Use nsupdate to create DNS update operations on a host record and
execute them against a name server. You can add
or remove resource records from a zone without manually editing the
zone file. A single update request can contain requests to add or
remove more than one resource record.
You can use this command
in an interactive fashion (where you are prompted through a series
of subcommands and associated input values), or if you know the sequence
of operations and input values beforehand, you can use nsupdate in
batch mode. You can read input from a file. The file name must appear
at the end of the nsupdate command line and must not follow
the -d option.
Format
             .------------------------------.
             V                              |
>>-nsupdate----+--------------------------+-+------------------->
               +- -d----------------------+
               +- -v----------------------+
               +-+- -y --keyname:secret-+-+
               | '- -k --keyfile--------' |
               +- -D----------------------+
               +- -M----------------------+
               '- -V--+-----+-------------'
                      '- v9-'
>--+-----------------+-----------------------------------------><
   '-batch_file_name-'
Parameters
- batch_file_name
- The name of a z/OS UNIX file that
contains nsupdate subcommands, which can be used as input to
the nsupdate command. If the batch_file_name does
not specify a directory, the file must be in the current directory.
The file can contain v9 nsupdate commands, one per line.
- -d
- Turn debug trace on. This provides tracing information about the
update requests that are made and the replies received from the name
server. Use this option if you want to see the response from the server
on the nsupdate client side.
- -v
- By default nsupdate uses UDP to send update requests to
the name server. The -v option makes nsupdate use
a TCP connection. This might be preferable when a batch of update
requests is made.
- -y keyname:secret
- nsupdate uses the -y or -k option
to provide the shared-secret needed to generate a TSIG record for
authenticating Dynamic DNS update requests. These options are mutually
exclusive. When the -y option is used, a
signature is generated from keyname:secret.
The name of the key is keyname, and secret is
the base-64 encoded shared-secret. Use of the -y option
is discouraged because the shared-secret is supplied as a command
line argument in clear text. This might be visible in the output
from ps -ef or in a history file maintained by the
user's shell.
- -k keyfile
- nsupdate uses the -y or -k option
to provide the shared-secret needed to generate a TSIG record for
authenticating Dynamic DNS update requests. These options are mutually
exclusive. With the -k option, nsupdate reads
the shared-secret from the file keyfile,
whose name is of the form K{name}.+157.+{random}.private. For historical
reasons, the file K{name}.+157.+{random}.key must also be present.
- -D
- Turn debug trace and procedure trace on.
- -M
- Turn debug, procedure, and memory trace on.
- -V
- Specifies the version of nsupdate. The only valid version
is v9.
Transaction signatures can be used to authenticate
the Dynamic DNS updates. These use the TSIG resource record type
described in RFC 2845. The signatures rely on a shared-secret that
should be known only to nsupdate and the name server. Currently,
the only supported algorithm for TSIG is HMAC-MD5, a keyed-hash
message authentication code (not an encryption algorithm), which
is defined in RFC 2104. Suitable key{} statements and allow-update{}
or update-policy{} options must be added to the BIND 9 name server
configuration file (for example, /etc/named.conf) so that the name
server can authorize nsupdate clients that use TSIG authentication. nsupdate does
not read /etc/named.conf.
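The -k key file rules and the batch file placement rule described above, written as a preflight wrapper. This is an added example, not IBM's code: it assumes a POSIX shell, and the function names, the NSUPDATE_DEBUG variable and the file-permission check are hypothetical additions.

```shell
#!/bin/sh
# Added example, not IBM's code. Preflight for "nsupdate -k" so the TSIG
# shared secret is never passed on the command line with -y.

# check_keyfile PATH: return 0 if PATH is usable with -k, else 1..4.
check_keyfile() {
    keyfile=$1
    # Name must have the form K{name}.+157.+{random}.private.
    case $(basename "$keyfile") in
        K*.+157.+*.private) ;;
        *) echo "unexpected key file name: $keyfile" >&2; return 1 ;;
    esac
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 2; }
    # The matching .key file must also be present.
    pub=${keyfile%.private}.key
    [ -f "$pub" ] || { echo "missing $pub" >&2; return 3; }
    # Assumption (added hardening, not a documented nsupdate check):
    # refuse a secret that group or other can access.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$keyfile mode too open" >&2; return 4; }
    return 0
}

# run_update KEYFILE BATCHFILE: validate, then call nsupdate in batch mode.
# NSUPDATE_DEBUG (hypothetical variable) adds -d to show server replies.
run_update() {
    keyfile=$1
    batch=$2
    check_keyfile "$keyfile" || return
    [ -r "$batch" ] || { echo "cannot read batch file $batch" >&2; return 5; }
    # Options first, batch file last: its name must end the command line
    # and must not follow -d.
    if [ -n "${NSUPDATE_DEBUG:-}" ]; then
        nsupdate -d -k "$keyfile" "$batch"
    else
        nsupdate -k "$keyfile" "$batch"
    fi
}

# Usage: sh thisfile KEYFILE BATCHFILE
if [ "$#" -eq 2 ]; then
    run_update "$@"
fi
```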