Open System Services Shell and Utilities Reference Manual (G06.29+, H06.08+, J06.03+)

ManualsBrandsHP ManualsServerHP NonStop G-Series

921

922

923

924

925

926

927

928

929

930

Administrator Commands and Files nsupdate(8)

NAME

nsupdate - Starts the nonsecure BIND 9 dynamic domain name system (DNS) update utility

SYNOPSIS

/etc/dns923/nsupdate

[ -d ]

[ [-ykeyname:secret ][-kkeyﬁle ] ]

[ -v ]

[ ﬁlename ]

DESCRIPTION

nsupdate is used to submit Dynamic DNS Update requests (as deﬁned in RFC2136) to a BIND 9

domain name server. This allows resource records to be added or removed from a zone without

manually editing the zone ﬁle. A single update request can contain requests to add or remove

more than one resource record.

Zones that are under dynamic control via nsupdate or a DHCP server should not be edited by

hand. Manual edits could conﬂict with dynamic updates and cause data to be lost.

The resource records that are dynamically added or removed with nsupdate have to be in the

same zone. Requests are sent to the zone’s master server. This is identiﬁed by the MNAME

ﬁeld of the zone’s SOA record.

The -d ﬂag makes nsupdate operate in debug mode. This mode provides tracing information

about the update requests that are made and the replies received from the name server.

Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the

TSIG resource record type described in RFC2845. The signatures rely on a shared secret that

should only be known to nsupdate and the name server. Currently, the only supported encryp-

tion algorithm for TSIG is HMAC-MD5, which is deﬁned in RFC 2104. Once other algorithms

are deﬁned for TSIG, applications will need to ensure they select the appropriate algorithm as

well as the key when authenticating each other. For instance, suitable key and server statements

would be added to /etc/named.conf so that the name server can associate the appropriate secret

key and algorithm with the IP address of the client application that will use TSIG authentication.

nsupdate does not read /etc/name d.conf.

nsupdate uses the -y or -k ﬂag to provide the shared secret needed to generate a TSIG record for

authenticating Dynamic DNS update requests. These ﬂags are mutually exclusive. With the -k

ﬂag, nsupdate reads the shared secret from the ﬁle keyﬁle , whose name is of the form

Kname.+157.+random.private. For historical reasons, the ﬁle Kname.+157.+random.key must

also be present. When the -y ﬂag is used, a signature is generated from keyname:secret. key-

name is the name of the key, and secret is the base64 encoded shared secret. Use of the -y ﬂag is

discouraged because the shared secret is supplied as a command line argument in clear text. This

may be visible in the output from ps(1) or in a history ﬁle maintained by the user’s shell.

By default, nsupdate uses UDP to send update requests to the name server. The -v ﬂag makes

nsupdate use a TCP connection. This may be preferable when a batch of update requests is

made.

Input Format

nsupdate reads input from ﬁlename or standard input. Each command is supplied on exactly one

line of input. Some commands are for administrative purposes. The others are either update

instructions or prerequisite checks on the contents of the zone. These checks set conditions that

some name or set of resource records (RRset) either exists or is absent from the zone. These con-

ditions must be met if the entire update request is to succeed. Updates are rejected if the tests for

the prerequisite conditions fail.

Every update request consists of zero or more prerequisites and zero or more updates. This

allows a suitably authenticated update request to proceed if some speciﬁed resource records are

527188-021

Hewlett-Packard Company 12−49