379 lines
14 KiB
Plaintext
379 lines
14 KiB
Plaintext
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "NSUPDATE" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
nsupdate \- dynamic DNS update utility
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename]
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBnsupdate\fP is used to submit Dynamic DNS Update requests as defined in
|
|
\fI\%RFC 2136\fP to a name server. This allows resource records to be added or
|
|
removed from a zone without manually editing the zone file. A single
|
|
update request can contain requests to add or remove more than one
|
|
resource record.
|
|
.sp
|
|
Zones that are under dynamic control via \fBnsupdate\fP or a DHCP server
|
|
should not be edited by hand. Manual edits could conflict with dynamic
|
|
updates and cause data to be lost.
|
|
.sp
|
|
The resource records that are dynamically added or removed with
|
|
\fBnsupdate\fP have to be in the same zone. Requests are sent to the
|
|
zone\(aqs master server. This is identified by the MNAME field of the
|
|
zone\(aqs SOA record.
|
|
.sp
|
|
Transaction signatures can be used to authenticate the Dynamic DNS
|
|
updates. These use the TSIG resource record type described in \fI\%RFC 2845\fP
|
|
or the SIG(0) record described in \fI\%RFC 2535\fP and \fI\%RFC 2931\fP or GSS\-TSIG as
|
|
described in \fI\%RFC 3645\fP\&.
|
|
.sp
|
|
TSIG relies on a shared secret that should only be known to \fBnsupdate\fP
|
|
and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
|
|
statements would be added to \fB/etc/named.conf\fP so that the name server
|
|
can associate the appropriate secret key and algorithm with the IP
|
|
address of the client application that will be using TSIG
|
|
authentication. You can use \fBddns\-confgen\fP to generate suitable
|
|
configuration fragments. \fBnsupdate\fP uses the \fB\-y\fP or \fB\-k\fP options
|
|
to provide the TSIG shared secret. These options are mutually exclusive.
|
|
.sp
|
|
SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
|
|
must be stored in a KEY record in a zone served by the name server.
|
|
.sp
|
|
GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched
|
|
on with the \fB\-g\fP flag. A non\-standards\-compliant variant of GSS\-TSIG
|
|
used by Windows 2000 can be switched on with the \fB\-o\fP flag.
|
|
.SH OPTIONS
|
|
.INDENT 0.0
|
|
.TP
|
|
\fB\-4\fP
|
|
Use IPv4 only.
|
|
.TP
|
|
\fB\-6\fP
|
|
Use IPv6 only.
|
|
.TP
|
|
\fB\-d\fP
|
|
Debug mode. This provides tracing information about the update
|
|
requests that are made and the replies received from the name server.
|
|
.TP
|
|
\fB\-D\fP
|
|
Extra debug mode.
|
|
.TP
|
|
\fB\-i\fP
|
|
Force interactive mode, even when standard input is not a terminal.
|
|
.TP
|
|
\fB\-k\fP keyfile
|
|
The file containing the TSIG authentication key. Keyfiles may be in
|
|
two formats: a single file containing a \fBnamed.conf\fP\-format \fBkey\fP
|
|
statement, which may be generated automatically by \fBddns\-confgen\fP,
|
|
or a pair of files whose names are of the format
|
|
\fBK{name}.+157.+{random}.key\fP and
|
|
\fBK{name}.+157.+{random}.private\fP, which can be generated by
|
|
\fBdnssec\-keygen\fP\&. The \fB\-k\fP may also be used to specify a SIG(0)
|
|
key used to authenticate Dynamic DNS update requests. In this case,
|
|
the key specified is not an HMAC\-MD5 key.
|
|
.TP
|
|
\fB\-l\fP
|
|
Local\-host only mode. This sets the server address to localhost
|
|
(disabling the \fBserver\fP so that the server address cannot be
|
|
overridden). Connections to the local server will use a TSIG key
|
|
found in \fB/var/run/named/session.key\fP, which is automatically
|
|
generated by \fBnamed\fP if any local master zone has set
|
|
\fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
|
|
overridden with the \fB\-k\fP option.
|
|
.TP
|
|
\fB\-L\fP level
|
|
Set the logging debug level. If zero, logging is disabled.
|
|
.TP
|
|
\fB\-p\fP port
|
|
Set the port to use for connections to a name server. The default is
|
|
53.
