summaryrefslogtreecommitdiffstats
path: root/doc/man/nsupdate.1in
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/nsupdate.1in')
-rw-r--r--doc/man/nsupdate.1in437
1 files changed, 437 insertions, 0 deletions
diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in
new file mode 100644
index 0000000..b80f329
--- /dev/null
+++ b/doc/man/nsupdate.1in
@@ -0,0 +1,437 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "NSUPDATE" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
+.SH NAME
+nsupdate \- dynamic DNS update utility
+.SH SYNOPSIS
+.sp
+\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename]
+.SH DESCRIPTION
+.sp
+\fBnsupdate\fP is used to submit Dynamic DNS Update requests, as defined in
+\fI\%RFC 2136\fP, to a name server. This allows resource records to be added or
+removed from a zone without manually editing the zone file. A single
+update request can contain requests to add or remove more than one
+resource record.
+.sp
+Zones that are under dynamic control via \fBnsupdate\fP or a DHCP server
+should not be edited by hand. Manual edits could conflict with dynamic
+updates and cause data to be lost.
+.sp
+The resource records that are dynamically added or removed with
+\fBnsupdate\fP must be in the same zone. Requests are sent to the
+zone\(aqs primary server, which is identified by the MNAME field of the
+zone\(aqs SOA record.
+.sp
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates. These use the TSIG resource record type described in \fI\%RFC 2845\fP,
+the SIG(0) record described in \fI\%RFC 2535\fP and \fI\%RFC 2931\fP, or GSS\-TSIG as
+described in \fI\%RFC 3645\fP\&.
+.sp
+TSIG relies on a shared secret that should only be known to \fBnsupdate\fP
+and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
+statements are added to \fB@sysconfdir@/named.conf\fP so that the name server
+can associate the appropriate secret key and algorithm with the IP
+address of the client application that is using TSIG
+authentication. \fI\%ddns\-confgen\fP can generate suitable
+configuration fragments. \fBnsupdate\fP uses the \fI\%\-y\fP or \fI\%\-k\fP options
+to provide the TSIG shared secret; these options are mutually exclusive.
+.sp
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
+must be stored in a KEY record in a zone served by the name server.
+.sp
+GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched
+on with the \fI\%\-g\fP flag. A non\-standards\-compliant variant of GSS\-TSIG
+used by Windows 2000 can be switched on with the \fI\%\-o\fP flag.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \-4
+This option sets use of IPv4 only.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-6
+This option sets use of IPv6 only.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-C
+Overrides the default \fIresolv.conf\fP file. This is only intended for testing.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-d
+This option sets debug mode, which provides tracing information about the update
+requests that are made and the replies received from the name server.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-D
+This option sets extra debug mode.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-g
+This option enables standard GSS\-TSIG mode.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-i
+This option forces interactive mode, even when standard input is not a terminal.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-k keyfile
+This option indicates the file containing the TSIG authentication key. Keyfiles may be in
+two formats: a single file containing a \fI\%named.conf\fP\-format \fBkey\fP
+statement, which may be generated automatically by \fI\%ddns\-confgen\fP;
+or a pair of files whose names are of the format
+\fBK{name}.+157.+{random}.key\fP and
+\fBK{name}.+157.+{random}.private\fP, which can be generated by
+\fI\%dnssec\-keygen\fP\&. The \fI\%\-k\fP option can also be used to specify a SIG(0)
+key used to authenticate Dynamic DNS update requests. In this case,
+the key specified is not an HMAC\-MD5 key.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-l
+This option sets local\-host only mode, which sets the server address to localhost
+(disabling the \fBserver\fP so that the server address cannot be
+overridden). Connections to the local server use a TSIG key
+found in \fB@runstatedir@/session.key\fP, which is automatically
+generated by \fI\%named\fP if any local \fBprimary\fP zone has set
+\fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
