Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 15.0-CURRENT FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.2-STABLE FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 13.0 unstable Debian 12.9.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 15.4.1 macOS 14.7.5 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

NSUPDATE(1)			    BIND 9			   NSUPDATE(1)

NAME
       nsupdate	- dynamic DNS update utility

SYNOPSIS
       nsupdate	 [-d]  [-D]  [-i]  [-L	level]	[  [-g]	 |  [-o]  | [-l] | [-y
       [hmac:]keyname:secret] |	[-k keyfile] ]	[  [-S]	 [-K  tlskeyfile]  [-E
       tlscertfile]  [-A  tlscafile]  [-H tlshostname] [-O] ] [-t timeout] [-u
       udptimeout] [-r udpretries] [-v]	[-T] [-P] [-V] [ [-4] |	[-6] ]	[file-
       name]

DESCRIPTION
       nsupdate	is used	to submit Dynamic DNS Update requests, as defined in -
       RFC 2136, to a name server. This	allows resource	records	to be added or
       removed	from  a	 zone without manually editing the zone	file. A	single
       update request can contain requests to add or remove more than one  re-
       source record.

       Zones  that  are	 under	dynamic	 control via nsupdate or a DHCP	server
       should not be edited by hand. Manual edits could	conflict with  dynamic
       updates and cause data to be lost.

       The  resource  records that are dynamically added or removed with nsup-
       date must be in the same	zone. Requests are sent	to the zone's  primary
       server,	which  is  identified  by  the	MNAME  field of	the zone's SOA
       record.

       Transaction signatures can be used to authenticate the Dynamic DNS  up-
       dates.  These  use the TSIG resource record type	described in RFC 2845,
       the SIG(0) record described in RFC 2535 and RFC 2931,  or  GSS-TSIG  as
       described in RFC	3645.

       TSIG  relies  on	 a shared secret that should only be known to nsupdate
       and the name server. For	instance, suitable key and  server  statements
       are  added  to /usr/local/etc/namedb/named.conf so that the name	server
       can associate the appropriate secret key	and algorithm with the IP  ad-
       dress  of  the  client application that is using	TSIG authentication. -
       ddns-confgen can	generate suitable  configuration  fragments.  nsupdate
       uses  the -y or -k options to provide the TSIG shared secret; these op-
       tions are mutually exclusive.

       SIG(0) uses public key cryptography. To use a SIG(0)  key,  the	public
       key must	be stored in a KEY record in a zone served by the name server.

       GSS-TSIG	 uses Kerberos credentials. Standard GSS-TSIG mode is switched
       on with the -g flag. A non-standards-compliant variant of GSS-TSIG used
       by Windows 2000 can be switched on with the -o flag.

OPTIONS
       -4     This option sets use of IPv4 only.

       -6     This option sets use of IPv6 only.

       -A tlscafile
	      This option specifies the	file of	 the  certificate  authorities
	      (CA)  certificates (in PEM format) in order to verify the	remote
	      server TLS certificate when using	DNS-over-TLS (DoT), to achieve
	      Strict or	Mutual TLS. When used, it will override	 the  certifi-
	      cates  from  the	global certificates store, which are otherwise
	      used by default when -S is enabled. This option can not be  used
	      in conjuction with -O, and it implies -S.

       -C     Overrides	 the  default  resolv.conf file. This is only intended
	      for testing.

       -d     This option sets debug mode, which provides tracing  information
	      about the	update requests	that are made and the replies received
	      from the name server.

       -D     This option sets extra debug mode.

       -E tlscertfile
	      This  option sets	the certificate(s) file	for authentication for
	      the DNS-over-TLS (DoT) transport to the remote server. The  cer-
	      tificate chain file is expected to be in PEM format. This	option
	      implies -S, and can only be used with -K.

       -g     This option enables standard GSS-TSIG mode.

       -H tlshostname
	      This  option makes nsupdate use the provided hostname during re-
	      mote server TLS certificate  verification.  Otherwise,  the  DNS
	      server name is used. This	option implies -S.

       -i     This option forces interactive mode, even	when standard input is
	      not a terminal.

