knsupdate(1) Knot DNS knsupdate(1)
NAME
knsupdate - Dynamic DNS update utility
SYNOPSIS
knsupdate [-v] [options] [filename]
knsupdate [-q] [quic_options] [options] [filename]
DESCRIPTION
This utility sends Dynamic DNS update messages to a DNS server. Update
content is read from a file (if the parameter filename is given) or
from the standard input.
The format of updates is textual and is made up of commands. Every
command is placed on the separate line of the input. Lines starting
with a semicolon are comments and are not processed.
Parameters
filename
Path to the file with knsupdate commands.
Options
-T, --tcp
Use a TCP connection. (-v can be used for compatibility with
nsupdate).
-S, --tls
Use a TLS connection.
-Q, --quic
Use a QUIC connection.
-p, --port number
Set the port to use for connections to the server (if not
explicitly specified in the update). The default is 53 for
UDP/TCP or 853 for QUIC.
-r, --retry count
The number of retries for UDP requests. The default is 3.
-t, --timeout seconds
The total timeout (for all UDP update tries) of the update
request in seconds. The default is 12. If set to zero, the
timeout is infinite.
-y, --tsig [alg:]name:key
Use the TSIG key with a name name to authenticate the request.
The alg part specifies the algorithm (the default is
hmac-sha256) and key specifies the shared secret encoded in
Base64.
-k, --tsigfile path
Use the TSIG key stored in a file keyfile to authenticate the
request. The file should contain the key in the same format,
which is accepted by the -y option.
-d, --debug
Enable debug messages.
-h, --help
Print the program help.
-V, --version
Print the program version. The option -VV makes the program
print the compile time configuration summary.
QUIC/TLS options
-H, --hostname string
Enable remote server hostname validation.
-P, --pin base64
Use Out-of-Band key-pinned privacy profile (RFC
7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash
of the X.509 SubjectPublicKeyInfo. Can be specified multiple
times.
-A, --ca [path]
Enable certificate validation. Certification authority
certificates are loaded from the specified PEM file (default is
system certificate storage if no argument is provided). Can be
specified multiple times.
-E, --certfile path
Path to a client certificate file.
-K, --keyfile path
Path to a client key file.
-s, --sni string
Use specified Server Name Indication.
Commands
server name [port]
Specifies a receiving server of the dynamic update message. The
name parameter can be either a host name or an IP address. If
the port is not specified, the default port is used. The default
port value can be controlled using the -p program option.
local address [port]
Specifies outgoing address and port. If no local is specified,
the address and port are set by the system automatically. The
default port number is 0.
zone name
Specifies that all updates are done within a zone name. The zone
name doesn't have a default and must be set explicitly.
origin name
Specifies fully qualified domain name suffix which is appended
to non-fqd owners in update commands. The default is the
terminal label (.).
class name
Sets name as the default class for all updates. If not used, the
default class is IN.
ttl value
Sets value as the default TTL (in seconds). If not used, the
default value is 3600.
key [alg:]name key
Specifies the TSIG key named name to authenticate the request.
An optional alg algorithm can be specified. This command has the
same effect as the program option -y.
[prereq] nxdomain name
Adds a prerequisite for a non-existing record owned by name.
[prereq] yxdomain name
Adds a prerequisite for an existing record owned by name.
[prereq] nxrrset name [class] type
Adds a prerequisite for a non-existing record of the type owned
by name. Internet class is expected.
[prereq] yxrrset name [class] type [data]
Adds a prerequisite for an existing record of the type owned by
name with optional data. Internet class is expected.
[update] add name [ttl] [class] type data
Adds a request to add a new resource record into the zone.
Please note that if the name is not fully qualified domain name,
the current origin name is appended to it.
[update] del[ete] name [ttl] [class] [type] [data]
Adds a request to remove all (or matching class, type or data)
resource records from the zone. There is the same requirement
for the name parameter as in update add command. The ttl item is
ignored.
show Displays current content of the update message.
send Sends the current update message and cleans the list of updates.
answer Displays the last answer from the server.
debug Enable debugging. This command has the same meaning as the -d
program option.
exit End the program.
NOTES
Options -k and -y can not be used simultaneously.
Neither tsig-keygen(8) nor dnssec-keygen(1) keyfile formats are
supported. Use keymgr(8) to construct a string for -y or the file
passed to -k.
Zone name/server guessing is not supported if the zone name/server is
not specified.
An empty line doesn't send the update.
Interactive mode
The utility provides interactive mode with basic line editing
functionality, command completion, and command history.
Interactive mode behavior can be customized in ~/.editrc. Refer to
editrc(5) for details.
Command history is saved in ~/.knsupdate_history.
EXIT VALUES
Exit status of 0 means successful operation. Any other exit status
indicates an error.
EXAMPLES
1. Send one update of the zone example.com to the server 192.168.1.1.
The update contains two new records:
$ knsupdate
knsupdate> server 192.168.1.1
knsupdate> zone example.com.
knsupdate> origin example.com.
knsupdate> ttl 3600
knsupdate> add test1.example.com. 7200 A 192.168.2.2
knsupdate> add test2 TXT "hello"
knsupdate> show
knsupdate> send
knsupdate> answer
knsupdate> exit
SEE ALSO
kdig(1), khost(1), keymgr(8), editrc(5).
AUTHOR
CZ.NIC, z.s.p.o. and contributors <https://www.knot-dns.cz/>
COPYRIGHT
Copyright (C) CZ.NIC, z.s.p.o. and contributors
3.5.0 2025-09-18 knsupdate(1)
knot 3.5.0 - Generated Fri Sep 19 15:37:04 CDT 2025