+overridden with the \fI\%\-k\fP option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-L level
+This option sets the logging debug level. If zero, logging is disabled.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-o
+This option enables a non\-standards\-compliant variant of GSS\-TSIG
+used by Windows 2000.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-p port
+This option sets the port to use for connections to a name server. The default is
+53.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-P
+This option prints the list of private BIND\-specific resource record types whose
+format is understood by \fBnsupdate\fP\&. See also the \fI\%\-T\fP option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-r udpretries
+This option sets the number of UDP retries. The default is 3. If zero, only one update
+request is made.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-t timeout
+This option sets the maximum time an update request can take before it is aborted. The
+default is 300 seconds. If zero, the timeout is disabled for TCP mode. For UDP mode,
+the option \fI\%\-u\fP takes precedence over this option, unless the option \fI\%\-u\fP
+is set to zero, in which case the interval is computed from the \fI\%\-t\fP timeout interval
+and the number of UDP retries. For UDP mode, the timeout can not be disabled, and will
+be rounded up to 1 second in case if both \fI\%\-t\fP and \fI\%\-u\fP are set to zero.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-T
+This option prints the list of IANA standard resource record types whose format is
+understood by \fBnsupdate\fP\&. \fBnsupdate\fP exits after the lists
+are printed. The \fI\%\-T\fP option can be combined with the \fI\%\-P\fP
+option.
+.sp
+Other types can be entered using \fBTYPEXXXXX\fP where \fBXXXXX\fP is the
+decimal value of the type with no leading zeros. The rdata, if
+present, is parsed using the UNKNOWN rdata format, (<backslash>
+<hash> <space> <length> <space> <hexstring>).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-u udptimeout
+This option sets the UDP retry interval. The default is 3 seconds. If zero, the
+interval is computed from the timeout interval and number of UDP
+retries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-v
+This option specifies that TCP should be used even for small update requests. By default, \fBnsupdate\fP uses
+UDP to send update requests to the name server unless they are too
+large to fit in a UDP request, in which case TCP is used. TCP may
+be preferable when a batch of update requests is made.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-V
+This option prints the version number and exits.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-y [hmac:]keyname:secret
+This option sets the literal TSIG authentication key. \fBkeyname\fP is the name of the key,
+and \fBsecret\fP is the base64 encoded shared secret. \fBhmac\fP is the
+name of the key algorithm; valid choices are \fBhmac\-md5\fP,
+\fBhmac\-sha1\fP, \fBhmac\-sha224\fP, \fBhmac\-sha256\fP, \fBhmac\-sha384\fP, or
+\fBhmac\-sha512\fP\&. If \fBhmac\fP is not specified, the default is
+\fBhmac\-md5\fP, or if MD5 was disabled, \fBhmac\-sha256\fP\&.
+.sp
+NOTE: Use of the \fI\%\-y\fP option is discouraged because the shared
+secret is supplied as a command\-line argument in clear text. This may
+be visible in the output from ps1 or in a history file maintained by
+the user\(aqs shell.
+.UNINDENT
+.SH INPUT FORMAT
+.sp
+\fBnsupdate\fP reads input from \fBfilename\fP or standard input. Each
+command is supplied on exactly one line of input. Some commands are for
+administrative purposes; others are either update instructions or
+prerequisite checks on the contents of the zone. These checks set
+conditions that some name or set of resource records (RRset) either
+exists or is absent from the zone. These conditions must be met if the
+entire update request is to succeed. Updates are rejected if the
+tests for the prerequisite conditions fail.
+.sp
+Every update request consists of zero or more prerequisites and zero or
+more updates. This allows a suitably authenticated update request to
+proceed if some specified resource records are either present or missing from
+the zone. A blank input line (or the \fBsend\fP command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
+.sp
+The command formats and their meanings are as follows:
+.INDENT 0.0
+.TP
+.B \fBserver servername port\fP
+This command sends all dynamic update requests to the name server \fBservername\fP\&.