       -k keyfile
	      This  option  indicates the file containing the TSIG authentica-
	      tion key.	Keyfiles may be	in two formats:	a single file contain-
	      ing a named.conf-format key statement, which  may	 be  generated
	      automatically  by	 ddns-confgen;	or a pair of files whose names
	      are    of	   the	  format    K{name}.+157.+{random}.key	   and
	      K{name}.+157.+{random}.private,  which  can  be  generated  by -
	      dnssec-keygen. The -k option can	also  be  used	to  specify  a
	      SIG(0)  key used to authenticate Dynamic DNS update requests. In
	      this case, the key specified is not an HMAC-MD5 key.

       -K tlskeyfile
	      This option sets the key file for	authenticated  encryption  for
	      the  DNS-over-TLS	 (DoT)	transport  with	the remote server. The
	      private key file is expected to be in PEM	 format.  This	option
	      implies -S, and can only be used with -E.

       -l     This option sets local-host only mode, which sets	the server ad-
	      dress  to	localhost (disabling the server	so that	the server ad-
	      dress cannot be overridden). Connections to the local server use
	      a	TSIG key found in /var/run/session.key,	which is automatically
	      generated	by named if any	local primary zone has set update-pol-
	      icy to local. The	location of this key file  can	be  overridden
	      with the -k option.

       -L level
	      This  option  sets  the logging debug level. If zero, logging is
	      disabled.

       -o     This option is deprecated. Previously, it	 enabled  a  non-stan-
	      dards-compliant  variant	of  GSS-TSIG  that was used by Windows
	      2000. Since that OS is now long past its end of life,  this  op-
	      tion is now treated as a synonym for -g.

       -O     This  option  enables  Opportunistic  TLS. When used, the	remote
	      peer's TLS certificate will not be verified. This	option	should
	      be  used	for debugging purposes only, and it is not recommended
	      to use it	in production. This option can not be used in  conjuc-
	      tion with	-A, and	it implies -S.

       -p port
	      This  option  sets  the  port  to	 use for connections to	a name
	      server. The default is 53.

       -P     This option prints the list of  private  BIND-specific  resource
	      record  types  whose  format is understood by nsupdate. See also
	      the -T option.

       -r udpretries
	      This option sets the number of UDP retries. The default is 3. If
	      zero, only one update request is made.

       -S     This option indicates whether to	use  DNS-over-TLS  (DoT)  when
	      querying name servers specified by server	servername port	syntax
	      in  the  input file, and the primary server discovered through a
	      SOA request. When	the -K and -E options are used,	then the spec-
	      ified TLS	client certificate and private key pair	are  used  for
	      authentication (Mutual TLS). This	option implies -v.

       -t timeout
	      This option sets the maximum time	an update request can take be-
	      fore  it	is  aborted.  The default is 300 seconds. If zero, the
	      timeout is disabled for TCP mode.	For UDP	mode,  the  option  -u
	      takes  precedence	 over this option, unless the option -u	is set
	      to zero, in which	case the interval  is  computed	 from  the  -t
	      timeout  interval	 and  the number of UDP	retries. For UDP mode,
	      the timeout can not be disabled, and will	be  rounded  up	 to  1
	      second in	case if	both -t	and -u are set to zero.

       -T     This  option  prints  the	 list of IANA standard resource	record
	      types whose format is understood by nsupdate. nsupdate exits af-
	      ter the lists are	printed. The -T	option can  be	combined  with
	      the -P option.

	      Other  types  can	 be entered using TYPEXXXXX where XXXXX	is the
	      decimal value of the type	with no	leading	zeros. The  rdata,  if
	      present,	is parsed using	the UNKNOWN rdata format, (<backslash>
	      <hash> <space> <length> <space> <hexstring>).

       -u udptimeout
	      This option sets the UDP retry interval. The default is  3  sec-
	      onds.  If	zero, the interval is computed from the	timeout	inter-
	      val and number of	UDP retries.

       -v     This option specifies that TCP should be used even for small up-
	      date requests. By	default, nsupdate uses UDP to send update  re-
	      quests  to the name server unless	they are too large to fit in a
	      UDP request, in which case TCP is	used. TCP  may	be  preferable
	      when a batch of update requests is made.

       -V     This option prints the version number and	exits.

       -y [hmac:]keyname:secret
	      This option sets the literal TSIG	authentication key. keyname is
	      the name of the key, and secret is the base64 encoded shared se-
	      cret.  hmac  is the name of the key algorithm; valid choices are
	      hmac-md5,	hmac-sha1, hmac-sha224,	hmac-sha256,  hmac-sha384,  or
	      hmac-sha512.  If hmac is not specified, the default is hmac-md5,
	      or if MD5	was disabled, hmac-sha256.

