49
<refname>nsupdate</refname>
50
<refpurpose>Dynamic DNS update utility</refpurpose>
54
<command>nsupdate</command>
55
<arg><option>-d</option></arg>
57
<arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg>
58
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
60
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
61
<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
62
<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
63
<arg><option>-v</option></arg>
69
<title>DESCRIPTION</title>
71
<command>nsupdate</command>
72
is used to submit Dynamic DNS Update requests as defined in RFC2136
74
This allows resource records to be added or removed from a zone
75
without manually editing the zone file.
76
A single update request can contain requests to add or remove more than one
80
Zones that are under dynamic control via
81
<command>nsupdate</command>
82
or a DHCP server should not be edited by hand.
84
conflict with dynamic updates and cause data to be lost.
87
The resource records that are dynamically added or removed with
88
<command>nsupdate</command>
89
have to be in the same zone.
90
Requests are sent to the zone's master server.
91
This is identified by the MNAME field of the zone's SOA record.
97
<command>nsupdate</command>
98
operate in debug mode.
99
This provides tracing information about the update requests that are
100
made and the replies received from the name server.
103
Transaction signatures can be used to authenticate the Dynamic DNS
105
These use the TSIG resource record type described in RFC2845 or the
106
SIG(0) record described in RFC3535 and RFC2931.
107
TSIG relies on a shared secret that should only be known to
108
<command>nsupdate</command> and the name server.
109
Currently, the only supported encryption algorithm for TSIG is
110
HMAC-MD5, which is defined in RFC 2104.
111
Once other algorithms are defined for TSIG, applications will need to
112
ensure they select the appropriate algorithm as well as the key when
113
authenticating each other.
114
For instance suitable
118
statements would be added to
119
<filename>/etc/named.conf</filename>
120
so that the name server can associate the appropriate secret key
121
and algorithm with the IP address of the
122
client application that will be using TSIG authentication.
123
SIG(0) uses public key cryptography. To use a SIG(0) key, the public
124
key must be stored in a KEY record in a zone served by the name server.
125
<command>nsupdate</command>
127
<filename>/etc/named.conf</filename>.
130
<command>nsupdate</command>
135
option (with an HMAC-MD5 key) to provide the shared secret needed to generate
136
a TSIG record for authenticating Dynamic DNS update requests.
137
These options are mutually exclusive.
141
<command>nsupdate</command>
142
reads the shared secret from the file
143
<parameter>keyfile</parameter>,
144
whose name is of the form
145
<filename>K{name}.+157.+{random}.private</filename>.
148
<filename>K{name}.+157.+{random}.key</filename>
149
must also be present. When the
151
option is used, a signature is generated from
152
<parameter>keyname:secret.</parameter>
153
<parameter>keyname</parameter>
154
is the name of the key,
156
<parameter>secret</parameter>
157
is the base64 encoded shared secret.
160
option is discouraged because the shared secret is supplied as a command
161
line argument in clear text.
162
This may be visible in the output from
164
<refentrytitle>ps</refentrytitle><manvolnum>1
167
or in a history file maintained by the user's shell.
170
The <option>-k</option> may also be used to specify a SIG(0) key used
171
to authenticate Dynamic DNS update requests. In this case, the key
172
specified is not an HMAC-MD5 key.
176
<command>nsupdate</command>
177
uses UDP to send update requests to the name server unless they are too
178
large to fit in a UDP request in which case TCP will be used.
182
<command>nsupdate</command>
183
use a TCP connection.
184
This may be preferable when a batch of update requests is made.
186
<para>The <option>-t</option> option sets the maximum time a update request can
187
take before it is aborted. The default is 300 seconds. Zero can be used
188
to disable the timeout.
190
<para>The <option>-u</option> option sets the UDP retry interval. The default is
191
3 seconds. If zero the interval will be computed from the timeout interval
192
and number of UDP retries.
194
<para>The <option>-r</option> option sets the number of UDP retries. The default is
195
3. If zero only one update request will be made.
200
<title>INPUT FORMAT</title>
202
<command>nsupdate</command>
204
<parameter>filename</parameter>
206
Each command is supplied on exactly one line of input.
