d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
523230336909d30111cb060b7eb6fc39d23ad174Tinderbox User - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
83a28ca274521e15086fc39febde507bcc4e145eMark Andrews<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <date>2014-08-15</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </info>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refentryinfo>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refmeta>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refentrytitle><application>rndc</application></refentrytitle>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refmiscinfo>BIND9</refmiscinfo>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refmeta>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refnamediv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refname><application>rndc</application></refname>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refpurpose>name server control utility</refpurpose>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refnamediv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <copyright>
704e6c8876907aac0bf7380effca8bca400d4acdMark Andrews <year>2000</year>
704e6c8876907aac0bf7380effca8bca400d4acdMark Andrews <year>2001</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2004</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2005</year>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews <year>2007</year>
cfa2326b5c96a3a4c720262e077b2baf9fc27970Tinderbox User <year>2013</year>
81f58902eb5a1c1ab22742c72bd6cf318acbc06aTinderbox User <year>2014</year>
b129f72d951663755496670606e5f7303e8f2dc2Tinderbox User <year>2015</year>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews <year>2016</year>
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt <year>2017</year>
523230336909d30111cb060b7eb6fc39d23ad174Tinderbox User <year>2018</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <cmdsynopsis sepchar=" ">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <command>rndc</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-q</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-r</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-V</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="req" rep="norepeat">command</arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </cmdsynopsis>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsynopsisdiv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>DESCRIPTION</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>rndc</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein controls the operation of a name
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein server. It supersedes the <command>ndc</command> utility
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that was provided in old BIND releases. If
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>rndc</command> is invoked with no command line
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein options or arguments, it prints a short summary of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein supported commands and the available options and their
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein arguments.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>rndc</command>
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt communicates with the name server over a TCP connection, sending
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt commands authenticated with digital signatures. In the current
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt versions of
122c58bd11790c7576cdb1c6fd8e4439d0d7f7a5Mark Andrews <command>rndc</command> and <command>named</command>,
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt the only supported authentication algorithms are HMAC-MD5
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt (default), HMAC-SHA384 and HMAC-SHA512.
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt They use a shared secret on each end of the connection.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This provides TSIG-style authentication for the command
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein request and the name server's response. All commands sent
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein over the channel must be signed by a key_id known to the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein server.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>rndc</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reads a configuration file to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein determine how to contact the name server and decide what
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein algorithm and key it should use.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>OPTIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <variablelist>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-b <replaceable class="parameter">source-address</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Use <replaceable class="parameter">source-address</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt as the source address for the connection to the server.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Multiple instances are permitted to allow setting of both
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the IPv4 and IPv6 source addresses.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-c <replaceable class="parameter">config-file</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Use <replaceable class="parameter">config-file</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt as the configuration file instead of the default,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <filename>/etc/rndc.conf</filename>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-k <replaceable class="parameter">key-file</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Use <replaceable class="parameter">key-file</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt as the key file instead of the default,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <filename>/etc/rndc.key</filename>. The key in
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <filename>/etc/rndc.key</filename> will be used to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt authenticate
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt does not exist.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-s <replaceable class="parameter">server</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para><replaceable class="parameter">server</replaceable> is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the name or address of the server which matches a
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt server statement in the configuration file for
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc</command>. If no server is supplied on the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt command line, the host named by the default-server clause
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt in the options statement of the <command>rndc</command>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt configuration file will be used.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-p <replaceable class="parameter">port</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Send commands to TCP port
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <replaceable class="parameter">port</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt instead
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt of BIND 9's default control channel port, 953.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-q</term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Quiet mode: Message text returned by the server
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt will not be printed except when there is an error.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt <varlistentry>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt <term>-r</term>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt <listitem>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt <para>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt Instructs <command>rndc</command> to print the result code
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt returned by <command>named</command> after executing the
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt </para>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt </listitem>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt </varlistentry>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-V</term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Enable verbose logging.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term>-y <replaceable class="parameter">key_id</replaceable></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Use the key <replaceable class="parameter">key_id</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt from the configuration file.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <replaceable class="parameter">key_id</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt must be
2637d30fbd235fe98145f4312b10cc41a13bf7dcJeremy C. Reed known by <command>named</command> with the same algorithm and secret string
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt in order for control message validation to succeed.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt If no <replaceable class="parameter">key_id</replaceable>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt is specified, <command>rndc</command> will first look
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt for a key clause in the server statement of the server
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt being used, or if no server statement is present for that
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt host, then the default-key clause of the options statement.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Note that the configuration file contains shared secrets
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt which are used to send authenticated control commands
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt to name servers. It should therefore not have general read
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt or write access.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>COMMANDS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt A list of commands supported by <command>rndc</command> can
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt be seen by running <command>rndc</command> without arguments.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Currently supported commands are:
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <variablelist>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Add a zone while the server is running. This
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews command requires the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>allow-new-zones</command> option to be set
