rndc.docbook revision 74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8d
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5cd4555ad444fd391002ae32450572054369fd42Rob Austein "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt [<!ENTITY mdash "&#8212;">]>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
81f58902eb5a1c1ab22742c72bd6cf318acbc06aTinderbox User - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000, 2001 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews
b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4Mark Andrews<refentry id="man.rndc">
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refentryinfo>
2f5461d23b4044b62d4d668732611909d902e54dJeremy C. Reed <date>August 15, 2014</date>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refentryinfo>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refmeta>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refentrytitle><application>rndc</application></refentrytitle>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refmiscinfo>BIND9</refmiscinfo>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refmeta>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refnamediv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refname><application>rndc</application></refname>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refpurpose>name server control utility</refpurpose>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refnamediv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2004</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2005</year>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews <year>2007</year>
cfa2326b5c96a3a4c720262e077b2baf9fc27970Tinderbox User <year>2013</year>
81f58902eb5a1c1ab22742c72bd6cf318acbc06aTinderbox User <year>2014</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2000</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2001</year>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews <holder>Internet Software Consortium.</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsynopsisdiv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <cmdsynopsis>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <command>rndc</command>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
431859b442e89281a0d42652200a8de0668bc6b9Evan Hunt <arg><option>-q</option></arg>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington <arg><option>-V</option></arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
9b6a170d22d61026d31bde87523f3320628b6ebcBrian Wellington <arg choice="req">command</arg>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </cmdsynopsis>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsynopsisdiv>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <title>DESCRIPTION</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>rndc</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein controls the operation of a name
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein server. It supersedes the <command>ndc</command> utility
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that was provided in old BIND releases. If
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>rndc</command> is invoked with no command line
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein options or arguments, it prints a short summary of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein supported commands and the available options and their
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein arguments.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
<para><command>rndc</command>
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
versions of
<command>rndc</command> and <command>named</command>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
These are keyed-hash algorithms: the same shared secret must be
configured on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response; it authenticates the
messages but does not encrypt them. All commands sent
over the channel must be signed with a key whose key_id is
known to the server.
</para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>rndc</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reads a configuration file to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein determine how to contact the name server and decide what
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein algorithm and key it should use.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <title>OPTIONS</title>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <variablelist>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews <varlistentry>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews <term>-b <replaceable class="parameter">source-address</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Use <replaceable class="parameter">source-address</replaceable>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein as the source address for the connection to the server.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Multiple instances are permitted to allow setting of both
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the IPv4 and IPv6 source addresses.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews </varlistentry>
c4f9e613e12f03795bee18cf2ca8e6a9d39d6468Mark Andrews
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <term>-c <replaceable class="parameter">config-file</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Use <replaceable class="parameter">config-file</replaceable>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein as the configuration file instead of the default,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>/etc/rndc.conf</filename>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews <varlistentry>
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews <term>-k <replaceable class="parameter">key-file</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Use <replaceable class="parameter">key-file</replaceable>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein as the key file instead of the default,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>/etc/rndc.key</filename>. The key in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>/etc/rndc.key</filename> will be used to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein authenticate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein does not exist.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews </varlistentry>
a769eca4e3b223866b01dc8f7a4dde8d9e49bab0Mark Andrews
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <term>-s <replaceable class="parameter">server</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><replaceable class="parameter">server</replaceable> is
6043e41fcf5dc91aa8a981c966512d73bdec31c1Mark Andrews the name or address of the server which matches a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein server statement in the configuration file for
6043e41fcf5dc91aa8a981c966512d73bdec31c1Mark Andrews <command>rndc</command>. If no server is supplied on the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein command line, the host named by the default-server clause
6043e41fcf5dc91aa8a981c966512d73bdec31c1Mark Andrews in the options statement of the <command>rndc</command>
4eb998928b9aef0ceda42d7529980d658138698aEvan Hunt configuration file will be used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <term>-p <replaceable class="parameter">port</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Send commands to TCP port
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <replaceable class="parameter">port</replaceable>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein instead
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein of BIND 9's default control channel port, 953.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt <varlistentry>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt <term>-q</term>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt <listitem>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt <para>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt Quiet mode: Message text returned by the server
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt will not be printed except when there is an error.
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt </para>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt </listitem>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt </varlistentry>
e7c0d42b11358f08e04316d31c67c23261dcdf36Evan Hunt
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington <varlistentry>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington <term>-V</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Enable verbose logging.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington </varlistentry>
b435b1ded3def3159f597953d21dffc1615cb250Brian Wellington
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <varlistentry>
122c58bd11790c7576cdb1c6fd8e4439d0d7f7a5Mark Andrews <term>-y <replaceable class="parameter">key_id</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
<para>
Use the key <replaceable class="parameter">key_id</replaceable>
from the configuration file.
<replaceable class="parameter">key_id</replaceable>
must be known to <command>named</command> with the same
algorithm and secret string in order for control message
validation to succeed.
If no <replaceable class="parameter">key_id</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access. The same applies to the key file given
with <option>-k</option> (by default
<filename>/etc/rndc.key</filename>), since the key it holds
authenticates commands in the same way.
</para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </variablelist>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <refsect1>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <title>COMMANDS</title>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt A list of commands supported by <command>rndc</command> can
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt be seen by running <command>rndc</command> without arguments.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Currently supported commands are:
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <variablelist>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>reload</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Reload configuration file and zones.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Reload the given zone.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Schedule zone maintenance for the given zone.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn Retransfer the given slave zone from the master server.
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn </para>
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn <para>
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn If the zone is configured to use
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn <command>inline-signing</command>, the signed
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn version of the zone is discarded; after the
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn retransfer of the unsigned version is complete, the
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn signed version will be regenerated with all new
8009525601d946805fae58b037cf7dad0da516f8Curtis Blackburn signatures.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Fetch all DNSSEC keys for the given zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt from the key directory (see the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>key-directory</command> option in
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the BIND 9 Administrator Reference Manual). If they are within
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt their publication period, merge them into the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt zone's DNSKEY RRset. If the DNSKEY RRset
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt is changed, then the zone is automatically
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt re-signed with the new key set.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This command requires that the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>auto-dnssec</command> zone option be set
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to <literal>allow</literal> or
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <literal>maintain</literal>,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt and also requires the zone to be configured to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt allow dynamic DNS.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt (See "Dynamic Update Policies" in the Administrator
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Reference Manual for more details.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Fetch all DNSSEC keys for the given zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt from the key directory. If they are within
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt their publication period, merge them into the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt zone's DNSKEY RRset. Unlike <command>rndc
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt sign</command>, however, the zone is not
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt immediately re-signed by the new keys, but is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt allowed to incrementally re-sign over time.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This command requires that the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>auto-dnssec</command> zone option
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt be set to <literal>maintain</literal>,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt and also requires the zone to be configured to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt allow dynamic DNS.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt (See "Dynamic Update Policies" in the Administrator
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Reference Manual for more details.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Suspend updates to a dynamic zone. If no zone is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt specified, then all zones are suspended. This allows
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt manual edits to be made to a zone normally updated by
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt dynamic update. It also causes changes in the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt journal file to be synced into the master file.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt All dynamic update attempts will be refused while
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the zone is frozen.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Enable updates to a frozen dynamic zone. If no
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt zone is specified, then all frozen zones are
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt enabled. This causes the server to reload the zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt from disk, and re-enables dynamic updates after the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt load has completed. After a zone is thawed,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt dynamic updates will no longer be refused. If
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the zone has changed and the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>ixfr-from-differences</command> option is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt in use, then the journal file will be updated to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt reflect changes in the zone. Otherwise, if the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt zone has changed, any existing journal file will be
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt removed.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <varlistentry>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <term><userinput>scan</userinput></term>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <listitem>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <para>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews Scan the list of available network interfaces
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews for changes, without performing a full
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <command>reconfig</command> or waiting for the
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <command>interface-interval</command> timer.
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews </para>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews </listitem>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews </varlistentry>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Sync changes in the journal file for a dynamic zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to the master file. If the "-clean" option is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt specified, the journal file is also removed. If
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt no zone is specified, then all zones are synced.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Resend NOTIFY messages for the zone.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>reconfig</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Reload the configuration file and load new zones,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt but do not reload existing zone files even if they
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt have changed.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This is faster than a full <command>reload</command> when there
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt is a large number of zones because it avoids the need
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to examine the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt modification times of the zone files.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Displays the current status of the given zone,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt including the master file name and any include
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt files from which it was loaded, when it was most
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt recently loaded, the current serial number, the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt number of nodes, whether the zone supports
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt dynamic updates, whether the zone is DNSSEC
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt signed, whether it uses automatic DNSSEC key
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt management or inline signing, and the scheduled
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt refresh or expiry times for the zone.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>stats</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Write server statistics to the statistics file.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Enable or disable query logging. (For backward
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt compatibility, this command can also be used without
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt an argument to toggle query logging on and off.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Query logging can also be enabled
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt by explicitly directing the <command>queries</command>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>category</command> to a
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>channel</command> in the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>logging</command> section of
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <filename>named.conf</filename> or by specifying
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>querylog yes;</command> in the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>options</command> section of
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <filename>named.conf</filename>.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Dump the server's caches (default) and/or zones to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt dump file for the specified views. If no view is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt specified, all
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt views are dumped.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt Dump the server's security roots and negative trust anchors
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt to the secroots file for the specified views. If no view is
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt specified, all views are dumped.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>stop <optional>-p</optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Stop the server, making sure any recent changes
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt made through dynamic update or IXFR are first saved to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the master files of the updated zones.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt If <option>-p</option> is specified, <command>named</command>'s process id is returned.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This allows an external process to determine when <command>named</command>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt has completed stopping.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>halt <optional>-p</optional></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Stop the server immediately. Recent changes
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt made through dynamic update or IXFR are not saved to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the master files, but will be rolled forward from the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt journal files when the server is restarted.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt If <option>-p</option> is specified, <command>named</command>'s process id is returned.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This allows an external process to determine when <command>named</command>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt has completed halting.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>trace</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Increment the server's debugging level by one.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Sets the server's debugging level to an explicit
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt value.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>notrace</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Sets the server's debugging level to 0.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>flush</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Flushes the server's cache.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
a8783019814daa36dd57afe3f527462822834c3bEvan Hunt Flushes the given name from the view's DNS cache
a8783019814daa36dd57afe3f527462822834c3bEvan Hunt and, if applicable, from the view's nameserver address
a8783019814daa36dd57afe3f527462822834c3bEvan Hunt database, bad server cache and SERVFAIL cache.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
2f5461d23b4044b62d4d668732611909d902e54dJeremy C. Reed <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Flushes the given name, and all of its subdomains,
a8783019814daa36dd57afe3f527462822834c3bEvan Hunt from the view's DNS cache, address database,
a8783019814daa36dd57afe3f527462822834c3bEvan Hunt bad server cache, and SERVFAIL cache.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>status</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Display status of the server.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Note that the number of zones includes the internal <command>bind/CH</command> zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt and the default <command>/IN</command>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt hint zone if there is not an
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt explicit root zone configured.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>recursing</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Dump the list of queries <command>named</command> is currently recursing
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt on.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Enable, disable, or check the current status of
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt DNSSEC validation.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Note that <command>dnssec-enable</command> also needs to be
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt set to <userinput>yes</userinput> or
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <userinput>auto</userinput> for validation to be effective.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt It defaults to enabled.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <varlistentry>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <term><userinput>nta
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <replaceable>domain</replaceable>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <optional><replaceable>view</replaceable></optional>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt </userinput></term>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <listitem>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt Sets a DNSSEC negative trust anchor (NTA)
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt for <option>domain</option>, with a lifetime of
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <option>lifetime</option>. The default lifetime is
22c15979377db32808c19f3569ce4491c815531bJeremy C. Reed configured in <filename>named.conf</filename> via the
22c15979377db32808c19f3569ce4491c815531bJeremy C. Reed <option>nta-lifetime</option> option, and defaults to
3d066288ad6c6fe2ec2a54475f541a305a085068Evan Hunt one hour. The lifetime cannot exceed one week.
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt A negative trust anchor selectively disables
22c15979377db32808c19f3569ce4491c815531bJeremy C. Reed DNSSEC validation for zones that are known to be
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt failing because of misconfiguration rather than
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt an attack. When data to be validated is
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt at or below an active NTA (and above any other
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt configured trust anchors), <command>named</command> will
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt abort the DNSSEC validation process and treat the data as
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt insecure rather than bogus. This continues until the
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt NTA's lifetime has elapsed, or until the server is
edad003e630cf9a25db88d95247d10eb96117d66Jeremy C. Reed restarted (NTAs do not persist across restarts).
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt An existing NTA can be removed by using the
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <option>-remove</option> option.
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt </para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt An NTA's lifetime can be specified with the
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <option>-lifetime</option> option. TTL-style
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt suffixes can be used to specify the lifetime in
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt seconds, minutes, or hours. If the specified NTA
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt already exists, its lifetime will be updated to the
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt new value. Setting <option>lifetime</option> to zero
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt is equivalent to <option>-remove</option>.
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt </para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt If <option>-dump</option> is used, any other arguments
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt are ignored, and a list of existing NTAs is printed
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt (note that this may include NTAs that are expired but
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt have not yet been cleaned up).
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt </para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt Normally, <command>named</command> will periodically
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt test to see whether data below an NTA can now be
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt validated (see the <option>nta-recheck</option> option
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt in the Administrator Reference Manual for details).
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt If data can be validated, then the NTA is regarded as
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt no longer necessary, and will be allowed to expire
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt early. The <option>-force</option> option overrides this
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt behavior and forces an NTA to persist for its entire
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt lifetime, regardless of whether data could be
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt validated if the NTA were not present.
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt <para>
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt All of these options can be shortened, i.e., to
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt <option>-l</option>, <option>-r</option>, <option>-d</option>,
b8a9632333a92d73a503afe1aaa7990016c8bee9Evan Hunt and <option>-f</option>.
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </para>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </listitem>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt </varlistentry>
0cfb24736841b3e98bb25853229a0efabab88bddEvan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>tsig-list</userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt List the names of all TSIG keys currently configured
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt for use by <command>named</command> in each view. The
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt list includes both statically configured keys and dynamic
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt TKEY-negotiated keys.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Delete a given TKEY-negotiated key from the server.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt (This does not apply to statically configured TSIG
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt keys.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Add a zone while the server is running. This
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt command requires the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>allow-new-zones</command> option to be set
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to <userinput>yes</userinput>. The
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <replaceable>configuration</replaceable> string
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt specified on the command line is the zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt configuration text that would ordinarily be
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt placed in <filename>named.conf</filename>.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt The configuration is saved in a file called
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt <filename><replaceable>name</replaceable>.nzf</filename>,
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt where <replaceable>name</replaceable> is the
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt name of the view, or if it contains characters
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt that are incompatible with use as a file name, a
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt cryptographic hash generated from the name
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt of the view.
ce96d4326c872c8165b5e3a81ac5b49950c782c6Evan Hunt When <command>named</command> is
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt restarted, the file will be loaded into the view
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt configuration, so that zones that were added
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt can persist after a restart.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt This sample <command>addzone</command> command
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt would add the zone <literal>example.com</literal>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to the default view:
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt (Note the brackets and semi-colon around the zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt configuration text.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Delete a zone while the server is running.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt If the <option>-clean</option> option is specified,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the zone's master file (and journal file, if any)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt will be deleted along with the zone. Without the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <option>-clean</option> option, zone files must
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt be cleaned up by hand. (If the zone is of
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt type "slave" or "stub", the files needing to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt be cleaned up will be reported in the output
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt of the <command>rndc delzone</command> command.)
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <para>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt If the zone was originally added via
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <command>rndc addzone</command>, then it will be
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt removed permanently. However, if it was originally
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt configured in <filename>named.conf</filename>, then
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt that original configuration is still in place; when
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt the server is restarted or reconfigured, the zone will
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt come back. To remove it permanently, it must also be
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt removed from <filename>named.conf</filename>.
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt </para>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt </listitem>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt </varlistentry>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <varlistentry>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <listitem>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt <para>
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt Print the configuration of a running zone.
74eb2f5cbc98d9646bcd13ffcb17688f0db5ab8dEvan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <varlistentry>
cb6ec834f1dd40385b8dd37dd27285ddf7d7f51dMark Andrews <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
3ef4b7383ab4310df48ee5143e361ab1cfa3c8e8Evan Hunt List, edit, or remove the DNSSEC signing state records
3ef4b7383ab4310df48ee5143e361ab1cfa3c8e8Evan Hunt for the specified zone. The status of ongoing DNSSEC
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt operations (such as signing or generating
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt NSEC3 chains) is stored in the zone in the form
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt of DNS resource records of type
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>sig-signing-type</command>.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -list</command> converts
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt these records into a human-readable form,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt indicating which keys are currently signing
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt or have finished signing the zone, and which NSEC3
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt chains are being created or removed.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -clear</command> can remove
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the signing state record for a single key (specified in the same format that
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -list</command> uses to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt display it), or the records for all keys. In either case, only
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt records for keys that have finished signing are removed; any record indicating
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt that a key has not yet finished signing the zone
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt will be retained.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -nsec3param</command> sets
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the NSEC3 parameters for a zone. This is the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt only supported mechanism for using NSEC3 with
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>inline-signing</command> zones.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Parameters are specified in the same format as
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt an NSEC3PARAM resource record: hash algorithm,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt flags, iterations, and salt, in that order.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt Currently, the only defined value for hash algorithm
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt is <literal>1</literal>, representing SHA-1.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt The <option>flags</option> may be set to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <literal>0</literal> or <literal>1</literal>,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt depending on whether you wish to set the opt-out
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt bit in the NSEC3 chain. <option>iterations</option>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt defines the number of additional times to apply
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the algorithm when generating an NSEC3 hash. The
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <option>salt</option> is a string of data expressed
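62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt in hexadecimal, a hyphen (<literal>-</literal>) if no salt is
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt to be used, or the keyword <literal>auto</literal>,
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt which causes <command>named</command> to generate a
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt random 64-bit salt. Each additional iteration adds
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt hashing work for the signer, the authoritative server,
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt and validating resolvers on every negative answer;
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt RFC 9276 recommends an iterations value of
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt <literal>0</literal> and no salt.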
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt So, for example, to create an NSEC3 chain using
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the SHA-1 hash algorithm, no opt-out flag,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt 10 iterations, and a salt value of "FFFF", use:
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt To set the opt-out flag, 15 iterations, and no
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt salt, use:
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <command>rndc signing -nsec3param none</command>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt removes an existing NSEC3 chain and replaces it
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt with NSEC.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </para>
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews <para>
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews <command>rndc signing -serial <replaceable>value</replaceable></command> sets
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews the serial number of the zone to <replaceable>value</replaceable>. If the value
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews would cause the serial number to go backwards, it will
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews be rejected. The primary use is to set the serial on
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews inline-signed zones.
4140a96f22b2319a658c17723c976ddff0e2633aMark Andrews </para>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </listitem>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </varlistentry>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </variablelist>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <title>LIMITATIONS</title>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
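268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein There is currently no way to provide the shared secret for a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <option>key_id</option> without using the configuration file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Because that file therefore contains the secret, its permissions
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein should allow reading only by users permitted to control the server.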
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Several error messages could be clearer.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <title>SEE ALSO</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
b39ee56af9c9a690db068a98cf44af175dbb45edMark Andrews <citerefentry>
b39ee56af9c9a690db068a98cf44af175dbb45edMark Andrews <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
b39ee56af9c9a690db068a98cf44af175dbb45edMark Andrews </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </citerefentry>,
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley <title>AUTHOR</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><corpauthor>Internet Systems Consortium</corpauthor>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </para>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley </refsect1>
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</refentry><!--
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley - Local variables:
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley - mode: sgml
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley - End:
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley-->