207
Some commands are for administrative purposes.
208
The others are either update instructions or prerequisite checks on the
209
contents of the zone.
210
These checks set conditions that some name or set of
211
resource records (RRset) either exists or is absent from the zone.
212
These conditions must be met if the entire update request is to succeed.
213
Updates will be rejected if the tests for the prerequisite conditions fail.
216
Every update request consists of zero or more prerequisites
217
and zero or more updates.
218
This allows a suitably authenticated update request to proceed if some
219
specified resource records are present or missing from the zone.
220
A blank input line (or the <command>send</command> command) causes the
221
accumulated commands to be sent as one Dynamic DNS update request to the
225
The command formats and their meaning are as follows:
229
<command>server</command>
230
<arg choice="req">servername</arg>
231
<arg choice="opt">port</arg>
236
Sends all dynamic update requests to the name server
237
<parameter>servername</parameter>.
238
When no server statement is provided,
239
<command>nsupdate</command>
240
will send updates to the master server of the correct zone.
241
The MNAME field of that zone's SOA record will identify the master
242
server for that zone.
243
<parameter>port</parameter>
244
is the port number on
245
<parameter>servername</parameter>
246
where the dynamic update requests get sent.
247
If no port number is specified, the default DNS port number of 53 is
255
<command>local</command>
256
<arg choice="req">address</arg>
257
<arg choice="opt">port</arg>
262
Sends all dynamic update requests using the local
263
<parameter>address</parameter>.
265
When no local statement is provided,
266
<command>nsupdate</command>
267
will send updates using an address and port chosen by the system.
268
<parameter>port</parameter>
269
can additionally be used to make requests come from a specific port.
270
If no port number is specified, the system will assign one.
277
<command>zone</command>
278
<arg choice="req">zonename</arg>
283
Specifies that all updates are to be made to the zone
284
<parameter>zonename</parameter>.
286
<parameter>zone</parameter>
287
statement is provided,
288
<command>nsupdate</command>
289
will attempt determine the correct zone to update based on the rest of the input.
296
<command>class</command>
297
<arg choice="req">classname</arg>
302
Specify the default class.
303
If no <parameter>class</parameter> is specified the default class is
304
<parameter>IN</parameter>.
311
<command>key</command>
312
<arg choice="req">name</arg>
313
<arg choice="req">secret</arg>
318
Specifies that all updates are to be TSIG signed using the
319
<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
320
The <command>key</command> command
321
overrides any key specified on the command line via
322
<option>-y</option> or <option>-k</option>.
329
<command>prereq nxdomain</command>
330
<arg choice="req">domain-name</arg>
335
Requires that no resource record of any type exists with name
336
<parameter>domain-name</parameter>.
344
<command>prereq yxdomain</command>
345
<arg choice="req">domain-name</arg>
351
<parameter>domain-name</parameter>
352
exists (has as at least one resource record, of any type).
359
<command>prereq nxrrset</command>
360
<arg choice="req">domain-name</arg>
361
<arg choice="opt">class</arg>
362
<arg choice="req">type</arg>
367
Requires that no resource record exists of the specified
368
<parameter>type</parameter>,
369
<parameter>class</parameter>
371
<parameter>domain-name</parameter>.
373
<parameter>class</parameter>
374
is omitted, IN (internet) is assumed.
382
<command>prereq yxrrset</command>
383
<arg choice="req">domain-name</arg>
384
<arg choice="opt">class</arg>
385
<arg choice="req">type</arg>
390
This requires that a resource record of the specified
391
<parameter>type</parameter>,
392
<parameter>class</parameter>
394
<parameter>domain-name</parameter>
397
<parameter>class</parameter>
398
is omitted, IN (internet) is assumed.