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews to <userinput>yes</userinput>. The
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <replaceable>configuration</replaceable> string
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews specified on the command line is the zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configuration text that would ordinarily be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews placed in <filename>named.conf</filename>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews The configuration is saved in a file called
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename><replaceable>name</replaceable>.nzf</filename>,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews where <replaceable>name</replaceable> is the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews name of the view, or if it contains characters
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews that are incompatible with use as a file name, a
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews cryptographic hash generated from the name
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews of the view.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews When <command>named</command> is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews restarted, the file will be loaded into the view
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configuration, so that zones that were added
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews can persist after a restart.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews This sample <command>addzone</command> command
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews would add the zone <literal>example.com</literal>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews to the default view:
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (Note the brackets and semi-colon around the zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configuration text.)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc delzone</command> and <command>rndc modzone</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Delete a zone while the server is running.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
9e804040a29b9c3066c8471b43835f30707039b7Evan Hunt If the <option>-clean</option> argument is specified,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the zone's master file (and journal file, if any)
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews will be deleted along with the zone. Without the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <option>-clean</option> option, zone files must
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews be cleaned up by hand. (If the zone is of
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews type "slave" or "stub", the files needing to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews be cleaned up will be reported in the output
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews of the <command>rndc delzone</command> command.)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews If the zone was originally added via
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>rndc addzone</command>, then it will be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews removed permanently. However, if it was originally
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configured in <filename>named.conf</filename>, then
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews that original configuration is still in place; when
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the server is restarted or reconfigured, the zone will
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews come back. To remove it permanently, it must also be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews removed from <filename>named.conf</filename>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc addzone</command> and <command>rndc modzone</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews <varlistentry>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <term><userinput>dnstap ( -reopen | -roll <optional><replaceable>number</replaceable></optional> )</userinput></term>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews <listitem>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews <para>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt Close and re-open DNSTAP output files.
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <command>rndc dnstap -reopen</command> allows the output
19977879caf8579a5fafb0cf3bf1cb983063796cEvan Hunt file to be renamed externally, so
19977879caf8579a5fafb0cf3bf1cb983063796cEvan Hunt that <command>named</command> can truncate and re-open it.
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <command>rndc dnstap -roll</command> causes the output file
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt to be rolled automatically, similar to log files; the most
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt recent output file has ".0" appended to its name; the
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt previous most recent output file is moved to ".1", and so on.
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt If <replaceable>number</replaceable> is specified, then the
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt number of backup log files is limited to that number.
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews </para>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews </listitem>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews </varlistentry>
7d262a3647a517a86d6d83058aedd18b7a6b06dfMark Andrews
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt <term><userinput>dumpdb <optional>-all|-cache|-zones|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Dump the server's caches (default) and/or zones to
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt the dump file for the specified views. If no view
32ceffe2d832412e8f449529bcb898c00eb87b62Evan Hunt is specified, all views are dumped.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (See the <command>dump-file</command> option in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the BIND 9 Administrator Reference Manual.)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>flush</userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Flushes the server's cache.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Flushes the given name from the view's DNS cache
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews and, if applicable, from the view's nameserver address
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews database, bad server cache and SERVFAIL cache.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Flushes the given name, and all of its subdomains,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews from the view's DNS cache, address database,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews bad server cache, and SERVFAIL cache.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Suspend updates to a dynamic zone. If no zone is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews specified, then all zones are suspended. This allows
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews manual edits to be made to a zone normally updated by
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews dynamic update. It also causes changes in the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews journal file to be synced into the master file.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews All dynamic update attempts will be refused while
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the zone is frozen.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc thaw</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term><userinput>halt <optional>-p</optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Stop the server immediately. Recent changes
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt made through dynamic update or IXFR are not saved to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the master files, but will be rolled forward from the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt journal files when the server is restarted.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt If <option>-p</option> is specified <command>named</command>'s process id is returned.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt This allows an external process to determine when <command>named</command>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt had completed halting.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc stop</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Fetch all DNSSEC keys for the given zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews from the key directory. If they are within
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews their publication period, merge them into the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews zone's DNSKEY RRset. Unlike <command>rndc
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews sign</command>, however, the zone is not
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews immediately re-signed by the new keys, but is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews allowed to incrementally re-sign over time.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews This command requires that the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>auto-dnssec</command> zone option
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews be set to <literal>maintain</literal>,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews and also requires the zone to be configured to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews allow dynamic DNS.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (See "Dynamic Update Policies" in the Administrator
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Reference Manual for more details.)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews When run with the "status" keyword, print the current
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews status of the managed-keys database for the specified
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews view, or for all views if none is specified. When run
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews with the "refresh" keyword, force an immediate refresh
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews of all the managed-keys in the specified view, or all
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews views. When run with the "sync" keyword, force an
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews immediate dump of the managed-keys database to disk (in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the file <filename>managed-keys.bind</filename> or
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (<filename><replaceable>viewname</replaceable>.mkeys</filename>).
