Sending TSIG-Signed Dynamic Updates

5.23.1 Problem

You want to send a TSIG-signed dynamic update.

5.23.2 Solution

Use nsupdate's -k command-line option or the key command in nsupdate's interactive mode.

The -k command-line option takes as an argument the path to a file that contains a TSIG key, as generated by the dnssec-keygen program. Those files have names of the form Kkey-name.+157+number.key. For example:

$ nsupdate -k

nsupdate's key command takes the name of a TSIG key and the base 64 representation of the key data (just like in a key statement) as arguments. For example:

$ nsupdate
> key CPB4fRniZYUPobYF/4igZg==
> update delete foo.example. NS
> send

5.23.3 Discussion

Remember that the name of the key, not just the key data, needs to match in nsupdate and in the name server's configuration.

BIND 8's version of nsupdate doesn't support the key command (yet another reason to use BIND 9's nsupdate). Also, the syntax of the argument to -k is different: key-directory:key-name. For example:

$ nsupdate -k /var/

Note that the BIND 8 nsupdate really doesn't like key files generated with BIND 9's dnssec-keygen; use BIND 8's dnskeygen instead.

Finally, BIND 9's nsupdate also supports a -y option, which takes as arguments the name of the key and the key data, as in:

$ nsupdate -y

Using the -y option is a bad idea on any host on which unauthorized users have accounts, since the key name and data are visible to anyone who can run ps.
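The following shell sketch is an added example, not code from the book: it flags nsupdate processes started with -y in a ps-style listing and refuses to run nsupdate -k when the key file is readable by group or other. The key name, paths, user names and process lines are constructed, and the name:data form of the -y argument in the sample is an assumption, since the page's own -y example is cut off.

```shell
#!/bin/sh
# Added example: all key names, paths and ps lines below are constructed.

# Return 0 only if the key file is a regular file (not a symlink)
# with no group or other permission bits set.
keyfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld -- "$1" | cut -c5-10)   # group+other columns of the mode string
    [ "$mode" = "------" ]
}

# Read ps-style lines on stdin and print those where nsupdate was started
# with -y, i.e. where key name and key data sit in the visible argument list.
# Matches "-y value" and "-yvalue"; combined short flags are not handled.
find_y_exposure() {
    awk '{
        seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(^|\/)nsupdate$/) { seen = 1; continue }
            if (seen && $i ~ /^-y/) { print; break }
        }
    }'
}

# Send the update commands on stdin with nsupdate -k, but only if the
# key file passes the permission check above.
signed_update() {
    keyfile_is_private "$1" || {
        echo "refusing: $1 is missing or accessible to other users" >&2
        return 2
    }
    nsupdate -k "$1"
}

# Constructed process listing used to exercise find_y_exposure.
sample_ps() {
    cat <<'EOF'
  812 named    /usr/sbin/named -u named
 4021 alice    nsupdate -k /home/alice/keys/Kexample-key.+157+00000.key
 4077 bob      nsupdate -y example-key.:PLACEHOLDERKEYDATA==
EOF
}

sample_ps | find_y_exposure   # prints only the "bob" line
```

On a live host, feed find_y_exposure from the local ps command; the update commands themselves go to signed_update on standard input, so neither the key nor the update appears in the argument list.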

5.23.4 See Also

nsupdate(8); Section 3.11, for allowing TSIG-signed dynamic updates to a zone; and Section 9.11, for sending TSIG-signed updates programmatically.

DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu