using TYPEXXXXX where XXXXX is the
              decimal value of the type with no leading zeros. The rdata, if
              present, is parsed using the UNKNOWN rdata format (<backslash>
              <hash> <space> <length> <space> <hexstring>).

       -u udptimeout
              This option sets the UDP retry interval. The default is 3
              seconds. If zero, the interval is computed from the timeout
              interval and number of UDP retries.

       -v     This option specifies that TCP should be used even for small
              update requests. By default, nsupdate uses UDP to send update
              requests to the name server unless they are too large to fit
              in a UDP request, in which case TCP is used. TCP may be
              preferable when a batch of update requests is made.

       -V     This option prints the version number and exits.

       -y [hmac:]keyname:secret
              This option sets the literal TSIG authentication key. keyname
              is the name of the key, and secret is the base64 encoded
              shared secret. hmac is the name of the key algorithm; valid
              choices are hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
              hmac-sha384, or hmac-sha512. If hmac is not specified, the
              default is hmac-md5, or if MD5 was disabled, hmac-sha256.

              NOTE: Use of the -y option is discouraged because the shared
              secret is supplied as a command-line argument in clear text.
              This may be visible in the output from ps(1) or in a history
              file maintained by the user's shell.
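
       The -y caveat above has a practical counterpart. The following is an
       added example, not BIND or nsupdate code: a wrapper that writes the
       named.conf-format key statement -k accepts into a file readable only
       by its owner and drives nsupdate from a batch file, so the secret
       never appears in the process list or shell history. The key name
       ddns-key.example.com., the zone example.com., the host name and the
       address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of BIND or nsupdate: keep the TSIG secret out of
# argv (the -y caveat) by handing nsupdate a named.conf-format key statement
# via -k, and drive it from a batch file instead of a terminal.
# Key name, zone, host and address are constructed placeholders.
set -eu

# Write the key statement that -k accepts (the same shape ddns-confgen and
# tsig-keygen emit) with a fresh 256-bit secret. The file is created under
# umask 077 so the secret is never group/world readable, not even briefly.
write_tsig_keyfile() {
    keyfile=$1 keyname=$2 algorithm=$3
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    rm -f "$keyfile"
    ( umask 077; : > "$keyfile" )
    cat > "$keyfile" <<EOF
key "$keyname" {
    algorithm $algorithm;
    secret "$secret";
};
EOF
}

# Return 0 only if the key file carries no group or other permission bits.
keyfile_mode_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Build the batch in the INPUT FORMAT: an explicit zone so nsupdate does not
# have to infer it, delete-then-add so the RRset change travels in one UPDATE
# request, and a final send. Lines starting with ';' are comments.
write_update_batch() {
    batch=$1 host=$2 addr=$3
    cat > "$batch" <<EOF
; constructed example batch
zone example.com.
update delete $host A
update add $host 3600 A $addr
send
EOF
}

# Usage: sh this_script.sh run   (needs a reachable primary for example.com)
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    write_tsig_keyfile "$work/ddns.key" ddns-key.example.com. hmac-sha256
    write_update_batch "$work/update.txt" newhost.example.com. 172.16.1.1
    keyfile_mode_ok "$work/ddns.key"
    # -v selects TCP, which the -v description recommends for batches;
    # -k reads the secret from the file instead of the command line.
    nsupdate -v -k "$work/ddns.key" "$work/update.txt"
fi
```

       The functions are separated from the nsupdate call so the generated
       key file and batch can be inspected (and their permissions checked)
       before any request leaves the host.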

INPUT FORMAT

       nsupdate reads input from filename or standard input. Each command is
       supplied on exactly one line of input. Some commands are for
       administrative purposes; others are either update instructions or
       prerequisite checks on the contents of the zone. These checks set
       conditions that some name or set of resource records (RRset) either
       exists or is absent from the zone. These conditions must be met if
       the entire update request is to succeed. Updates are rejected if the
       tests for the prerequisite conditions fail.

       Every update request consists of zero or more prerequisites and zero
       or more updates. This allows a suitably authenticated update request
       to proceed if some specified resource records are either present or
       missing from the zone. A blank input line (or the send command)
       causes the accumulated commands to be sent as one Dynamic DNS update
       request to the name server.

       The command formats and their meanings are as follows:

       server servername port
              This command sends all dynamic update requests to the name
              server servername. When no server statement is provided,
              nsupdate sends updates to the primary server of the correct
              zone. The MNAME field of that zone's SOA record identifies the
              primary server for that zone. port is the port number on
              servername where the dynamic update requests are sent. If no
              port number is specified, the default DNS port number of 53 is
              used.

              NOTE:
                 This command has no effect when GSS-TSIG is in use.

       local address port
              This command sends all dynamic update requests using the local
              address. When no local statement is provided, nsupdate sends
              updates using an address and port chosen by the system. port
              can also be used to force requests to come from a specific
              port. If no port number is specified, the system assigns one.

       zone zonename
              This command specifies that all updates are to be made to the
              zone zonename. If no zone statement is provided, nsupdate
              attempts to determine the correct zone to update based on the
              rest of the input.

       class classname
              This command specifies the default class. If no class is
              specified, the default class is IN.

       ttl seconds
              This command specifies the default time-to-live, in seconds,
              for records to be added. The value none clears the default
              TTL.

       key hmac:keyname secret
              This command specifies that all updates are to be TSIG-signed
              using the keyname-secret pair. If hmac is specified, it sets
              the signing algorithm in use. The default is hmac-md5; if MD5
              was disabled, the default is hmac-sha256. The key command
              overrides any key specified on the command line via -y or -k.

       gsstsig
              This command uses GSS-TSIG to sign the updates. This is
              equivalent to specifying -g on the command line.

       oldgsstsig
              This command is deprecated and will be removed in a future
              release. Previously, it caused nsupdate to use the Windows
              2000 version of GSS-TSIG to sign updates. It is now treated as
              a synonym for gsstsig.

       realm [realm_name]
              When using GSS-TSIG, this command specifies the use of
              realm_name rather than the default realm in krb5.conf. If no
              realm is specified, the saved realm is cleared.

       check-names [boolean]
              This command turns on or off check-names processing on records
              to be added. Check-names has no effect on prerequisites or
              records to be deleted. By default check-names processing is
              on. If check-names processing fails, the record is not added
              to the UPDATE message.

       check-svcb [boolean]
              This command turns on or off check-svcb processing on records
              to be added. Check-svcb has no effect on prerequisites or
              records to be deleted. By default check-svcb processing is on.
              If check-svcb processing fails, the record is not added to the
              UPDATE message.

       prereq nxdomain domain-name
              This command requires that no resource record of any type
              exist with the name domain-name.

       prereq yxdomain domain-name
              This command requires that domain-name exist (as at least one
              resource record, of any type).

       prereq nxrrset domain-name class type
              This command requires that no resource record exist of the
              specified type, class, and domain-name. If class is omitted,
              IN (Internet) is assumed.

       prereq yxrrset domain-name class type
              This command requires that a resource record of the specified
              type, class and domain-name exist. If class is omitted, IN
              (Internet) is assumed.

       prereq yxrrset domain-name class type data
              With this command, the data from each set of prerequisites of
              this form sharing a common type, class, and domain-name are
              combined to form a set of RRs. This set of RRs must exactly
              match the set of RRs existing in the zone at the given type,
              class, and domain-name. The data are written in the standard
              text representation of the resource record's RDATA.

       update delete domain-name ttl class type data
              This command deletes any resource records named domain-name.
              If type and data are provided, only matching resource records
              are removed. The Internet class is assumed if class is not
              supplied. The ttl is ignored, and is only allowed for
              compatibility.

       update add domain-name ttl class type data
              This command adds a new resource record with the specified
              ttl, class, and data.

       show   This command displays the current message, containing all of
              the prerequisites and updates specified since the last send.

       send   This command sends the current message. This is equivalent to
              entering a blank line.

       answer This command displays the answer.

       debug  This command turns on debugging.

       version
              This command prints the version number.

       help   This command prints a list of commands.

       Lines beginning with a semicolon (;) are comments and are ignored.

EXAMPLES

       The examples below show how nsupdate can be used to insert and delete
       resource records from the example.com zone. Notice that the input in
       each example contains a trailing blank line, so that a group of
       commands is sent as one dynamic update request to the primary name
       server for example.com.

          # nsupdate
          > update delete oldhost.example.com A
          > update add newhost.example.com 86400 A 172.16.1.1
          > send

       Any A records for oldhost.example.com are deleted, and an A record
       for newhost.example.com with IP address 172.16.1.1 is added. The
       newly added record has a TTL of 1 day (86400 seconds).

          # nsupdate
          > prereq nxdomain nickname.example.com
          > update add nickname.example.com 86400 CNAME somehost.example.com
          > send

       The prerequisite condition tells the name server to verify that
       there are no resource records of any type for nickname.example.com.
       If there are, the update request fails. If this name does not exist,
       a CNAME for it is added. This ensures that when the CNAME is added,
       it cannot conflict with the long-standing rule in RFC 1034 that a
       name must not exist as any other record type if it exists as a CNAME.
       (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to
       have RRSIG, DNSKEY, and NSEC records.)
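
       To make concrete what the TSIG-authenticated request described under
       DESCRIPTION and the prereq/update commands under INPUT FORMAT put on
       the wire, here is an added example, not code from nsupdate or BIND.
       It encodes the second example above as an RFC 2136 UPDATE message
       using only the Python standard library, appends an hmac-sha256 TSIG
       as RFC 2845 specifies, and verifies it the way a server would
       (recompute the MAC over the message with the TSIG RR removed, check
       the key name and the time-signed window). The key name
       ddns-key.example.com., the raw 32-byte secret (nsupdate takes the
       same secret base64 encoded), the message ID and the time-signed
       value are constructed for illustration.

```python
"""RFC 2136 UPDATE with an RFC 2845 TSIG, stdlib only. Added example, not BIND code."""
import hashlib
import hmac
import struct

# RR type and class codes used by RFC 2136 prerequisites and updates
TYPE_A, TYPE_CNAME, TYPE_SOA, TYPE_TSIG, TYPE_ANY = 1, 5, 6, 250, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
HMAC_SHA256 = "hmac-sha256."  # TSIG algorithm identifier, in domain-name form

def encode_name(name):
    """Wire-format a domain name without compression, lowercased (TSIG canonical form)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def encode_rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

# RFC 2136 sections 2.4 and 2.5: the class field (NONE/ANY/IN) encodes the operation
def prereq_nxdomain(name):                  # prereq nxdomain domain-name
    return encode_rr(name, TYPE_ANY, CLASS_NONE, 0)
def prereq_yxrrset(name, rtype):            # prereq yxrrset domain-name type
    return encode_rr(name, rtype, CLASS_ANY, 0)
def update_add(name, ttl, rtype, rdata):    # update add domain-name ttl type data
    return encode_rr(name, rtype, CLASS_IN, ttl, rdata)
def update_delete_rrset(name, rtype):       # update delete domain-name type
    return encode_rr(name, rtype, CLASS_ANY, 0)

def build_update(msg_id, zone, prereqs, updates):
    """Unsigned UPDATE: header with opcode 5, one zone entry, then both sections."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, len(prereqs), len(updates), 0)
    zone_entry = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_entry + b"".join(prereqs) + b"".join(updates)

def tsig_variables(keyname_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 2845 section 3.4.2): name, class, TTL,
    algorithm, time signed (48 bits), fudge, error, other data. Not the MAC or ID."""
    return (keyname_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_sign(message, keyname, secret, time_signed, fudge=300):
    """Append a TSIG RR: MAC = HMAC-SHA256(secret, message || TSIG variables)."""
    keyname_wire, alg_wire = encode_name(keyname), encode_name(HMAC_SHA256)
    covered = message + tsig_variables(keyname_wire, alg_wire, time_signed, fudge)
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    rdata = (alg_wire
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    arcount = struct.unpack("!H", message[10:12])[0] + 1       # the TSIG RR counts in ARCOUNT
    return (message[:10] + struct.pack("!H", arcount) + message[12:]
            + encode_rr(keyname, TYPE_TSIG, CLASS_ANY, 0, rdata))

def _skip_name(buf, pos):
    """Offset just past the name at pos (a compression pointer ends a name)."""
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def tsig_verify(signed, keyname, secret, now):
    """Server-side check: the TSIG must be the last RR under the expected key, the MAC
    recomputed over the message minus the TSIG must match, and |now - time signed| <= fudge."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    pos, start, rtype, rdata = 12, 0, None, b""
    for _ in range(zo):                 # zone entries carry name, type, class only
        pos = _skip_name(signed, pos) + 4
    for _ in range(pr + up + ad):       # walk every RR; the last one must be the TSIG
        start = pos
        pos = _skip_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
        rdata = signed[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
    if ad == 0 or rtype != TYPE_TSIG or pos != len(signed):
        return False
    if signed[start:_skip_name(signed, start)] != encode_name(keyname):
        return False                    # key name mismatch (BADKEY)
    alg_end = _skip_name(rdata, 0)
    ts_hi, ts_lo, fudge, mac_len = struct.unpack("!HIHH", rdata[alg_end:alg_end + 10])
    mac = rdata[alg_end + 10:alg_end + 10 + mac_len]
    orig_id, error, other_len = struct.unpack("!HHH", rdata[alg_end + 10 + mac_len:alg_end + 16 + mac_len])
    other = rdata[alg_end + 16 + mac_len:]
    time_signed = (ts_hi << 32) | ts_lo
    # the message as it was before signing: original ID, ARCOUNT without the TSIG, TSIG RR removed
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:start]
    variables = tsig_variables(encode_name(keyname), rdata[:alg_end], time_signed, fudge, error, other)
    expected = hmac.new(secret, unsigned + variables, hashlib.sha256).digest()
    return (other_len == len(other) and hmac.compare_digest(mac, expected)
            and abs(now - time_signed) <= fudge)

def example():
    """The second EXAMPLES transaction, signed with a constructed key and timestamp."""
    secret = bytes(range(32))           # constructed 256-bit secret, not a real key
    msg = build_update(0x1234, "example.com.",
                       [prereq_nxdomain("nickname.example.com.")],
                       [update_add("nickname.example.com.", 86400, TYPE_CNAME,
                                   encode_name("somehost.example.com."))])
    signed = tsig_sign(msg, "ddns-key.example.com.", secret, time_signed=1_700_000_000)
    return msg, signed, secret
```

       Two points the message layout makes visible: the prerequisite and
       the update are ordinary RRs whose class field (NONE, ANY or IN) is
       what tells the server which operation is meant, and the TSIG MAC
       covers the entire request plus the key name, algorithm and time, so
       a replay outside the fudge window or a change to any byte of the
       update is rejected before the server touches the zone.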

FILES

       /etc/resolv.conf
              Used to identify the default name server

       /run/session.key
              Sets the default TSIG key for use in local-only mode

       K{name}.+157.+{random}.key
              Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.

       K{name}.+157.+{random}.private
              Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.

SEE ALSO

       RFC 2136, RFC 3007, RFC 2104, RFC 2845, RFC 1034, RFC 2535, RFC 2931,
       named(8), dnssec-keygen(8), tsig-keygen(8).

BUGS

       The TSIG key is redundantly stored in two separate files. This is a
       consequence of nsupdate using the DST library for its cryptographic
       operations, and may change in future releases.

AUTHOR

       Internet Systems Consortium

       2023, Internet Systems Consortium

9.19.18                                                            NSUPDATE(1)