|
|
.TP
|
|
\fB\-P\fP
|
|
Print the list of private BIND\-specific resource record types whose
|
|
format is understood by \fBnsupdate\fP\&. See also the \fB\-T\fP option.
|
|
.TP
|
|
\fB\-r\fP udpretries
|
|
The number of UDP retries. The default is 3. If zero, only one update
|
|
request will be made.
|
|
.TP
|
|
\fB\-t\fP timeout
|
|
The maximum time an update request can take before it is aborted. The
|
|
default is 300 seconds. Zero can be used to disable the timeout.
|
|
.TP
|
|
\fB\-T\fP
|
|
Print the list of IANA standard resource record types whose format is
|
|
understood by \fBnsupdate\fP\&. \fBnsupdate\fP will exit after the lists
|
|
are printed. The \fB\-T\fP option can be combined with the \fB\-P\fP
|
|
option.
|
|
.sp
|
|
Other types can be entered using "TYPEXXXXX" where "XXXXX" is the
|
|
decimal value of the type with no leading zeros. The rdata, if
|
|
present, will be parsed using the UNKNOWN rdata format, (<backslash>
|
|
<hash> <space> <length> <space> <hexstring>).
|
|
.TP
|
|
\fB\-u\fP udptimeout
|
|
The UDP retry interval. The default is 3 seconds. If zero, the
|
|
interval will be computed from the timeout interval and number of UDP
|
|
retries.
|
|
.TP
|
|
\fB\-v\fP
|
|
Use TCP even for small update requests. By default, \fBnsupdate\fP uses
|
|
UDP to send update requests to the name server unless they are too
|
|
large to fit in a UDP request in which case TCP will be used. TCP may
|
|
be preferable when a batch of update requests is made.
|
|
.TP
|
|
\fB\-V\fP
|
|
Print the version number and exit.
|
|
.TP
|
|
\fB\-y\fP [hmac:]keyname:secret
|
|
Literal TSIG authentication key. \fBkeyname\fP is the name of the key,
|
|
and \fBsecret\fP is the base64 encoded shared secret. \fBhmac\fP is the
|
|
name of the key algorithm; valid choices are \fBhmac\-md5\fP,
|
|
\fBhmac\-sha1\fP, \fBhmac\-sha224\fP, \fBhmac\-sha256\fP, \fBhmac\-sha384\fP, or
|
|
\fBhmac\-sha512\fP\&. If \fBhmac\fP is not specified, the default is
|
|
\fBhmac\-md5\fP or if MD5 was disabled \fBhmac\-sha256\fP\&.
|
|
.sp
|
|
NOTE: Use of the \fB\-y\fP option is discouraged because the shared
|
|
secret is supplied as a command line argument in clear text. This may
|
|
be visible in the output from ps1 or in a history file maintained by
|
|
the user\(aqs shell.
|
|
.UNINDENT
|
|
.SH INPUT FORMAT
|
|
.sp
|
|
\fBnsupdate\fP reads input from \fBfilename\fP or standard input. Each
|
|
command is supplied on exactly one line of input. Some commands are for
|
|
administrative purposes. The others are either update instructions or
|
|
prerequisite checks on the contents of the zone. These checks set
|
|
conditions that some name or set of resource records (RRset) either
|
|
exists or is absent from the zone. These conditions must be met if the
|
|
entire update request is to succeed. Updates will be rejected if the
|
|
tests for the prerequisite conditions fail.
|
|
.sp
|
|
Every update request consists of zero or more prerequisites and zero or
|
|
more updates. This allows a suitably authenticated update request to
|
|
proceed if some specified resource records are present or missing from
|
|
the zone. A blank input line (or the \fBsend\fP command) causes the
|
|
accumulated commands to be sent as one Dynamic DNS update request to the
|
|
name server.
|
|
.sp
|
|
The command formats and their meaning are as follows:
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \fBserver\fP servername port
|
|
Sends all dynamic update requests to the name server \fBservername\fP\&.
|
|
When no server statement is provided, \fBnsupdate\fP will send updates
|
|
to the master server of the correct zone. The MNAME field of that
|
|
zone\(aqs SOA record will identify the master server for that zone.
