Menu:

Introduced in BIND version 8 and refined in BIND version 9, the nsupdate utility provides the system administrator or casual user with a quick and painless method of updating a DNS zone, adding or deleting any type of DNS record the name server supports.

This article describes how to setup dynamic DNS, and provides some examples of use. For Fedora Core (and Red Hat) users, you will need to install both the bind (for dnssec-keygen) and bind-utils (for nsupdate) packages. If you plan to configure a DNS server, also read the companion article on configuring your server.

My home network is the same as millions of other Internet users: dynamic IP obtained from my ISP via DHCP. Wanting to make sure that I can connect to my home network remotely, even if the underlying dynamic IP changes, I looked around for a reliable (and hopefully free!) dynamic DNS service. I found dyndns.org, which I use today, and recently someone also pointed me to zoneedit.com.

Even though my DNS is automatically updated when it changes, via the highly versatile ddclient package, the traditional dynamic DNS update protocols (including dyndns.org's) are typically site-specific and non-standard. While googling around for a better solution, a friend on IRC pointing me to a utility that has been around since BIND 8: nsupdate.

nsupdate is a fantastic little utility that enable quick and secure DNS zone updates. Setup is quick and painless, and use is fairly intuitive for anyone remotely familiar with DNS, and skilled enough to admin their own Linux system.

Creating the keypair

Access to update a DNS zone is granted by key. This key is created by running the dnssec-keygen utility. For single users generating a key, you provide your email address and hash algorithm details as input, and dnssec-keygen generates two keys, a public key and a private key. For this specific case, HMAC-MD5, the public and private keys are the same. In this example, email address foo22@bar44.com is used.

$ dnssec-keygen -a HMAC-MD5 -b 512 -n USER foo22.bar44.com.
Kfoo22.bar44.com.+157+12505

This created two files in the current directory, Kfoo22.bar44.com.+157+12505.key and Kfoo22.bar44.com.+157+12505.private. The filename with the ".key" suffix is the public key, and the file with ".private" suffix is, you guessed it, the private key. The contents of the public key (you give this to your DNS administrator) looks like

foo22.bar44.com. IN KEY 0 2 157 YrVW9yP6gNMA7VbcU/r2mSIwYnFj/XkCDd6QuqOHE26/ipnrPy+eXrKr UyaFhB2XWNdVLUX7QCUkfhg4zN5YiA==

and the content of the private key looks like

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key:
YrVW9yP6gNMA7VbcU/r2mSIwYnFj/XkCDd6QuqOHE26/ipnrPy+eXrKrUyaFhB2XWNdVLUX7QCUkfhg4zN5YiA==

(again, the public and private keys are the same for HMAC-MD5)

Store the private key in a secure location. If you are also the DNS server adminstrator, configure your server with the public key. Otherwise, email the public key to your DNS adminstrator.

Executing a Dynamic DNS update

The first step is to create a convenience script for performing regular DNS updates, using the private key you just generated. Here is my do-nsupdate script:

#!/bin/sh
# usage:  do-nsupdate [text-file-containing-nsupdate-instructions]

nsupdate -k Kfoo22.bar44.com.+157+12505.private -v $1

The next step is to create a text file which contains the information necessary to perform a DNS update. The full format of this text file is described on the nsupdate man page.

server ns.bar44.com
zone bar44.com
update delete somehost.bar44.com. A
update add somehost.bar44.com. 86400 A 10.10.10.1
show
send

server is the nameserver to which updates will be sent. zone is the DNS domain to be updated. The update lines specify the changes to be made to one or more DNS records. The show line is optional, and causes nsupdate to display the records after updating. The send line directs nsupdate to send flush all updates listed in the file to the nameserver.

The final step is to execute the script, passing the text file you just created (my-nsupdate.txt in this example) to the update script:

./do-nsupdate my-nsupdate.txt

That's it! The updates are available on the DNS server immediately.

Further thought

Anyone familiar with scripting should be able to hook this into their DHCP client, to provide automatic DNS updates directly to the DNS server.

For more imaginative folks, nsupdate facilitates a great many automated DNS services one can devise. For example, if you wish to fight spam by running your own DNS "blackhole list" (blacklist), nsupdate makes it trivial to automate updates. Since the updates take affect immediately on the DNS server, anti-spam and anti-virus databases can effectively be made real-time. In fact, I would be surprised if spam fighters are not already using nsupdate to update their anti-spam and anti-virus DNS blackhole lists.

Further reading