LinuxCommandLibrary

nsupdate

Update DNS records dynamically

SYNOPSIS

nsupdate [-4|-6] [-d] [-D] [-g] [-i identity] [-k keyfile] [-l] [-n] [-o] [-P] [-t timeout] [-T ttl] [-u] [-v] [-y keyname:secret] [-z zone] [update_file]

PARAMETERS

-4
    Use IPv4 only.

-6
    Use IPv6 only.

-d
    Enable debugging mode. Displays detailed information about the update process.

-D
    Enable extra debugging mode. Same as -d, but including the DNS protocol packets being sent.

-g
    Use GSS-TSIG for authentication.

-i identity
    Specify the Kerberos identity to use for GSS-TSIG.

-k keyfile
    Specify the TSIG key file to use for authentication. The keyfile should contain a valid TSIG key.

-l
    Local-only mode. Send updates to the local DNS server.

-n
    Non-interactive mode. Prevents interaction with the user.

-o
    One-shot mode. Perform updates and exit. Implies -n.

-P
    Print the contents of the update request.

-t timeout
    Specify the timeout for the update request in seconds.

-T ttl
    Sets a default TTL for new records.

-u
    Use UDP instead of TCP.

-v
    Enable verbose output.

-y keyname:secret
    Specify the TSIG key and secret on the command line.

-z zone
    The zone to be updated. This option is required when running nsupdate interactively and update directives are specified.

update_file
    File containing update commands. If no file is specified, reads from standard input.

DESCRIPTION

The nsupdate command is a dynamic DNS update utility used to submit Dynamic DNS Update requests, as defined in RFC 2136, to a DNS server. This allows you to add, delete, or modify Resource Records (RRs) in a zone without manually editing the zone file. It is commonly used in conjunction with DHCP servers to automatically update DNS records when devices obtain or release IP addresses.

The command operates by sending a series of update requests to the specified DNS server. Each update can specify operations like adding a new record, deleting an existing record, or replacing a record with a new value. The DNS server will then process these updates and update the zone file accordingly.

Authentication can be handled using TSIG (Transaction Signature) keys, ensuring that only authorized clients can update the zone. This is critical for security. The command can read instructions from standard input or from a file.

CAVEATS

Incorrect use of nsupdate can lead to DNS resolution problems. Ensure proper authentication (TSIG, GSS-TSIG) is configured to prevent unauthorized updates.
Care should be taken when deleting records, as deletions are permanent without backups.

UPDATE FILE FORMAT

The update file contains a series of DNS update commands, each on a separate line. Common commands include:
- server hostname: Specifies the DNS server to send the updates to.
- zone zone_name: Specifies the zone to update.
- update add name ttl class type data: Adds a new record.
- update delete name type data: Deletes a specific record.
- send: Sends the update request to the server.
- prereq nxdomain name: Prerequisite that a record does not exist.
Note: If not using a file, the commands are provided interactively.

TSIG AUTHENTICATION

TSIG authentication is crucial for securing dynamic DNS updates. It uses a shared secret key between the client and the server to sign the update requests, preventing unauthorized modifications. nsupdate supports TSIG authentication using the -k option or the -y option. Proper configuration of TSIG keys on both the client and the server is essential for secure operation.
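
The update file commands and the -k key file option described above, combined in one script. This is an added example, not part of the original page or of BIND; the server, zone and host names and the address are constructed placeholders, and the input checks and the key file permission check are assumptions about what a careful deployment would want.

```sh
#!/bin/sh
# Added example. ns1.example.com, example.com and host1.example.com are
# constructed placeholder names; 192.0.2.10 is a documentation address.

# Print the update commands for one new A record. Every field is checked
# first, so a hostile hostname (for example one containing a newline)
# cannot add extra directives to the batch.
build_update() {
    server=$1 zone=$2 name=$3 ttl=$4 addr=$5
    for field in "$server" "$zone" "$name"; do
        case $field in
            ''|*[!A-Za-z0-9._-]*) echo "rejected name: $field" >&2; return 1 ;;
        esac
    done
    case $ttl in ''|*[!0-9]*) echo "rejected ttl" >&2; return 1 ;; esac
    case $addr in ''|*[!0-9.]*) echo "rejected address" >&2; return 1 ;; esac
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'prereq nxdomain %s\n' "$name"   # only add if the name is unused
    printf 'update add %s %s IN A %s\n' "$name" "$ttl" "$addr"
    printf 'send\n'
}

# True only if the key file exists and group/other have no permissions on it.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Send the batch on standard input, authenticating with -k so the secret
# stays in the key file instead of on the command line (as -y would put it).
send_update() {
    keyfile=$1; shift
    key_is_private "$keyfile" || { echo "key file missing or too open" >&2; return 1; }
    batch=$(build_update "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$keyfile"
}

# Dry run: show the batch without contacting any server.
build_update ns1.example.com example.com host1.example.com 300 192.0.2.10
```

To submit the update, call send_update with the key file path followed by the same five arguments.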

HISTORY

nsupdate was developed as part of the BIND (Berkeley Internet Name Domain) suite. The command facilitates dynamic updates to DNS zones as defined in RFC 2136, which was published in 1997. Before nsupdate, DNS zone files were typically managed manually, requiring administrators to edit the zone files directly and reload the DNS server configuration to apply changes.

The introduction of nsupdate significantly simplified the process of updating DNS records dynamically, particularly in environments where IP addresses and hostnames change frequently. Common use cases include DHCP integration, where DNS records are automatically updated as devices are assigned IP addresses, and environments where services need to be moved or reconfigured dynamically.

SEE ALSO

named(8), rndc(8)