	      NOTE: Use	of the -y option is discouraged	because	the shared se-
	      cret is supplied as a command-line argument in clear text.  This
	      may be visible in	the output from	ps1 or in a history file main-
	      tained by	the user's shell.

INPUT FORMAT
       nsupdate	 reads	input from filename or standard	input. Each command is
       supplied	on exactly one line of input. Some commands are	 for  adminis-
       trative purposes; others	are either update instructions or prerequisite
       checks  on  the	contents of the	zone. These checks set conditions that
       some name or set	of resource records (RRset) either exists or is	absent
       from the	zone. These conditions must be met if the  entire  update  re-
       quest  is to succeed. Updates are rejected if the tests for the prereq-
       uisite conditions fail.

       Every update request consists of	zero or	more prerequisites and zero or
       more updates. This allows a suitably authenticated  update  request  to
       proceed	if some	specified resource records are either present or miss-
       ing from	the zone. A blank input	line (or the send command) causes  the
       accumulated  commands  to  be sent as one Dynamic DNS update request to
       the name	server.

       The command formats and their meanings are as follows:

       server servername port
	      This command sends all  dynamic  update  requests	 to  the  name
	      server  servername.  When	no server statement is provided, nsup-
	      date sends updates to the	primary	server of  the	correct	 zone.
	      The  MNAME  field	of that	zone's SOA record identify the primary
	      server for that zone.  port is the  port	number	on  servername
	      where the	dynamic	update requests	are sent. If no	port number is
	      specified, the default DNS port number of	53 is used.

	      NOTE:
		 This command has no effect when GSS-TSIG is in	use.

       local address port
	      This  command  sends all dynamic update requests using the local
	      address. When no local statement is provided, nsupdate sends up-
	      dates using an address and port chosen by	the system.  port  can
	      also  be used to force requests to come from a specific port. If
	      no port number is	specified, the system assigns one.

       zone zonename
	      This command specifies that all updates are to be	 made  to  the
	      zone  zonename.	If no zone statement is	provided, nsupdate at-
	      tempts to	determine the correct zone to update based on the rest
	      of the input.

       class classname
	      This command specifies the default class.	If no class is	speci-
	      fied, the	default	class is IN.

       ttl seconds
	      This command specifies the default time-to-live, in seconds, for
	      records to be added. The value none clears the default TTL.

       key hmac:keyname	secret
	      This  command  specifies	that all updates are to	be TSIG-signed
	      using the	keyname-secret pair. If	hmac is	specified, it sets the
	      signing algorithm	in use.	The default is hmac-md5;  if  MD5  was
	      disabled,	 the default is	hmac-sha256. The key command overrides
	      any key specified	on the command line via	-y or -k.

       gsstsig
	      This command uses	GSS-TSIG to sign the updates. This is  equiva-
	      lent to specifying -g on the command line.

       oldgsstsig
	      This  command  is	deprecated and will be removed in a future re-
	      lease.  Previously, it caused nsupdate to	use the	 Windows  2000
	      version of GSS-TSIG to sign updates. It is now treated as	a syn-
	      onym for gsstsig.

       realm [realm_name]
	      When   using   GSS-TSIG,	this  command  specifies  the  use  of
	      realm_name rather	than the default realm	in  krb5.conf.	If  no
	      realm is specified, the saved realm is cleared.

       check-names [boolean]
	      This  command  turns on or off check-names processing on records
	      to be added.  Check-names	has  no	 effect	 on  prerequisites  or
	      records to be deleted.  By default check-names processing	is on.
	      If  check-names processing fails,	the record is not added	to the
	      UPDATE message.

       check-svbc [boolean]
	      This command turns on or off check-svcb processing on records to
	      be added.	 Check-svcb has	no effect on prerequisites or  records
	      to  be  deleted.	 By  default  check-svcb  processing is	on. If
	      check-svcb processing fails, the record is not added to the  UP-
	      DATE message.

       lease time [keytime]
	      Set  the	EDNS Update Lease (UL) option to value to time and op-
	      tionally also set	the key	lease time to keytime in seconds.   If
	      time is none the lease times are cleared.