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Modify the configuration of a zone while the server
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews is running. This command requires the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>allow-new-zones</command> option to be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews set to <userinput>yes</userinput>. As with
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>addzone</command>, the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <replaceable>configuration</replaceable> string
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews specified on the command line is the zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configuration text that would ordinarily be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews placed in <filename>named.conf</filename>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews If the zone was originally added via
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>rndc addzone</command>, the configuration
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews changes will be recorded permanently and will still be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews in effect after the server is restarted or reconfigured.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews However, if it was originally configured in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename>named.conf</filename>, then that original
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews configuration is still in place; when the server is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews restarted or reconfigured, the zone will revert to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews its original configuration. To make the changes
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews permanent, it must also be modified in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename>named.conf</filename>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc addzone</command> and <command>rndc delzone</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Resend NOTIFY messages for the zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>notrace</userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Sets the server's debugging level to 0.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc trace</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term><userinput>nta
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <replaceable>domain</replaceable>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <optional><replaceable>view</replaceable></optional>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Sets a DNSSEC negative trust anchor (NTA)
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt for <option>domain</option>, with a lifetime of
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>duration</option>. The default lifetime is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt configured in <filename>named.conf</filename> via the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>nta-lifetime</option> option, and defaults to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt one hour. The lifetime cannot exceed one week.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt A negative trust anchor selectively disables
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt DNSSEC validation for zones that are known to be
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt failing because of misconfiguration rather than
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt an attack. When data to be validated is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt at or below an active NTA (and above any other
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt configured trust anchors), <command>named</command> will
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt abort the DNSSEC validation process and treat the data as
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt insecure rather than bogus. This continues until the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt NTA's lifetime is elapsed.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
2637d30fbd235fe98145f4312b10cc41a13bf7dcJeremy C. Reed NTAs persist across restarts of the <command>named</command> server.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt The NTAs for a view are saved in a file called
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <filename><replaceable>name</replaceable>.nta</filename>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt where <replaceable>name</replaceable> is the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt name of the view, or if it contains characters
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt that are incompatible with use as a file name, a
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt cryptographic hash generated from the name
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt of the view.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt An existing NTA can be removed by using the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>-remove</option> option.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt An NTA's lifetime can be specified with the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>-lifetime</option> option. TTL-style
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt suffixes can be used to specify the lifetime in
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt seconds, minutes, or hours. If the specified NTA
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt already exists, its lifetime will be updated to the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt new value. Setting <option>lifetime</option> to zero
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt is equivalent to <option>-remove</option>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt If <option>-dump</option> is used, any other arguments
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt are ignored, and a list of existing NTAs is printed
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt (note that this may include NTAs that are expired but
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt have not yet been cleaned up).
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Normally, <command>named</command> will periodically
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt test to see whether data below an NTA can now be
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt validated (see the <option>nta-recheck</option> option
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt in the Administrator Reference Manual for details).
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt If data can be validated, then the NTA is regarded as
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt no longer necessary, and will be allowed to expire
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt early. The <option>-force</option> overrides this
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt behavior and forces an NTA to persist for its entire
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt lifetime, regardless of whether data could be
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt validated if the NTA were not present.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt All of these options can be shortened, i.e., to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>-l</option>, <option>-r</option>, <option>-d</option>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt and <option>-f</option>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
4221d9cd1d02311fbf9b5f08a038f5af78b10b4aEvan Hunt <term><userinput>querylog</userinput> <optional> on | off </optional> </term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Enable or disable query logging. (For backward
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews compatibility, this command can also be used without
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews an argument to toggle query logging on and off.)