+When no server statement is provided, \fBnsupdate\fP sends updates
+to the primary server of the correct zone. The MNAME field of that
+zone\(aqs SOA record identify the primary server for that zone.
+\fBport\fP is the port number on \fBservername\fP where the dynamic
+update requests are sent. If no port number is specified, the default
+DNS port number of 53 is used.
+.sp
+\fBNOTE:\fP
+.INDENT 7.0
+.INDENT 3.5
+This command has no effect when GSS\-TSIG is in use.
+.UNINDENT
+.UNINDENT
+.TP
+.B \fBlocal address port\fP
+This command sends all dynamic update requests using the local \fBaddress\fP\&. When
+no local statement is provided, \fBnsupdate\fP sends updates using
+an address and port chosen by the system. \fBport\fP can also
+be used to force requests to come from a specific port. If no port number
+is specified, the system assigns one.
+.TP
+.B \fBzone zonename\fP
+This command specifies that all updates are to be made to the zone \fBzonename\fP\&.
+If no \fBzone\fP statement is provided, \fBnsupdate\fP attempts to
+determine the correct zone to update based on the rest of the input.
+.TP
+.B \fBclass classname\fP
+This command specifies the default class. If no \fBclass\fP is specified, the default
+class is \fBIN\fP\&.
+.TP
+.B \fBttl seconds\fP
+This command specifies the default time\-to\-live, in seconds, for records to be added. The value
+\fBnone\fP clears the default TTL.
+.TP
+.B \fBkey hmac:keyname secret\fP
+This command specifies that all updates are to be TSIG\-signed using the
+\fBkeyname\fP\-\fBsecret\fP pair. If \fBhmac\fP is specified, it sets
+the signing algorithm in use. The default is \fBhmac\-md5\fP; if MD5
+was disabled, the default is \fBhmac\-sha256\fP\&. The \fBkey\fP command overrides any key
+specified on the command line via \fI\%\-y\fP or \fI\%\-k\fP\&.
+.TP
+.B \fBgsstsig\fP
+This command uses GSS\-TSIG to sign the updates. This is equivalent to specifying
+\fI\%\-g\fP on the command line.
+.TP
+.B \fBoldgsstsig\fP
+This command uses the Windows 2000 version of GSS\-TSIG to sign the updates. This is
+equivalent to specifying \fI\%\-o\fP on the command line.
+.TP
+.B \fBrealm [realm_name]\fP
+When using GSS\-TSIG, this command specifies the use of \fBrealm_name\fP rather than the default realm
+in \fBkrb5.conf\fP\&. If no realm is specified, the saved realm is
+cleared.
+.TP
+.B \fBcheck\-names [boolean]\fP
+This command turns on or off check\-names processing on records to be added.
+Check\-names has no effect on prerequisites or records to be deleted.
+By default check\-names processing is on. If check\-names processing
+fails, the record is not added to the UPDATE message.
+.TP
+.B \fBprereq nxdomain domain\-name\fP
+This command requires that no resource record of any type exist with the name
+\fBdomain\-name\fP\&.
+.TP
+.B \fBprereq yxdomain domain\-name\fP
+This command requires that \fBdomain\-name\fP exist (as at least one resource
+record, of any type).
+.TP
+.B \fBprereq nxrrset domain\-name class type\fP
+This command requires that no resource record exist of the specified \fBtype\fP,
+\fBclass\fP, and \fBdomain\-name\fP\&. If \fBclass\fP is omitted, IN (Internet)
+is assumed.
+.TP
+.B \fBprereq yxrrset domain\-name class type\fP
+This command requires that a resource record of the specified \fBtype\fP,
+\fBclass\fP and \fBdomain\-name\fP exist. If \fBclass\fP is omitted, IN
+(internet) is assumed.
