| blob | 522b20fa19d513cec1590548aa25d200236eb735 |
1 <!--
2 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16 -->
17 <!-- $Id: nsupdate.html,v 1.37.56.3 2009/07/11 01:43:29 tbox Exp $ -->
18 <html>
19 <head>
23 </head>
24 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
29 </div>
32 <div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
33 </div>
37 is used to submit Dynamic DNS Update requests as defined in RFC2136
38 to a name server.
39 This allows resource records to be added or removed from a zone
40 without manually editing the zone file.
41 A single update request can contain requests to add or remove more than
42 one
43 resource record.
44 </p>
45 <p>
46 Zones that are under dynamic control via
48 or a DHCP server should not be edited by hand.
49 Manual edits could
50 conflict with dynamic updates and cause data to be lost.
51 </p>
52 <p>
53 The resource records that are dynamically added or removed with
55 have to be in the same zone.
56 Requests are sent to the zone's master server.
57 This is identified by the MNAME field of the zone's SOA record.
58 </p>
59 <p>
60 The
62 option makes
64 operate in debug mode.
65 This provides tracing information about the update requests that are
66 made and the replies received from the name server.
67 </p>
68 <p>
69 Transaction signatures can be used to authenticate the Dynamic DNS
70 updates.
71 These use the TSIG resource record type described in RFC2845 or the
72 SIG(0) record described in RFC3535 and RFC2931.
73 TSIG relies on a shared secret that should only be known to
75 Currently, the only supported encryption algorithm for TSIG is
76 HMAC-MD5, which is defined in RFC 2104.
77 Once other algorithms are defined for TSIG, applications will need to
78 ensure they select the appropriate algorithm as well as the key when
79 authenticating each other.
80 For instance, suitable
82 and
84 statements would be added to
86 so that the name server can associate the appropriate secret key
87 and algorithm with the IP address of the
88 client application that will be using TSIG authentication.
90 key must be stored in a KEY record in a zone served by the name server.
92 does not read
94 </p>
97 to provide the shared secret needed to generate a TSIG record
98 for authenticating Dynamic DNS update requests, default type
99 HMAC-MD5. These options are mutually exclusive. With the
100 <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
102 whose name is of the form
104 historical reasons, the file
107 signature is generated from
108 [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
112 because the shared secret is supplied as a command line
113 argument in clear text. This may be visible in the output
114 from
115 <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
116 shell.
117 </p>
118 <p>
120 to authenticate Dynamic DNS update requests. In this case, the key
121 specified is not an HMAC-MD5 key.
122 </p>
123 <p>
124 By default,
126 uses UDP to send update requests to the name server unless they are too
127 large to fit in a UDP request in which case TCP will be used.
128 The
130 option makes
132 use a TCP connection.
133 This may be preferable when a batch of update requests is made.
134 </p>
135 <p>
137 can
138 take before it is aborted. The default is 300 seconds. Zero can be
139 used
140 to disable the timeout.
141 </p>
142 <p>
144 is
145 3 seconds. If zero, the interval will be computed from the timeout
146 interval
147 and number of UDP retries.
148 </p>
149 <p>
151 default is
152 3. If zero, only one update request will be made.
153 </p>
154 <p>
156 specifies a source of randomness. If the operating system
158 equivalent device, the default source of randomness is keyboard
160 a character device or file containing random data to be used
161 instead of the default. The special value
163 should be used. This option may be specified multiple times.
164 </p>
165 </div>
169 reads input from
171 or standard input.
172 Each command is supplied on exactly one line of input.
173 Some commands are for administrative purposes.
174 The others are either update instructions or prerequisite checks on the
175 contents of the zone.
176 These checks set conditions that some name or set of
177 resource records (RRset) either exists or is absent from the zone.
178 These conditions must be met if the entire update request is to succeed.
179 Updates will be rejected if the tests for the prerequisite conditions
180 fail.
181 </p>
182 <p>
183 Every update request consists of zero or more prerequisites
184 and zero or more updates.
185 This allows a suitably authenticated update request to proceed if some
186 specified resource records are present or missing from the zone.
188 causes the
189 accumulated commands to be sent as one Dynamic DNS update request to the
190 name server.
191 </p>
192 <p>
193 The command formats and their meaning are as follows:
194 </p>
198 {servername}
199 [port]
200 </span></dt>
201 <dd><p>
202 Sends all dynamic update requests to the name server
204 When no server statement is provided,
206 will send updates to the master server of the correct zone.
207 The MNAME field of that zone's SOA record will identify the
208 master
209 server for that zone.
211 is the port number on
213 where the dynamic update requests get sent.
214 If no port number is specified, the default DNS port number of
215 53 is
216 used.
