Provided by: knot-dnsutils_3.4.6-2_amd64 
NAME
knsupdate - Dynamic DNS update utility
SYNOPSIS
knsupdate [-v] [options] [filename]
knsupdate [-q] [quic_options] [options] [filename]
DESCRIPTION
This utility sends Dynamic DNS update messages to a DNS server. Update content is read from a file (if
the parameter filename is given) or from the standard input.
The format of updates is textual and is made up of commands. Every command is placed on the separate line
of the input. Lines starting with a semicolon are comments and are not processed.
Parameters
filename
Path to the file with knsupdate commands.
Options
-T, --tcp
Use a TCP connection. (-v can be used for compatibility with nsupdate).
-S, --tls
Use a TLS connection.
-Q, --quic
Use a QUIC connection.
-p, --port number
Set the port to use for connections to the server (if not explicitly specified in the update). The
default is 53 for UDP/TCP or 853 for QUIC.
-r, --retry count
The number of retries for UDP requests. The default is 3.
-t, --timeout seconds
The total timeout (for all UDP update tries) of the update request in seconds. The default is 12.
If set to zero, the timeout is infinite.
-y, --tsig [alg:]name:key
Use the TSIG key with a name name to authenticate the request. The alg part specifies the
algorithm (the default is hmac-sha256) and key specifies the shared secret encoded in Base64.
-k, --tsigfile path
Use the TSIG key stored in a file keyfile to authenticate the request. The file should contain the
key in the same format, which is accepted by the -y option.
-d, --debug
Enable debug messages.
-h, --help
Print the program help.
-V, --version
Print the program version. The option -VV makes the program print the compile time configuration
summary.
QUIC/TLS options
-H, --hostname string
Enable remote server hostname validation.
-P, --pin base64
Use Out-of-Band key-pinned privacy profile (RFC 7858#section-4.2). The PIN must be a Base64
encoded SHA-256 hash of the X.509 SubjectPublicKeyInfo. Can be specified multiple times.
-A, --ca [path]
Enable certificate validation. Certification authority certificates are loaded from the specified
PEM file (default is system certificate storage if no argument is provided). Can be specified
multiple times.
-E, --certfile path
Path to a client certificate file.
-K, --keyfile path
Path to a client key file.
-s, --sni string
Use specified Server Name Indication.
Commands
server name [port]
Specifies a receiving server of the dynamic update message. The name parameter can be either a
host name or an IP address. If the port is not specified, the default port is used. The default
port value can be controlled using the -p program option.
local address [port]
Specifies outgoing address and port. If no local is specified, the address and port are set by the
system automatically. The default port number is 0.
zone name
Specifies that all updates are done within a zone name. The zone name doesn't have a default and
must be set explicitly.
origin name
Specifies fully qualified domain name suffix which is appended to non-fqd owners in update
commands. The default is the terminal label (.).
class name
Sets name as the default class for all updates. If not used, the default class is IN.
ttl value
Sets value as the default TTL (in seconds). If not used, the default value is 3600.
key [alg:]name key
Specifies the TSIG key named name to authenticate the request. An optional alg algorithm can be
specified. This command has the same effect as the program option -y.
[prereq] nxdomain name
Adds a prerequisite for a non-existing record owned by name.
[prereq] yxdomain name
Adds a prerequisite for an existing record owned by name.
[prereq] nxrrset name [class] type
Adds a prerequisite for a non-existing record of the type owned by name. Internet class is
expected.
[prereq] yxrrset name [class] type [data]
Adds a prerequisite for an existing record of the type owned by name with optional data. Internet
class is expected.
[update] add name [ttl] [class] type data
Adds a request to add a new resource record into the zone. Please note that if the name is not
fully qualified domain name, the current origin name is appended to it.
[update] del[ete] name [ttl] [class] [type] [data]
Adds a request to remove all (or matching class, type or data) resource records from the zone.
There is the same requirement for the name parameter as in update add command. The ttl item is
ignored.
show Displays current content of the update message.
send Sends the current update message and cleans the list of updates.
answer Displays the last answer from the server.
debug Enable debugging. This command has the same meaning as the -d program option.
exit End the program.
NOTES
Options -k and -y can not be used simultaneously.
Neither tsig-keygen(8) nor dnssec-keygen(1) keyfile formats are supported. Use keymgr(8) to construct a
string for -y or the file passed to -k.
Zone name/server guessing is not supported if the zone name/server is not specified.
An empty line doesn't send the update.
Interactive mode
The utility provides interactive mode with basic line editing functionality, command completion, and
command history.
Interactive mode behavior can be customized in ~/.editrc. Refer to editrc(5) for details.
Command history is saved in ~/.knsupdate_history.
EXIT VALUES
Exit status of 0 means successful operation. Any other exit status indicates an error.
EXAMPLES
1. Send one update of the zone example.com to the server 192.168.1.1. The update contains two new
records:
$ knsupdate
knsupdate> server 192.168.1.1
knsupdate> zone example.com.
knsupdate> origin example.com.
knsupdate> ttl 3600
knsupdate> add test1.example.com. 7200 A 192.168.2.2
knsupdate> add test2 TXT "hello"
knsupdate> show
knsupdate> send
knsupdate> answer
knsupdate> exit
SEE ALSO
kdig(1), khost(1), keymgr(8), editrc(5).
AUTHOR
CZ.NIC Labs <https://www.knot-dns.cz>
COPYRIGHT
Copyright 2010–2025, CZ.NIC, z.s.p.o.
3.4.6 2025-04-10 KNSUPDATE(1)