Diffstat (limited to 'usr.sbin/bind/bin/nsupdate/nsupdate.html')
-rw-r--r-- | usr.sbin/bind/bin/nsupdate/nsupdate.html | 471 |
1 files changed, 237 insertions, 234 deletions
diff --git a/usr.sbin/bind/bin/nsupdate/nsupdate.html b/usr.sbin/bind/bin/nsupdate/nsupdate.html index e3c67d4a1d4..7697ead9982 100644 --- a/usr.sbin/bind/bin/nsupdate/nsupdate.html +++ b/usr.sbin/bind/bin/nsupdate/nsupdate.html 
@@ -1,27 +1,30 @@ <!-- - - Copyright (C) 2000, 2001 Internet Software Consortium. - - + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. + - - Permission to use, copy, modify, and distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM - - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL - - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL - - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING - - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, - - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION - - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. --> + +<!-- $ISC: nsupdate.html,v 1.9.2.3.2.5 2004/08/22 23:38:59 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML ><HEAD ><TITLE >nsupdate</TITLE ><META NAME="GENERATOR" -CONTENT="Modular DocBook HTML Stylesheet Version 1.73 -"></HEAD +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD ><BODY CLASS="REFENTRY" BGCOLOR="#FFFFFF" @@ -32,8 +35,8 @@ ALINK="#0000FF" ><H1 ><A NAME="AEN1" ->nsupdate</A -></H1 +></A +>nsupdate</H1 ><DIV CLASS="REFNAMEDIV" ><A 
@@ -53,34 +56,48 @@ NAME="AEN11" ><B CLASS="COMMAND" >nsupdate</B -> [<TT +> [<VAR +CLASS="OPTION" +>-d</VAR +>] [<VAR +CLASS="OPTION" +>-y <VAR +CLASS="REPLACEABLE" +>keyname:secret</VAR +></VAR +> | <VAR CLASS="OPTION" ->-d</TT ->] [<TT +>-k <VAR +CLASS="REPLACEABLE" +>keyfile</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-t <VAR +CLASS="REPLACEABLE" +>timeout</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-y <TT +>-u <VAR CLASS="REPLACEABLE" -><I ->keyname:secret</I -></TT -></TT -> | <TT +>udptimeout</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-k <TT +>-r <VAR CLASS="REPLACEABLE" -><I ->keyfile</I -></TT -></TT ->] [<TT +>udpretries</VAR +></VAR +>] [<VAR CLASS="OPTION" ->-v</TT +>-v</VAR >] [filename]</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN26" +NAME="AEN35" ></A ><H2 >DESCRIPTION</H2 @@ -115,9 +132,9 @@ Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.</P ><P >The -<TT +<VAR CLASS="OPTION" ->-d</TT +>-d</VAR > option makes <B @@ -130,13 +147,13 @@ made and the replies received from the name server.</P ><P >Transaction signatures can be used to authenticate the Dynamic DNS updates. -These use the TSIG resource record type described in RFC2845. -The signatures rely on a shared secret that should only be known to +These use the TSIG resource record type described in RFC2845 or the +SIG(0) record described in RFC3535 and RFC2931. +TSIG relies on a shared secret that should only be known to <B CLASS="COMMAND" >nsupdate</B -> -and the name server. +> and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to 
@@ -160,6 +177,8 @@ CLASS="FILENAME" so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. +SIG(0) uses public key cryptography. To use a SIG(0) key, the public +key must be stored in a KEY record in a zone served by the name server. <B CLASS="COMMAND" >nsupdate</B @@ -175,22 +194,22 @@ CLASS="COMMAND" >nsupdate</B > uses the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > or -<TT +<VAR CLASS="OPTION" ->-k</TT +>-k</VAR > -option to provide the shared secret needed to generate a TSIG record -for authenticating Dynamic DNS update requests. +option (with an HMAC-MD5 key) to provide the shared secret needed to generate +a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the -<TT +<VAR CLASS="OPTION" ->-k</TT +>-k</VAR > option, <B @@ -198,11 +217,9 @@ CLASS="COMMAND" >nsupdate</B > reads the shared secret from the file -<TT +<VAR CLASS="PARAMETER" -><I ->keyfile</I -></TT +>keyfile</VAR >, whose name is of the form <TT @@ -216,36 +233,30 @@ CLASS="FILENAME" >K{name}.+157.+{random}.key</TT > must also be present. When the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option is used, a signature is generated from -<TT +<VAR CLASS="PARAMETER" -><I ->keyname:secret.</I -></TT +>keyname:secret.</VAR > -<TT +<VAR CLASS="PARAMETER" -><I ->keyname</I -></TT +>keyname</VAR > is the name of the key, and -<TT +<VAR CLASS="PARAMETER" -><I ->secret</I -></TT +>secret</VAR > is the base64 encoded shared secret. Use of the -<TT +<VAR CLASS="OPTION" ->-y</TT +>-y</VAR > option is discouraged because the shared secret is supplied as a command line argument in clear text. 
@@ -259,16 +270,24 @@ CLASS="REFENTRYTITLE" > or in a history file maintained by the user's shell.</P ><P +>The <VAR +CLASS="OPTION" +>-k</VAR +> may also be used to specify a SIG(0) key used +to authenticate Dynamic DNS update requests. In this case, the key +specified is not an HMAC-MD5 key.</P +><P >By default <B CLASS="COMMAND" >nsupdate</B > -uses UDP to send update requests to the name server. +uses UDP to send update requests to the name server unless they are too +large to fit in a UDP request in which case TCP will be used. The -<TT +<VAR CLASS="OPTION" ->-v</TT +>-v</VAR > option makes <B @@ -277,11 +296,31 @@ CLASS="COMMAND" > use a TCP connection. This may be preferable when a batch of update requests is made.</P +><P +>The <VAR +CLASS="OPTION" +>-t</VAR +> option sets the maximum time a update request can +take before it is aborted. The default is 300 seconds. Zero can be used +to disable the timeout.</P +><P +>The <VAR +CLASS="OPTION" +>-u</VAR +> option sets the UDP retry interval. The default is +3 seconds. If zero the interval will be computed from the timeout interval +and number of UDP retries.</P +><P +>The <VAR +CLASS="OPTION" +>-r</VAR +> option sets the number of UDP retries. The default is +3. If zero only one update request will be made.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN65" +NAME="AEN82" ></A ><H2 >INPUT FORMAT</H2 @@ -291,11 +330,9 @@ CLASS="COMMAND" >nsupdate</B > reads input from -<TT +<VAR CLASS="PARAMETER" -><I ->filename</I -></TT +>filename</VAR > or standard input. Each command is supplied on exactly one line of input. @@ -334,11 +371,9 @@ CLASS="COMMAND" ><DD ><P >Sends all dynamic update requests to the name server -<TT +<VAR CLASS="PARAMETER" -><I ->servername</I -></TT +>servername</VAR >. When no server statement is provided, <B 
@@ -348,18 +383,14 @@ CLASS="COMMAND" will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone. -<TT +<VAR CLASS="PARAMETER" -><I ->port</I -></TT +>port</VAR > is the port number on -<TT +<VAR CLASS="PARAMETER" -><I ->servername</I -></TT +>servername</VAR > where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is @@ -375,11 +406,9 @@ CLASS="COMMAND" ><DD ><P >Sends all dynamic update requests using the local -<TT +<VAR CLASS="PARAMETER" -><I ->address</I -></TT +>address</VAR >. When no local statement is provided, @@ -388,11 +417,9 @@ CLASS="COMMAND" >nsupdate</B > will send updates using an address and port chosen by the system. -<TT +<VAR CLASS="PARAMETER" -><I ->port</I -></TT +>port</VAR > can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one. </P @@ -407,18 +434,14 @@ CLASS="COMMAND" ><DD ><P >Specifies that all updates are to be made to the zone -<TT +<VAR CLASS="PARAMETER" -><I ->zonename</I -></TT +>zonename</VAR >. If no -<TT +<VAR CLASS="PARAMETER" -><I ->zone</I -></TT +>zone</VAR > statement is provided, <B 
@@ -431,34 +454,49 @@ will attempt determine the correct zone to update based on the rest of the input ><P ><B CLASS="COMMAND" +>class</B +> {classname}</P +></DT +><DD +><P +>Specify the default class. +If no <VAR +CLASS="PARAMETER" +>class</VAR +> is specified the default class is +<VAR +CLASS="PARAMETER" +>IN</VAR +>.</P +></DD +><DT +><P +><B +CLASS="COMMAND" >key</B > {name} {secret}</P ></DT ><DD ><P >Specifies that all updates are to be TSIG signed using the -<TT +<VAR CLASS="PARAMETER" -><I ->keyname</I -></TT -> <TT +>keyname</VAR +> <VAR CLASS="PARAMETER" -><I ->keysecret</I -></TT +>keysecret</VAR > pair. The <B CLASS="COMMAND" >key</B > command overrides any key specified on the command line via -<TT +<VAR CLASS="OPTION" ->-y</TT -> or <TT +>-y</VAR +> or <VAR CLASS="OPTION" ->-k</TT +>-k</VAR >.</P ></DD ><DT @@ -471,11 +509,9 @@ CLASS="COMMAND" ><DD ><P >Requires that no resource record of any type exists with name -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >.</P ></DD ><DT @@ -488,11 +524,9 @@ CLASS="COMMAND" ><DD ><P >Requires that -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > exists (has as at least one resource record, of any type).</P ></DD @@ -506,34 +540,25 @@ CLASS="COMMAND" ><DD ><P >Requires that no resource record exists of the specified -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. If -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > -is omitted, IN (internet) is assumed. - </P +is omitted, IN (internet) is assumed.</P ></DD ><DT ><P 
@@ -545,32 +570,24 @@ CLASS="COMMAND" ><DD ><P >This requires that a resource record of the specified -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > must exist. If -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > is omitted, IN (internet) is assumed.</P ></DD @@ -584,61 +601,45 @@ CLASS="COMMAND" ><DD ><P >The -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > from each set of prerequisites of this form sharing a common -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR >, and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR > are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR >, and -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. The -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > are written in the standard text representation of the resource record's RDATA.</P @@ -653,40 +654,30 @@ CLASS="COMMAND" ><DD ><P >Deletes any resource records named -<TT +<VAR CLASS="PARAMETER" -><I ->domain-name</I -></TT +>domain-name</VAR >. If -<TT +<VAR CLASS="PARAMETER" -><I ->type</I -></TT +>type</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR > is provided, only matching resource records will be removed. The internet class is assumed if -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > is not supplied. The -<TT +<VAR CLASS="PARAMETER" -><I ->ttl</I -></TT +>ttl</VAR > is ignored, and is only allowed for compatibility.</P ></DD 
@@ -700,24 +691,18 @@ CLASS="COMMAND" ><DD ><P >Adds a new resource record with the specified -<TT +<VAR CLASS="PARAMETER" -><I ->ttl</I -></TT +>ttl</VAR >, -<TT +<VAR CLASS="PARAMETER" -><I ->class</I -></TT +>class</VAR > and -<TT +<VAR CLASS="PARAMETER" -><I ->data</I -></TT +>data</VAR >.</P ></DD ><DT @@ -743,16 +728,27 @@ CLASS="COMMAND" ><P >Sends the current message. This is equivalent to entering a blank line.</P ></DD +><DT +><P +><B +CLASS="COMMAND" +>answer</B +> </P +></DT +><DD +><P +>Displays the answer.</P +></DD ></DL ></DIV > </P ><P ->Lines beginning with a semicolon are comments, and are ignored.</P +>Lines beginning with a semicolon are comments and are ignored.</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN223" +NAME="AEN255" ></A ><H2 >EXAMPLES</H2 @@ -781,7 +777,7 @@ CLASS="PROGRAMLISTING" ># nsupdate > update delete oldhost.example.com A > update add newhost.example.com 86400 A 172.16.1.1 -></PRE +> send</PRE ></P ><P >Any A records for @@ -802,7 +798,7 @@ CLASS="PROGRAMLISTING" ># nsupdate > prereq nxdomain nickname.example.com > update add nickname.example.com 86400 CNAME somehost.example.com -></PRE +> send</PRE ></P ><P >The prerequisite condition gets the name server to check that there @@ -818,12 +814,12 @@ This ensures that when the CNAME is added, it cannot conflict with the long-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have -SIG, KEY and NXT records.)</P +RRSIG, DNSKEY and NSEC records.)</P ></DIV ><DIV CLASS="REFSECT1" ><A -NAME="AEN236" +NAME="AEN268" ></A ><H2 >FILES</H2 @@ -833,18 +829,18 @@ NAME="AEN236" CLASS="VARIABLELIST" ><DL ><DT -><TT +><CODE CLASS="CONSTANT" ->/etc/resolv.conf</TT +>/etc/resolv.conf</CODE ></DT ><DD ><P >used to identify default name server</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->K{name}.+157.+{random}.key</TT +>K{name}.+157.+{random}.key</CODE ></DT ><DD ><P 
@@ -858,9 +854,9 @@ CLASS="REFENTRYTITLE" >.</P ></DD ><DT -><TT +><CODE CLASS="CONSTANT" ->K{name}.+157.+{random}.private</TT +>K{name}.+157.+{random}.private</CODE ></DT ><DD ><P @@ -879,7 +875,7 @@ CLASS="REFENTRYTITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN260" +NAME="AEN292" ></A ><H2 >SEE ALSO</H2 @@ -930,6 +926,13 @@ CLASS="REFENTRYTITLE" CLASS="CITEREFENTRY" ><SPAN CLASS="REFENTRYTITLE" +>RFC2931</SPAN +></SPAN +>, +<SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" >named</SPAN >(8)</SPAN >, @@ -944,7 +947,7 @@ CLASS="REFENTRYTITLE" ><DIV CLASS="REFSECT1" ><A -NAME="AEN281" +NAME="AEN315" ></A ><H2 >BUGS</H2 |
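Review bot: The GENERATOR meta in the @@ -1,27 +1,30 @@ hunk shows this file is rendered by the Modular DocBook HTML Stylesheet, and the new `$ISC: nsupdate.html,v ...` line records it as generated output, so any wording fix to this page (several are needed, see the later hunks) has to be made in the DocBook source the HTML is produced from, or the next regeneration will silently revert it.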
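Review bot: In the @@ -130,13 +147,13 @@ hunk, "the SIG(0) record described in RFC3535 and RFC2931" looks like a typo for RFC2535: the EXAMPLES section of this same page credits RFC2535 with the SIG and KEY record types, and RFC3535 is not a DNS specification. Suggest `+SIG(0) record described in RFC2535 and RFC2931.`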
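Review bot: In the @@ -175,22 +194,22 @@ hunk the -k paragraph is now qualified "(with an HMAC-MD5 key)", but the keyfile description that follows still gives `K{name}.+157.+{random}.key` as the only file-name form and requires the matching `.private`; 157 is the HMAC-MD5 algorithm number, so once -k also accepts SIG(0) keys (added in the @@ -259 hunk) the reader is not told what a SIG(0) key file is called or how nsupdate tells the two kinds apart. Suggest saying here that the algorithm number in the file name identifies the key type, and giving the SIG(0) form alongside the +157 one.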
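Review bot: In the @@ -259,16 +270,24 @@ hunk the new paragraph reads "The -k may also be used to specify a SIG(0) key", dropping the word "option" after `</VAR>` (compare "The -t option sets" in the next hunk), and "the key specified is not an HMAC-MD5 key" says what the key is not rather than what is required. In the following hunk, "a update request" should be "an update request", and the UDP/TCP sentence needs a comma: "too large to fit in a UDP request, in which case TCP will be used."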
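Review bot: In the @@ -431,34 +454,49 @@ hunk the key command is introduced as `key {name} {secret}` but the rewritten description refers to the `keyname` `keysecret` pair; use the same names in both places. The new class entry also needs a comma: "If no class is specified, the default class is IN."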
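Review bot: In the @@ -818,12 +814,12 @@ hunk the record names change to RRSIG, DNSKEY and NSEC while the sentence still attributes the rule to RFC2535, which (as the removed line says) is where SIG, KEY and NXT come from; either keep the old names with RFC2535 or cite the DNSSECbis specification that introduced the new ones. In the same region, the new answer command is documented only as "Displays the answer."; one sentence saying which answer (the name server's response to the last update sent) would make it usable, and `>answer</B > </P` carries a stray space.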
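Review bot: In the @@ -930,6 +926,13 @@ hunk SEE ALSO gains RFC2931 but not the other RFC the DESCRIPTION now cites for SIG(0) (written as RFC3535 there), so the two lists disagree; add the second reference beside RFC2931. The FILES entry in the @@ -858,9 +854,9 @@ hunk likewise still lists only the `+157` `.private` file, which does not cover SIG(0) keys.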