DDNS-CONFGEN(8) BIND 9 DDNS-CONFGEN(8)
NAME
ddns-confgen - ddns key generation tool
SYNOPSIS
ddns-confgen [-a algorithm] [-h] [-k keyname] [-q] [-s name] [-z zone]
DESCRIPTION
ddns-confgen is an utility that generates keys for use in TSIG signing.
The resulting keys can be used, for example, to secure dynamic DNS up-
dates to a zone, or for the rndc <#std-iscman-rndc> command channel.
The key name can specified using -k parameter and defaults to ddns-key.
The generated key is accompanied by configuration text and instructions
that can be used with nsupdate <#std-iscman-nsupdate> and named <#
std-iscman-named> when setting up dynamic DNS, including an example up-
date-policy statement. (This usage is similar to the rndc-confgen <#
std-iscman-rndc-confgen> command for setting up command-channel secu-
rity.)
Note that named <#std-iscman-named> itself can configure a local DDNS
key for use with nsupdate -l <#cmdoption-nsupdate-l>; it does this when
a zone is configured with update-policy local;. ddns-confgen is only
needed when a more elaborate configuration is required: for instance, if
nsupdate <#std-iscman-nsupdate> is to be used from a remote system.
OPTIONS
-a algorithm
This option specifies the algorithm to use for the TSIG key.
Available choices are: hmac-md5, hmac-sha1, hmac-sha224,
hmac-sha256, hmac-sha384, and hmac-sha512. The default is
hmac-sha256. Options are case-insensitive, and the "hmac-" prefix
may be omitted.
-h This option prints a short summary of options and arguments.
-k keyname
This option specifies the key name of the DDNS authentication
key. The default is ddns-key when neither the -s nor -z option is
specified; otherwise, the default is ddns-key as a separate label
followed by the argument of the option, e.g., ddns-key.exam-
ple.com. The key name must have the format of a valid domain
name, consisting of letters, digits, hyphens, and periods.
-q This option enables quiet mode, which prints only the key, with
no explanatory text or usage examples. This is essentially iden-
tical to tsig-keygen <#std-iscman-tsig-keygen>.
-s name
This option generates a configuration example to allow dynamic
updates of a single hostname. The example named.conf <#
std-iscman-named.conf> text shows how to set an update policy for
the specified name using the "name" nametype. The default key
name is ddns-key.name. Note that the "self" nametype cannot be
used, since the name to be updated may differ from the key name.
This option cannot be used with the -z option.
-z zone
This option generates a configuration example to allow dynamic
updates of a zone. The example named.conf <#std-iscman-named
.conf> text shows how to set an update policy for the specified
zone using the "zonesub" nametype, allowing updates to all subdo-
main names within that zone. This option cannot be used with the
-s option.
SEE ALSO
nsupdate(1) <#std-iscman-nsupdate>, named.conf(5) <#std-iscman-named
.conf>, named(8) <#std-iscman-named>, BIND 9 Administrator Reference
Manual.
Author
Internet Systems Consortium
Copyright
2026, Internet Systems Consortium
9.20.21-1~deb13u1-Debian 2026-03-13 DDNS-CONFGEN(8)
Generated by dwww version 1.16 on Mon Mar 30 02:33:19 CEST 2026.