rndc.docbook revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
f743002678eb67b99bbc29fee116b65d9530fec0wrowe<!--
80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem -
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - This Source Code Form is subject to the terms of the Mozilla Public
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - License, v. 2.0. If a copy of the MPL was not distributed with this
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - file, You can obtain one at http://mozilla.org/MPL/2.0/.
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic-->
4da61833a1cbbca94094f9653fd970582b97a72etrawick
4da61833a1cbbca94094f9653fd970582b97a72etrawick<!-- Converted by db4-upgrade version 1.0 -->
4da61833a1cbbca94094f9653fd970582b97a72etrawick<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
4da61833a1cbbca94094f9653fd970582b97a72etrawick <info>
4da61833a1cbbca94094f9653fd970582b97a72etrawick <date>2014-08-15</date>
4789804be088bcd86ae637a29cdb7fda25169521jailletc </info>
4789804be088bcd86ae637a29cdb7fda25169521jailletc <refentryinfo>
4789804be088bcd86ae637a29cdb7fda25169521jailletc <corpname>ISC</corpname>
4789804be088bcd86ae637a29cdb7fda25169521jailletc <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
e50c3026198fd496f183cda4c32a202925476778covener </refentryinfo>
e50c3026198fd496f183cda4c32a202925476778covener
e50c3026198fd496f183cda4c32a202925476778covener <refmeta>
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin <refentrytitle><application>rndc</application></refentrytitle>
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin <manvolnum>8</manvolnum>
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic <refmiscinfo>BIND9</refmiscinfo>
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic </refmeta>
6c3b9cebb551140fbb25d58bae08b539b3802133ylavic
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic <refnamediv>
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic <refname><application>rndc</application></refname>
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic <refpurpose>name server control utility</refpurpose>
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic </refnamediv>
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic <docinfo>
69301145375a889e7e37caf7cc7321ac0f91801erpluem <copyright>
69301145375a889e7e37caf7cc7321ac0f91801erpluem <year>2004</year>
69301145375a889e7e37caf7cc7321ac0f91801erpluem <year>2005</year>
506bfe33206b2fece40ef25f695af39dd4130facjkaluza <year>2007</year>
506bfe33206b2fece40ef25f695af39dd4130facjkaluza <year>2013</year>
506bfe33206b2fece40ef25f695af39dd4130facjkaluza <year>2014</year>
506bfe33206b2fece40ef25f695af39dd4130facjkaluza <year>2015</year>
d58a848a016d401b965111e50ef829e1641f7834minfrin <year>2016</year>
d58a848a016d401b965111e50ef829e1641f7834minfrin <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
d58a848a016d401b965111e50ef829e1641f7834minfrin </copyright>
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf <copyright>
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf <year>2000</year>
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf <year>2001</year>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic <holder>Internet Software Consortium.</holder>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic </copyright>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic </docinfo>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic <refsynopsisdiv>
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <cmdsynopsis sepchar=" ">
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <command>rndc</command>
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-q</option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-r</option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-V</option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="req" rep="norepeat">command</arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener </cmdsynopsis>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener </refsynopsisdiv>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener
44ff304057225e944e220e981d434a046d14cf06covener <refsection><info><title>DESCRIPTION</title></info>
44ff304057225e944e220e981d434a046d14cf06covener
44ff304057225e944e220e981d434a046d14cf06covener <para><command>rndc</command>
44ff304057225e944e220e981d434a046d14cf06covener controls the operation of a name
5d1ba75b8794925e67591c209085a49279791de9covener server. It supersedes the <command>ndc</command> utility
5d1ba75b8794925e67591c209085a49279791de9covener that was provided in old BIND releases. If
5d1ba75b8794925e67591c209085a49279791de9covener <command>rndc</command> is invoked with no command line
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand options or arguments, it prints a short summary of the
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand supported commands and the available options and their
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand arguments.
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand </para>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic <para><command>rndc</command>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic communicates with the name server over a TCP connection, sending
caad2986f81ab263f7af41467dd622dc9add17f3ylavic commands authenticated with digital signatures. In the current
caad2986f81ab263f7af41467dd622dc9add17f3ylavic versions of
45a10d38e6051fd7bdf9d742aaae633d97ff02abjailletc <command>rndc</command> and <command>named</command>,
f7317ff316c2b141feea31bddb74d5d3fa1584edjorton the only supported authentication algorithms are HMAC-MD5
f7317ff316c2b141feea31bddb74d5d3fa1584edjorton (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
2165214331e4afafca4048f66f303d0253d7b001covener (default), HMAC-SHA384 and HMAC-SHA512.
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem They use a shared secret on each end of the connection.
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem This provides TSIG-style authentication for the command
1e2d421a36999d292042a5539971070d54aa6c63ylavic request and the name server's response. All commands sent
1e2d421a36999d292042a5539971070d54aa6c63ylavic over the channel must be signed by a key_id known to the
1e2d421a36999d292042a5539971070d54aa6c63ylavic server.
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh </para>
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh <para><command>rndc</command>
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh reads a configuration file to
0b67eb8568cd58bb77082703951679b42cf098actrawick determine how to contact the name server and decide what
0b67eb8568cd58bb77082703951679b42cf098actrawick algorithm and key it should use.
0b67eb8568cd58bb77082703951679b42cf098actrawick </para>
0b67eb8568cd58bb77082703951679b42cf098actrawick </refsection>
5ef3c61605a3a021ff71f488983cb0065f8e1a79covener
fb1985a97912b25ec6564c73e610a31e5fc6e25fcovener <refsection><info><title>OPTIONS</title></info>
09c87c777bed1655621bb20e1c46cb6b1a63279dcovener
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic <variablelist>
3060ce7f798fbda7999cd4ddf89b525d2b294185covener <varlistentry>
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic <term>-b <replaceable class="parameter">source-address</replaceable></term>
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic <listitem>
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic <para>
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc Use <replaceable class="parameter">source-address</replaceable>
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc as the source address for the connection to the server.
e466c40e1801982602ee0200c9e8b61cc148742djailletc Multiple instances are permitted to allow setting of both
e466c40e1801982602ee0200c9e8b61cc148742djailletc the IPv4 and IPv6 source addresses.
457468b82e59d01eba00dd9d0817309c8f5e414ejim </para>
457468b82e59d01eba00dd9d0817309c8f5e414ejim </listitem>
457468b82e59d01eba00dd9d0817309c8f5e414ejim </varlistentry>
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton <varlistentry>
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem <term>-c <replaceable class="parameter">config-file</replaceable></term>
15660979a30d251681463de2e0584853890082accovener <listitem>
15660979a30d251681463de2e0584853890082accovener <para>
49dacedb6c387b786b7911082ff35121a45f414bcovener Use <replaceable class="parameter">config-file</replaceable>
49dacedb6c387b786b7911082ff35121a45f414bcovener as the configuration file instead of the default,
cfd9415521847b2f9394fad04fb701cfb955f503rjung <filename>/etc/rndc.conf</filename>.
cfd9415521847b2f9394fad04fb701cfb955f503rjung </para>
cfd9415521847b2f9394fad04fb701cfb955f503rjung </listitem>
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe </varlistentry>
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe <varlistentry>
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe <term>-k <replaceable class="parameter">key-file</replaceable></term>
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe <listitem>
8491e0600f69b0405e156ea8a419653c065c645bcovener <para>
63b9f1f5880391261705f696d7d65507bbe9ace3covener Use <replaceable class="parameter">key-file</replaceable>
63b9f1f5880391261705f696d7d65507bbe9ace3covener as the key file instead of the default,
63b9f1f5880391261705f696d7d65507bbe9ace3covener <filename>/etc/rndc.key</filename>. The key in
49dacedb6c387b786b7911082ff35121a45f414bcovener <filename>/etc/rndc.key</filename> will be used to
49dacedb6c387b786b7911082ff35121a45f414bcovener authenticate
49dacedb6c387b786b7911082ff35121a45f414bcovener commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
49dacedb6c387b786b7911082ff35121a45f414bcovener does not exist.
3c990331fc6702119e4f5b8ba9eae3021aea5265jim </para>
3c990331fc6702119e4f5b8ba9eae3021aea5265jim </listitem>
3c990331fc6702119e4f5b8ba9eae3021aea5265jim </varlistentry>
3c990331fc6702119e4f5b8ba9eae3021aea5265jim
fc42512879dd0504532f52fe5d0d0383dda96a1eniq <varlistentry>
fc42512879dd0504532f52fe5d0d0383dda96a1eniq <term>-s <replaceable class="parameter">server</replaceable></term>
fc42512879dd0504532f52fe5d0d0383dda96a1eniq <listitem>
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq <para><replaceable class="parameter">server</replaceable> is
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq the name or address of the server which matches a
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq server statement in the configuration file for
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc <command>rndc</command>. If no server is supplied on the
983528026996668ea295be95aedb9c7a346af470ylavic command line, the host named by the default-server clause
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc in the options statement of the <command>rndc</command>
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc configuration file will be used.
06b8f183140c8e02e0974e938a05078b511d1603covener </para>
06b8f183140c8e02e0974e938a05078b511d1603covener </listitem>
06b8f183140c8e02e0974e938a05078b511d1603covener </varlistentry>
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <varlistentry>
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <term>-p <replaceable class="parameter">port</replaceable></term>
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <listitem>
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <para>
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem Send commands to TCP port
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin <replaceable class="parameter">port</replaceable>
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin instead
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin of BIND 9's default control channel port, 953.
65967d05f839dbf27cf91d91fa79585eeae19660minfrin </para>
65967d05f839dbf27cf91d91fa79585eeae19660minfrin </listitem>
65967d05f839dbf27cf91d91fa79585eeae19660minfrin </varlistentry>
65967d05f839dbf27cf91d91fa79585eeae19660minfrin
8152945ae46857b170cb227e79bb799f4fc7710dminfrin <varlistentry>
8152945ae46857b170cb227e79bb799f4fc7710dminfrin <term>-q</term>
8152945ae46857b170cb227e79bb799f4fc7710dminfrin <listitem>
8152945ae46857b170cb227e79bb799f4fc7710dminfrin <para>
75f5c2db254c0167a0e396254460de09b775d203trawick Quiet mode: Message text returned by the server
75f5c2db254c0167a0e396254460de09b775d203trawick will not be printed except when there is an error.
75f5c2db254c0167a0e396254460de09b775d203trawick </para>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph </listitem>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph </varlistentry>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick <varlistentry>
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick <term>-r</term>
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick <listitem>
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick <para>
54d750a84a175d8e338880514d440773eb986b50covener Instructs <command>rndc</command> to print the result code
54d750a84a175d8e338880514d440773eb986b50covener returned by <command>named</command> after executing the
54d750a84a175d8e338880514d440773eb986b50covener requested command (e.g., ISC_R_SUCCESS or ISC_R_FAILURE).
54d750a84a175d8e338880514d440773eb986b50covener </para>
54d750a84a175d8e338880514d440773eb986b50covener </listitem>
54d750a84a175d8e338880514d440773eb986b50covener </varlistentry>
54d750a84a175d8e338880514d440773eb986b50covener
54d750a84a175d8e338880514d440773eb986b50covener <varlistentry>
7a3aa12f0eda24793ee26d6a179bd53132e9dae8covener <term>-V</term>
54d750a84a175d8e338880514d440773eb986b50covener <listitem>
54d750a84a175d8e338880514d440773eb986b50covener <para>
83b50288fa7d306324bba68832011ea08f5c7832covener Enable verbose logging.
4e30ef014533a7e93c92d88306291f5e49c9692ftrawick </para>
83b50288fa7d306324bba68832011ea08f5c7832covener </listitem>
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick </varlistentry>
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick <varlistentry>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener <term>-y <replaceable class="parameter">key_id</replaceable></term>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener <listitem>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener <para>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener Use the key <replaceable class="parameter">key_id</replaceable>
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener from the configuration file.
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener <replaceable class="parameter">key_id</replaceable>
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener must be
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener known by <command>named</command> with the same algorithm and secret string
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener in order for control message validation to succeed.
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener If no <replaceable class="parameter">key_id</replaceable>
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener is specified, <command>rndc</command> will first look
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd for a key clause in the server statement of the server
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd being used, or if no server statement is present for that
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd host, then the default-key clause of the options statement.
179565be4043d7e5f9161aa75271fa0a001866d9covener Note that the configuration file contains shared secrets
179565be4043d7e5f9161aa75271fa0a001866d9covener which are used to send authenticated control commands
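179565be4043d7e5f9161aa75271fa0a001866d9covener to name servers. It should therefore not be readable or
111436a32ba1254291e4883292fb116d15fe8f64covener writable by general users. The same applies to a separate key file (see <option>-k</option>), since it holds the same kind of shared secret.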
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener </para>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener </listitem>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener </varlistentry>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick </variablelist>
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick </refsection>
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz <refsection><info><title>COMMANDS</title></info>
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz <para>
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza A list of commands supported by <command>rndc</command> can
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza be seen by running <command>rndc</command> without arguments.
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza </para>
efe780dcf13b2b95effabf897d694d8f23feac74trawick <para>
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin Currently supported commands are:
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin </para>
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza <variablelist>
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza <varlistentry>
ba050a6f942b9fa0e81ed73437588005c569655ccovener <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
ba050a6f942b9fa0e81ed73437588005c569655ccovener <listitem>
ba050a6f942b9fa0e81ed73437588005c569655ccovener <para>
ba050a6f942b9fa0e81ed73437588005c569655ccovener Add a zone while the server is running. This
135ddda3a989215d2bedbcf1529bfb269c3eda23niq command requires the
135ddda3a989215d2bedbcf1529bfb269c3eda23niq <command>allow-new-zones</command> option to be set
135ddda3a989215d2bedbcf1529bfb269c3eda23niq to <userinput>yes</userinput>. The
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh <replaceable>configuration</replaceable> string
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh specified on the command line is the zone
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh configuration text that would ordinarily be
efe780dcf13b2b95effabf897d694d8f23feac74trawick placed in <filename>named.conf</filename>.
793214f67dede32edfd9ee96c664ead04d175cbbjfclere </para>
cc5a4a08dc9783fcbc52ce86f11e01c281a43810minfrin <para>
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener The configuration is saved in a file called
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener <filename><replaceable>name</replaceable>.nzf</filename>,
9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener where <replaceable>name</replaceable> is the
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza name of the view, or if it contains characters
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza that are incompatible with use as a file name, a
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza cryptographic hash generated from the name
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza of the view.
56589be3d7a3e9343370df240010c6928cc78b39jkaluza When <command>named</command> is
56589be3d7a3e9343370df240010c6928cc78b39jkaluza restarted, the file will be loaded into the view
56589be3d7a3e9343370df240010c6928cc78b39jkaluza configuration, so that zones that were added
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc can persist after a restart.
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc </para>
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc <para>
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc This sample <command>addzone</command> command
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick would add the zone <literal>example.com</literal>
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick to the default view:
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick </para>
4d12805e6c18253040223ea637acd6b3b3c18f60jorton <para>
4d12805e6c18253040223ea637acd6b3b3c18f60jorton<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
4d12805e6c18253040223ea637acd6b3b3c18f60jorton </para>
85eacfc96a04547ef25aabbc06440039715084c2jorton <para>
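85eacfc96a04547ef25aabbc06440039715084c2jorton (Note the curly brackets around the zone configuration text and the
e5d909f2b06bd880fb3675cd49363df981caa631trawick semi-colon that ends it; the single quotes pass the whole text to <command>rndc</command> as one argument.)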
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener </para>
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener <para>
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener See also <command>rndc delzone</command> and <command>rndc modzone</command>.
cb666b29f81df1d11d65002250153353568021fccovener </para>
cb666b29f81df1d11d65002250153353568021fccovener </listitem>
cb666b29f81df1d11d65002250153353568021fccovener </varlistentry>
6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covener
1c2cab00d988fc48cbe59032cf76cc0bab20d6f7covener <varlistentry>
6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covener <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
75a230a728338d84dcfe81edd375352f34de22d0covener <listitem>
75a230a728338d84dcfe81edd375352f34de22d0covener <para>
75a230a728338d84dcfe81edd375352f34de22d0covener Delete a zone while the server is running.
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener </para>
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener <para>
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener If the <option>-clean</option> argument is specified,
63a5ea80bddcc84a462e40f402b4f330e0e05411covener the zone's master file (and journal file, if any)
63a5ea80bddcc84a462e40f402b4f330e0e05411covener will be deleted along with the zone. Without the
63a5ea80bddcc84a462e40f402b4f330e0e05411covener <option>-clean</option> option, zone files must
63a5ea80bddcc84a462e40f402b4f330e0e05411covener be cleaned up by hand. (If the zone is of
65a4e663b82f8bce28ac22ab2edfd7502de36998sf type "slave" or "stub", the files needing to
65a4e663b82f8bce28ac22ab2edfd7502de36998sf be cleaned up will be reported in the output
65a4e663b82f8bce28ac22ab2edfd7502de36998sf of the <command>rndc delzone</command> command.)
65a4e663b82f8bce28ac22ab2edfd7502de36998sf </para>
c7de1955eb0eaeabf7042902476397692672d549sf <para>
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin If the zone was originally added via
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin <command>rndc addzone</command>, then it will be
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin removed permanently. However, if it was originally
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin configured in <filename>named.conf</filename>, then
a511a29faf2ff7ead3b67680154a624effb31aafminfrin that original configuration is still in place; when
a511a29faf2ff7ead3b67680154a624effb31aafminfrin the server is restarted or reconfigured, the zone will
a511a29faf2ff7ead3b67680154a624effb31aafminfrin come back. To remove it permanently, it must also be
a511a29faf2ff7ead3b67680154a624effb31aafminfrin removed from <filename>named.conf</filename>.
a511a29faf2ff7ead3b67680154a624effb31aafminfrin </para>
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin <para>
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin See also <command>rndc addzone</command> and <command>rndc modzone</command>.
63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin </para>
deec48c67d4786bc77112ffbf3a4e70b931097edminfrin </listitem>
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin </varlistentry>
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin <varlistentry>
6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin <term><userinput>dnstap-reopen</userinput></term>
684e0cfc200f66287a93bbd1708d1dd8a92a7eefcovener <listitem>
684e0cfc200f66287a93bbd1708d1dd8a92a7eefcovener <para>
5c43d2fb853f84497b5ece2d414ef9484aa87e5fsf Close and re-open DNSTAP output files. This allows the files
05a5a9c3e16f21566e1b61f4bd68025ce1b741ccjoes to be renamed externally and then re-opened.
05a5a9c3e16f21566e1b61f4bd68025ce1b741ccjoes </para>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq </listitem>
26c5829347f6a355c00f1ba0301d575056b69536niq </varlistentry>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq <varlistentry>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq <term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq <listitem>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq <para>
ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq Dump the server's caches (default) and/or zones to
413ee814748f37be168ff12407fa6dba0ceeabe6trawick the
c12917da693bae4028a1d5a5e8224bceed8c739dsf dump file for the specified views. If no view is
c12917da693bae4028a1d5a5e8224bceed8c739dsf specified, all
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf views are dumped.
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf (See the <command>dump-file</command> option in
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf the BIND 9 Administrator Reference Manual.)
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf </para>
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf </listitem>
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf </varlistentry>
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf <varlistentry>
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf <term><userinput>flush</userinput></term>
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf <listitem>
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf <para>
9811aed12bbc71783d2e544ccb5fecd193843eadsf Flushes the server's cache.
9811aed12bbc71783d2e544ccb5fecd193843eadsf </para>
9811aed12bbc71783d2e544ccb5fecd193843eadsf </listitem>
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung </varlistentry>
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung
bd3f5647b96d378d9c75c954e3f13582af32c643sf <varlistentry>
bd3f5647b96d378d9c75c954e3f13582af32c643sf <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
bd3f5647b96d378d9c75c954e3f13582af32c643sf <listitem>
bd3f5647b96d378d9c75c954e3f13582af32c643sf <para>
bd3f5647b96d378d9c75c954e3f13582af32c643sf Flushes the given name from the view's DNS cache
2a7beea91d46beb41f043a84eaad060047ee04aafabien and, if applicable, from the view's nameserver address
2a7beea91d46beb41f043a84eaad060047ee04aafabien database, bad server cache and SERVFAIL cache.
2a7beea91d46beb41f043a84eaad060047ee04aafabien </para>
2a7beea91d46beb41f043a84eaad060047ee04aafabien </listitem>
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf </varlistentry>
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf <varlistentry>
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf <listitem>
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf <para>
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf Flushes the given name, and all of its subdomains,
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf from the view's DNS cache, address database,
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf bad server cache, and SERVFAIL cache.
132ee6ac1c26d6e8953836316ba50734eefab47bsf </para>
132ee6ac1c26d6e8953836316ba50734eefab47bsf </listitem>
132ee6ac1c26d6e8953836316ba50734eefab47bsf </varlistentry>
85eacfc96a04547ef25aabbc06440039715084c2jorton
85eacfc96a04547ef25aabbc06440039715084c2jorton <varlistentry>
85eacfc96a04547ef25aabbc06440039715084c2jorton <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick <listitem>
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick <para>
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick Suspend updates to a dynamic zone. If no zone is
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick specified, then all zones are suspended. This allows
79c5787b92ac5f0e1cc82393816c77a006399316trawick manual edits to be made to a zone normally updated by
79c5787b92ac5f0e1cc82393816c77a006399316trawick dynamic update. It also causes changes in the
79c5787b92ac5f0e1cc82393816c77a006399316trawick journal file to be synced into the master file.
79c5787b92ac5f0e1cc82393816c77a006399316trawick All dynamic update attempts will be refused while
c967bf3bc89e8aa60dbd30d9da388e448ddc1cc4trawick the zone is frozen.
79c5787b92ac5f0e1cc82393816c77a006399316trawick </para>
79c5787b92ac5f0e1cc82393816c77a006399316trawick <para>
79c5787b92ac5f0e1cc82393816c77a006399316trawick See also <command>rndc thaw</command>.
79c5787b92ac5f0e1cc82393816c77a006399316trawick </para>
79c5787b92ac5f0e1cc82393816c77a006399316trawick </listitem>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton </varlistentry>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <varlistentry>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <term><userinput>halt <optional>-p</optional></userinput></term>
536e48c08d674acac5d44929318f2ad928edc361jorton <listitem>
536e48c08d674acac5d44929318f2ad928edc361jorton <para>
e81785da447b469da66f218b3f0244aab507958djorton Stop the server immediately. Recent changes
e81785da447b469da66f218b3f0244aab507958djorton made through dynamic update or IXFR are not saved to
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton the master files, but will be rolled forward from the
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton journal files when the server is restarted.
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton If <option>-p</option> is specified, <command>named</command>'s process id is returned.
53e9b27aba029b18be814df40bcf6f0428771d1efuankg This allows an external process to determine when <command>named</command>
53e9b27aba029b18be814df40bcf6f0428771d1efuankg has completed halting.
53e9b27aba029b18be814df40bcf6f0428771d1efuankg </para>
53e9b27aba029b18be814df40bcf6f0428771d1efuankg <para>
53e9b27aba029b18be814df40bcf6f0428771d1efuankg See also <command>rndc stop</command>.
6bb524f1895f30265a1431afc460977d391cb36bsf </para>
6bb524f1895f30265a1431afc460977d391cb36bsf </listitem>
ca61ccd0c306c2c72df153688ba1b49f3eceed80sf </varlistentry>
6bb524f1895f30265a1431afc460977d391cb36bsf
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <varlistentry>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <listitem>
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin <para>
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin Fetch all DNSSEC keys for the given zone
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin from the key directory. If they are within
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin their publication period, merge them into the
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin zone's DNSKEY RRset. Unlike <command>rndc
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung sign</command>, however, the zone is not
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung immediately re-signed by the new keys, but is
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung allowed to incrementally re-sign over time.
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung </para>
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung <para>
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung This command requires that the
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung <command>auto-dnssec</command> zone option
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung be set to <literal>maintain</literal>,
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick and also requires the zone to be configured to
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick allow dynamic DNS.
0827cb14e550f6f65018431c22c2c913631c8f25kbrand (See "Dynamic Update Policies" in the Administrator
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick Reference Manual for more details.)
ae600ca541efc686b34f8b1f21bd3d0741d37674covener </para>
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick </listitem>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding </varlistentry>
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <varlistentry>
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim <term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <listitem>
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim <para>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding When run with the "status" keyword, print the current
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim status of the managed-keys database for the specified
cfa64348224b66dd1c9979b809406c4d15b1c137fielding view, or for all views if none is specified. When run
with the "refresh" keyword, force an immediate refresh
of all the managed-keys in the specified view, or all
views. When run with the "sync" keyword, force an
immediate dump of the managed-keys database to disk (in
the file <filename>managed-keys.bind</filename> or
<filename><replaceable>viewname</replaceable>.mkeys</filename>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
<listitem>
<para>
Modify the configuration of a zone while the server
is running. This command requires the
<command>allow-new-zones</command> option to be
set to <userinput>yes</userinput>. As with
<command>addzone</command>, the
<replaceable>configuration</replaceable> string
specified on the command line is the zone
configuration text that would ordinarily be
placed in <filename>named.conf</filename>.
</para>
<para>
If the zone was originally added via
<command>rndc addzone</command>, the configuration
changes will be recorded permanently and will still be
in effect after the server is restarted or reconfigured.
However, if it was originally configured in
<filename>named.conf</filename>, then that original
configuration is still in place; when the server is
restarted or reconfigured, the zone will revert to
its original configuration. To make the changes
permanent, the zone must also be modified in
<filename>named.conf</filename>.
</para>
<para>
See also <command>rndc addzone</command> and <command>rndc delzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Resend NOTIFY messages for the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>notrace</userinput></term>
<listitem>
<para>
Sets the server's debugging level to 0.
</para>
<para>
See also <command>rndc trace</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>nta
<optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
<replaceable>domain</replaceable>
<optional><replaceable>view</replaceable></optional>
</userinput></term>
<listitem>
<para>
Sets a DNSSEC negative trust anchor (NTA)
for <option>domain</option>, with a lifetime of
<option>duration</option>. The default lifetime is
configured in <filename>named.conf</filename> via the
<option>nta-lifetime</option> option, and defaults to
one hour. The lifetime cannot exceed one week.
</para>
<para>
A negative trust anchor selectively disables
DNSSEC validation for zones that are known to be
failing because of misconfiguration rather than
an attack. When data to be validated is
at or below an active NTA (and above any other
configured trust anchors), <command>named</command> will
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime has elapsed. Because answers at or below
the NTA are accepted without validation during that time,
DNSSEC provides no protection against forged data for
those names while the NTA is active.
</para>
<para>
NTAs persist across restarts of the <command>named</command> server.
The NTAs for a view are saved in a file called
<filename><replaceable>name</replaceable>.nta</filename>,
where <replaceable>name</replaceable> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
of the view.
</para>
<para>
An existing NTA can be removed by using the
<option>-remove</option> option.
</para>
<para>
An NTA's lifetime can be specified with the
<option>-lifetime</option> option. TTL-style
suffixes can be used to specify the lifetime in
seconds, minutes, or hours. If the specified NTA
already exists, its lifetime will be updated to the
new value. Setting <option>lifetime</option> to zero
is equivalent to <option>-remove</option>.
</para>
<para>
If <option>-dump</option> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
</para>
<para>
Normally, <command>named</command> will periodically
test to see whether data below an NTA can now be
validated (see the <option>nta-recheck</option> option
in the Administrator Reference Manual for details).
If data can be validated, then the NTA is regarded as
no longer necessary, and will be allowed to expire
early. The <option>-force</option> option overrides this
behavior and forces an NTA to persist for its entire
lifetime, regardless of whether data could be
validated if the NTA were not present.
</para>
<para>
All of these options can be shortened, i.e., to
<option>-l</option>, <option>-r</option>, <option>-d</option>,
and <option>-f</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>querylog</userinput> <optional>on|off</optional> </term>
<listitem>
<para>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
</para>
<para>
Query logging can also be enabled
by explicitly directing the <command>queries</command>
<command>category</command> to a
<command>channel</command> in the
<command>logging</command> section of
<filename>named.conf</filename> or by specifying
<command>querylog yes;</command> in the
<command>options</command> section of
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>reconfig</userinput></term>
<listitem>
<para>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <command>reload</command> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>recursing</userinput></term>
<listitem>
<para>
Dump the list of queries <command>named</command> is currently
recursing on, and the list of domains to which iterative
queries are currently being sent. (The second list includes
the number of fetches currently active for the given domain,
and how many have been passed or dropped because of the
<option>fetches-per-zone</option> option.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Schedule zone maintenance for the given zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>reload</userinput></term>
<listitem>
<para>
Reload configuration file and zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Reload the given zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Retransfer the given slave zone from the master server.
</para>
<para>
If the zone is configured to use
<command>inline-signing</command>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>scan</userinput></term>
<listitem>
<para>
Scan the list of available network interfaces
for changes, without performing a full
<command>reconfig</command> or waiting for the
<command>interface-interval</command> timer.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
<listitem>
<para>
Dump the server's security roots and negative trust anchors
for the specified views. If no view is specified, all views
are dumped.
</para>
<para>
If the first argument is "-", then the output is
returned via the <command>rndc</command> response channel
and printed to the standard output.
Otherwise, it is written to the secroots dump file, which
defaults to <filename>named.secroots</filename>, but can be
overridden via the <option>secroots-file</option> option in
<filename>named.conf</filename>.
</para>
<para>
See also <command>rndc managed-keys</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
<listitem>
<para>
Print the configuration of a running zone.
</para>
<para>
See also <command>rndc zonestatus</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
<command>key-directory</command> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
</para>
<para>
This command requires that the
<command>auto-dnssec</command> zone option be set
to <literal>allow</literal> or
<literal>maintain</literal>,
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</para>
<para>
See also <command>rndc loadkeys</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
<listitem>
<para>
List, edit, or remove the DNSSEC signing state records
for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<command>sig-signing-type</command>.
<command>rndc signing -list</command> converts
these records into a human-readable form,
indicating which keys are currently signing
or have finished signing the zone, and which NSEC3
chains are being created or removed.
</para>
<para>
<command>rndc signing -clear</command> can remove
a single key (specified in the same format that
<command>rndc signing -list</command> uses to
display it), or all keys. In either case, only
completed keys are removed; any record indicating
that a key has not yet finished signing the zone
will be retained.
</para>
<para>
<command>rndc signing -nsec3param</command> sets
the NSEC3 parameters for a zone. This is the
only supported mechanism for using NSEC3 with
<command>inline-signing</command> zones.
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
flags, iterations, and salt, in that order.
</para>
<para>
Currently, the only defined value for hash algorithm
is <literal>1</literal>, representing SHA-1.
The <option>flags</option> may be set to
<literal>0</literal> or <literal>1</literal>,
depending on whether you wish to set the opt-out
bit in the NSEC3 chain. <option>iterations</option>
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<option>salt</option> is a string of data expressed
in hexadecimal, a hyphen (<literal>-</literal>) if no salt is
to be used, or the keyword <literal>auto</literal>,
which causes <command>named</command> to generate a
random 64-bit salt.
Note that RFC 9276 recommends an
<option>iterations</option> value of 0 and no salt;
additional iterations add computational cost for
authoritative servers and validating resolvers with
little security benefit.
</para>
<para>
So, for example, to create an NSEC3 chain using
the SHA-1 hash algorithm, no opt-out flag,
10 iterations, and a salt value of "FFFF", use:
<command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
To set the opt-out flag, 15 iterations, and no
salt, use:
<command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
</para>
<para>
<command>rndc signing -nsec3param none</command>
removes an existing NSEC3 chain and replaces it
with NSEC.
</para>
<para>
<command>rndc signing -serial value</command> sets
the serial number of the zone to value. If the value
would cause the serial number to go backwards it will
be rejected. The primary use is to set the serial on
inline signed zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>stats</userinput></term>
<listitem>
<para>
Write server statistics to the statistics file.
(See the <command>statistics-file</command> option in
the BIND 9 Administrator Reference Manual.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>status</userinput></term>
<listitem>
<para>
Display status of the server.
Note that the number of zones includes the internal <command>bind/CH</command> zone
and the default <command>/IN</command>
hint zone if there is not an
explicit root zone configured.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
<listitem>
<para>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <option>-p</option> is specified, <command>named</command>'s process id is returned.
This allows an external process to determine when <command>named</command>
has completed stopping.
</para>
<para>See also <command>rndc halt</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
<listitem>
<para>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
<listitem>
<para>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
<command>ixfr-from-differences</command> option is
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
removed.
</para>
<para>See also <command>rndc freeze</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>trace</userinput></term>
<listitem>
<para>
Increment the server's debugging level by one.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
<listitem>
<para>
Sets the server's debugging level to an explicit
value.
</para>
<para>
See also <command>rndc notrace</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
<listitem>
<para>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
keys.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>tsig-list</userinput></term>
<listitem>
<para>
List the names of all TSIG keys currently configured
for use by <command>named</command> in each view. The
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
<listitem>
<para>
Enable, disable, or check the current status of
DNSSEC validation.
Note that <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> or
<userinput>auto</userinput> for validation to be effective.
It defaults to enabled.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>zonestatus <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
<para>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
</para>
<para>
See also <command>rndc showzone</command>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>LIMITATIONS</title></info>
<para>
There is currently no way to provide the shared secret for a
<option>key_id</option> without using the configuration file.
</para>
<para>
Several error messages could be clearer.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>