217 </p></dd>
220 {address}
221 [port]
222 </span></dt>
223 <dd><p>
224 Sends all dynamic update requests using the local
227 When no local statement is provided,
229 will send updates using an address and port chosen by the
230 system.
232 can additionally be used to make requests come from a specific
233 port.
234 If no port number is specified, the system will assign one.
235 </p></dd>
238 {zonename}
239 </span></dt>
240 <dd><p>
241 Specifies that all updates are to be made to the zone
243 If no
245 statement is provided,
247 will attempt determine the correct zone to update based on the
248 rest of the input.
249 </p></dd>
252 {classname}
253 </span></dt>
254 <dd><p>
255 Specify the default class.
257 default class is
259 </p></dd>
262 {name}
263 {secret}
264 </span></dt>
265 <dd><p>
266 Specifies that all updates are to be TSIG-signed using the
267 <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
269 overrides any key specified on the command line via
271 </p></dd>
274 {domain-name}
275 </span></dt>
276 <dd><p>
277 Requires that no resource record of any type exists with name
279 </p></dd>
282 {domain-name}
283 </span></dt>
284 <dd><p>
285 Requires that
287 exists (has as at least one resource record, of any type).
288 </p></dd>
291 {domain-name}
292 [class]
293 {type}
294 </span></dt>
295 <dd><p>
296 Requires that no resource record exists of the specified
299 and
301 If
303 is omitted, IN (internet) is assumed.
304 </p></dd>
307 {domain-name}
308 [class]
309 {type}
310 </span></dt>
311 <dd><p>
312 This requires that a resource record of the specified
315 and
317 must exist.
318 If
320 is omitted, IN (internet) is assumed.
321 </p></dd>
324 {domain-name}
325 [class]
326 {type}
327 {data...}
328 </span></dt>
329 <dd><p>
330 The
332 from each set of prerequisites of this form
333 sharing a common
336 and
338 are combined to form a set of RRs. This set of RRs must
339 exactly match the set of RRs existing in the zone at the
340 given
343 and
345 The
347 are written in the standard text representation of the resource
348 record's
349 RDATA.
350 </p></dd>
353 {domain-name}
354 [ttl]
355 [class]
356 [type [data...]]
357 </span></dt>
358 <dd><p>
359 Deletes any resource records named
361 If
363 and
365 is provided, only matching resource records will be removed.
366 The internet class is assumed if
368 is not supplied. The
370 is ignored, and is only allowed for compatibility.
371 </p></dd>
374 {domain-name}
375 {ttl}
376 [class]
377 {type}
378 {data...}
379 </span></dt>
380 <dd><p>
381 Adds a new resource record with the specified
384 and
386 </p></dd>
389 </span></dt>
390 <dd><p>
391 Displays the current message, containing all of the
392 prerequisites and
393 updates specified since the last send.
394 </p></dd>
397 </span></dt>
398 <dd><p>
399 Sends the current message. This is equivalent to entering a
400 blank line.
401 </p></dd>
404 </span></dt>
405 <dd><p>
406 Displays the answer.
407 </p></dd>
408 </dl></div>
409 <p>
410 </p>
411 <p>
412 Lines beginning with a semicolon are comments and are ignored.
413 </p>
414 </div>
417 <p>
418 The examples below show how
420 could be used to insert and delete resource records from the
422 zone.
423 Notice that the input in each example contains a trailing blank line so
424 that
425 a group of commands are sent as one dynamic update request to the
426 master name server for
429 </p>
431 # nsupdate
432 > update delete oldhost.example.com A
434 > send
435 </pre>
436 <p>
437 </p>
438 <p>
439 Any A records for
441 are deleted.
442 And an A record for
444 with IP address 172.16.1.1 is added.
446 </p>
448 # nsupdate
449 > prereq nxdomain nickname.example.com
451 > send
452 </pre>
453 <p>
454 </p>
455 <p>
456 The prerequisite condition gets the name server to check that there
457 are no resource records of any type for
460 If there are, the update request fails.
461 If this name does not exist, a CNAME for it is added.
462 This ensures that when the CNAME is added, it cannot conflict with the
463 long-standing rule in RFC1034 that a name must not exist as any other
464 record type if it exists as a CNAME.
465 (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
466 RRSIG, DNSKEY and NSEC records.)
467 </p>
468 </div>
473 <dd><p>
474 used to identify default name server
475 </p></dd>
477 <dd><p>
478 base-64 encoding of HMAC-MD5 key created by
480 </p></dd>
482 <dd><p>
483 base-64 encoding of HMAC-MD5 key created by
485 </p></dd>
486 </dl></div>
487 </div>
499 </p>
500 </div>
503 <p>
504 The TSIG key is redundantly stored in two separate files.
505 This is a consequence of nsupdate using the DST library
506 for its cryptographic operations, and may change in future
507 releases.
508 </p>
509 </div>
510 </div></body>
511 </html>