405
<command>prereq yxrrset</command>
406
<arg choice="req">domain-name</arg>
407
<arg choice="opt">class</arg>
408
<arg choice="req">type</arg>
409
<arg choice="req" rep="repeat">data</arg>
415
<parameter>data</parameter>
416
from each set of prerequisites of this form
418
<parameter>type</parameter>,
419
<parameter>class</parameter>,
421
<parameter>domain-name</parameter>
422
are combined to form a set of RRs. This set of RRs must
423
exactly match the set of RRs existing in the zone at the
425
<parameter>type</parameter>,
426
<parameter>class</parameter>,
428
<parameter>domain-name</parameter>.
430
<parameter>data</parameter>
431
are written in the standard text representation of the resource record's
439
<command>update delete</command>
440
<arg choice="req">domain-name</arg>
441
<arg choice="opt">ttl</arg>
442
<arg choice="opt">class</arg>
443
<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
448
Deletes any resource records named
449
<parameter>domain-name</parameter>.
451
<parameter>type</parameter>
453
<parameter>data</parameter>
454
is provided, only matching resource records will be removed.
455
The internet class is assumed if
456
<parameter>class</parameter>
458
<parameter>ttl</parameter>
459
is ignored, and is only allowed for compatibility.
466
<command>update add</command>
467
<arg choice="req">domain-name</arg>
468
<arg choice="req">ttl</arg>
469
<arg choice="opt">class</arg>
470
<arg choice="req">type</arg>
471
<arg choice="req" rep="repeat">data</arg>
476
Adds a new resource record with the specified
477
<parameter>ttl</parameter>,
478
<parameter>class</parameter>
480
<parameter>data</parameter>.
487
<command>show</command>
492
Displays the current message, containing all of the prerequisites and
493
updates specified since the last send.
500
<command>send</command>
505
Sends the current message. This is equivalent to entering a blank line.
512
<command>answer</command>
526
Lines beginning with a semicolon are comments and are ignored.
532
<title>EXAMPLES</title>
534
The examples below show how
535
<command>nsupdate</command>
536
could be used to insert and delete resource records from the
537
<type>example.com</type>
539
Notice that the input in each example contains a trailing blank line so that
540
a group of commands are sent as one dynamic update request to the
541
master name server for
542
<type>example.com</type>.
546
> update delete oldhost.example.com A
547
> update add newhost.example.com 86400 A 172.16.1.1
553
<type>oldhost.example.com</type>
556
<type>newhost.example.com</type>
557
it IP address 172.16.1.1 is added.
558
The newly-added record has a 1 day TTL (86400 seconds)
561
> prereq nxdomain nickname.example.com
562
> update add nickname.example.com 86400 CNAME somehost.example.com
567
The prerequisite condition gets the name server to check that there
568
are no resource records of any type for
569
<type>nickname.example.com</type>.
571
If there are, the update request fails.
572
If this name does not exist, a CNAME for it is added.
573
This ensures that when the CNAME is added, it cannot conflict with the
574
long-standing rule in RFC1034 that a name must not exist as any other
575
record type if it exists as a CNAME.
576
(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
577
RRSIG, DNSKEY and NSEC records.)
585
<varlistentry><term><constant>/etc/resolv.conf</constant></term>
588
used to identify default name server
593
<varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term>
596
base-64 encoding of HMAC-MD5 key created by
598
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
604
<varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term>
607
base-64 encoding of HMAC-MD5 key created by
609
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
618
<title>SEE ALSO</title>
621
<refentrytitle>RFC2136</refentrytitle>
624
<refentrytitle>RFC3007</refentrytitle>
627
<refentrytitle>RFC2104</refentrytitle>
630
<refentrytitle>RFC2845</refentrytitle>
633
<refentrytitle>RFC1034</refentrytitle>
636
<refentrytitle>RFC2535</refentrytitle>
639
<refentrytitle>RFC2931</refentrytitle>
642
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
645
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
652
The TSIG key is redundantly stored in two separate files.
653
This is a consequence of nsupdate using the DST library
654
for its cryptographic operations, and may change in future
55
<command>nsupdate</command>
56
<arg><option>-d</option></arg>
58
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
59
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
61
<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
62
<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
63
<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
64
<arg><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
65
<arg><option>-v</option></arg>
71
<title>DESCRIPTION</title>
72
<para><command>nsupdate</command>
73
is used to submit Dynamic DNS Update requests as defined in RFC2136
75
This allows resource records to be added or removed from a zone
76
without manually editing the zone file.
