- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: nsupdate.docbook,v 1.34.48.2 2009/01/22 23:47:05 tbox Exp $ -->
+<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
<arg><option>-d</option></arg>
<arg><option>-D</option></arg>
<group>
+ <arg><option>-g</option></arg>
+ <arg><option>-o</option></arg>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
</group>
report additional debugging information to <option>-d</option>.
</para>
<para>
- Transaction signatures can be used to authenticate the Dynamic DNS
- updates.
- These use the TSIG resource record type described in RFC2845 or the
- SIG(0) record described in RFC3535 and RFC2931.
- TSIG relies on a shared secret that should only be known to
- <command>nsupdate</command> and the name server.
- Currently, the only supported encryption algorithm for TSIG is
- HMAC-MD5, which is defined in RFC 2104.
- Once other algorithms are defined for TSIG, applications will need to
- ensure they select the appropriate algorithm as well as the key when
- authenticating each other.
- For instance, suitable
- <type>key</type>
- and
- <type>server</type>
- statements would be added to
- <filename>/etc/named.conf</filename>
- so that the name server can associate the appropriate secret key
- and algorithm with the IP address of the
- client application that will be using TSIG authentication.
- SIG(0) uses public key cryptography. To use a SIG(0) key, the public
- key must be stored in a KEY record in a zone served by the name server.
- <command>nsupdate</command>
- does not read
+ Transaction signatures can be used to authenticate the Dynamic
+ DNS updates. These use the TSIG resource record type described
+ in RFC2845 or the SIG(0) record described in RFC3535 and
+ RFC2931 or GSS-TSIG as described in RFC3645. TSIG relies on
+ a shared secret that should only be known to
+ <command>nsupdate</command> and the name server. Currently,
+ the only supported encryption algorithm for TSIG is HMAC-MD5,
+ which is defined in RFC 2104. Once other algorithms are
+ defined for TSIG, applications will need to ensure they select
+ the appropriate algorithm as well as the key when authenticating
+ each other. For instance, suitable <type>key</type> and
+ <type>server</type> statements would be added to
+ <filename>/etc/named.conf</filename> so that the name server
+ can associate the appropriate secret key and algorithm with
+ the IP address of the client application that will be using
+ TSIG authentication. SIG(0) uses public key cryptography.
+ To use a SIG(0) key, the public key must be stored in a KEY
+ record in a zone served by the name server.
+ <command>nsupdate</command> does not read
<filename>/etc/named.conf</filename>.
+ GSS-TSIG uses Kerberos credentials.
</para>
<para><command>nsupdate</command>
uses the <option>-y</option> or <option>-k</option> option
to authenticate Dynamic DNS update requests. In this case, the key
specified is not an HMAC-MD5 key.
</para>
+ <para>
+ The <option>-g</option> and <option>-o</option> specify that
+ GSS-TSIG is to be used. The <option>-o</option> should only
+ be used with old Microsoft Windows 2000 servers.
+ </para>
<para>
By default,
<command>nsupdate</command>
projects / thirdparty / bind9.git / commitdiff
