From 874d2a93ca50407b68377459d4b0ffbc021dfd92 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 9 Mar 2009 04:21:56 +0000 Subject: [PATCH] 2574. [doc] Document nsupdate -g and -o. [RT #19351] --- CHANGES | 2 ++ bin/nsupdate/nsupdate.docbook | 53 ++++++++++++++++++----------------- 2 files changed, 30 insertions(+), 25 deletions(-) diff --git a/CHANGES b/CHANGES index 077af1bebc..56129c7aaa 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2574. [doc] Document nsupdate -g and -o. [RT #19351] + 2573. [bug] Replacing a non-CNAME record with a CNAME record in a single transaction in a signed zone failed. [RT #19397] diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook index 959666ebf3..c42a053f18 100644 --- a/bin/nsupdate/nsupdate.docbook +++ b/bin/nsupdate/nsupdate.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + Jun 30, 2000 @@ -58,6 +58,8 @@ + + 
@@ -109,31 +111,27 @@ report additional debugging information to . - Transaction signatures can be used to authenticate the Dynamic DNS - updates. - These use the TSIG resource record type described in RFC2845 or the - SIG(0) record described in RFC3535 and RFC2931. - TSIG relies on a shared secret that should only be known to - nsupdate and the name server. - Currently, the only supported encryption algorithm for TSIG is - HMAC-MD5, which is defined in RFC 2104. - Once other algorithms are defined for TSIG, applications will need to - ensure they select the appropriate algorithm as well as the key when - authenticating each other. - For instance, suitable - key - and - server - statements would be added to - /etc/named.conf - so that the name server can associate the appropriate secret key - and algorithm with the IP address of the - client application that will be using TSIG authentication. - SIG(0) uses public key cryptography. To use a SIG(0) key, the public - key must be stored in a KEY record in a zone served by the name server. - nsupdate - does not read + Transaction signatures can be used to authenticate the Dynamic + DNS updates. These use the TSIG resource record type described + in RFC2845 or the SIG(0) record described in RFC3535 and + RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on + a shared secret that should only be known to + nsupdate and the name server. Currently, + the only supported encryption algorithm for TSIG is HMAC-MD5, + which is defined in RFC 2104. Once other algorithms are + defined for TSIG, applications will need to ensure they select + the appropriate algorithm as well as the key when authenticating + each other. For instance, suitable key and + server statements would be added to + /etc/named.conf so that the name server + can associate the appropriate secret key and algorithm with + the IP address of the client application that will be using + TSIG authentication. SIG(0) uses public key cryptography. 
+ To use a SIG(0) key, the public key must be stored in a KEY + record in a zone served by the name server. + nsupdate does not read /etc/named.conf. + GSS-TSIG uses Kerberos credentials. nsupdate uses the or option @@ -165,6 +163,11 @@ to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. + + The and specify that + GSS-TSIG is to be used. The should only + be used with old Microsoft Windows 2000 servers. + By default, nsupdate
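Review bot: In the nsupdate.docbook hunk at @@ -109,31 +111,27, the reflowed sentence "in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS-TSIG as described in RFC3645" chains three mechanisms with "or ... and ... or", so it is unclear which RFCs belong to which mechanism. Splitting it into one clause per mechanism (TSIG, SIG(0), GSS-TSIG) would fix that. Since the paragraph is being rewrapped anyway, the carried-over "RFC3535" citation should be corrected: SIG records were specified in RFC 2535, and SIG(0) in RFC 2931. The new sentence "GSS-TSIG uses Kerberos credentials." also lands after the remark that nsupdate does not read /etc/named.conf, away from the TSIG and SIG(0) descriptions, and does not say where those credentials are taken from. Moving it next to the other two mechanisms and adding that detail would make the paragraph easier to follow.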
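Review bot: In the nsupdate.docbook hunk at @@ -165,6 +163,11, the added paragraph says one of the two options "should only be used with old Microsoft Windows 2000 servers" but never says how that option behaves differently from the other one, so a reader cannot judge what they give up by selecting it or when it is safe to stop using it. Suggest adding one sentence that states the difference in behaviour, and a pointer back to the "GSS-TSIG uses Kerberos credentials." sentence from the earlier hunk, so it is clear that these options rely on Kerberos credentials, unlike the key-based options described immediately above.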