nsupdate(1M) System Administration Commands nsupdate(1M)NAMEnsupdate - Dynamic DNS update utility
SYNOPSISnsupdate [-dv] [-y keyname:secret | -k keyfile] [-t timeout]
[-u udptimeout] [-r udpretries] [filename]
DESCRIPTION
The nsupdate utility submits Dynamic DNS Update requests as defined in
RFC 2136 to a name server. This utility allows resource records to be
added or removed from a zone without manually editing the zone file. A
single update request can contain requests to add or remove more than
one resource record.
Zones that are under dynamic control with nsupdate or a DHCP server
should not be edited by hand. Manual edits could conflict with dynamic
updates and cause data to be lost.
The resource records that are dynamically added or removed with nsup‐
date must be in the same zone. Requests are sent to the zone's master
servers identified by the MNAME field of the zone's SOA record.
Transaction signatures can be used to authenticate the Dynamic DNS
updates using the TSIG resource record type described in RFC 2845. The
signatures rely on a shared secret that should only be known to nsup‐
date and the name server. Currently, the only supported encryption
algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once
other algorithms are defined for TSIG, applications will need to ensure
that they select the appropriate algorithm as well as the key when
authenticating each other. For instance, suitable key and server state‐
ments would be added to /etc/named.conf so that the name server can as‐
sociate the appropriate secret key and algorithm with the IP address of
the client application that will be using TSIG authentication. The
nsupdate utility does not read /etc/named.conf.
The nsupdate utility uses the -y or -k option to provide the shared
secret needed to generate a TSIG record for authenticating Dynamic DNS
update requests. These options are mutually exclusive. See OPTIONS.
OPTIONS
The following options are supported:
-d Operate in debug mode. This provides tracing
information about the update requests that are
made and the replies received from the name
server.
-k keyfile Read the shared secret from the file keyfile,
whose name is of the form K{name}.+157.+{ran‐
dom}.private. For historical reasons, the file
K{name}.+157.+{random}.key must also be present.
-r udpretries Set the number of UDP retries. The default is 3
retries. If udpretries is set to zero, only one
update request is made.
-t timeout Set timeout interval in seconds before update is
aborted. The default is 300 seconds. A setting of
zero disables the timeout.
-u udptimeout Set interval in seconds between UDP retires, the
default is 3 seconds. A setting of zero causes the
interval to be calculated based on the timeout
(-t) and the number of UDP retries (-r).
-v Use a TCP connection. Using a TCP connection could
be preferable when a batch of update requests is
made. By default, nsupdate uses UDP to send update
requests to the name server.
-y keyname:secret Generate a signature from keyname:secret,
wherekeyname is the name of the key and secret is
the base64 encoded shared secret.
Use of the -y option is discouraged because the
shared secret is supplied as a command line argu‐
ment in clear text and could be visible in the
output from ps(1) or in a history file maintained
by the user's shell.
INPUT FORMAT
The nsupdate utility reads input from filename or the standard input.
Each command is supplied on exactly one line of input. Some commands
are for administrative purposes. The others are either update instruc‐
tions or prerequisite checks on the contents of the zone. These checks
set conditions that some name or set of resource records (RRset) either
exists or is absent from the zone. These conditions must be met if the
entire update request is to succeed. Updates will be rejected if the
tests for the prerequisite conditions fail.
Every update request consists of zero or more prerequisites and zero or
more updates. This condition allows a suitably authenticated update
request to proceed if some specified resource records are present or
missing from the zone. A blank input line (or the send command) causes
the accumulated commands to be sent as one Dynamic DNS update request
to the name server.
The command formats and their meaning are as follows:
server servername [ port ]
Send all dynamic update requests to the name server servername.