77
A single update request can contain requests to add or remove more than
82
Zones that are under dynamic control via
83
<command>nsupdate</command>
84
or a DHCP server should not be edited by hand.
86
conflict with dynamic updates and cause data to be lost.
89
The resource records that are dynamically added or removed with
90
<command>nsupdate</command>
91
have to be in the same zone.
92
Requests are sent to the zone's master server.
93
This is identified by the MNAME field of the zone's SOA record.
99
<command>nsupdate</command>
100
operate in debug mode.
101
This provides tracing information about the update requests that are
102
made and the replies received from the name server.
105
Transaction signatures can be used to authenticate the Dynamic DNS
107
These use the TSIG resource record type described in RFC2845 or the
108
SIG(0) record described in RFC3535 and RFC2931.
109
TSIG relies on a shared secret that should only be known to
110
<command>nsupdate</command> and the name server.
111
Currently, the only supported encryption algorithm for TSIG is
112
HMAC-MD5, which is defined in RFC 2104.
113
Once other algorithms are defined for TSIG, applications will need to
114
ensure they select the appropriate algorithm as well as the key when
115
authenticating each other.
116
For instance, suitable
120
statements would be added to
121
<filename>/etc/named.conf</filename>
122
so that the name server can associate the appropriate secret key
123
and algorithm with the IP address of the
124
client application that will be using TSIG authentication.
125
SIG(0) uses public key cryptography. To use a SIG(0) key, the public
126
key must be stored in a KEY record in a zone served by the name server.
127
<command>nsupdate</command>
129
<filename>/etc/named.conf</filename>.
131
<para><command>nsupdate</command>
132
uses the <option>-y</option> or <option>-k</option> option
133
to provide the shared secret needed to generate a TSIG record
134
for authenticating Dynamic DNS update requests, default type
135
HMAC-MD5. These options are mutually exclusive. With the
136
<option>-k</option> option, <command>nsupdate</command> reads
137
the shared secret from the file <parameter>keyfile</parameter>,
138
whose name is of the form
139
<filename>K{name}.+157.+{random}.private</filename>. For
140
historical reasons, the file
141
<filename>K{name}.+157.+{random}.key</filename> must also be
142
present. When the <option>-y</option> option is used, a
143
signature is generated from
144
<optional><parameter>hmac:</parameter></optional><parameter>keyname:secret.</parameter>
145
<parameter>keyname</parameter> is the name of the key, and
146
<parameter>secret</parameter> is the base64 encoded shared
147
secret. Use of the <option>-y</option> option is discouraged
148
because the shared secret is supplied as a command line
149
argument in clear text. This may be visible in the output
152
<refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
153
</citerefentry> or in a history file maintained by the user's
157
The <option>-k</option> may also be used to specify a SIG(0) key used
158
to authenticate Dynamic DNS update requests. In this case, the key
159
specified is not an HMAC-MD5 key.
163
<command>nsupdate</command>
164
uses UDP to send update requests to the name server unless they are too
165
large to fit in a UDP request in which case TCP will be used.
169
<command>nsupdate</command>
170
use a TCP connection.
171
This may be preferable when a batch of update requests is made.
174
The <option>-t</option> option sets the maximum time an update request
176
take before it is aborted. The default is 300 seconds. Zero can be
178
to disable the timeout.
181
The <option>-u</option> option sets the UDP retry interval. The default
183
3 seconds. If zero, the interval will be computed from the timeout
185
and number of UDP retries.
188
The <option>-r</option> option sets the number of UDP retries. The
190
3. If zero, only one update request will be made.
193
The <option>-R <replaceable
194
class="parameter">randomdev</replaceable></option> option
195
specifies a source of randomness. If the operating system
196
does not provide a <filename>/dev/random</filename> or
197
equivalent device, the default source of randomness is keyboard
198
input. <filename>randomdev</filename> specifies the name of
199
a character device or file containing random data to be used
200
instead of the default. The special value
201
<filename>keyboard</filename> indicates that keyboard input
202
should be used. This option may be specified multiple times.
207
<title>INPUT FORMAT</title>
208
<para><command>nsupdate</command>
210
<parameter>filename</parameter>
212
Each command is supplied on exactly one line of input.
213
Some commands are for administrative purposes.
214
The others are either update instructions or prerequisite checks on the
215
contents of the zone.
216
These checks set conditions that some name or set of
217
resource records (RRset) either exists or is absent from the zone.
218
These conditions must be met if the entire update request is to succeed.
219
Updates will be rejected if the tests for the prerequisite conditions
223
Every update request consists of zero or more prerequisites
224
and zero or more updates.
225
This allows a suitably authenticated update request to proceed if some
226
specified resource records are present or missing from the zone.
227
A blank input line (or the <command>send</command> command)
229
accumulated commands to be sent as one Dynamic DNS update request to the
233
The command formats and their meaning are as follows:
238
<command>server</command>
239
<arg choice="req">servername</arg>
240
<arg choice="opt">port</arg>
244
Sends all dynamic update requests to the name server
245
<parameter>servername</parameter>.
246
When no server statement is provided,
247
<command>nsupdate</command>
248
will send updates to the master server of the correct zone.
249
The MNAME field of that zone's SOA record will identify the
251
server for that zone.
252
<parameter>port</parameter>
253
is the port number on
254
<parameter>servername</parameter>
255
where the dynamic update requests get sent.
256
If no port number is specified, the default DNS port number of
265
<command>local</command>
266
<arg choice="req">address</arg>
267
<arg choice="opt">port</arg>
271
Sends all dynamic update requests using the local
272
<parameter>address</parameter>.
274
When no local statement is provided,
275
<command>nsupdate</command>
276
will send updates using an address and port chosen by the
278
<parameter>port</parameter>
279
can additionally be used to make requests come from a specific
281
If no port number is specified, the system will assign one.
288
<command>zone</command>
289
<arg choice="req">zonename</arg>
293
Specifies that all updates are to be made to the zone
294
<parameter>zonename</parameter>.
296
<parameter>zone</parameter>
297
statement is provided,
298
<command>nsupdate</command>
299
will attempt determine the correct zone to update based on the
307
<command>class</command>
308
<arg choice="req">classname</arg>
312
Specify the default class.
313
If no <parameter>class</parameter> is specified, the
315
<parameter>IN</parameter>.
322
<command>key</command>
323
<arg choice="req">name</arg>
324
<arg choice="req">secret</arg>
328
Specifies that all updates are to be TSIG-signed using the
329
<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
330
The <command>key</command> command
331
overrides any key specified on the command line via
332
<option>-y</option> or <option>-k</option>.
339
<command>prereq nxdomain</command>
340
<arg choice="req">domain-name</arg>
344
Requires that no resource record of any type exists with name
345
<parameter>domain-name</parameter>.
353
<command>prereq yxdomain</command>
354
<arg choice="req">domain-name</arg>
359
<parameter>domain-name</parameter>
360
exists (has as at least one resource record, of any type).
367
<command>prereq nxrrset</command>
368
<arg choice="req">domain-name</arg>
369
<arg choice="opt">class</arg>
370
<arg choice="req">type</arg>
374
Requires that no resource record exists of the specified
375
<parameter>type</parameter>,
376
<parameter>class</parameter>
378
<parameter>domain-name</parameter>.
380
<parameter>class</parameter>
381
is omitted, IN (internet) is assumed.
389
<command>prereq yxrrset</command>
390
<arg choice="req">domain-name</arg>
391
<arg choice="opt">class</arg>
392
<arg choice="req">type</arg>
396
This requires that a resource record of the specified
397
<parameter>type</parameter>,
398
<parameter>class</parameter>
400
<parameter>domain-name</parameter>
403
<parameter>class</parameter>
404
is omitted, IN (internet) is assumed.
411
<command>prereq yxrrset</command>
412
<arg choice="req">domain-name</arg>
413
<arg choice="opt">class</arg>
414
<arg choice="req">type</arg>
415
<arg choice="req" rep="repeat">data</arg>
420
<parameter>data</parameter>
421
from each set of prerequisites of this form
423
<parameter>type</parameter>,
424
<parameter>class</parameter>,
426
<parameter>domain-name</parameter>
427
are combined to form a set of RRs. This set of RRs must
428
exactly match the set of RRs existing in the zone at the
430
<parameter>type</parameter>,
431
<parameter>class</parameter>,
433
<parameter>domain-name</parameter>.
435
<parameter>data</parameter>
436
are written in the standard text representation of the resource
445
<command>update delete</command>
446
<arg choice="req">domain-name</arg>
447
<arg choice="opt">ttl</arg>
448
<arg choice="opt">class</arg>
449
<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
453
Deletes any resource records named
454
<parameter>domain-name</parameter>.
456
<parameter>type</parameter>
458
<parameter>data</parameter>
459
is provided, only matching resource records will be removed.
460
The internet class is assumed if
461
<parameter>class</parameter>
463
<parameter>ttl</parameter>
464
is ignored, and is only allowed for compatibility.
471
<command>update add</command>
472
<arg choice="req">domain-name</arg>
473
<arg choice="req">ttl</arg>
474
<arg choice="opt">class</arg>
475
<arg choice="req">type</arg>
476
<arg choice="req" rep="repeat">data</arg>
480
Adds a new resource record with the specified
481
<parameter>ttl</parameter>,
482
<parameter>class</parameter>
484
<parameter>data</parameter>.
491
<command>show</command>
495
Displays the current message, containing all of the
497
updates specified since the last send.
504
<command>send</command>
508
Sends the current message. This is equivalent to entering a
516
<command>answer</command>
529
Lines beginning with a semicolon are comments and are ignored.
535
<title>EXAMPLES</title>
537
The examples below show how
538
<command>nsupdate</command>
539
could be used to insert and delete resource records from the
540
<type>example.com</type>
542
Notice that the input in each example contains a trailing blank line so
544
a group of commands are sent as one dynamic update request to the
545
master name server for
546
<type>example.com</type>.
550
> update delete oldhost.example.com A
551
> update add newhost.example.com 86400 A 172.16.1.1
557
<type>oldhost.example.com</type>
560
<type>newhost.example.com</type>
561
with IP address 172.16.1.1 is added.
562
The newly-added record has a 1 day TTL (86400 seconds).
565
> prereq nxdomain nickname.example.com
566
> update add nickname.example.com 86400 CNAME somehost.example.com
571
The prerequisite condition gets the name server to check that there
572
are no resource records of any type for
573
<type>nickname.example.com</type>.
575
If there are, the update request fails.
576
If this name does not exist, a CNAME for it is added.
577
This ensures that when the CNAME is added, it cannot conflict with the
578
long-standing rule in RFC1034 that a name must not exist as any other
579
record type if it exists as a CNAME.
580
(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
581
RRSIG, DNSKEY and NSEC records.)
590
<term><constant>/etc/resolv.conf</constant></term>
593
used to identify default name server
599
<term><constant>K{name}.+157.+{random}.key</constant></term>
602
base-64 encoding of HMAC-MD5 key created by
604
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
611
<term><constant>K{name}.+157.+{random}.private</constant></term>
614
base-64 encoding of HMAC-MD5 key created by
616
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
626
<title>SEE ALSO</title>
628
<refentrytitle>RFC2136</refentrytitle>
631
<refentrytitle>RFC3007</refentrytitle>
634
<refentrytitle>RFC2104</refentrytitle>
637
<refentrytitle>RFC2845</refentrytitle>
640
<refentrytitle>RFC1034</refentrytitle>
643
<refentrytitle>RFC2535</refentrytitle>
646
<refentrytitle>RFC2931</refentrytitle>
649
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
652
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
660
The TSIG key is redundantly stored in two separate files.
661
This is a consequence of nsupdate using the DST library
662
for its cryptographic operations, and may change in future