       prereq nxdomain domain-name
	      This  command requires that no resource record of	any type exist
	      with the name domain-name.

       prereq yxdomain domain-name
	      This command requires that domain-name exist (as	at  least  one
	      resource record, of any type).

       prereq nxrrset domain-name class	type
	      This command requires that no resource record exist of the spec-
	      ified type, class, and domain-name. If class is omitted, IN (In-
	      ternet) is assumed.

       prereq yxrrset domain-name class	type
	      This  command  requires  that a resource record of the specified
	      type, class and domain-name exist. If class is omitted, IN  (in-
	      ternet) is assumed.

       prereq yxrrset domain-name class	type data
	      With  this  command,  the	data from each set of prerequisites of
	      this form	sharing	a common type, class, and domain-name are com-
	      bined to form a set of RRs. This set of RRs must	exactly	 match
	      the  set	of  RRs	existing in the	zone at	the given type,	class,
	      and domain-name. The data	are written in the standard text  rep-
	      resentation of the resource record's RDATA.

       update delete domain-name ttl class type	data
	      This  command deletes any	resource records named domain-name. If
	      type and data are	provided, only matching	resource  records  are
	      removed.	 The  Internet	class  is assumed if class is not sup-
	      plied. The ttl is	ignored, and is	only allowed  for  compatibil-
	      ity.

       update add domain-name ttl class	type data
	      This  command adds a new resource	record with the	specified ttl,
	      class, and data.

       show   This command displays the	current	message, containing all	of the
	      prerequisites and	updates	specified since	the last send.

       send   This command sends the current message. This  is	equivalent  to
	      entering a blank line.

       answer This command displays the	answer.

       debug  This command turns on debugging.

       version
	      This command prints the version number.

       help   This command prints a list of commands.

       Lines beginning with a semicolon	(;) are	comments and are ignored.

EXAMPLES
       The  examples  below show how nsupdate can be used to insert and	delete
       resource	records	from the example.com zone. Notice that	the  input  in
       each  example  contains	a trailing blank line, so that a group of com-
       mands is	sent as	one dynamic update request to the primary name	server
       for example.com.

	  # nsupdate
	  > update delete oldhost.example.com A
	  > update add newhost.example.com 86400 A 172.16.1.1
	  > send

       Any  A records for oldhost.example.com are deleted, and an A record for
       newhost.example.com with	IP address  172.16.1.1	is  added.  The	 newly
       added record has	a TTL of 1 day (86400 seconds).

	  # nsupdate
	  > prereq nxdomain nickname.example.com
	  > update add nickname.example.com 86400 CNAME	somehost.example.com
	  > send

       The  prerequisite  condition tells the name server to verify that there
       are no resource records of any type for nickname.example.com. If	 there
       are, the	update request fails. If this name does	not exist, a CNAME for
       it  is added. This ensures that when the	CNAME is added,	it cannot con-
       flict with the long-standing rule in RFC	1034 that a name must not  ex-
       ist  as	any  other  record type	if it exists as	a CNAME. (The rule has
       been updated for	DNSSEC in RFC 2535 to  allow  CNAMEs  to  have	RRSIG,
       DNSKEY, and NSEC	records.)

FILES
       /etc/resolv.conf
	      Used to identify the default name	server

       /var/run/session.key
	      Sets the default TSIG key	for use	in local-only mode

       K{name}.+157.+{random}.key
	      Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.

       K{name}.+157.+{random}.private
	      Base-64 encoding of the HMAC-MD5 key created by dnssec-keygen.

SEE ALSO
       RFC 2136, RFC 3007, RFC 2104, RFC 2845, RFC 1034, RFC 2535, RFC 2931, -
       named(8), dnssec-keygen(8), tsig-keygen(8).

BUGS
       The  TSIG  key  is  redundantly stored in two separate files. This is a
       consequence of nsupdate using the DST library for its cryptographic op-
       erations, and may change	in future releases.

AUTHOR
       Internet	Systems	Consortium

COPYRIGHT
       2024, Internet Systems Consortium

9.20.2				  2024-09-09			   NSUPDATE(1)

---

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | INPUT FORMAT | EXAMPLES | FILES | SEE ALSO | BUGS | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=nsupdate&manpath=FreeBSD+14.2-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact