summaryrefslogtreecommitdiffstats
path: root/bin/nsupdate/nsupdate.1
diff options
context:
space:
mode:
Diffstat (limited to 'bin/nsupdate/nsupdate.1')
-rw-r--r--bin/nsupdate/nsupdate.1524
1 files changed, 524 insertions, 0 deletions
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
new file mode 100644
index 0000000..28f6191
--- /dev/null
+++ b/bin/nsupdate/nsupdate.1
@@ -0,0 +1,524 @@
+.\" Copyright (C) 2000-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\" Title: nsupdate
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 2014-04-18
+.\" Manual: BIND9
+.\" Source: ISC
+.\" Language: English
+.\"
+.TH "NSUPDATE" "1" "2014\-04\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+nsupdate \- Dynamic DNS update utility
+.SH "SYNOPSIS"
+.HP \w'\fBnsupdate\fR\ 'u
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [\fB\-i\fR] [\fB\-L\ \fR\fB\fIlevel\fR\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-l\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [\fB\-T\fR] [\fB\-P\fR] [\fB\-V\fR] [filename]
+.SH "DESCRIPTION"
+.PP
+\fBnsupdate\fR
+is used to submit Dynamic DNS Update requests as defined in RFC 2136 to a name server\&. This allows resource records to be added or removed from a zone without manually editing the zone file\&. A single update request can contain requests to add or remove more than one resource record\&.
+.PP
+Zones that are under dynamic control via
+\fBnsupdate\fR
+or a DHCP server should not be edited by hand\&. Manual edits could conflict with dynamic updates and cause data to be lost\&.
+.PP
+The resource records that are dynamically added or removed with
+\fBnsupdate\fR
+have to be in the same zone\&. Requests are sent to the zone\*(Aqs master server\&. This is identified by the MNAME field of the zone\*(Aqs SOA record\&.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS updates\&. These use the TSIG resource record type described in RFC 2845 or the SIG(0) record described in RFC 2535 and RFC 2931 or GSS\-TSIG as described in RFC 3645\&.
+.PP
+TSIG relies on a shared secret that should only be known to
+\fBnsupdate\fR
+and the name server\&. For instance, suitable
+\fBkey\fR
+and
+\fBserver\fR
+statements would be added to
+/etc/named\&.conf
+so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication\&. You can use
+\fBddns\-confgen\fR
+to generate suitable configuration fragments\&.
+\fBnsupdate\fR
+uses the
+\fB\-y\fR
+or
+\fB\-k\fR
+options to provide the TSIG shared secret\&. These options are mutually exclusive\&.
+.PP
+SIG(0) uses public key cryptography\&. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server\&.
+.PP
+GSS\-TSIG uses Kerberos credentials\&. Standard GSS\-TSIG mode is switched on with the
+\fB\-g\fR
+flag\&. A non\-standards\-compliant variant of GSS\-TSIG used by Windows 2000 can be switched on with the
+\fB\-o\fR
+flag\&.
+.SH "OPTIONS"
+.PP
+\-d
+.RS 4
+Debug mode\&. This provides tracing information about the update requests that are made and the replies received from the name server\&.
+.RE
+.PP
+\-D
+.RS 4
+Extra debug mode\&.
+.RE
+.PP
+\-i
+.RS 4
+Force interactive mode, even when standard input is not a terminal\&.
+.RE
+.PP
+\-k \fIkeyfile\fR
+.RS 4
+The file containing the TSIG authentication key\&. Keyfiles may be in two formats: a single file containing a
+named\&.conf\-format
+\fBkey\fR
+statement, which may be generated automatically by
+\fBddns\-confgen\fR, or a pair of files whose names are of the format
+K{name}\&.+157\&.+{random}\&.key
+and
+K{name}\&.+157\&.+{random}\&.private, which can be generated by
+\fBdnssec\-keygen\fR\&. The
+\fB\-k\fR
+may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests\&. In this case, the key specified is not an HMAC\-MD5 key\&.
+.RE
+.PP
+\-l
+.RS 4
+Local\-host only mode\&. This sets the server address to localhost (disabling the
+\fBserver\fR
+so that the server address cannot be overridden)\&. Connections to the local server will use a TSIG key found in
+/var/run/named/session\&.key, which is automatically generated by
+\fBnamed\fR
+if any local master zone has set
+\fBupdate\-policy\fR
+to
+\fBlocal\fR\&. The location of this key file can be overridden with the
+\fB\-k\fR
+option\&.