|
|
\fBport\fP is the port number on \fBservername\fP where the dynamic
|
|
update requests get sent. If no port number is specified, the default
|
|
DNS port number of 53 is used.
|
|
.TP
|
|
.B \fBlocal\fP address port
|
|
Sends all dynamic update requests using the local \fBaddress\fP\&. When
|
|
no local statement is provided, \fBnsupdate\fP will send updates using
|
|
an address and port chosen by the system. \fBport\fP can additionally
|
|
be used to make requests come from a specific port. If no port number
|
|
is specified, the system will assign one.
|
|
.TP
|
|
.B \fBzone\fP zonename
|
|
Specifies that all updates are to be made to the zone \fBzonename\fP\&.
|
|
If no \fBzone\fP statement is provided, \fBnsupdate\fP will attempt
|
|
determine the correct zone to update based on the rest of the input.
|
|
.TP
|
|
.B \fBclass\fP classname
|
|
Specify the default class. If no \fBclass\fP is specified, the default
|
|
class is \fBIN\fP\&.
|
|
.TP
|
|
.B \fBttl\fP seconds
|
|
Specify the default time to live for records to be added. The value
|
|
\fBnone\fP will clear the default ttl.
|
|
.TP
|
|
.B \fBkey\fP hmac:keyname secret
|
|
Specifies that all updates are to be TSIG\-signed using the
|
|
\fBkeyname\fP \fBsecret\fP pair. If \fBhmac\fP is specified, then it sets
|
|
the signing algorithm in use; the default is \fBhmac\-md5\fP or if MD5
|
|
was disabled \fBhmac\-sha256\fP\&. The \fBkey\fP command overrides any key
|
|
specified on the command line via \fB\-y\fP or \fB\-k\fP\&.
|
|
.TP
|
|
.B \fBgsstsig\fP
|
|
Use GSS\-TSIG to sign the updated. This is equivalent to specifying
|
|
\fB\-g\fP on the command line.
|
|
.TP
|
|
.B \fBoldgsstsig\fP
|
|
Use the Windows 2000 version of GSS\-TSIG to sign the updated. This is
|
|
equivalent to specifying \fB\-o\fP on the command line.
|
|
.TP
|
|
.B \fBrealm\fP [realm_name]
|
|
When using GSS\-TSIG use \fBrealm_name\fP rather than the default realm
|
|
in \fBkrb5.conf\fP\&. If no realm is specified the saved realm is
|
|
cleared.
|
|
.TP
|
|
.B \fBcheck\-names\fP [yes_or_no]
|
|
Turn on or off check\-names processing on records to be added.
|
|
Check\-names has no effect on prerequisites or records to be deleted.
|
|
By default check\-names processing is on. If check\-names processing
|
|
fails the record will not be added to the UPDATE message.
|
|
.TP
|
|
.B \fBprereq nxdomain\fP domain\-name
|
|
Requires that no resource record of any type exists with name
|
|
\fBdomain\-name\fP\&.
|
|
.TP
|
|
.B \fBprereq yxdomain\fP domain\-name
|
|
Requires that \fBdomain\-name\fP exists (has as at least one resource
|
|
record, of any type).
|
|
.TP
|
|
.B \fBprereq nxrrset\fP domain\-name class type
|
|
Requires that no resource record exists of the specified \fBtype\fP,
|
|
\fBclass\fP and \fBdomain\-name\fP\&. If \fBclass\fP is omitted, IN (internet)
|
|
is assumed.
|
|
.TP
|
|
.B \fBprereq yxrrset\fP domain\-name class type
|
|
This requires that a resource record of the specified \fBtype\fP,
|
|
\fBclass\fP and \fBdomain\-name\fP must exist. If \fBclass\fP is omitted, IN
|
|
(internet) is assumed.
|
|
.TP
|
|
.B \fBprereq yxrrset\fP domain\-name class type data
|
|
The \fBdata\fP from each set of prerequisites of this form sharing a
|
|
common \fBtype\fP, \fBclass\fP, and \fBdomain\-name\fP are combined to form
|
|
a set of RRs. This set of RRs must exactly match the set of RRs
|
|
existing in the zone at the given \fBtype\fP, \fBclass\fP, and
|
|
\fBdomain\-name\fP\&. The \fBdata\fP are written in the standard text
|
|
representation of the resource record\(aqs RDATA.
