diff options
Diffstat (limited to 'usr.sbin/bind/bin/nsupdate/nsupdate.8')
| -rw-r--r-- | usr.sbin/bind/bin/nsupdate/nsupdate.8 | 72 |
1 files changed, 50 insertions, 22 deletions
diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.8 b/usr.sbin/bind/bin/nsupdate/nsupdate.8 index d47793ff592..ccd9d85251b 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.8 +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.8 @@ -1,25 +1,26 @@ -.\" -.\" Copyright (C) 2000, 2001 Internet Software Consortium. +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM -.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL -.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, -.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING -.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, -.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION -.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $ISC: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $ .\" .TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "" .SH NAME nsupdate \- Dynamic DNS update utility .SH SYNOPSIS .sp -\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-v\fR ] [ \fBfilename\fR ] +\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-t \fItimeout\fB\fR ] [ \fB-u \fIudptimeout\fB\fR ] [ \fB-r \fIudpretries\fB\fR ] [ \fB-v\fR ] [ \fBfilename\fR ] .SH "DESCRIPTION" .PP \fBnsupdate\fR @@ -52,10 +53,10 @@ made and the replies received from the name server. .PP Transaction signatures can be used to authenticate the Dynamic DNS updates. -These use the TSIG resource record type described in RFC2845. -The signatures rely on a shared secret that should only be known to -\fBnsupdate\fR -and the name server. +These use the TSIG resource record type described in RFC2845 or the +SIG(0) record described in RFC3535 and RFC2931. +TSIG relies on a shared secret that should only be known to +\fBnsupdate\fR and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to @@ -70,6 +71,8 @@ statements would be added to so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. +SIG(0) uses public key cryptography. To use a SIG(0) key, the public +key must be stored in a KEY record in a zone served by the name server. \fBnsupdate\fR does not read \fI/etc/named.conf\fR. @@ -79,8 +82,8 @@ uses the \fB-y\fR or \fB-k\fR -option to provide the shared secret needed to generate a TSIG record -for authenticating Dynamic DNS update requests. +option (with an HMAC-MD5 key) to provide the shared secret needed to generate +a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the \fB-k\fR @@ -110,15 +113,31 @@ This may be visible in the output from \fBps\fR(1) or in a history file maintained by the user's shell. .PP +The \fB-k\fR may also be used to specify a SIG(0) key used +to authenticate Dynamic DNS update requests. In this case, the key +specified is not an HMAC-MD5 key. +.PP By default \fBnsupdate\fR -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The \fB-v\fR option makes \fBnsupdate\fR use a TCP connection. This may be preferable when a batch of update requests is made. +.PP +The \fB-t\fR option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout. +.PP +The \fB-u\fR option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries. +.PP +The \fB-r\fR option sets the number of UDP retries. The default is +3. If zero only one update request will be made. .SH "INPUT FORMAT" .PP \fBnsupdate\fR @@ -178,6 +197,11 @@ statement is provided, \fBnsupdate\fR will attempt determine the correct zone to update based on the rest of the input. .TP +\fBclass classname\fR +Specify the default class. +If no \fIclass\fR is specified the default class is +\fIIN\fR. +.TP \fBkey name secret\fR Specifies that all updates are to be TSIG signed using the \fIkeyname\fR \fIkeysecret\fR pair. @@ -263,8 +287,11 @@ updates specified since the last send. .TP \fBsend\fR Sends the current message. This is equivalent to entering a blank line. +.TP +\fBanswer\fR +Displays the answer. .PP -Lines beginning with a semicolon are comments, and are ignored. +Lines beginning with a semicolon are comments and are ignored. .SH "EXAMPLES" .PP The examples below show how @@ -281,7 +308,7 @@ master name server for # nsupdate > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 -> +> send .sp .fi .PP @@ -297,7 +324,7 @@ The newly-added record has a 1 day TTL (86400 seconds) # nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com -> +> send .sp .fi .PP @@ -310,7 +337,7 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -SIG, KEY and NXT records.) +RRSIG, DNSKEY and NSEC records.) .SH "FILES" .TP \fB/etc/resolv.conf\fR @@ -331,6 +358,7 @@ base-64 encoding of HMAC-MD5 key created by \fBRFC2845\fR, \fBRFC1034\fR, \fBRFC2535\fR, +\fBRFC2931\fR, \fBnamed\fR(8), \fBdnssec-keygen\fR(8). .SH "BUGS" |