1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12.. highlight: console
13
14.. BEWARE: Do not forget to edit also tsig-keygen.rst!
15
16.. iscman:: ddns-confgen
17.. program:: ddns-confgen
18.. _man_ddns-confgen:
19
20ddns-confgen - TSIG key generation tool
21---------------------------------------
22
23Synopsis
24~~~~~~~~
25:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone]
26
27Description
28~~~~~~~~~~~
29
30:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing.
31The resulting keys can be used, for example, to secure dynamic DNS updates
32to a zone, or for the :iscman:`rndc` command channel.
33
34The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``.
35The generated key is accompanied by configuration text and instructions that
36can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS,
37including an example ``update-policy`` statement.
38(This usage is similar to the :iscman:`rndc-confgen` command for setting up
39command-channel security.)
40
41Note that :iscman:`named` itself can configure a local DDNS key for use with
42:option:`nsupdate -l`; it does this when a zone is configured with
43``update-policy local;``. :program:`ddns-confgen` is only needed when a more
44elaborate configuration is required: for instance, if :iscman:`nsupdate` is to
45be used from a remote system.
46
47Options
48~~~~~~~
49
50.. option:: -a algorithm
51
52   This option specifies the algorithm to use for the TSIG key. Available
53   choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
54   and hmac-sha512. The default is hmac-sha256. Options are
55   case-insensitive, and the "hmac-" prefix may be omitted.
56
57.. option:: -h
58
59   This option prints a short summary of options and arguments.
60
61.. option:: -k keyname
62
63   This option specifies the key name of the DDNS authentication key. The
64   default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is
65   specified; otherwise, the default is ``ddns-key`` as a separate label
66   followed by the argument of the option, e.g., ``ddns-key.example.com.``
67   The key name must have the format of a valid domain name, consisting of
68   letters, digits, hyphens, and periods.
69
70.. option:: -q
71
72   This option enables quiet mode, which prints only the key, with no
73   explanatory text or usage examples. This is essentially identical to
74   :iscman:`tsig-keygen`.
75
76.. option:: -s name
77
78   This option generates a configuration example to allow dynamic updates
79   of a single hostname. The example :iscman:`named.conf` text shows how to set
80   an update policy for the specified name using the "name" nametype. The
81   default key name is ``ddns-key.name``. Note that the "self" nametype
82   cannot be used, since the name to be updated may differ from the key
83   name. This option cannot be used with the :option:`-z` option.
84
85.. option:: -z zone
86
87   This option generates a configuration example to allow
88   dynamic updates of a zone. The example :iscman:`named.conf` text shows how
89   to set an update policy for the specified zone using the "zonesub"
90   nametype, allowing updates to all subdomain names within that zone.
91   This option cannot be used with the :option:`-s` option.
92
93See Also
94~~~~~~~~
95
96:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual.
97