When no server statement is provided, nsupdate sends updates to the
master server of the correct zone. The MNAME field of that zone's
SOA record identifies the master server for that zone. The port
argument is the port number on servername where the dynamic update
requests get sent. If no port number is specified, the default DNS
port number of 53 is used.
local address [ port ]
Send all dynamic update requests using the local address. When no
local statement is provided, nsupdate sends updates using an
address and port chosen by the system. The port argument can also
be used to make requests come from a specific port. If no port num‐
ber is specified, the system assigns one.
zone zonename
Specify that all updates are to be made to the zone zonename. If no
zone statement is provided, nsupdate attempts to determine the cor‐
rect zone to update based on the rest of the input.
class classname
Specify the default class. If no class is specified the default
class is IN.
key name secret
Specify that all updates are to be TSIG signed using the name
secret pair. The key command overrides any key specified on the
command line with -y or -k.
prereq nxdomain domain-name
Require that no resource record of any type exists withthe name
domain-name.
prereq yxdomain domain-name
Require that domain-name exists (has as at least one resource
record, of any type).
prereq nxrrset domain-name [ class ] type
Require that no resource record exists of the specified type, class
and domain-name. If class is omitted, IN (internet) is assumed.
prereq yxrrset domain-name [ class ] type
Require that a resource record of the specified type, class and
domain-name must exist. If class is omitted, IN (internet) is
assumed.
prereq yxrrset domain-name [ class ] type data...
The data from each set of prerequisites of this form sharing a com‐
mon type, class, and domain-name are combined to form a set of RRs.
This set of RRs must exactly match the set of RRs existing in the
zone at the given type, class, and domain-name. The data are writ‐
ten in the standard text representation of the resource record's
RDATA.
update delete domain-name [ ttl ] [ class ] [ type [ data... ] ]
Delete any resource records named domain-name. If type and data are
provided, only matching resource records are removed. The internet
class is assumed if class is not supplied. The ttl is ignored, and
is only provided for compatibility.
update add domain-name ttl [ class ] type data...
Add a new resource record with the specified ttl, class and data.
show
Display the current message, containing all of the prerequisites
and updates specified since the last send.
send
Sends the current message. This is equivalent to entering a blank
line.
answer
Displays the answer.
Lines beginning with a semicolon are comments and are ignored.
EXAMPLES
Example 1 Inserting and Deleting Resource Records from the Zone
The examples below show how nsupdate could be used to insert and delete
resource records from the example.com zone. Notice that the input in
each example contains a trailing blank line so that a group of commands
are sent as one dynamic update request to the master name server for
example.com.
# nsupdate
> update delete oldhost.example.com A
> update add newhost.example.com 86400 A 172.16.1.1
> send
Any A records for oldhost.example.com are deleted. An A record for
newhost.example.com with IP address 172.16.1.1 is added. The newly-
added record has a 1 day TTL (86400 seconds).
Example 2 Adding CNAME Only If No Records Exist
The following command adds a CNAME only if no records already exist for
it.
# nsupdate
> prereq nxdomain nickname.example.com
> update add nickname.example.com 86400 CNAME somehost.example.com
> send
The prerequisite condition gets the name server to check that there are
no resource records of any type for nickname.example.com. If there are,
the update request fails. If this name does not exist, a CNAME for it
is added. This action ensures that when the CNAME is added, it cannot
conflict with the long-standing rule in RFC 1034 that a name must not
exist as any other record type if it exists as a CNAME. (The rule has
been updated for DNSSEC in RFC 4035 to allow CNAMEs to have RSIG,
DNSKEY, and NSEC records.)
FILES
/etc/resolv.conf
used to identify default name server
K{name}.+157.+{random}.key
base-64 encoding of HMAC-MD5 key created by dnssec-keygen(1M).
K{name}.+157.+{random}.private
base-64 encoding of HMAC-MD5 key created by dnssec-keygen(1M)BUGS
The TSIG key is redundantly stored in two separate files. This is a
consequence of nsupdate using the DST library for its cryptographic
operations and could change in future releases.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │service/network/dns/bind │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Volatile │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOnamed(1M), dnssec-keygen(1M), attributes(5)
RFC 2136, RFC 3007, RFC 2104, RFC 2845, RFC 1034, RFC 2535, RFC 2931,
RFC 4035
SunOS 5.11 24 Dec 2008 nsupdate(1M)