Sending TSIG-Signed Dynamic Updates

5.23.1 Problem

You want to send a TSIG-signed dynamic update.

5.23.2 Solution

Use nsupdate's -k command-line option or the key command in nsupdate's interactive mode.

The -k command-line option takes as an argument the path to a file that contains a TSIG key, as generated by the dnssec-keygen program. Those files have names of the form Kkey-name.+157+number.key. For example:

$ nsupdate -k Kdhcp-server.foo.example.+157+27656.key

nsupdate's key command takes the name of a TSIG key and the base 64 representation of the key data (just like in a key statement) as arguments. For example:

$ nsupdate
> key dhcp-server.foo.example CPB4fRniZYUPobYF/4igZg==
> update delete foo.example. NS ns1.foo.example.
> send

5.23.3 Discussion

Remember that the name of the key, not just the key data, needs to match in nsupdate and in the name server's configuration.

BIND 8's version of nsupdate doesn't support the key command (yet another reason to use BIND 9's nsupdate). Also, the syntax of the argument to -k is different: key-directory:key-name. For example:

$ nsupdate -k /var/named:dhcp-server.foo.example

Note that the BIND 8 nsupdate really doesn't like key files generated with BIND 9's dnssec-keygen; use BIND 8's dnskeygen instead.

Finally, BIND 9's nsupdate also supports a -y option, which takes as arguments the name of the key and the key data, as in:

$ nsupdate -y dhcp-server.foo.example:CPB4fRniZYUPobYF/4igZg==

Using the -y option is a bad idea on any host on which unauthorized users have accounts, since the key name and data are visible to anyone who can run ps.
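As an added example (not from the book), the following POSIX shell script reads the TSIG key out of a dnssec-keygen .key file and passes it to BIND 9's nsupdate through the key command on standard input, so the key data never appears in the argument list that ps shows. The key file contents, server name and zone are constructed for illustration.

```shell
#!/bin/sh
# Added example: build an nsupdate batch with the TSIG key inline and feed it on
# stdin instead of using -y, so the key is not visible in `ps` on a multi-user host.

# Constructed sample in the format dnssec-keygen writes to K<name>.+157+<id>.key
KEYFILE=$(mktemp)
printf 'dhcp-server.foo.example. IN KEY 512 3 157 CPB4fRniZYUPobYF/4igZg==\n' > "$KEYFILE"
chmod 600 "$KEYFILE"   # key material: owner-readable only

# tsig_key_from_file FILE -> "key-name base64-data", the form the key command expects.
# Field layout of the .key file: <name.> IN KEY <flags> <protocol> <algorithm> <base64>
tsig_key_from_file() {
    awk '$3 == "KEY" { sub(/\.$/, "", $1); print $1, $NF; exit }' "$1"
}

# build_update_batch KEYFILE SERVER ZONE UPDATE... -> nsupdate script on stdout.
# Each UPDATE is one nsupdate update line, e.g. "delete foo.example. NS ns1.foo.example."
build_update_batch() {
    keyfile=$1; server=$2; zone=$3; shift 3
    keyspec=$(tsig_key_from_file "$keyfile") || return 1
    [ -n "$keyspec" ] || { echo "no KEY record found in $keyfile" >&2; return 1; }
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'key %s\n' "$keyspec"
    for u in "$@"; do
        printf 'update %s\n' "$u"
    done
    printf 'send\n'
}

# Usage: pipe the batch into nsupdate; only "nsupdate" itself is visible in argv.
#   build_update_batch "$KEYFILE" ns1.foo.example foo.example \
#       "delete foo.example. NS ns1.foo.example." | nsupdate
```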

5.23.4 See Also

nsupdate(8); Section 3.11, for allowing TSIG-signed dynamic updates to a zone; and Section 9.11, for sending TSIG-signed updates programmatically.