+.TP
+.B \fBprereq yxrrset domain\-name class type data\fP
+With this command, the \fBdata\fP from each set of prerequisites of this form sharing a
+common \fBtype\fP, \fBclass\fP, and \fBdomain\-name\fP are combined to form
+a set of RRs. This set of RRs must exactly match the set of RRs
+existing in the zone at the given \fBtype\fP, \fBclass\fP, and
+\fBdomain\-name\fP\&. The \fBdata\fP are written in the standard text
+representation of the resource record\(aqs RDATA.
+.TP
+.B \fBupdate delete domain\-name ttl class type data\fP
+This command deletes any resource records named \fBdomain\-name\fP\&. If \fBtype\fP and
+\fBdata\fP are provided, only matching resource records are removed.
+The Internet class is assumed if \fBclass\fP is not supplied. The
+\fBttl\fP is ignored, and is only allowed for compatibility.
+.TP
+.B \fBupdate add domain\-name ttl class type data\fP
+This command adds a new resource record with the specified \fBttl\fP, \fBclass\fP, and
+\fBdata\fP\&.
+.TP
+.B \fBshow\fP
+This command displays the current message, containing all of the prerequisites and
+updates specified since the last send.
+.TP
+.B \fBsend\fP
+This command sends the current message. This is equivalent to entering a blank
+line.
+.TP
+.B \fBanswer\fP
+This command displays the answer.
+.TP
+.B \fBdebug\fP
+This command turns on debugging.
+.TP
+.B \fBversion\fP
+This command prints the version number.
+.TP
+.B \fBhelp\fP
+This command prints a list of commands.
+.UNINDENT
+.sp
+Lines beginning with a semicolon (;) are comments and are ignored.
+.SH EXAMPLES
+.sp
+The examples below show how \fBnsupdate\fP can be used to insert and
+delete resource records from the \fBexample.com\fP zone. Notice that the
+input in each example contains a trailing blank line, so that a group of
+commands is sent as one dynamic update request to the primary name
+server for \fBexample.com\fP\&.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# nsupdate
+> update delete oldhost.example.com A
+> update add newhost.example.com 86400 A 172.16.1.1
+> send
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Any A records for \fBoldhost.example.com\fP are deleted, and an A record
+for \fBnewhost.example.com\fP with IP address 172.16.1.1 is added. The
+newly added record has a TTL of 1 day (86400 seconds).
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+# nsupdate
+> prereq nxdomain nickname.example.com
+> update add nickname.example.com 86400 CNAME somehost.example.com
+> send
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+The prerequisite condition tells the name server to verify that there are
+no resource records of any type for \fBnickname.example.com\fP\&. If there
+are, the update request fails. If this name does not exist, a CNAME for
+it is added. This ensures that when the CNAME is added, it cannot
+conflict with the long\-standing rule in \fI\%RFC 1034\fP that a name must not
+exist as any other record type if it exists as a CNAME. (The rule has
+been updated for DNSSEC in \fI\%RFC 2535\fP to allow CNAMEs to have RRSIG,
+DNSKEY, and NSEC records.)
+.SH FILES
+.INDENT 0.0
+.TP
+.B \fB/etc/resolv.conf\fP
+Used to identify the default name server
+.TP
+.B \fB@runstatedir@/session.key\fP
+Sets the default TSIG key for use in local\-only mode
+.TP
+.B \fBK{name}.+157.+{random}.key\fP
+Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
+.TP
+.B \fBK{name}.+157.+{random}.private\fP
+Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fI\%RFC 2136\fP, \fI\%RFC 3007\fP, \fI\%RFC 2104\fP, \fI\%RFC 2845\fP, \fI\%RFC 1034\fP, \fI\%RFC 2535\fP, \fI\%RFC 2931\fP,
+\fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \fI\%tsig\-keygen(8)\fP\&.
+.SH BUGS
+.sp
+The TSIG key is redundantly stored in two separate files. This is a
+consequence of \fBnsupdate\fP using the DST library for its cryptographic
+operations, and may change in future releases.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.