|
|
.TP
|
|
.B \fBupdate delete\fP domain\-name ttl class type data
|
|
Deletes any resource records named \fBdomain\-name\fP\&. If \fBtype\fP and
|
|
\fBdata\fP is provided, only matching resource records will be removed.
|
|
The internet class is assumed if \fBclass\fP is not supplied. The
|
|
\fBttl\fP is ignored, and is only allowed for compatibility.
|
|
.TP
|
|
.B \fBupdate add\fP domain\-name ttl class type data
|
|
Adds a new resource record with the specified \fBttl\fP, \fBclass\fP and
|
|
\fBdata\fP\&.
|
|
.TP
|
|
.B \fBshow\fP
|
|
Displays the current message, containing all of the prerequisites and
|
|
updates specified since the last send.
|
|
.TP
|
|
.B \fBsend\fP
|
|
Sends the current message. This is equivalent to entering a blank
|
|
line.
|
|
.TP
|
|
.B \fBanswer\fP
|
|
Displays the answer.
|
|
.TP
|
|
.B \fBdebug\fP
|
|
Turn on debugging.
|
|
.TP
|
|
.B \fBversion\fP
|
|
Print version number.
|
|
.TP
|
|
.B \fBhelp\fP
|
|
Print a list of commands.
|
|
.UNINDENT
|
|
.sp
|
|
Lines beginning with a semicolon are comments and are ignored.
|
|
.SH EXAMPLES
|
|
.sp
|
|
The examples below show how \fBnsupdate\fP could be used to insert and
|
|
delete resource records from the \fBexample.com\fP zone. Notice that the
|
|
input in each example contains a trailing blank line so that a group of
|
|
commands are sent as one dynamic update request to the master name
|
|
server for \fBexample.com\fP\&.
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
# nsupdate
|
|
> update delete oldhost.example.com A
|
|
> update add newhost.example.com 86400 A 172.16.1.1
|
|
> send
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Any A records for \fBoldhost.example.com\fP are deleted. And an A record
|
|
for \fBnewhost.example.com\fP with IP address 172.16.1.1 is added. The
|
|
newly\-added record has a 1 day TTL (86400 seconds).
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
# nsupdate
|
|
> prereq nxdomain nickname.example.com
|
|
> update add nickname.example.com 86400 CNAME somehost.example.com
|
|
> send
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
The prerequisite condition gets the name server to check that there are
|
|
no resource records of any type for \fBnickname.example.com\fP\&. If there
|
|
are, the update request fails. If this name does not exist, a CNAME for
|
|
it is added. This ensures that when the CNAME is added, it cannot
|
|
conflict with the long\-standing rule in \fI\%RFC 1034\fP that a name must not
|
|
exist as any other record type if it exists as a CNAME. (The rule has
|
|
been updated for DNSSEC in \fI\%RFC 2535\fP to allow CNAMEs to have RRSIG,
|
|
DNSKEY and NSEC records.)
|
|
.SH FILES
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \fB/etc/resolv.conf\fP
|
|
used to identify default name server
|
|
.TP
|
|
.B \fB/var/run/named/session.key\fP
|
|
sets the default TSIG key for use in local\-only mode
|
|
.TP
|
|
.B \fBK{name}.+157.+{random}.key\fP
|
|
base\-64 encoding of HMAC\-MD5 key created by dnssec\-keygen8.
|
|
.TP
|
|
.B \fBK{name}.+157.+{random}.private\fP
|
|
base\-64 encoding of HMAC\-MD5 key created by dnssec\-keygen8.
|
|
.UNINDENT
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fI\%RFC 2136\fP, \fI\%RFC 3007\fP, \fI\%RFC 2104\fP, \fI\%RFC 2845\fP, \fI\%RFC 1034\fP, \fI\%RFC 2535\fP, \fI\%RFC 2931\fP,
|
|
\fBnamed(8)\fP, \fBddns\-confgen(8)\fP, \fBdnssec\-keygen(8)\fP\&.
|
|
.SH BUGS
|
|
.sp
|
|
The TSIG key is redundantly stored in two separate files. This is a
|
|
consequence of nsupdate using the DST library for its cryptographic
|
|
operations, and may change in future releases.
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2020, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|