+.RE
+.PP
+\-L \fIlevel\fR
+.RS 4
+Set the logging debug level\&. If zero, logging is disabled\&.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Set the port to use for connections to a name server\&. The default is 53\&.
+.RE
+.PP
+\-P
+.RS 4
+Print the list of private BIND\-specific resource record types whose format is understood by
+\fBnsupdate\fR\&. See also the
+\fB\-T\fR
+option\&.
+.RE
+.PP
+\-r \fIudpretries\fR
+.RS 4
+The number of UDP retries\&. The default is 3\&. If zero, only one update request will be made\&.
+.RE
+.PP
+\-R \fIrandomdev\fR
+.RS 4
+Where to obtain randomness\&. If the operating system does not provide a
+/dev/random
+or equivalent device, the default source of randomness is keyboard input\&.
+randomdev
+specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
+keyboard
+indicates that keyboard input should be used\&. This option may be specified multiple times\&.
+.RE
+.PP
+\-t \fItimeout\fR
+.RS 4
+The maximum time an update request can take before it is aborted\&. The default is 300 seconds\&. Zero can be used to disable the timeout\&.
+.RE
+.PP
+\-T
+.RS 4
+Print the list of IANA standard resource record types whose format is understood by
+\fBnsupdate\fR\&.
+\fBnsupdate\fR
+will exit after the lists are printed\&. The
+\fB\-T\fR
+option can be combined with the
+\fB\-P\fR
+option\&.
+.sp
+Other types can be entered using "TYPEXXXXX" where "XXXXX" is the decimal value of the type with no leading zeros\&. The rdata, if present, will be parsed using the UNKNOWN rdata format, (<backslash> <hash> <space> <length> <space> <hexstring>)\&.
+.RE
+.PP
+\-u \fIudptimeout\fR
+.RS 4
+The UDP retry interval\&. The default is 3 seconds\&. If zero, the interval will be computed from the timeout interval and number of UDP retries\&.
+.RE
+.PP
+\-v
+.RS 4
+Use TCP even for small update requests\&. By default,
+\fBnsupdate\fR
+uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used\&. TCP may be preferable when a batch of update requests is made\&.
+.RE
+.PP
+\-V
+.RS 4
+Print the version number and exit\&.
+.RE
+.PP
+\-y \fI[hmac:]\fR\fIkeyname:secret\fR
+.RS 4
+Literal TSIG authentication key\&.
+\fIkeyname\fR
+is the name of the key, and
+\fIsecret\fR
+is the base64 encoded shared secret\&.
+\fIhmac\fR
+is the name of the key algorithm; valid choices are
+hmac\-md5,
+hmac\-sha1,
+hmac\-sha224,
+hmac\-sha256,
+hmac\-sha384, or
+hmac\-sha512\&. If
+\fIhmac\fR
+is not specified, the default is
+hmac\-md5
+or if MD5 was disabled
+hmac\-sha256\&.
+.sp
+NOTE: Use of the
+\fB\-y\fR
+option is discouraged because the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
+\fBps\fR(1)
+or in a history file maintained by the user\*(Aqs shell\&.
+.RE
+.SH "INPUT FORMAT"
+.PP
+\fBnsupdate\fR
+reads input from
+\fIfilename\fR
+or standard input\&. Each command is supplied on exactly one line of input\&. Some commands are for administrative purposes\&. The others are either update instructions or prerequisite checks on the contents of the zone\&. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone\&. These conditions must be met if the entire update request is to succeed\&. Updates will be rejected if the tests for the prerequisite conditions fail\&.
+.PP
+Every update request consists of zero or more prerequisites and zero or more updates\&. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone\&. A blank input line (or the
+\fBsend\fR
+command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server\&.
+.PP
+The command formats and their meaning are as follows:
+.PP
+\fBserver\fR {servername} [port]
+.RS 4
+Sends all dynamic update requests to the name server
+\fIservername\fR\&. When no server statement is provided,
+\fBnsupdate\fR
+will send updates to the master server of the correct zone\&. The MNAME field of that zone\*(Aqs SOA record will identify the master server for that zone\&.
