nsupdate(1)nsupdate(1)NAMEnsupdate - Dynamic DNS update utility
SYNOPSIS
keyfile | udpretries] timeout] udptimeout] [filename]
DESCRIPTION
submits Dynamic DNS update requests to a name server, as defined in RFC
2136. This allows resource records to be added to or removed from a
zone without manually editing the zone file. A single update request
can contain requests to add or remove more than one resource record.
Zones that are under dynamic control via or a DHCP server should not be
edited by hand. Manual edits could conflict with dynamic updates and
cause data to be lost.
The resource records that are dynamically added or removed with have to
be in the same zone. Requests are sent to the zone's master server.
This is identified by the field of the zone's record.
Transaction signatures can be used to authenticate the Dynamic DNS
updates. These use the resource record type described in RFC 2845 or
the SIG(0) record described in RFC 2535 and RFC 2931. relies on a
shared secret that should only be known to and the name server. Cur‐
rently, the only supported encryption algorithm for is which is defined
in RFC 2104.
Once other algorithms are defined for applications will need to ensure
they select the appropriate algorithm as well as the key when authenti‐
cating each other. For instance, suitable and statements would be
added to so that the name server can associate the appropriate secret
key and algorithm with the IP address of the client application that
will be using authentication. SIG(0) uses public key cryptography. To
use a SIG(0) key, the public key must be stored in a record in a zone
served by the name server. does not read
Options
Operate in debug mode.
This provides tracing information about the update requests
that are made and the replies received from the name server.
Provide the shared secret needed to
generate a record for authenticating Dynamic DNS update
requests. With this option, reads the shared secret from the
file keyfile, whose name is of the form
For historical reasons, the file must also be present. This
option is mutually exclusive with the option. may also be
used to specify a SIG(0) key used to authenticate Dynamic DNS
update requests. In this case, the key specified is not an
key.
Set the number of UDP retries.
The default is 3. If set to zero only one update request
will be made.
Set the maximum time in seconds a update request can take before it is
aborted. The default is 300 seconds. Zero can be used to
disable the timeout.
Set the UDP retry interval in seconds.
The default is 3 seconds. If set to zero the interval will
be computed from the timeout interval and number of UDP
retries.
Use a TCP connection to send update requests to the name server.
By default, uses UDP to send update requests. This may be
preferable when a batch of update requests is made.
Generate a signature from
keyname and secret. keyname is the name of the key, and
secret is the base-64-encoded shared secret. The use of the
option is discouraged because the shared secret is supplied
as a command line argument in clear text. This may be visi‐
ble in the output from ps(1) or in a history file maintained
by the user's shell.
Operands
filename
A file of commands, as described in the section. The default is
standard input.
Input Format
reads commands from filename or standard input. Each command is sup‐
plied on exactly one line of input. Some commands are for administra‐
tive purposes; others are either update instructions or prerequisite
checks on the contents of the zone. The checks set conditions that
some name or set of resource records (RRset) either exists or is absent
from the zone. These conditions must be met if the entire update
request is to succeed. Updates will be rejected if the tests for the
prerequisite conditions fail.
Every update request consists of zero or more prerequisites and zero or
more updates. This allows a suitably authenticated update request to
proceed if some specified resource records are present or missing from
the zone. The command or a blank input line causes the accumulated
commands to be sent as one Dynamic DNS update request to the name
server.
The Commands
The command formats and their meaning are as follows:
Lines beginning with a semicolon are comments and are ignored.
Sends all dynamic update requests to the name server
servername. When no statement is provided, sends
updates to the master server of the correct zone. The
field of that zone's record identifies the master server
for that zone. port is the port number on servername
where the dynamic update requests are sent. If no port
number is specified, the default DNS port number of 53
is used.
Sends all dynamic update requests using the local address.
When no statement is provided, sends updates using an
address and port chosen by the system. port can addi‐
tionally be used to make requests come from a specific
port. If no port number is specified, the system
assigns one.
Specifies that all updates are to be made to the zone
zonename. If no statement is provided, attempts to
determine the correct zone to update, based on the rest
of the input.
Specifies the default class.
If no class is specified, the default class is
Specifies that all updates are to be TSIG-signed using the
keyname keysecret pair. The command overrides any key
specified on the command line with or
Requires that no resource record of any type exists with name
domain-name.
Requires that domain-name exists (has as at least one resource record
of any type).
Requires that no resource record exists of the specified
type, class, and domain-name. If class is omitted,
(Internet) is assumed.
Requires that a resource record of the specified
type, class, and domain-name must exist. If class is
omitted, (Internet) is assumed.
The data from each set of prerequisites of this form sharing
a common type, class, and domain-name are combined to
form a set of RRs (resource records). This set of RRs
must exactly match the set of RRs existing in the zone
at the given type, class, and domain-name. The data are
written in the standard text representation of the
resource record's RDATA.
Deletes any resource records named
domain-name. If type and data are provided, only match‐
ing resource records will be removed. The Internet
class is assumed if class is not supplied.
Adds a new resource record with the specified
ttl, class and data.
Displays the current message,
containing all the prerequisites and updates specified
since the last operation.
Sends the current message.
This is equivalent to entering a blank line.
Displays the answer.
EXAMPLES
The examples below show how could be used to insert and delete resource
records from the zone. Notice that the input in each example contains
a trailing blank line so that a group of commands are sent as one
dynamic update request to the master name server for
Example 1
Any A records for are deleted. An A record for with IP address
172.16.1.1 is added. The newly-added record has a 1 day TTL (86400
seconds)
Example 2
The prerequisite condition gets the name server to check that there are
no resource records of any type for If there are, the update request
fails. If this name does not exist, a for it is added. This ensures
that when the record is added, it cannot conflict with the long-stand‐
ing rule in RFC 1034 that a name must not exist as any other record
type if it exists as a
(The rule has been updated for DNSSEC in RFC 2535 to allow records to
have and records.)
WARNINGS
The key is redundantly stored in two separate files. This is a conse‐
quence of using the DST library for its cryptographic operations, and
may change in future.
AUTHOR
was developed by the Internet Systems Consortium (ISC).
FILES
Used to identify default name server.
Base-64 encoding of key created by
Base-64 encoding of key created by
SEE ALSOdnssec-keygen(1), named(1M).
Requests for Comments (RFC): 1034, 2104, 2136, 2137, 2535, 2845, 2931,
available online at
available online at
available from the Internet Systems Consortium at
BIND 9.3 nsupdate(1)
