5.23.1 Problem
You want to send a TSIG-signed dynamic update.
5.23.2 Solution
Use nsupdate's -k command-line option or the key command in nsupdate's interactive mode.
The -k command-line option takes as an argument the path to a file that contains a TSIG key, as generated by the dnssec-keygen program. Those files have names of the form Kkey-name.+157+number.key. For example:
$ nsupdate -k Kdhcp-server.foo.example.+157+27656.key
nsupdate's key command takes the name of a TSIG key and the base 64 representation of the key data (just like in a key statement) as arguments. For example:
$ nsupdate
> key dhcp-server.foo.example CPB4fRniZYUPobYF/4igZg==
> update delete foo.example. NS ns1.foo.example.
> send
5.23.3 Discussion
Remember that the name of the key, not just the key data, needs to match in nsupdate and in the name server's configuration.
BIND 8's version of nsupdate doesn't support the key command (yet another reason to use BIND 9's nsupdate). Also, the syntax of the argument to -k is different: key-directory:key-name. For example:
$ nsupdate -k /var/named:dhcp-server.foo.example
Note that the BIND 8 nsupdate really doesn't like key files generated with BIND 9's dnssec-keygen; use BIND 8's dnskeygen instead.
Finally, BIND 9's nsupdate also supports a -y option, which takes as arguments the name of the key and the key data, as in:
$ nsupdate -y dhcp-server.foo.example:CPB4fRniZYUPobYF/4igZg==
Using the -y option is a bad idea on any host on which unauthorized users have accounts, since the key name and data are visible to anyone who can run ps.
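The following is an added example, not part of the original recipe: a small shell wrapper that keeps the TSIG secret out of the process list by using -k, and refuses to run if the key file is accessible to group or other. The function names key_file_is_private and send_signed_update are hypothetical, and the strict permission requirement is an assumed local policy.

```shell
#!/bin/sh
# Added example: send a TSIG-signed update without putting the key in argv.
# Function names are hypothetical; the mode check is an assumed local policy.

# Succeed only if the file exists and grants nothing to group or other.
key_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: send_signed_update KEYFILE < file-of-nsupdate-commands
# Only the key file's path appears in ps output; the secret stays on disk.
send_signed_update() {
    keyfile=$1
    if ! key_file_is_private "$keyfile"; then
        echo "refusing: $keyfile is missing or accessible to group/other" >&2
        return 1
    fi
    # dnssec-keygen writes a .private file beside the .key file; it holds
    # the same secret, so apply the same check when it is present.
    private=${keyfile%.key}.private
    if [ -e "$private" ] && ! key_file_is_private "$private"; then
        echo "refusing: $private is accessible to group/other" >&2
        return 1
    fi
    # nsupdate reads its update commands from standard input.
    nsupdate -k "$keyfile"
}

# Example call (key file name taken from the recipe above):
#   printf '%s\n' 'update delete foo.example. NS ns1.foo.example.' 'send' |
#       send_signed_update Kdhcp-server.foo.example.+157+27656.key
```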
5.23.4 See Also
nsupdate(8); Section 3.11, for allowing TSIG-signed dynamic updates to a zone; and Section 9.11, for sending TSIG-signed updates programmatically.