nsupdate: Command mode

Use nsupdate to create DNS update operations for a host record and submit them to a name server. You can add or remove resource records from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.

You can use this command in an interactive fashion (where you are prompted through a series of subcommands and associated input values), or if you know the sequence of operations and input values beforehand, you can use nsupdate in batch mode. You can read input from a file. The file name must appear at the end of the nsupdate command line and must not follow the -d option.

Format

             .------------------------------.   
             V                              |   
>>-nsupdate----+--------------------------+-+------------------->
               +- -d----------------------+     
               +- -v----------------------+     
               +-+- -y --keyname:secret-+-+     
               | '- -k --keyfile--------' |     
               +- -D----------------------+     
               +- -M----------------------+     
               '- -V--+-----+-------------'     
                      '- v9-'                   

>--+-----------------+-----------------------------------------><
   '-batch_file_name-'   

Parameters

batch_file_name
The name of a z/OS UNIX file that contains nsupdate subcommands, which can be used as input to the nsupdate command. If the batch_file_name does not specify a directory, the file must be in the current directory. The file can contain v9 nsupdate commands, one per line.
-d
Turn debug trace on. This provides tracing information about the update requests that are made and the replies received from the name server. Use this option if you want to see the response from the server on the nsupdate client side.
-v
By default nsupdate uses UDP to send update requests to the name server. The -v option makes nsupdate use a TCP connection. This might be preferable when a batch of update requests is made.
-y keyname:secret
nsupdate uses the -y or -k option to provide the shared-secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. When the -y option is used, a signature is generated from keyname:secret. The name of the key is keyname, and secret is the base-64 encoded shared-secret. Use of the -y option is discouraged because the shared-secret is supplied as a command line argument in clear text. This might be visible in the output from ps -ef or in a history file maintained by the user's shell.
-k keyfile
nsupdate uses the -y or -k option to provide the shared-secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the -k option, nsupdate reads the shared-secret from the file keyfile, whose name is of the form K{name}.+157.+{random}.private. For historical reasons, the file K{name}.+157.+{random}.key must also be present.
-D
Turn debug trace and procedure trace on.
-M
Turn debug, procedure, and memory trace on.
-V
Specifies the version of nsupdate. The only valid version is v9.

Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC 2845. The signatures rely on a shared-secret that should be known only to nsupdate and the name server. Currently, the only supported message authentication algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Suitable key{} statements and allow-update{} or update-policy{} options must be added to the BIND 9 name server configuration file (for example, /etc/named.conf) so that the name server can authorize nsupdate clients that use TSIG authentication. nsupdate does not read /etc/named.conf.
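
The -k keyfile requirements described above (the K{name}.+157.+{random}.private name, the companion .key file, and a shared-secret known only to nsupdate and the name server) can be checked before nsupdate is run. The following shell function is an added example, not part of nsupdate or of the original documentation; check_tsig_keyfile, owner_only and updates.txt are hypothetical names, and the permission check assumes that both files of an HMAC key pair hold the secret.

```shell
#!/bin/sh
# Added example: pre-flight check for the keyfile passed to "nsupdate -k".
# check_tsig_keyfile and owner_only are hypothetical helpers, not part of nsupdate.

# Succeeds only if group and other have no permission bits on $1.
owner_only() {
    # Characters 5-10 of the "ls -l" mode string are the group/other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

check_tsig_keyfile() {
    private=$1
    base=${private##*/}

    # The name must have the form K{name}.+157.+{random}.private
    case $base in
        K?*.+157.+?*.private) ;;
        *) echo "keyfile: $base is not K{name}.+157.+{random}.private" >&2
           return 1 ;;
    esac

    # The matching .key file must sit beside the .private file.
    public=${private%.private}.key
    for f in "$private" "$public"; do
        if [ ! -f "$f" ]; then
            echo "keyfile: $f is missing" >&2
            return 1
        fi
        # Assumption: for an HMAC key both files carry the shared-secret,
        # so neither may be accessible to group or other.
        if ! owner_only "$f"; then
            echo "keyfile: $f is accessible to group or other" >&2
            return 1
        fi
    done
    return 0
}

# Usage (batch file name last, as the command line requires):
#   check_tsig_keyfile "$KEYFILE" && nsupdate -k "$KEYFILE" updates.txt
```

Running the check first keeps the secret off the command line, unlike -y, and catches a missing .key file or loose permissions before any update request is sent.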