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Query logging can also be enabled
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews by explicitly directing the <command>queries</command>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>category</command> to a
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>channel</command> in the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>logging</command> section of
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename>named.conf</filename> or by specifying
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>querylog yes;</command> in the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>options</command> section of
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename>named.conf</filename>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>reconfig</userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Reload the configuration file and load new zones,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews but do not reload existing zone files even if they
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews have changed.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews This is faster than a full <command>reload</command> when there
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews is a large number of zones because it avoids the need
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews to examine the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews modification times of the zones files.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <term><userinput>recursing</userinput></term>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <listitem>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <para>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt Dump the list of queries <command>named</command> is currently
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt recursing on, and the list of domains to which iterative
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt queries are currently being sent. (The second list includes
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt the number of fetches currently active for the given domain,
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt and how many have been passed or dropped because of the
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt <option>fetches-per-zone</option> option.)
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt </para>
3525200d9fb0e70aec4f6a3c7e0ed5a7dd8398afEvan Hunt </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Schedule zone maintenance for the given zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>reload</userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Reload configuration file and zones.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Reload the given zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
2817aa56ca12139849ba1017ff978833174f6294Evan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Retransfer the given slave zone from the master server.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews If the zone is configured to use
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>inline-signing</command>, the signed
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews version of the zone is discarded; after the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews retransfer of the unsigned version is complete, the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews signed version will be regenerated with all new
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews signatures.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>scan</userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Scan the list of available network interfaces
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews for changes, without performing a full
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>reconfig</command> or waiting for the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>interface-interval</command> timer.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Dump the server's security roots and negative trust anchors
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews for the specified views. If no view is specified, all views
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews are dumped.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews If the first argument is "-", then the output is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews returned via the <command>rndc</command> response channel
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews and printed to the standard output.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Otherwise, it is written to the secroots dump file, which
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews defaults to <filename>named.secroots</filename>, but can be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews overridden via the <option>secroots-file</option> option in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <filename>named.conf</filename>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc managed-keys</command>.
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Print the configuration of a running zone.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
8a46213dbea9ed3ae84361ae1e59a3470b65668bMark Andrews See also <command>rndc zonestatus</command>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Fetch all DNSSEC keys for the given zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews from the key directory (see the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>key-directory</command> option in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the BIND 9 Administrator Reference Manual). If they are within
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews their publication period, merge them into the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews zone's DNSKEY RRset. If the DNSKEY RRset
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews is changed, then the zone is automatically
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews re-signed with the new key set.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews This command requires that the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>auto-dnssec</command> zone option be set
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews to <literal>allow</literal> or
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <literal>maintain</literal>,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews and also requires the zone to be configured to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews allow dynamic DNS.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (See "Dynamic Update Policies" in the Administrator
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Reference Manual for more details.)
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc loadkeys</command>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <varlistentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <listitem>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt List, edit, or remove the DNSSEC signing state records
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt for the specified zone. The status of ongoing DNSSEC
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt operations (such as signing or generating
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt NSEC3 chains) is stored in the zone in the form
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt of DNS resource records of type
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews <command>sig-signing-type</command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -list</command> converts
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt these records into a human-readable form,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt indicating which keys are currently signing
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt or have finished signing the zone, and which NSEC3
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt chains are being created or removed.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -clear</command> can remove
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt a single key (specified in the same format that
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -list</command> uses to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt display it), or all keys. In either case, only
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt completed keys are removed; any record indicating
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt that a key has not yet finished signing the zone
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt will be retained.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -nsec3param</command> sets
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the NSEC3 parameters for a zone. This is the
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt only supported mechanism for using NSEC3 with
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>inline-signing</command> zones.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt Parameters are specified in the same format as
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt an NSEC3PARAM resource record: hash algorithm,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt flags, iterations, and salt, in that order.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews Currently, the only defined value for hash algorithm
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt is <literal>1</literal>, representing SHA-1.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt The <option>flags</option> may be set to
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <literal>0</literal> or <literal>1</literal>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt depending on whether you wish to set the opt-out
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt bit in the NSEC3 chain. <option>iterations</option>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt defines the number of additional times to apply
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the algorithm when generating an NSEC3 hash. The
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <option>salt</option> is a string of data expressed
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt in hexadecimal, a hyphen (`-') if no salt is
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt to be used, or the keyword <literal>auto</literal>,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt which causes <command>named</command> to generate a
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt random 64-bit salt.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt So, for example, to create an NSEC3 chain using
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt the SHA-1 hash algorithm, no opt-out flag,
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt 10 iterations, and a salt value of "FFFF", use:
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt To set the opt-out flag, 15 iterations, and no
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt salt, use:
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -nsec3param none</command>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt removes an existing NSEC3 chain and replaces it
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt with NSEC.
