1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12.. highlight: console 13 14.. BEWARE: Do not forget to edit also tsig-keygen.rst! 15 16.. iscman:: ddns-confgen 17.. program:: ddns-confgen 18.. _man_ddns-confgen: 19 20ddns-confgen - TSIG key generation tool 21--------------------------------------- 22 23Synopsis 24~~~~~~~~ 25:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-s** name] [**-z** zone] 26 27Description 28~~~~~~~~~~~ 29 30:program:`ddns-confgen` is an utility that generates keys for use in TSIG signing. 31The resulting keys can be used, for example, to secure dynamic DNS updates 32to a zone, or for the :iscman:`rndc` command channel. 33 34The key name can specified using :option:`-k` parameter and defaults to ``ddns-key``. 35The generated key is accompanied by configuration text and instructions that 36can be used with :iscman:`nsupdate` and :iscman:`named` when setting up dynamic DNS, 37including an example ``update-policy`` statement. 38(This usage is similar to the :iscman:`rndc-confgen` command for setting up 39command-channel security.) 40 41Note that :iscman:`named` itself can configure a local DDNS key for use with 42:option:`nsupdate -l`; it does this when a zone is configured with 43``update-policy local;``. :program:`ddns-confgen` is only needed when a more 44elaborate configuration is required: for instance, if :iscman:`nsupdate` is to 45be used from a remote system. 46 47Options 48~~~~~~~ 49 50.. option:: -a algorithm 51 52 This option specifies the algorithm to use for the TSIG key. Available 53 choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, 54 and hmac-sha512. The default is hmac-sha256. Options are 55 case-insensitive, and the "hmac-" prefix may be omitted. 56 57.. option:: -h 58 59 This option prints a short summary of options and arguments. 60 61.. option:: -k keyname 62 63 This option specifies the key name of the DDNS authentication key. The 64 default is ``ddns-key`` when neither the :option:`-s` nor :option:`-z` option is 65 specified; otherwise, the default is ``ddns-key`` as a separate label 66 followed by the argument of the option, e.g., ``ddns-key.example.com.`` 67 The key name must have the format of a valid domain name, consisting of 68 letters, digits, hyphens, and periods. 69 70.. option:: -q 71 72 This option enables quiet mode, which prints only the key, with no 73 explanatory text or usage examples. This is essentially identical to 74 :iscman:`tsig-keygen`. 75 76.. option:: -s name 77 78 This option generates a configuration example to allow dynamic updates 79 of a single hostname. The example :iscman:`named.conf` text shows how to set 80 an update policy for the specified name using the "name" nametype. The 81 default key name is ``ddns-key.name``. Note that the "self" nametype 82 cannot be used, since the name to be updated may differ from the key 83 name. This option cannot be used with the :option:`-z` option. 84 85.. option:: -z zone 86 87 This option generates a configuration example to allow 88 dynamic updates of a zone. The example :iscman:`named.conf` text shows how 89 to set an update policy for the specified zone using the "zonesub" 90 nametype, allowing updates to all subdomain names within that zone. 91 This option cannot be used with the :option:`-s` option. 92 93See Also 94~~~~~~~~ 95 96:iscman:`nsupdate(1) <nsupdate>`, :iscman:`named.conf(5) <named.conf>`, :iscman:`named(8) <named>`, BIND 9 Administrator Reference Manual. 97