rndc.docbook revision 30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1
 - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
<refentryinfo>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refentrytitle><application>rndc</application></refentrytitle>
<refnamediv>
<refname><application>rndc</application></refname>
<refpurpose>name server control utility</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</copyright>
<refsynopsisdiv>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
controls the operation of a name
server. It supersedes the <command>ndc</command> utility
that was provided in old BIND releases. If
<command>rndc</command> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
<command>rndc</command> and <command>named</command>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
</refsection>
<variablelist>
<varlistentry>
<term>-b <replaceable class="parameter">source-address</replaceable></term>
Use <replaceable class="parameter">source-address</replaceable>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
Use <replaceable class="parameter">config-file</replaceable>
as the configuration file instead of the default,
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key-file</replaceable></term>
Use <replaceable class="parameter">key-file</replaceable>
as the key file instead of the default,
<filename>/etc/rndc.key</filename> will be used to
authenticate
commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
does not exist.
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">server</replaceable></term>
<para><replaceable class="parameter">server</replaceable> is
the name or address of the server which matches a
server statement in the configuration file for
<command>rndc</command>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <command>rndc</command>
configuration file will be used.
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
Send commands to TCP port
of BIND 9's default control channel port, 953.
</listitem>
</varlistentry>
<varlistentry>
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
</listitem>
</varlistentry>
<varlistentry>
Instructs <command>rndc</command> to print the result code
returned by <command>named</command> after executing the
requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc.).
</listitem>
</varlistentry>
<varlistentry>
Enable verbose logging.
</listitem>
</varlistentry>
<varlistentry>
<term>-y <replaceable class="parameter">key_id</replaceable></term>
Use the key <replaceable class="parameter">key_id</replaceable>
from the configuration file.
known by <command>named</command> with the same algorithm and secret string
in order for control message validation to succeed.
If no <replaceable class="parameter">key_id</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
</varlistentry>
</variablelist>
</refsection>
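Added example (not part of the ISC manual page or of BIND itself): a small audit that follows the key selection order given for -y above and reports a configuration file with general read or write access, or a selected key that uses the compatibility-only HMAC-MD5 algorithm. The sample configuration, key names, secret and finding labels are constructed for illustration; the parser is simplified and ignores comments and include files.

```python
import os
import re
import stat
import tempfile

# Constructed sample rndc.conf; key names and the secret are placeholders.
SAMPLE_CONF = """
options {
    default-server localhost;
    default-key "ops-key";
};
server localhost {
    key "legacy-key";
};
key "ops-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=";
};
key "legacy-key" {
    algorithm hmac-md5;
    secret "Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=";
};
"""

NAME = r'"?([\w.:-]+)"?'
WORD = r'(?<![\w-])'  # keeps "key" from matching inside "default-key"


def parse_conf(text):
    """Pull out the clauses rndc consults when choosing a key.

    Simplified for illustration: comments and include files are not handled.
    """
    keys = {
        m.group(1): m.group(2).lower()
        for m in re.finditer(
            WORD + r'key\s+' + NAME + r'\s*\{[^}]*?algorithm\s+([\w-]+)\s*;', text)
    }
    servers = {}
    for m in re.finditer(WORD + r'server\s+' + NAME + r'\s*\{([^}]*)\}', text):
        clause = re.search(WORD + r'key\s+' + NAME + r'\s*;', m.group(2))
        servers[m.group(1)] = clause.group(1) if clause else None
    default = re.search(r'default-key\s+' + NAME + r'\s*;', text)
    return {"keys": keys, "servers": servers,
            "default_key": default.group(1) if default else None}


def resolve_key(conf, server, key_id=None):
    """Selection order described for -y: explicit key_id, then the key clause
    of the matching server statement, then the options default-key clause."""
    if key_id:
        return key_id
    # Assumption: a server statement without a key clause also falls through
    # to default-key; the manual page only covers a missing server statement.
    return conf["servers"].get(server) or conf["default_key"]


def audit(path, server, key_id=None):
    """Return a list of finding labels for the configuration file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # "General read or write access": any read or write bit for "other".
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible")
    with open(path, encoding="utf-8") as fh:
        conf = parse_conf(fh.read())
    algorithm = conf["keys"].get(resolve_key(conf, server, key_id))
    if algorithm is None:
        findings.append("undefined-key")
    elif algorithm == "hmac-md5":
        # HMAC-MD5 is listed as supported "for compatibility" only.
        findings.append("compat-only-algorithm")
    return findings


if __name__ == "__main__":
    fd, sample_path = tempfile.mkstemp(suffix=".conf")
    os.write(fd, SAMPLE_CONF.encode())
    os.close(fd)
    os.chmod(sample_path, 0o644)
    print(audit(sample_path, "localhost"))
    os.remove(sample_path)
```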
A list of commands supported by <command>rndc</command> can
be seen by running <command>rndc</command> without arguments.
Currently supported commands are:
<variablelist>
<varlistentry>
<term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
Add a zone while the server is running. This
command requires the
specified on the command line is the zone
configuration text that would ordinarily be
The configuration is saved in a file called
<filename><replaceable>name</replaceable>.nzf</filename>,
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
of the view.
restarted, the file will be loaded into the view
configuration, so that zones that were added
can persist after a restart.
to the default view:
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
(Note the brackets and semi-colon around the zone
configuration text.)
See also <command>rndc delzone</command> and <command>rndc modzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
Delete a zone while the server is running.
If the <option>-clean</option> argument is specified,
the zone's master file (and journal file, if any)
will be deleted along with the zone. Without the
be cleaned up by hand. (If the zone is of
type "slave" or "stub", the files needing to
be cleaned up will be reported in the output
If the zone was originally added via
removed permanently. However, if it was originally
configured in <filename>named.conf</filename>, then
that original configuration is still in place; when
the server is restarted or reconfigured, the zone will
come back. To remove it permanently, it must also be
See also <command>rndc addzone</command> and <command>rndc modzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
Dump the server's caches (default) and/or zones to
dump file for the specified views. If no view is
specified, all
views are dumped.
the BIND 9 Administrator Reference Manual.)
</varlistentry>
<varlistentry>
Flushes the server's cache.
</varlistentry>
<varlistentry>
<term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name from the view's DNS cache
and, if applicable, from the view's nameserver address
database, bad server cache and SERVFAIL cache.
</varlistentry>
<varlistentry>
<term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name, and all of its subdomains,
from the view's DNS cache, address database,
bad server cache, and SERVFAIL cache.
</varlistentry>
<varlistentry>
<term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
</varlistentry>
<varlistentry>
<term><userinput>halt <optional>-p</optional></userinput></term>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <option>-p</option> is specified, <command>named</command>'s process id is returned.
This allows an external process to determine when <command>named</command>
has completed halting.
</varlistentry>
<varlistentry>
<term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <command>rndc
sign</command>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
This command requires that the
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</varlistentry>
<varlistentry>
<term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
When run with the "status" keyword, print the current
status of the managed-keys database for the specified
view, or for all views if none is specified. When run
with the "refresh" keyword, force an immediate refresh
of all the managed-keys in the specified view, or all
views. When run with the "sync" keyword, force an
immediate dump of the managed-keys database to disk (in
the file <filename>managed-keys.bind</filename> or
(<filename><replaceable>viewname</replaceable>.mkeys</filename>).
</varlistentry>
<varlistentry>
<term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
Modify the configuration of a zone while the server
is running. This command requires the
specified on the command line is the zone
configuration text that would ordinarily be
If the zone was originally added via
<command>rndc addzone</command>, the configuration
changes will be recorded permanently and will still be
in effect after the server is restarted or reconfigured.
However, if it was originally configured in
<filename>named.conf</filename>, then that original
configuration is still in place; when the server is
restarted or reconfigured, the zone will revert to
its original configuration. To make the changes
permanent, it must also be modified in
See also <command>rndc addzone</command> and <command>rndc delzone</command>.
</varlistentry>
<varlistentry>
<term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Resend NOTIFY messages for the zone.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Sets the server's debugging level to 0.
</listitem>
</varlistentry>
<varlistentry>
<optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
<listitem>
Sets a DNSSEC negative trust anchor (NTA)
<option>duration</option>. The default lifetime is
configured in <filename>named.conf</filename> via the
<option>nta-lifetime</option> option, and defaults to
one hour. The lifetime cannot exceed one week.
A negative trust anchor selectively disables
DNSSEC validation for zones that are known to be
failing because of misconfiguration rather than
an attack. When data to be validated is
at or below an active NTA (and above any other
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime is elapsed.
NTAs persist across restarts of the <command>named</command> server.
The NTAs for a view are saved in a file called
<filename><replaceable>name</replaceable>.nta</filename>,
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
of the view.
An existing NTA can be removed by using the
An NTA's lifetime can be specified with the
suffixes can be used to specify the lifetime in
seconds, minutes, or hours. If the specified NTA
already exists, its lifetime will be updated to the
new value. Setting <option>lifetime</option> to zero
If <option>-dump</option> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
Normally, <command>named</command> will periodically
test to see whether data below an NTA can now be
validated (see the <option>nta-recheck</option> option
in the Administrator Reference Manual for details).
If data can be validated, then the NTA is regarded as
no longer necessary, and will be allowed to expire
behavior and forces an NTA to persist for its entire
lifetime, regardless of whether data could be
validated if the NTA were not present.
All of these options can be shortened, i.e., to
<option>-l</option>, <option>-r</option>, <option>-d</option>,
</varlistentry>
<varlistentry>
<term><userinput>querylog</userinput> <optional>on|off</optional> </term>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
Query logging can also be enabled
by explicitly directing the <command>queries</command>
</varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Reload the configuration file and load new zones,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes but do not reload existing zone files even if they
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes have changed.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes This is faster than a full <command>reload</command> when there
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes is a large number of zones because it avoids the need
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes to examine the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes modification times of the zone files.
2669b0829aa4efffd095ec93e41890d142fb74f0minfrin </listitem>
2669b0829aa4efffd095ec93e41890d142fb74f0minfrin </varlistentry>
17dc8282ea6b3ad1bbc661b498de9ec2e9987edejim <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Dump the list of queries <command>named</command> is currently
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes recursing on, and the list of domains to which iterative
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes queries are currently being sent. (The second list includes
e8f95a682820a599fe41b22977010636be5c2717jim the number of fetches currently active for the given domain,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes and how many have been passed or dropped because of the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Schedule zone maintenance for the given zone.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Reload configuration file and zones.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Reload the given zone.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
e8f95a682820a599fe41b22977010636be5c2717jim <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Retransfer the given slave zone from the master server.
e8f95a682820a599fe41b22977010636be5c2717jim If the zone is configured to use
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes version of the zone is discarded; after the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes retransfer of the unsigned version is complete, the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes signed version will be regenerated with all new
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Scan the list of available network interfaces
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes for changes, without performing a full
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
9ee1730dd807d2ea0d57dfba9e71161c36028ee8covener Dump the server's security roots and negative trust anchors
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes for the specified views. If no view is specified, all views
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes If the first argument is "-", then the output is
aca6568a9f251eedf4b3418eb4b3be05d3c366edtrawick returned via the <command>rndc</command> response channel
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes and printed to the standard output.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Otherwise, it is written to the secroots dump file, which
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes defaults to <filename>named.secroots</filename>, but can be
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes overridden via the <option>secroots-file</option> option in
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton <varlistentry>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton <term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton Print the configuration of a running zone.
e8f95a682820a599fe41b22977010636be5c2717jim </listitem>
e8f95a682820a599fe41b22977010636be5c2717jim </varlistentry>
e8f95a682820a599fe41b22977010636be5c2717jim <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Fetch all DNSSEC keys for the given zone
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes from the key directory (see the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the BIND 9 Administrator Reference Manual). If they are within
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes their publication period, merge them into the
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton zone's DNSKEY RRset. If the DNSKEY RRset
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton is changed, then the zone is automatically
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton re-signed with the new key set.
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton This command requires that the
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton and also requires the zone to be configured to
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton allow dynamic DNS.
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton (See "Dynamic Update Policies" in the Administrator
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton Reference Manual for more details.)
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton </listitem>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton </varlistentry>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton <varlistentry>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton List, edit, or remove the DNSSEC signing state records
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton for the specified zone. The status of ongoing DNSSEC
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton operations (such as signing or generating
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton NSEC3 chains) is stored in the zone in the form
06ca8326e5b9bc464b13c2651e531490fa5e36f6jorton of DNS resource records of type
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes these records into a human-readable form,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes indicating which keys are currently signing
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes or have finished signing the zone, and which NSEC3
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes chains are being created or removed.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes a single key (specified in the same format that
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes display it), or all keys. In either case, only
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes completed keys are removed; any record indicating
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes that a key has not yet finished signing the zone
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes will be retained.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the NSEC3 parameters for a zone. This is the
e8f95a682820a599fe41b22977010636be5c2717jim only supported mechanism for using NSEC3 with
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Parameters are specified in the same format as
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes an NSEC3PARAM resource record: hash algorithm,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes flags, iterations, and salt, in that order.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Currently, the only defined value for hash algorithm
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes depending on whether you wish to set the opt-out
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes bit in the NSEC3 chain. <option>iterations</option>
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes defines the number of additional times to apply
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes the algorithm when generating an NSEC3 hash. The
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes in hexadecimal, a hyphen (`-') if no salt is
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes to be used, or the keyword <literal>auto</literal>,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes which causes <command>named</command> to generate a
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes random 64-bit salt.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes So, for example, to create an NSEC3 chain using
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the SHA-1 hash algorithm, no opt-out flag,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes 10 iterations, and a salt value of "FFFF", use:
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes To set the opt-out flag, 15 iterations, and no
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
3f5585f7f4a7d74f2f94ec729ea8c1879d419e35rederpj removes an existing NSEC3 chain and replaces it
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes <command>rndc signing -serial value</command> sets
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes the serial number of the zone to value. If the value
e8f95a682820a599fe41b22977010636be5c2717jim would cause the serial number to go backwards, it will
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes be rejected. The primary use is to set the serial on
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes inline signed zones.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
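How the four -nsec3param fields (hash algorithm, flags, iterations, salt) feed the NSEC3 owner-name hash, shown as an added example that is not part of the rndc manual or of BIND's code. It goes beyond the text by carrying the parameters through the RFC 5155 hash computation; the function names are hypothetical and the owner name in the usage lines is constructed.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648) rather than the standard alphabet.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(fields):
    """Validate 'hash-algorithm flags iterations salt' as given to -nsec3param."""
    parts = fields.split()
    if len(parts) != 4:
        raise ValueError("expected: hash algorithm, flags, iterations, salt")
    algorithm, flags, iterations, salt = parts
    if algorithm != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0, or 1 to set the opt-out bit")
    if not iterations.isdigit():
        raise ValueError("iterations must be a non-negative integer")
    if salt == "auto":
        raise ValueError("'auto' salt is chosen by named, so it cannot be hashed here")
    # A hyphen means no salt; anything else must be hexadecimal.
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(flags), int(iterations), salt_bytes


def wire_name(name):
    """Lower-cased DNS wire format: length-prefixed labels, then the root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, iterations, salt):
    """RFC 5155 hash: one SHA-1 pass, then 'iterations' additional passes."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # Parameters from the first command above; "www.example.com" is a constructed name.
    flags, iterations, salt = parse_nsec3param("1 0 10 FFFF")
    print(nsec3_hash("www.example.com", iterations, salt))
```

The salt is appended on every pass and the iteration count is the number of extra passes, so both values change every owner hash in the chain.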
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Write server statistics to the statistics file.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes (See the <command>statistics-file</command> option in
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the BIND 9 Administrator Reference Manual.)
680e2f0cf7c6d88ab06a8f4792ca716fc1fa8a9bbnicholes </varlistentry>
e8f95a682820a599fe41b22977010636be5c2717jim <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Display status of the server.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Note that the number of zones includes the internal <command>bind/CH</command> zone
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes hint zone if there is not an
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes explicit root zone configured.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
347fa64a621fc2e6b5320ce2f6aaacf8e4302725jorton <varlistentry>
347fa64a621fc2e6b5320ce2f6aaacf8e4302725jorton <term><userinput>stop <optional>-p</optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Stop the server, making sure any recent changes
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes made through dynamic update or IXFR are first saved to
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the master files of the updated zones.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes If <option>-p</option> is specified, <command>named</command>'s process ID is returned.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes This allows an external process to determine when <command>named</command>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes has completed stopping.
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <para>See also <command>rndc halt</command>.</para>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Sync changes in the journal file for a dynamic zone
e8f95a682820a599fe41b22977010636be5c2717jim to the master file. If the "-clean" option is
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes specified, the journal file is also removed. If
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes no zone is specified, then all zones are synced.
e8f95a682820a599fe41b22977010636be5c2717jim </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes Enable updates to a frozen dynamic zone. If no
e8f95a682820a599fe41b22977010636be5c2717jim zone is specified, then all frozen zones are
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes enabled. This causes the server to reload the zone
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes from disk, and re-enables dynamic updates after the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes load has completed. After a zone is thawed,
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes dynamic updates will no longer be refused. If
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes the zone has changed and the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <command>ixfr-from-differences</command> option is
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes in use, then the journal file will be updated to
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes reflect changes in the zone. Otherwise, if the
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes zone has changed, any existing journal file will be
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <para>See also <command>rndc freeze</command>.</para>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes </varlistentry>
d5b12fe8ae917e654a33247fd4e59dc9e75170aebnicholes <varlistentry>
<term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
<term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>