+\fIport\fR
+is the port number on
+\fIservername\fR
+where the dynamic update requests get sent\&. If no port number is specified, the default DNS port number of 53 is used\&.
+.RE
+.PP
+\fBlocal\fR {address} [port]
+.RS 4
+Sends all dynamic update requests using the local
+\fIaddress\fR\&. When no local statement is provided,
+\fBnsupdate\fR
+will send updates using an address and port chosen by the system\&.
+\fIport\fR
+can additionally be used to make requests come from a specific port\&. If no port number is specified, the system will assign one\&.
+.RE
+.PP
+\fBzone\fR {zonename}
+.RS 4
+Specifies that all updates are to be made to the zone
+\fIzonename\fR\&. If no
+\fIzone\fR
+statement is provided,
+\fBnsupdate\fR
+will attempt determine the correct zone to update based on the rest of the input\&.
+.RE
+.PP
+\fBclass\fR {classname}
+.RS 4
+Specify the default class\&. If no
+\fIclass\fR
+is specified, the default class is
+\fIIN\fR\&.
+.RE
+.PP
+\fBttl\fR {seconds}
+.RS 4
+Specify the default time to live for records to be added\&. The value
+\fInone\fR
+will clear the default ttl\&.
+.RE
+.PP
+\fBkey\fR [hmac:] {keyname} {secret}
+.RS 4
+Specifies that all updates are to be TSIG\-signed using the
+\fIkeyname\fR\fIsecret\fR
+pair\&. If
+\fIhmac\fR
+is specified, then it sets the signing algorithm in use; the default is
+hmac\-md5
+or if MD5 was disabled
+hmac\-sha256\&. The
+\fBkey\fR
+command overrides any key specified on the command line via
+\fB\-y\fR
+or
+\fB\-k\fR\&.
+.RE
+.PP
+\fBgsstsig\fR
+.RS 4
+Use GSS\-TSIG to sign the updated\&. This is equivalent to specifying
+\fB\-g\fR
+on the command line\&.
+.RE
+.PP
+\fBoldgsstsig\fR
+.RS 4
+Use the Windows 2000 version of GSS\-TSIG to sign the updated\&. This is equivalent to specifying
+\fB\-o\fR
+on the command line\&.
+.RE
+.PP
+\fBrealm\fR {[realm_name]}
+.RS 4
+When using GSS\-TSIG use
+\fIrealm_name\fR
+rather than the default realm in
+krb5\&.conf\&. If no realm is specified the saved realm is cleared\&.
+.RE
+.PP
+\fBcheck\-names\fR {[yes_or_no]}
+.RS 4
+Turn on or off check\-names processing on records to be added\&. Check\-names has no effect on prerequisites or records to be deleted\&. By default check\-names processing is on\&. If check\-names processing fails the record will not be added to the UPDATE message\&.
+.RE
+.PP
+\fB[prereq]\fR\fB nxdomain\fR {domain\-name}
+.RS 4
+Requires that no resource record of any type exists with name
+\fIdomain\-name\fR\&.
+.RE
+.PP
+\fB[prereq]\fR\fB yxdomain\fR {domain\-name}
+.RS 4
+Requires that
+\fIdomain\-name\fR
+exists (has as at least one resource record, of any type)\&.
+.RE
+.PP
+\fB[prereq]\fR\fB nxrrset\fR {domain\-name} [class] {type}
+.RS 4
+Requires that no resource record exists of the specified
+\fItype\fR,
+\fIclass\fR
+and
+\fIdomain\-name\fR\&. If
+\fIclass\fR
+is omitted, IN (internet) is assumed\&.
+.RE
+.PP
+\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type}
+.RS 4
+This requires that a resource record of the specified
+\fItype\fR,
+\fIclass\fR
+and
+\fIdomain\-name\fR
+must exist\&. If
+\fIclass\fR
+is omitted, IN (internet) is assumed\&.
