DNS Configuration and Management Manual (G06.27+, H06.05+, J06.03+)

BIND 9.x on the NonStop Server
HP DNS Configuration and Management Manual 529432-003
-k signs updates with TSIG
-d sets the debug mode
-v tells nsupdate to use TCP/IP to communicate with the server
Example: Running nsupdate
The following example illustrates the interactive use of nsupdate. In this example,
nsupdate connects to a name server running on 10.53.0.1. Then the existing record
old.example.com is deleted, and a new record new.example.com is added.
DNS Security Extensions (DNSSEC) Tools
DNSSEC provides the following tools. (For more information about these tools, see the
OSS man pages; also see Table 2-1, OSS Commands to Access man Pages, on
page 2-3 for guidelines for locating the man pages.)
dnssec-keygen—DNSSEC Key Generation Tool
dnssec-keygen generates a key pair that can be used for TSIG or DNSSEC and
writes two output files: a .private file and a .key file. The private key (in the
.private file) is used to generate signatures, and the public key (in the .key file)
is used for signature verification.
In Example 2-12, the -a option specifies the cryptographic algorithm to use (RSA in
this case). The -b option is the length of the keys to generate, in bits. RSA keys
can be from 512 to 2,000 bits long. The -n option specifies the type of key. DNSSEC
keys are always zone keys. The only argument that is not an option is the domain
name of the zone to be signed, which is example.com in this case.
Example 2-11. Using the nsupdate Tool
$ nsupdate
> server 10.53.0.1
> update delete old.example.com A
> update add new.example.com 3600 A 10.1.1.1
>
> quit
Example 2-12. dnssec-keygen
$ dnssec-keygen -a RSA -b 512 -n ZONE example.com.
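
Added example (not part of the HP manual): a Python check that reads the .key file produced by a command such as the one in Example 2-12 and reports the algorithm, the RSA modulus length chosen with -b, and whether the zone-key flag set by -n ZONE is present. It assumes the .key file holds one KEY or DNSKEY record in zone-file syntax with an RFC 3110 RSA public key; the sample record and the 1024-bit minimum are constructed for illustration.

```python
import base64

# Assumption: local policy minimum, not a value from the manual.
MIN_RSA_BITS = 1024
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
                  8: "RSASHA256", 10: "RSASHA512"}

def parse_key_file(text):
    """Parse the single KEY/DNSKEY record of a .key file (zone-file syntax)."""
    body = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tok = body.replace("(", " ").replace(")", " ").split()
    at = next((i for i, t in enumerate(tok) if t.upper() in ("KEY", "DNSKEY")), None)
    if at is None or len(tok) < at + 5:
        raise ValueError("no KEY/DNSKEY record found")
    flags, _protocol, algorithm = (int(t) for t in tok[at + 1:at + 4])
    return {"owner": tok[0], "flags": flags, "algorithm": algorithm,
            "zone_key": bool(flags & 0x0100),          # 256 = zone key
            "public_key": base64.b64decode("".join(tok[at + 4:]))}

def rsa_modulus_bits(public_key):
    """RFC 3110 layout: exponent length (1 or 3 bytes), exponent, modulus."""
    exp_len, offset = public_key[0], 1
    if exp_len == 0:                                   # long form: 2-byte length
        exp_len, offset = int.from_bytes(public_key[1:3], "big"), 3
    modulus = public_key[offset + exp_len:]
    if not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(modulus, "big").bit_length()

def audit_key_file(text, min_bits=MIN_RSA_BITS):
    """Return (record, findings); findings is empty when nothing is flagged."""
    rec, findings = parse_key_file(text), []
    if not rec["zone_key"]:
        findings.append("zone-key flag not set (flags=%d)" % rec["flags"])
    if rec["algorithm"] not in RSA_ALGORITHMS:
        findings.append("algorithm %d is not RSA; size not checked" % rec["algorithm"])
        return rec, findings
    rec["bits"] = rsa_modulus_bits(rec["public_key"])
    if rec["bits"] < min_bits:
        findings.append("RSA modulus is %d bits, below minimum %d" % (rec["bits"], min_bits))
    return rec, findings

def sample_key_file(bits):
    """Constructed record (filler bytes, not a real key) for the demo below."""
    modulus = b"\xc3" + bytes(range(1, bits // 8))
    blob = b"\x03\x01\x00\x01" + modulus               # exponent 65537
    return "example.com. IN KEY 256 3 1 " + base64.b64encode(blob).decode()

if __name__ == "__main__":
    for size in (512, 1024):
        print(size, audit_key_file(sample_key_file(size))[1])
```

To check a real key, pass the text of the generated .key file to audit_key_file() in place of the constructed sample.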