nsupdate
Update DNS records dynamically
SYNOPSIS
nsupdate [options] [filename]
Example usage:
nsupdate -k Kexample.com.+157+12345.key
update add host.example.com 300 A 192.0.2.1
send
PARAMETERS
-d
Enable debug output. This provides more detailed information about the update process.
-D
Enable even more debug output. Provides maximum debugging information.
-v
Use TCP (virtual circuit) for sending update requests. By default, UDP is used unless the request is too large.
-y [hmac:]keyname:secret
Specify a TSIG (Transaction Signature) key directly using its name and base64-encoded secret, optionally prefixed with the HMAC algorithm (for example, -y hmac-sha256:host.example.com:ABCDEF...). If the algorithm prefix is omitted, HMAC-MD5 is assumed. A secret passed on the command line is visible to other users in the process list, so -k is preferable on shared systems.
-k keyfile
Specify a file containing a TSIG key. This is either the K<name>.+<algorithm>+<key-id>.key file generated by dnssec-keygen (the companion .private file must be in the same directory, since that is where the secret is read from) or a named.conf-style key clause such as tsig-keygen produces.
-g
Use GSS-API (Kerberos) for authentication. This requires Kerberos credentials and configuration.
-o GSS-API-options
Provide additional GSS-API options. Consult Kerberos documentation for available options.
-t timeout
Set the total timeout for the update request in seconds.
-u udp-timeout
Set the timeout for UDP queries in seconds. This applies to individual UDP packets, not the total transaction.
-r attempts
Set the number of UDP query retries.
-R retries
Set the total number of retries for the entire update operation.
-p port
Specify the port number of the DNS server to send updates to. Default is 53.
-P local_port
Specify the local port number to bind to for sending updates.
-V level
Set the logging verbosity level for nsupdate. Higher numbers mean more verbose output.
-s
Send commands from standard input as a single batch transaction. This ensures all commands are sent as one atomic update.
-S
Print all commands to standard output before sending them to the name server. Useful for debugging scripts.
filename
Read update commands from the specified file instead of standard input. If not provided, commands are read from stdin.
DESCRIPTION
nsupdate is a command-line utility used to send dynamic DNS update requests to a name server, in accordance with RFC 2136. It allows administrators and automated systems to programmatically add, delete, or modify DNS resource records directly on a DNS server. This is particularly useful for scenarios like DHCP servers updating A and PTR records when IP addresses are leased, or for scripts managing host entries. nsupdate operates by sending a series of update commands, which can be read from standard input or a specified file. To ensure secure updates, especially in production environments, nsupdate supports authentication methods such as TSIG (Transaction Signature) and GSS-API (Kerberos), which are crucial for preventing unauthorized modifications to DNS zones. Update and prerequisite commands are accumulated and committed to the server with a single send command; the server applies the whole batch atomically, or rejects it entirely if any prerequisite fails.
CAVEATS
Using nsupdate requires that the target DNS server (named) is configured to accept dynamic updates for the specific zone(s) you wish to modify. This configuration typically involves enabling 'allow-update' directives or an 'update-policy', granting permission either to named TSIG keys or to client IP addresses. Address-based permissions are weak, because the source address of a UDP update can be forged; key-based policies are the recommended form.
Without proper authentication (e.g., TSIG or GSS-API), update requests will likely be rejected, or worse, could pose a significant security risk if the server is misconfigured to accept unauthenticated updates.
Changes made via nsupdate take effect on the authoritative server immediately (it increments the zone's SOA serial and notifies secondaries), but resolvers keep previously cached answers until their TTL expires, so clients may see old data for a while; propagation follows standard DNS practices.
COMMON UPDATE COMMANDS
Within an nsupdate session (interactive or file-based), specific commands are used to define the update transaction:
server ip-address: Specifies the target DNS server. If omitted, nsupdate looks up the SOA record of the zone and sends the update to the primary server named in its MNAME field.
zone domain.com: Specifies the zone to be updated. If omitted, nsupdate derives the zone from an SOA lookup on the record names being updated; set it explicitly when that lookup would not find the intended zone.
key keyname secret or key alg:keyname secret: Specifies a TSIG key inline.
update add name ttl type data: Adds a new resource record.
update delete name [type [data]]: Deletes records matching the criteria. If both type and data are omitted, all records for name are deleted; if only data is omitted, all records of that type for name are deleted.
prereq nxdomain name: Prerequisite: requires that name does not exist.
prereq yxdomain name: Prerequisite: requires that name exists.
prereq nxrrset name type: Prerequisite: requires that no resource record of type exists for name.
prereq yxrrset name type [data]: Prerequisite: requires that a resource record of type exists for name (optionally with specific data).
send: Commits all preceding update and prerequisite commands as a single transaction to the server. If any prerequisite fails, the server rejects the whole transaction and applies none of its changes. Each transaction covers one zone, so records in different zones (for example an A record and its PTR record) need separate send commands.
show: (Interactive mode) Shows the current message buffer to be sent.
quit: Exits nsupdate.
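The following is an added example, not code from the nsupdate documentation or from BIND, tying the DHCP scenario from DESCRIPTION to the commands above: a small POSIX shell script that builds the nsupdate batch for registering a host's A record and its matching PTR record, using a prerequisite so that a fresh registration cannot silently overwrite an existing name. The server address 192.0.2.53, the zone example.com, the /24 reverse zone layout, the key file path and all host data are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of the nsupdate man page): generate and submit an
# RFC 2136 update batch for a DHCP-style host registration.
# Assumptions (constructed): example.com and the /24 reverse zones are served by
# 192.0.2.53, which accepts updates signed with the TSIG key in $KEYFILE.

SERVER=${SERVER:-192.0.2.53}
ZONE=${ZONE:-example.com.}
KEYFILE=${KEYFILE:-/etc/bind/Kexample.com.+157+12345.private}   # placeholder path

# ptr_name 192.0.2.1 -> 1.2.0.192.in-addr.arpa.
# Rejects anything that is not a dotted quad of octets 0-255.
ptr_name() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "ptr_name: not a dotted quad: $*" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "ptr_name: bad octet: $o" >&2; return 1;; esac
        [ "$o" -le 255 ] || { echo "ptr_name: octet out of range: $o" >&2; return 1; }
    done
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# ptr_zone 192.0.2.1 -> 2.0.192.in-addr.arpa. (assumes /24 reverse zones)
ptr_zone() {
    full=$(ptr_name "$1") || return 1
    printf '%s\n' "${full#*.}"
}

# Emit the nsupdate command batch for host $1 (FQDN with trailing dot), IPv4 $2,
# TTL $3 (default 300) and mode $4: "create" (default) fails if the name already
# exists, "replace" drops any old A record first (lease renewal with a new address).
# Two "send" lines are needed because the A and PTR records live in different zones.
host_update_batch() {
    name=$1 ip=$2 ttl=${3:-300} mode=${4:-create}
    rev=$(ptr_name "$ip") || return 1
    rzone=$(ptr_zone "$ip") || return 1
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    if [ "$mode" = replace ]; then
        printf 'update delete %s A\n' "$name"
    else
        printf 'prereq nxdomain %s\n' "$name"
    fi
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$ip"
    printf 'send\n'
    printf 'zone %s\n' "$rzone"
    printf 'update delete %s PTR\n' "$rev"
    printf 'update add %s %s PTR %s\n' "$rev" "$ttl" "$name"
    printf 'send\n'
}

# Sign the batch with the key file and submit it. -v forces TCP so a large batch
# is not truncated at the UDP size limit. Not invoked automatically here.
apply_host_update() {
    host_update_batch "$@" | nsupdate -v -k "$KEYFILE"
}

# Usage: sh register.sh --print host.example.com. 192.0.2.1 [ttl] [create|replace]
# prints the batch that apply_host_update would send, much like the -S option.
if [ "${1:-}" = "--print" ]; then
    shift
    host_update_batch "$@"
fi
```

Run with --print first to inspect the batch; in create mode the server refuses the first transaction with NXRRSET/YXDOMAIN-style prerequisite failure if the name is already taken, and the PTR transaction is then also worth skipping, which is why a real hook should check nsupdate's exit status before continuing.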
SECURITY CONSIDERATIONS (TSIG/GSS-API)
For any production environment, it is strongly recommended to use authenticated updates with nsupdate. The most common methods are:
TSIG (Transaction Signature): This uses symmetric key cryptography (an HMAC over the message) to sign each update message, ensuring authenticity and integrity. Keys are typically generated using dnssec-keygen or tsig-keygen and shared securely between the nsupdate client and the named server. The server accepts an update only when the key name and secret match a key in its configuration and its update policy grants that key the right to change the records in question. This is specified using the -k or -y options.
GSS-API (Generic Security Service Application Programming Interface): This typically refers to Kerberos authentication, standardized for DNS updates as GSS-TSIG. It allows nsupdate to participate in a Kerberos realm, authenticating with a Kerberos principal, which is the mechanism Active Directory-integrated DNS uses for secure updates. This is specified using the -g option.
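The server side of a TSIG deployment is what decides whether the caveats above bite. The following added example (not from the nsupdate or BIND documentation) prints a weak named.conf zone stanza beside a hardened one that grants a single TSIG key the right to change only A and AAAA records, and includes a small check that flags open or address-based update permissions in a configuration text. The key name dhcp-update.example.com. and the secret string are constructed placeholders, not a real key; on a real system the key clause would come from tsig-keygen.

```shell
#!/bin/sh
# Added example (not part of the nsupdate man page): server-side TSIG policy.
# Constructed placeholders below; generate a real key with:
#   tsig-keygen -a hmac-sha256 dhcp-update.example.com.
KEY_NAME=dhcp-update.example.com.
KEY_SECRET='c2FtcGxlLXBsYWNlaG9sZGVyLXNlY3JldC1ub3QtcmVhbA=='   # placeholder, not a real secret

# Weak: "any" means every host that can reach port 53 may rewrite the zone,
# and no signature is required at all.
weak_zone_conf() {
    cat <<'EOF'
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-update { any; };
};
EOF
}

# Hardened: a named TSIG key plus an update-policy. "zonesub" limits the key to
# names inside the zone, and the trailing type list limits it to A and AAAA, so a
# stolen DHCP key cannot rewrite NS, MX or the zone apex.
hardened_zone_conf() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "$KEY_SECRET";
};
zone "example.com" {
    type primary;
    file "db.example.com";
    update-policy {
        grant $KEY_NAME zonesub A AAAA;
    };
};
EOF
}

# check_update_acl CONFIG_TEXT: return 1 for an open "any" ACL or an address-based
# allow-update (UDP source addresses are forgeable), 0 otherwise. A zone with no
# update permission at all passes, since named refuses updates by default.
check_update_acl() {
    conf=$1
    if printf '%s\n' "$conf" | grep -Eq 'allow-update[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "FAIL: allow-update { any; } accepts unsigned updates from anyone" >&2
        return 1
    fi
    if printf '%s\n' "$conf" | grep -Eq 'allow-update[[:space:]]*\{[^}]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'; then
        echo "FAIL: address-based allow-update; use a key-based update-policy instead" >&2
        return 1
    fi
    return 0
}

# Client side matching the hardened stanza. Prefer -k with a key file; -y is shown
# because it is convenient in tests but exposes the secret in the process list.
client_submit() {
    printf 'update add host.example.com. 300 A 192.0.2.1\nsend\n' |
        nsupdate -v -y "hmac-sha256:$KEY_NAME:$KEY_SECRET"
}

# Usage: sh policy.sh --check /etc/bind/named.conf
if [ "${1:-}" = "--check" ] && [ -r "${2:-}" ]; then
    check_update_acl "$(cat "$2")" && echo "OK: no open or address-based allow-update found"
fi
```

The check is deliberately narrow: it only catches the two patterns the CAVEATS section warns about, so a policy that grants a key more than it needs (for example "grant key zonesub ANY") still passes and has to be reviewed by hand.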
HISTORY
The nsupdate utility is an integral part of the BIND (Berkeley Internet Name Domain) software suite, which has been the predominant DNS server implementation for decades. Its functionality is based on RFC 2136, 'Dynamic Updates in the Domain Name System (DNS UPDATE)', published in April 1997. Since its inception, nsupdate has evolved alongside BIND, incorporating features like TSIG authentication and GSS-API support to meet growing security demands and enterprise integration needs, making it a robust tool for automated DNS management.