+.RE
+.PP
+\fB[prereq]\fR\fB yxrrset\fR {domain\-name} [class] {type} {data...}
+.RS 4
+The
+\fIdata\fR
+from each set of prerequisites of this form sharing a common
+\fItype\fR,
+\fIclass\fR, and
+\fIdomain\-name\fR
+are combined to form a set of RRs\&. This set of RRs must exactly match the set of RRs existing in the zone at the given
+\fItype\fR,
+\fIclass\fR, and
+\fIdomain\-name\fR\&. The
+\fIdata\fR
+are written in the standard text representation of the resource record\*(Aqs RDATA\&.
+.RE
+.PP
+\fB[update]\fR\fB del\fR\fB[ete]\fR {domain\-name} [ttl] [class] [type\ [data...]]
+.RS 4
+Deletes any resource records named
+\fIdomain\-name\fR\&. If
+\fItype\fR
+and
+\fIdata\fR
+is provided, only matching resource records will be removed\&. The internet class is assumed if
+\fIclass\fR
+is not supplied\&. The
+\fIttl\fR
+is ignored, and is only allowed for compatibility\&.
+.RE
+.PP
+\fB[update]\fR\fB add\fR {domain\-name} {ttl} [class] {type} {data...}
+.RS 4
+Adds a new resource record with the specified
+\fIttl\fR,
+\fIclass\fR
+and
+\fIdata\fR\&.
+.RE
+.PP
+\fBshow\fR
+.RS 4
+Displays the current message, containing all of the prerequisites and updates specified since the last send\&.
+.RE
+.PP
+\fBsend\fR
+.RS 4
+Sends the current message\&. This is equivalent to entering a blank line\&.
+.RE
+.PP
+\fBanswer\fR
+.RS 4
+Displays the answer\&.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+Turn on debugging\&.
+.RE
+.PP
+\fBversion\fR
+.RS 4
+Print version number\&.
+.RE
+.PP
+\fBhelp\fR
+.RS 4
+Print a list of commands\&.
+.RE
+.PP
+Lines beginning with a semicolon are comments and are ignored\&.
+.SH "EXAMPLES"
+.PP
+The examples below show how
+\fBnsupdate\fR
+could be used to insert and delete resource records from the
+\fBexample\&.com\fR
+zone\&. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
+\fBexample\&.com\fR\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# nsupdate
+> update delete oldhost\&.example\&.com A
+> update add newhost\&.example\&.com 86400 A 172\&.16\&.1\&.1
+> send
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Any A records for
+\fBoldhost\&.example\&.com\fR
+are deleted\&. And an A record for
+\fBnewhost\&.example\&.com\fR
+with IP address 172\&.16\&.1\&.1 is added\&. The newly\-added record has a 1 day TTL (86400 seconds)\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# nsupdate
+> prereq nxdomain nickname\&.example\&.com
+> update add nickname\&.example\&.com 86400 CNAME somehost\&.example\&.com
+> send
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The prerequisite condition gets the name server to check that there are no resource records of any type for
+\fBnickname\&.example\&.com\fR\&. If there are, the update request fails\&. If this name does not exist, a CNAME for it is added\&. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC 1034 that a name must not exist as any other record type if it exists as a CNAME\&. (The rule has been updated for DNSSEC in RFC 2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records\&.)
+.SH "FILES"
+.PP
+\fB/etc/resolv\&.conf\fR
+.RS 4
+used to identify default name server
+.RE
+.PP
+\fB/var/run/named/session\&.key\fR
+.RS 4
+sets the default TSIG key for use in local\-only mode
+.RE
+.PP
+\fBK{name}\&.+157\&.+{random}\&.key\fR
+.RS 4
+base\-64 encoding of HMAC\-MD5 key created by
+\fBdnssec-keygen\fR(8)\&.
+.RE
+.PP
+\fBK{name}\&.+157\&.+{random}\&.private\fR
+.RS 4
+base\-64 encoding of HMAC\-MD5 key created by
+\fBdnssec-keygen\fR(8)\&.
+.RE
+.SH "SEE ALSO"
+.PP
+RFC 2136,
+RFC 3007,
+RFC 2104,
+RFC 2845,
+RFC 1034,
+RFC 2535,
+RFC 2931,
+\fBnamed\fR(8),
+\fBddns-confgen\fR(8),
+\fBdnssec-keygen\fR(8)\&.
+.SH "BUGS"
+.PP
+The TSIG key is redundantly stored in two separate files\&. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
+.br