rndc.docbook revision 1479200aa05414b2acf33607dbd1682c16f58c51
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
 - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<refentryinfo>
</refentryinfo>
<refentrytitle><application>rndc</application></refentrytitle>
<refname><application>rndc</application></refname>
<refpurpose>name server control utility</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<holder>Internet Software Consortium.</holder>
<refsynopsisdiv>
<arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>rndc</command> controls the operation of a name
server. It supersedes the <command>ndc</command> utility
that was provided in old BIND releases. If
<command>rndc</command> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their

<command>rndc</command> communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
<command>rndc</command> and <command>named</command>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the

<command>rndc</command> reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
<variablelist>
<varlistentry>
<term>-b <replaceable class="parameter">source-address</replaceable></term>
Use <replaceable class="parameter">source-address</replaceable>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
Use <replaceable class="parameter">config-file</replaceable>
as the configuration file instead of the default,
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key-file</replaceable></term>
Use <replaceable class="parameter">key-file</replaceable>
as the key file instead of the default,
<filename>/etc/rndc.key</filename>. The key in
<filename>/etc/rndc.key</filename> will be used to authenticate
commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
does not exist.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">server</replaceable></term>
<para><replaceable class="parameter">server</replaceable> is
the name or address of the server which matches a
server statement in the configuration file for
<command>rndc</command>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <command>rndc</command>
configuration file will be used.
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
Send commands to TCP port
<replaceable class="parameter">port</replaceable>
instead of BIND 9's default control channel port, 953.
</varlistentry>
<varlistentry>
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
</varlistentry>
<varlistentry>
Instructs <command>rndc</command> to print the result code
returned by <command>named</command> after executing the
requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
</varlistentry>
<varlistentry>
Enable verbose logging.
</varlistentry>
<varlistentry>
<term>-y <replaceable class="parameter">key_id</replaceable></term>
Use the key <replaceable class="parameter">key_id</replaceable>
from the configuration file.
<replaceable class="parameter">key_id</replaceable> must be
known by <command>named</command> with the same algorithm and secret string
in order for control message validation to succeed.
If no <replaceable class="parameter">key_id</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
</varlistentry>
</variablelist>
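An added example, not part of the original page or of the BIND distribution: a Python audit of an rndc configuration file that applies the key lookup order described under -y, reports the legacy hmac-md5 algorithm, and checks that the file is not readable or writable by everyone. The function names, host names, key names and secrets are constructed for illustration, and falling back to default-key when a server statement has no key clause is an assumption of this example.

```python
import os
import re
import stat
import tempfile

# Algorithms the page lists for the control channel. hmac-md5 is kept only
# "for compatibility", so the audit reports it.
SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha224",
             "hmac-sha256", "hmac-sha384", "hmac-sha512"}
LEGACY = {"hmac-md5"}

# Quoted strings are matched before comments, so "//" or "#" inside a base64
# secret is never mistaken for the start of a comment.
_LEX = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

# Constructed sample input: hosts, key names and secrets are placeholders.
SAMPLE_CONF = """
options {
    default-server ns1.example.net;   // used when -s is not given
    default-key    ops-key;           # used when no server statement supplies a key
};
server ns1.example.net { key legacy-key; };
key ops-key    { algorithm hmac-sha256; secret "Q09OU1RSVUNURUQtU0FNUExFLUtFWQ=="; };
key legacy-key { algorithm hmac-md5;    secret "cGxhY2Vob2xk//8="; };
"""

def parse_rndc_conf(text):
    """Parse the options, server and key statements into nested dicts."""
    toks = [t for t in _LEX.findall(text)
            if not t.startswith(("/*", "//", "#"))]
    conf = {"options": {}, "server": {}, "key": {}}
    i = 0
    try:
        while i < len(toks):
            kind = toks[i]
            if kind not in conf:
                raise ValueError("unexpected statement: " + kind)
            i += 1
            target = conf["options"]
            if kind != "options":            # server and key take a name
                target = conf[kind].setdefault(toks[i].strip('"'), {})
                i += 1
            if toks[i] != "{":
                raise ValueError("expected '{' in " + kind + " statement")
            i += 1
            while toks[i] != "}":
                end = toks.index(";", i)     # each clause ends with ';'
                words = [w.strip('"') for w in toks[i:end]]
                target[words[0]] = " ".join(words[1:])
                i = end + 1
            if toks[i + 1] != ";":
                raise ValueError("missing ';' after '}'")
            i += 2
    except IndexError:
        raise ValueError("truncated or malformed configuration") from None
    return conf

def select_key(conf, server=None, key_id=None):
    """Lookup order from the page: -y, the server statement's key clause,
    then the default-key clause of the options statement (also used here,
    as an assumption, when the server statement has no key clause)."""
    server = server or conf["options"].get("default-server")
    if key_id is None:
        key_id = conf["server"].get(server, {}).get("key")
    if key_id is None:
        key_id = conf["options"].get("default-key")
    return server, key_id

def audit(path, server=None, key_id=None):
    """Return the server and key rndc would use, plus a list of findings."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("mode %04o is readable or writable by everyone" % mode)
    with open(path, encoding="utf-8") as fh:
        conf = parse_rndc_conf(fh.read())
    server, key_id = select_key(conf, server, key_id)
    key = conf["key"].get(key_id)
    if key is None:
        findings.append("key %r is not defined in this file" % (key_id,))
    else:
        alg = key.get("algorithm", "").lower()
        if alg not in SUPPORTED:
            findings.append("key %r: unsupported algorithm %r" % (key_id, alg))
        elif alg in LEGACY:
            findings.append("key %r uses legacy %s" % (key_id, alg))
        if not key.get("secret"):
            findings.append("key %r has no secret" % (key_id,))
    return {"server": server, "key_id": key_id, "findings": findings}

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".conf") as tmp:
        tmp.write(SAMPLE_CONF)
        tmp.flush()
        os.chmod(tmp.name, 0o644)            # deliberately too permissive
        for srv in (None, "ns2.example.net"):
            print(audit(tmp.name, server=srv))   # secrets are never printed
```

Only the "other" permission bits are checked, since the page's warning is about general read or write access; a site that also wants to restrict group access can extend the mask.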
A list of commands supported by <command>rndc</command> can
be seen by running <command>rndc</command> without arguments.
Currently supported commands are:
<variablelist>
<varlistentry>
<term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
Add a zone while the server is running. This
command requires the
<command>allow-new-zones</command> option to be set
<replaceable>configuration</replaceable> string
specified on the command line is the zone
configuration text that would ordinarily be
placed in <filename>named.conf</filename>.
The configuration is saved in a file called
<filename><replaceable>name</replaceable>.nzf</filename>,
where <replaceable>name</replaceable> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
restarted, the file will be loaded into the view
configuration, so that zones that were added
can persist after a restart.
This sample <command>addzone</command> command
would add the zone <literal>example.com</literal>
to the default view:
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
(Note the brackets and semi-colon around the zone
configuration text.)
See also <command>rndc delzone</command> and <command>rndc modzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
Delete a zone while the server is running.
If the <option>-clean</option> argument is specified,
the zone's master file (and journal file, if any)
will be deleted along with the zone. Without the
<option>-clean</option> option, zone files must
be cleaned up by hand. (If the zone is of
type "slave" or "stub", the files needing to
be cleaned up will be reported in the output
of the <command>rndc delzone</command> command.)
If the zone was originally added via
<command>rndc addzone</command>, then it will be
removed permanently. However, if it was originally
configured in <filename>named.conf</filename>, then
that original configuration is still in place; when
the server is restarted or reconfigured, the zone will
come back. To remove it permanently, it must also be
removed from <filename>named.conf</filename>.
See also <command>rndc addzone</command> and <command>rndc modzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
Dump the server's caches (default) and/or zones to
the dump file for the specified views. If no view is
specified, all
views are dumped.
(See the <command>dump-file</command> option in
the BIND 9 Administrator Reference Manual.)
</varlistentry>
<varlistentry>
Flushes the server's cache.
</varlistentry>
<varlistentry>
<term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name from the view's DNS cache
and, if applicable, from the view's nameserver address
database, bad server cache and SERVFAIL cache.
</varlistentry>
<varlistentry>
<term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name, and all of its subdomains,
from the view's DNS cache, address database,
bad server cache, and SERVFAIL cache.
</varlistentry>
<varlistentry>
<term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
</varlistentry>
<varlistentry>
<term><userinput>halt <optional>-p</optional></userinput></term>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <option>-p</option> is specified, <command>named</command>'s process id is returned.
This allows an external process to determine when <command>named</command>
has completed halting.
</varlistentry>
<varlistentry>
<term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <command>rndc
sign</command>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
This command requires that the
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</varlistentry>
<varlistentry>
<term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
When run with the "status" keyword, print the current
status of the managed-keys database for the specified
view, or for all views if none is specified. When run
with the "refresh" keyword, force an immediate refresh
of all the managed-keys in the specified view, or all
views. When run with the "sync" keyword, force an
immediate dump of the managed-keys database to disk (in
the file <filename>managed-keys.bind</filename> or
<filename><replaceable>viewname</replaceable>.mkeys</filename>).
</varlistentry>
<varlistentry>
<term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
Modify the configuration of a zone while the server
is running. This command requires the
<command>allow-new-zones</command> option to be
<replaceable>configuration</replaceable> string
specified on the command line is the zone
configuration text that would ordinarily be

If the zone was originally added via
<command>rndc addzone</command>, the configuration
changes will be recorded permanently and will still be
in effect after the server is restarted or reconfigured.
However, if it was originally configured in
<filename>named.conf</filename>, then that original
configuration is still in place; when the server is
restarted or reconfigured, the zone will revert to
its original configuration. To make the changes
permanent, it must also be modified in

See also <command>rndc addzone</command> and <command>rndc delzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Resend NOTIFY messages for the zone.
</varlistentry>
<varlistentry>
<term><userinput>notrace</userinput></term>
Sets the server's debugging level to 0.
</varlistentry>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews <varlistentry>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews <optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews <optional><replaceable>view</replaceable></optional>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Sets a DNSSEC negative trust anchor (NTA)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for <option>domain</option>, with a lifetime of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <option>duration</option>. The default lifetime is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configured in <filename>named.conf</filename> via the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <option>nta-lifetime</option> option, and defaults to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington one hour. The lifetime cannot exceed one week.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A negative trust anchor selectively disables
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington DNSSEC validation for zones that are known to be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington failing because of misconfiguration rather than
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington an attack. When data to be validated is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington at or below an active NTA (and above any other
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater configured trust anchors), <command>named</command> will
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater abort the DNSSEC validation process and treat the data as
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington insecure rather than bogus. This continues until the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater NTA's lifetime is elapsed.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater NTAs persist across restarts of the <command>named</command> server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The NTAs for a view are saved in a file called
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <filename><replaceable>name</replaceable>.nta</filename>,
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater where <replaceable>name</replaceable> is the
b0d566a2ce0f5a67f537ee7f8233f82f2584cc61Automatic Updater name of the view, or if it contains characters
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington that are incompatible with use as a file name, a
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater cryptographic hash generated from the name
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater An existing NTA can be removed by using the
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater An NTA's lifetime can be specified with the
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater <option>-lifetime</option> option. TTL-style
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater suffixes can be used to specify the lifetime in
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater seconds, minutes, or hours. If the specified NTA
532d27b39244fadfcf8d8b4593f4c65434c9c664Automatic Updater already exists, its lifetime will be updated to the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater new value. Setting <option>lifetime</option> to zero
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <option>-dump</option> is used, any other arguments
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater are ignored, and a list of existing NTAs is printed
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington (note that this may include NTAs that are expired but
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater have not yet been cleaned up).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Normally, <command>named</command> will periodically
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater test to see whether data below an NTA can now be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater validated (see the <option>nta-recheck</option> option
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in the Administrator Reference Manual for details).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If data can be validated, then the NTA is regarded as
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater no longer necessary, and will be allowed to expire
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater early. The <option>-force</option> option overrides this
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater behavior and forces an NTA to persist for its entire
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater lifetime, regardless of whether data could be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater validated if the NTA were not present.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater All of these options can be shortened, i.e., to
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <option>-l</option>, <option>-r</option>, <option>-d</option>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Enable or disable query logging. (For backward
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater compatibility, this command can also be used without
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater an argument to toggle query logging on and off.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Query logging can also be enabled
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by explicitly directing the <command>queries</command>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <filename>named.conf</filename> or by specifying
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>reconfig</userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Reload the configuration file and load new zones,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater but do not reload existing zone files even if they
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is faster than a full <command>reload</command> when there
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is a large number of zones because it avoids the need
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to examine the
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater modification times of the zone files.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>recursing</userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Dump the list of queries <command>named</command> is currently
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater recursing on, and the list of domains to which iterative
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington queries are currently being sent. (The second list includes
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater the number of fetches currently active for the given domain,
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater and how many have been passed or dropped because of the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <option>fetches-per-zone</option> option.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
2da2220fe7af2c45724b50b0187523b1fab0cf08Rob Austein <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Schedule zone maintenance for the given zone.
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <term><userinput>reload</userinput></term>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater Reload configuration file and zones.
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater </varlistentry>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <varlistentry>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater Reload the given zone.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater </varlistentry>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater Retransfer the given slave zone from the master server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If the zone is configured to use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <command>inline-signing</command>, the signed
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington version of the zone is discarded; after the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater retransfer of the unsigned version is complete, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater signed version will be regenerated with all new
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Scan the list of available network interfaces
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater for changes, without performing a full
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <command>reconfig</command> or waiting for the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <command>interface-interval</command> timer.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
bbf7c3fd96ae5e02cb84743c581862e35327032aAutomatic Updater <term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Dump the server's security roots and negative trust anchors
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater for the specified views. If no view is specified, all views
6d3ca68adcd2e825d7de011d78f14002c8b7e55eAutomatic Updater If the first argument is "-", then the output is
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington returned via the <command>rndc</command> response channel
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and printed to the standard output.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Otherwise, it is written to the secroots dump file, which
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington defaults to <filename>named.secroots</filename>, but can be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater overridden via the <option>secroots-file</option> option in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington See also <command>rndc managed-keys</command>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Print the configuration of a running zone.
f65d2e1c04c806a185bf9f3120e80692f5ccd5e6Automatic Updater See also <command>rndc zonestatus</command>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Fetch all DNSSEC keys for the given zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater from the key directory (see the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <command>key-directory</command> option in
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater the BIND 9 Administrator Reference Manual). If they are within
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater their publication period, merge them into the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater zone's DNSKEY RRset. If the DNSKEY RRset
3e79333aa37d3b88959372431a02af8a3eb7cfd9Automatic Updater is changed, then the zone is automatically
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson re-signed with the new key set.
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson This command requires that the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <command>auto-dnssec</command> zone option be set
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and also requires the zone to be configured to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater allow dynamic DNS.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (See "Dynamic Update Policies" in the Administrator
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Reference Manual for more details.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater See also <command>rndc loadkeys</command>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater List, edit, or remove the DNSSEC signing state records
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater for the specified zone. The status of ongoing DNSSEC
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater operations (such as signing or generating
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater NSEC3 chains) is stored in the zone in the form
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater of DNS resource records of type
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <command>rndc signing -list</command> converts
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater these records into a human-readable form,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater indicating which keys are currently signing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington or have finished signing the zone, and which NSEC3
47ce374fcf4bac7a56bb69f5dae1d30be5b4376dAutomatic Updater chains are being created or removed.
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <command>rndc signing -clear</command> can remove
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single key (specified in the same format that
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <command>rndc signing -list</command> uses to
47ce374fcf4bac7a56bb69f5dae1d30be5b4376dAutomatic Updater display it), or all keys. In either case, only
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington completed keys are removed; any record indicating
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater that a key has not yet finished signing the zone
47ce374fcf4bac7a56bb69f5dae1d30be5b4376dAutomatic Updater will be retained.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <command>rndc signing -nsec3param</command> sets
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the NSEC3 parameters for a zone. This is the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington only supported mechanism for using NSEC3 with
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Parameters are specified in the same format as
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington an NSEC3PARAM resource record: hash algorithm,
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater flags, iterations, and salt, in that order.
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater Currently, the only defined value for hash algorithm
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is <literal>1</literal>, representing SHA-1.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <literal>0</literal> or <literal>1</literal>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington depending on whether you wish to set the opt-out
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater bit in the NSEC3 chain. <option>iterations</option>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater defines the number of additional times to apply
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the algorithm when generating an NSEC3 hash. The
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington <option>salt</option> is a string of data expressed
6de27e27ad6056d7c049feb912df5a6b9a56d1b8Automatic Updater in hexadecimal, a hyphen (`-') if no salt is
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington to be used, or the keyword <literal>auto</literal>,
6de27e27ad6056d7c049feb912df5a6b9a56d1b8Automatic Updater which causes <command>named</command> to generate a
6de27e27ad6056d7c049feb912df5a6b9a56d1b8Automatic Updater random 64-bit salt.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater So, for example, to create an NSEC3 chain using
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the SHA-1 hash algorithm, no opt-out flag,
6de27e27ad6056d7c049feb912df5a6b9a56d1b8Automatic Updater 10 iterations, and a salt value of "FFFF", use:
af3e516f771c8ba376a8cd954a7233badfce8cdcAutomatic Updater <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews To set the opt-out flag, 15 iterations, and no
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <command>rndc signing -nsec3param none</command>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews removes an existing NSEC3 chain and replaces it
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <command>rndc signing -serial value</command> sets
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews the serial number of the zone to value. If the value
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews would cause the serial number to go backwards, it will
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews be rejected. The primary use is to set the serial on
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews inline signed zones.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews </varlistentry>
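The <option>-nsec3param</option> fields described above, as an added example that is not part of the BIND source or of this manual page: Python code that validates the four fields as the text describes them and computes the RFC 5155 salted, iterated SHA-1 hash, so the effect of <option>iterations</option> and <option>salt</option> on NSEC3 owner names can be checked offline. The function names and the owner name <literal>www.example.test</literal> are assumptions made for illustration; the 16-bit iteration limit and 255-octet salt limit come from the NSEC3PARAM record layout in RFC 5155, not from this page.

```python
import base64
import hashlib
import os
import re

# Standard base32 alphabet -> base32hex (RFC 4648), the encoding of NSEC3 owner labels.
B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    "0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3param(fields):
    """Validate [hash-algorithm, flags, iterations, salt] as the text describes.

    Returns (algorithm, flags, iterations, salt_bytes); raises ValueError otherwise.
    """
    if len(fields) != 4:
        raise ValueError("expected: hash-algorithm flags iterations salt")
    alg, flags, iterations, salt = fields
    if alg != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0 or 1 (1 sets the opt-out bit)")
    if not re.fullmatch(r"[0-9]{1,5}", iterations) or int(iterations) > 0xFFFF:
        raise ValueError("iterations must fit the 16-bit NSEC3PARAM field")
    if salt == "-":
        salt_bytes = b""            # hyphen: no salt
    elif salt == "auto":
        salt_bytes = os.urandom(8)  # stands in for named's random 64-bit salt
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", salt):
        salt_bytes = bytes.fromhex(salt)
    else:
        raise ValueError("salt must be whole hex octets, '-' or 'auto'")
    return 1, int(flags), int(iterations), salt_bytes


def name_to_wire(name):
    """Lower-cased DNS wire format of a plain ASCII name (no escape handling)."""
    stripped = name[:-1] if name.endswith(".") else name
    labels = stripped.split(".") if stripped else []
    wire = b""
    for label in labels:
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("each label must be 1 to 63 octets long")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: one SHA-1 pass plus `iterations` additional passes."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).decode("ascii")
    return encoded.translate(B32_TO_B32HEX).lower()


if __name__ == "__main__":
    # The page's first example: SHA-1, no opt-out, 10 iterations, salt FFFF.
    _, _, iterations, salt = parse_nsec3param("1 0 10 FFFF".split())
    # "www.example.test" is a constructed owner name.
    print(nsec3_hash("www.example.test", salt, iterations))
    # The page's second example: opt-out set, 15 iterations, no salt.
    _, _, iterations, salt = parse_nsec3param("1 1 15 -".split())
    print(nsec3_hash("www.example.test", salt, iterations))
```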
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <varlistentry>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Write server statistics to the statistics file.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews (See the <command>statistics-file</command> option in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the BIND 9 Administrator Reference Manual.)
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>status</userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Display status of the server.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Note that the number of zones includes the internal <command>bind/CH</command> zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater hint zone if there is not an
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater explicit root zone configured.
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews </varlistentry>
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>stop <optional>-p</optional></userinput></term>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Stop the server, making sure any recent changes
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater made through dynamic update or IXFR are first saved to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the master files of the updated zones.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater If <option>-p</option> is specified, <command>named</command>'s process ID is returned.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This allows an external process to determine when <command>named</command>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater has completed stopping.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para>See also <command>rndc halt</command>.</para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Sync changes in the journal file for a dynamic zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to the master file. If the "-clean" option is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater specified, the journal file is also removed. If
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater no zone is specified, then all zones are synced.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater Enable updates to a frozen dynamic zone. If no
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater zone is specified, then all frozen zones are
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington enabled. This causes the server to reload the zone
bbf7c3fd96ae5e02cb84743c581862e35327032aAutomatic Updater from disk, and re-enables dynamic updates after the
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater load has completed. After a zone is thawed,
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater dynamic updates will no longer be refused. If
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater the zone has changed and the
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater <command>ixfr-from-differences</command> option is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in use, then the journal file will be updated to
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater reflect changes in the zone. Otherwise, if the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater zone has changed, any existing journal file will be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <para>See also <command>rndc freeze</command>.</para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Increment the server's debugging level by one.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <term><userinput>trace <replaceable>level</replaceable></userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Sets the server's debugging level to an explicit
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
8227257b1c0224a7991e04bb79dc5059d5062dfbAndreas Gustafsson <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Delete a given TKEY-negotiated key from the server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (This does not apply to statically configured TSIG
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater </varlistentry>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>tsig-list</userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater List the names of all TSIG keys currently configured
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for use by <command>named</command> in each view. The
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater list includes both statically configured keys and dynamic
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater TKEY-negotiated keys.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Enable, disable, or check the current status of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater DNSSEC validation.
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater Note <command>dnssec-enable</command> also needs to be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <userinput>auto</userinput> to be effective.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater It defaults to enabled.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Displays the current status of the given zone,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater including the master file name and any include
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater files from which it was loaded, when it was most
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater recently loaded, the current serial number, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater number of nodes, whether the zone supports
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington dynamic updates, whether the zone is DNSSEC
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater signed, whether it uses automatic DNSSEC key
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater management or inline signing, and the scheduled
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater refresh or expiry times for the zone.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater See also <command>rndc showzone</command>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </variablelist>
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater There is currently no way to provide the shared secret for a
a26b22914b7bf25f065afb8cdef983766dcd672bAutomatic Updater <option>key_id</option> without using the configuration file.
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater Several error messages could be clearer.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater </citerefentry>,
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater <citerefentry>
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater </citerefentry>,
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater <citerefentry>
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater </citerefentry>,
cab3e375b77a980a5d4b7e5e4ee90167439e7934Mark Andrews <citerefentry>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater </citerefentry>,
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater <citerefentry>
cab3e375b77a980a5d4b7e5e4ee90167439e7934Mark Andrews <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater </citerefentry>,
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para><corpauthor>Internet Systems Consortium</corpauthor>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater - Local variables: