summaryrefslogtreecommitdiffstats
path: root/doc/man_knsupdate.rst
blob: e2d71f95317275f2d095ca292330f87486f8782a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
.. highlight:: none

``knsupdate`` – Dynamic DNS update utility
==========================================

Synopsis
--------

:program:`knsupdate` [**-v**] [*options*] [*filename*]

:program:`knsupdate` [**-q**] [*quic_options*] [*options*] [*filename*]

Description
-----------

This utility sends Dynamic DNS update messages to a DNS server. Update content
is read from a file (if the parameter *filename* is given) or from the standard
input.

The format of updates is textual and is made up of commands. Every command is
placed on the separate line of the input. Lines starting with a semicolon are
comments and are not processed.

Parameters
..........

*filename*
  Path to the file with knsupdate commands.

Options
.......

**-T**, **--tcp**
  Use a TCP connection. (**-v** can be used for compatibility with nsupdate).

**-S**, **--tls**
  Use a TLS connection.

**-Q**, **--quic**
  Use a QUIC connection.

**-p**, **--port** *number*
  Set the port to use for connections to the server (if not explicitly specified
  in the update). The default is 53 for UDP/TCP or 853 for QUIC.

**-r**, **--retry** *count*
  The number of retries for UDP requests. The default is 3.

**-t**, **--timeout** *seconds*
  The total timeout (for all UDP update tries) of the update request in seconds.
  The default is 12. If set to zero, the timeout is infinite.

**-y**, **--tsig** [*alg*:]\ *name*:*key*
  Use the TSIG key with a name *name* to authenticate the request. The *alg*
  part specifies the algorithm (the default is hmac-sha256) and *key* specifies
  the shared secret encoded in Base64.

**-k**, **--tsigfile** *path*
  Use the TSIG key stored in a file *keyfile* to authenticate the request. The
  file should contain the key in the same format, which is accepted by the
  **-y** option.

**-d**, **--debug**
  Enable debug messages.

**-h**, **--help**
  Print the program help.

**-V**, **--version**
  Print the program version. The option **-VV** makes the program
  print the compile time configuration summary.

QUIC/TLS options
................

**-H**, **--hostname** *string*
  Enable remote server hostname validation.

**-P**, **--pin** *base64*
  Use Out-of-Band key-pinned privacy profile
  (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the
  X.509 SubjectPublicKeyInfo. Can be specified multiple times.

**-A**, **--ca** [*path*]
  Enable certificate validation. Certification authority certificates
  are loaded from the specified PEM file (default is system certificate storage
  if no argument is provided). Can be specified multiple times.

**-E**, **--certfile** *path*
  Path to a client certificate file.

**-K**, **--keyfile** *path*
  Path to a client key file.

**-s**, **--sni** *string*
  Use specified Server Name Indication.

Commands
........

**server** *name* [*port*]
  Specifies a receiving server of the dynamic update message. The *name* parameter
  can be either a host name or an IP address. If the *port* is not specified,
  the default port is used. The default port value can be controlled using
  the **-p** program option.

**local** *address* [*port*]
  Specifies outgoing *address* and *port*. If no local is specified, the
  address and port are set by the system automatically. The default port number
  is 0.

**zone** *name*
  Specifies that all updates are done within a zone *name*. The zone name doesn't
  have a default and must be set explicitly.

**origin** *name*
  Specifies fully qualified domain name suffix which is appended to non-fqd
  owners in update commands. The default is the terminal label (**.**).

**class** *name*
  Sets *name* as the default class for all updates. If not used, the default
  class is IN.

**ttl** *value*
  Sets *value* as the default TTL (in seconds). If not used, the default value
  is 3600.

**key** [*alg*:]\ *name* *key*
  Specifies the TSIG *key* named *name* to authenticate the request. An optional
  *alg* algorithm can be specified. This command has the same effect as
  the program option **-y**.

[**prereq**] **nxdomain** *name*
  Adds a prerequisite for a non-existing record owned by *name*.

[**prereq**] **yxdomain** *name*
  Adds a prerequisite for an existing record owned by *name*.

[**prereq**] **nxrrset** *name* [*class*] *type*
  Adds a prerequisite for a non-existing record of the *type* owned by *name*.
  Internet *class* is expected.

[**prereq**] **yxrrset** *name* [*class*] *type* [*data*]
  Adds a prerequisite for an existing record of the *type* owned by *name*
  with optional *data*. Internet *class* is expected.

[**update**] **add** *name* [*ttl*] [*class*] *type* *data*
  Adds a request to add a new resource record into the zone.
  Please note that if the *name* is not fully qualified domain name, the
  current origin name is appended to it.

[**update**] **del**\[**ete**] *name* [*ttl*] [*class*] [*type*] [*data*]
  Adds a request to remove all (or matching *class*, *type* or *data*)
  resource records from the zone. There is the same requirement for the *name*
  parameter as in **update add** command. The *ttl* item is ignored.

**show**
  Displays current content of the update message.

**send**
  Sends the current update message and cleans the list of updates.

**answer**
  Displays the last answer from the server.

**debug**
  Enable debugging. This command has the same meaning as the **-d** program option.

**exit**
  End the program.

Notes
-----

Options **-k** and **-y** can not be used simultaneously.

Neither `tsig-keygen(8)` nor `dnssec-keygen(1)` keyfile formats are supported.
Use :manpage:`keymgr(8)` to construct a string for **-y** or the file passed to **-k**.

Zone name/server guessing is not supported if the zone name/server is not specified.

An empty line doesn't send the update.

Interactive mode
................

The utility provides interactive mode with basic line editing functionality,
command completion, and command history.

Interactive mode behavior can be customized in `~/.editrc`. Refer to
:manpage:`editrc(5)` for details.

Command history is saved in `~/.knsupdate_history`.

Exit values
-----------

Exit status of 0 means successful operation. Any other exit status indicates
an error.

Examples
--------

1. Send one update of the zone example.com to the server 192.168.1.1. The update
   contains two new records::

     $ knsupdate
     knsupdate> server 192.168.1.1
     knsupdate> zone example.com.
     knsupdate> origin example.com.
     knsupdate> ttl 3600
     knsupdate> add test1.example.com. 7200 A 192.168.2.2
     knsupdate> add test2 TXT "hello"
     knsupdate> show
     knsupdate> send
     knsupdate> answer
     knsupdate> exit

See Also
--------

:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`keymgr(8)`, :manpage:`editrc(5)`.