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <command>rndc signing -serial value</command> sets
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews the serial number of the zone to value. If the value
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews would cause the serial number to go backwards it will
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews be rejected. The primary use is to set the serial on
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews inline signed zones.
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews </para>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>stats</userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Write server statistics to the statistics file.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (See the <command>statistics-file</command> option in
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the BIND 9 Administrator Reference Manual.)
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>status</userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Display status of the server.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Note that the number of zones includes the internal <command>bind/CH</command> zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews and the default <command>/IN</command>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews hint zone if there is not an
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews explicit root zone configured.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>stop <optional>-p</optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Stop the server, making sure any recent changes
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews made through dynamic update or IXFR are first saved to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the master files of the updated zones.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews If <option>-p</option> is specified <command>named</command>'s process id is returned.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews This allows an external process to determine when <command>named</command>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews had completed stopping.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>See also <command>rndc halt</command>.</para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Sync changes in the journal file for a dynamic zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews to the master file. If the "-clean" option is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews specified, the journal file is also removed. If
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews no zone is specified, then all zones are synced.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Enable updates to a frozen dynamic zone. If no
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews zone is specified, then all frozen zones are
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews enabled. This causes the server to reload the zone
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews from disk, and re-enables dynamic updates after the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews load has completed. After a zone is thawed,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews dynamic updates will no longer be refused. If
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews the zone has changed and the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <command>ixfr-from-differences</command> option is
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews in use, then the journal file will be updated to
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews reflect changes in the zone. Otherwise, if the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews zone has changed, any existing journal file will be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews removed.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>See also <command>rndc freeze</command>.</para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>trace</userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Increment the servers debugging level by one.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>trace <replaceable>level</replaceable></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Sets the server's debugging level to an explicit
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews value.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews See also <command>rndc notrace</command>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Delete a given TKEY-negotiated key from the server.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews (This does not apply to statically configured TSIG
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews keys.)
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <term><userinput>tsig-list</userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews List the names of all TSIG keys currently configured
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews for use by <command>named</command> in each view. The
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews list both statically configured keys and dynamic
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews TKEY-negotiated keys.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
4221d9cd1d02311fbf9b5f08a038f5af78b10b4aEvan Hunt <term><userinput>validation ( on | off | status ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Enable, disable, or check the current status of
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews DNSSEC validation.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Note <command>dnssec-enable</command> also needs to be
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews set to <userinput>yes</userinput> or
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <userinput>auto</userinput> to be effective.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews It defaults to enabled.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <varlistentry>
539c3f73b7cf53603d688591c2749b4036824770Mark Andrews <term><userinput>zonestatus <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews Displays the current status of the given zone,
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews including the master file name and any include
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews files from which it was loaded, when it was most
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews recently loaded, the current serial number, the
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews number of nodes, whether the zone supports
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews dynamic updates, whether the zone is DNSSEC
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews signed, whether it uses automatic DNSSEC key
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews management or inline signing, and the scheduled
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews refresh or expiry times for the zone.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews <para>
31385711705010afd8850f101d768e2ab0871039Mark Andrews See also <command>rndc showzone</command>.
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </para>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </listitem>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews </varlistentry>
52aa2f94981aa570a37c659b451541171f7537a4Mark Andrews
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>LIMITATIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein There is currently no way to provide the shared secret for a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <option>key_id</option> without using the configuration file.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Several error messages could be clearer.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>SEE ALSO</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><citerefentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
b39ee56af9c9a690db068a98cf44af175dbb45edMark Andrews <citerefentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
b39ee56af9c9a690db068a98cf44af175dbb45edMark Andrews </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
591389c7d44e5ca20c357627dd179772cfefaaccEvan Hunt <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>