rndc.docbook revision 704e6c8876907aac0bf7380effca8bca400d4acd
<!--
 - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
  <refentryinfo>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>
  <refentrytitle><application>rndc</application></refentrytitle>
  <refnamediv>
    <refname><application>rndc</application></refname>
    <refpurpose>name server control utility</refpurpose>
  </refnamediv>
  <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>rndc</command>
      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-q</option></arg>
      <arg choice="opt" rep="norepeat"><option>-r</option></arg>
      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
      <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
      <arg choice="req" rep="norepeat">command</arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsection><info><title>DESCRIPTION</title></info>
    <command>rndc</command> controls the operation of a name
    server. It supersedes the <command>ndc</command> utility
    that was provided in old BIND releases. If
    <command>rndc</command> is invoked with no command line
    options or arguments, it prints a short summary of the
    supported commands and the available options and their
    <command>rndc</command> communicates with the name server over a TCP connection, sending
    commands authenticated with digital signatures. In the current
    versions of <command>rndc</command> and <command>named</command>,
    the only supported authentication algorithms are HMAC-MD5
    (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
    (default), HMAC-SHA384 and HMAC-SHA512.
    They use a shared secret on each end of the connection.
    This provides TSIG-style authentication for the command
    request and the name server's response. All commands sent
    over the channel must be signed by a key_id known to the
    <command>rndc</command> reads a configuration file to
    determine how to contact the name server and decide what
    algorithm and key it should use.
  </refsection>
  <refsection><info><title>OPTIONS</title></info>
    <variablelist>
      <varlistentry>
        <term>-b <replaceable class="parameter">source-address</replaceable></term>
        Use <replaceable class="parameter">source-address</replaceable>
        as the source address for the connection to the server.
        Multiple instances are permitted to allow setting of both
        the IPv4 and IPv6 source addresses.
      </varlistentry>
      <varlistentry>
        <term>-c <replaceable class="parameter">config-file</replaceable></term>
        Use <replaceable class="parameter">config-file</replaceable>
        as the configuration file instead of the default,
      </varlistentry>
      <varlistentry>
        <term>-k <replaceable class="parameter">key-file</replaceable></term>
        Use <replaceable class="parameter">key-file</replaceable>
        as the key file instead of the default,
        <filename>/etc/rndc.key</filename>. The key in
        <filename>/etc/rndc.key</filename> will be used to
        authenticate
        commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
        does not exist.
      </varlistentry>
      <varlistentry>
        <term>-s <replaceable class="parameter">server</replaceable></term>
        <para><replaceable class="parameter">server</replaceable> is
        the name or address of the server which matches a
        server statement in the configuration file for
        <command>rndc</command>. If no server is supplied on the
        command line, the host named by the default-server clause
        in the options statement of the <command>rndc</command>
        configuration file will be used.
      </varlistentry>
      <varlistentry>
        <term>-p <replaceable class="parameter">port</replaceable></term>
        Send commands to TCP port
        <replaceable class="parameter">port</replaceable>
        instead
        of BIND 9's default control channel port, 953.
      </varlistentry>
      <varlistentry>
        <term>-q</term>
        Quiet mode: Message text returned by the server
        will not be printed except when there is an error.
      </varlistentry>
      <varlistentry>
        <term>-r</term>
        Instructs <command>rndc</command> to print the result code
        returned by <command>named</command> after executing the
        requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc.).
      </varlistentry>
      <varlistentry>
        <term>-V</term>
        Enable verbose logging.
      </varlistentry>
      <varlistentry>
        <term>-y <replaceable class="parameter">key_id</replaceable></term>
        Use the key <replaceable class="parameter">key_id</replaceable>
        from the configuration file.
        <replaceable class="parameter">key_id</replaceable>
        must be
        known by <command>named</command> with the same algorithm and secret string
        in order for control message validation to succeed.
        If no <replaceable class="parameter">key_id</replaceable>
        is specified, <command>rndc</command> will first look
        for a key clause in the server statement of the server
        being used, or if no server statement is present for that
        host, then the default-key clause of the options statement.
        Note that the configuration file contains shared secrets
        which are used to send authenticated control commands
        to name servers. It should therefore not have general read
        or write access.
      </varlistentry>
    </variablelist>
  </refsection>
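The access warning at the end of OPTIONS and the algorithm list under DESCRIPTION can both be checked mechanically. The shell functions below are an added example, not part of this manual page or of the BIND distribution; the names make_sample and audit_rndc_file are chosen here, the sample file and its secret are constructed, and the parser assumes each key clause opens as `key "name" {` on one line with no /* ... */ comments.

```shell
#!/bin/sh
# Added example (not from BIND): audit an rndc configuration or key file for
# the two conditions the manual page calls out: general read/write access to
# a file holding shared secrets, and keys that still use the
# compatibility-only HMAC-MD5 algorithm.

# Write a constructed sample file to the path given as $1.
# The secret is a dummy value, not a real key.
make_sample() {
    printf '%s\n' \
        '# constructed sample for audit_rndc_file' \
        'key "legacy-key" {' \
        '    algorithm hmac-md5;' \
        '    secret "Y29uc3RydWN0ZWQtZHVtbXk=";' \
        '};' \
        'key "rndc-key" {' \
        '    # algorithm hmac-md5;  (retired setting, commented out)' \
        '    algorithm hmac-sha256;' \
        '    secret "Y29uc3RydWN0ZWQtZHVtbXk=";' \
        '};' \
        'options {' \
        '    default-key "rndc-key";' \
        '    default-server 127.0.0.1;' \
        '    default-port 953;' \
        '};' > "$1"
}

# Print one line per finding for the file $1.
# Return status is the number of findings (0 means clean, 1 if file missing).
audit_rndc_file() {
    f=$1
    findings=0

    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi

    # Permission string such as -rw-r--r-- ; characters 8-9 are the read
    # and write bits for "other", i.e. every local user.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c8-9) in
        *r*|*w*)
            echo "PERMS $f mode $mode grants read or write to all users"
            findings=$((findings + 1))
            ;;
    esac

    # Track the current key clause and report keys whose algorithm is
    # hmac-md5. Comments starting with # (anywhere) or // (at line start)
    # are dropped first so a commented-out setting is not reported.
    weak=$(awk '
        { sub(/#.*/, ""); sub(/^[ \t]*\/\/.*/, "") }
        /^[ \t]*key[ \t]+[^;]*\{/ { name = $2; gsub(/[";{]/, "", name) }
        tolower($0) ~ /algorithm[ \t]+"?hmac-md5"?[ \t]*;/ { print name }
    ' "$f")
    for k in $weak; do
        echo "ALGO $f key $k uses hmac-md5, kept only for compatibility"
        findings=$((findings + 1))
    done

    return "$findings"
}

# Audit every file named on the command line, if any.
for f in "$@"; do
    audit_rndc_file "$f" || true
done
```

Run it against the file given to -c or -k; the same key_id must still be configured in named with the replacement algorithm and secret before an hmac-md5 key is retired.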
  <refsection><info><title>COMMANDS</title></info>
    A list of commands supported by <command>rndc</command> can
    be seen by running <command>rndc</command> without arguments.
    Currently supported commands are:
    <variablelist>
      <varlistentry>
        <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
        Add a zone while the server is running. This
        command requires the
        <command>allow-new-zones</command> option to be set
        The <replaceable>configuration</replaceable> string
        specified on the command line is the zone
        configuration text that would ordinarily be
        The configuration is saved in a file called
        <filename><replaceable>name</replaceable>.nzf</filename>,
        where <replaceable>name</replaceable> is the
        name of the view, or if it contains characters
        that are incompatible with use as a file name, a
        cryptographic hash generated from the name
        restarted, the file will be loaded into the view
        configuration, so that zones that were added
        can persist after a restart.
        This sample <command>addzone</command> command
        would add the zone <literal>example.com</literal>
        to the default view:
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
        (Note the brackets and semi-colon around the zone
        configuration text.)
        See also <command>rndc delzone</command> and <command>rndc modzone</command>.
      </varlistentry>
      <varlistentry>
        <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
        Delete a zone while the server is running.
        If the <option>-clean</option> argument is specified,
        the zone's master file (and journal file, if any)
        will be deleted along with the zone. Without the
        <option>-clean</option> option, zone files must
        be cleaned up by hand. (If the zone is of
        type "slave" or "stub", the files needing to
        be cleaned up will be reported in the output
        of the <command>rndc delzone</command> command.)
        If the zone was originally added via
        <command>rndc addzone</command>, then it will be
        removed permanently. However, if it was originally
        configured in <filename>named.conf</filename>, then
        that original configuration is still in place; when
        the server is restarted or reconfigured, the zone will
        come back. To remove it permanently, it must also be
        removed from <filename>named.conf</filename>.
        See also <command>rndc addzone</command> and <command>rndc modzone</command>.
      </varlistentry>
      <varlistentry>
        <term><userinput>dnstap ( -reopen | -roll <optional><replaceable>number</replaceable></optional> )</userinput></term>
        Close and re-open DNSTAP output files.
        <command>rndc dnstap -reopen</command> allows the output
        file to be renamed externally, then re-opened.
        <command>rndc dnstap -roll</command> causes the output file
        to be rolled automatically, similar to log files; the most
        recent output file has ".0" appended to its name; the
        previous most recent output file is moved to ".1", and so on.
        If <replaceable>number</replaceable> is specified, then the
        number of backup log files is limited to that number.
      </varlistentry>
      <varlistentry>
        <term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
        Dump the server's caches (default) and/or zones to
        the dump file for the specified views. If no view is
        specified, all
        views are dumped.
        (See the <command>dump-file</command> option in
        the BIND 9 Administrator Reference Manual.)
      </varlistentry>
      <varlistentry>
        <term><userinput>flush</userinput></term>
        Flushes the server's cache.
      </varlistentry>
      <varlistentry>
        <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
        Flushes the given name from the view's DNS cache
        and, if applicable, from the view's nameserver address
        database, bad server cache and SERVFAIL cache.
      </varlistentry>
      <varlistentry>
        <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
        Flushes the given name, and all of its subdomains,
        from the view's DNS cache, address database,
        bad server cache, and SERVFAIL cache.
      </varlistentry>
      <varlistentry>
        <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
        Suspend updates to a dynamic zone. If no zone is
        specified, then all zones are suspended. This allows
        manual edits to be made to a zone normally updated by
        dynamic update. It also causes changes in the
        journal file to be synced into the master file.
        All dynamic update attempts will be refused while
        the zone is frozen.
      </varlistentry>
      <varlistentry>
        <term><userinput>halt <optional>-p</optional></userinput></term>
        Stop the server immediately. Recent changes
        made through dynamic update or IXFR are not saved to
        the master files, but will be rolled forward from the
        journal files when the server is restarted.
        If <option>-p</option> is specified, <command>named</command>'s process id is returned.
        This allows an external process to determine when <command>named</command>
        has completed halting.
      </varlistentry>
      <varlistentry>
        <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        Fetch all DNSSEC keys for the given zone
        from the key directory. If they are within
        their publication period, merge them into the
        zone's DNSKEY RRset. Unlike <command>rndc
        sign</command>, however, the zone is not
        immediately re-signed by the new keys, but is
        allowed to incrementally re-sign over time.
        This command requires that the
        <command>auto-dnssec</command> zone option
        be set,
        and also requires the zone to be configured to
        allow dynamic DNS.
        (See "Dynamic Update Policies" in the Administrator
        Reference Manual for more details.)
      </varlistentry>
      <varlistentry>
        <term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        When run with the "status" keyword, print the current
        status of the managed-keys database for the specified
        view, or for all views if none is specified. When run
        with the "refresh" keyword, force an immediate refresh
        of all the managed-keys in the specified view, or all
        views. When run with the "sync" keyword, force an
        immediate dump of the managed-keys database to disk (in
        the file <filename>managed-keys.bind</filename> or
        <filename><replaceable>viewname</replaceable>.mkeys</filename>).
      </varlistentry>
      <varlistentry>
        <term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
        Modify the configuration of a zone while the server
        is running. This command requires the
        <command>allow-new-zones</command> option to be
        <replaceable>configuration</replaceable> string
        specified on the command line is the zone
        configuration text that would ordinarily be
        If the zone was originally added via
        <command>rndc addzone</command>, the configuration
        changes will be recorded permanently and will still be
        in effect after the server is restarted or reconfigured.
        However, if it was originally configured in
        <filename>named.conf</filename>, then that original
        configuration is still in place; when the server is
        restarted or reconfigured, the zone will revert to
        its original configuration. To make the changes
        permanent, it must also be modified in
        See also <command>rndc addzone</command> and <command>rndc delzone</command>.
      </varlistentry>
      <varlistentry>
        <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        Resend NOTIFY messages for the zone.
      </varlistentry>
      <varlistentry>
        <term><userinput>notrace</userinput></term>
        Sets the server's debugging level to 0.
      </varlistentry>
      <varlistentry>
        <term><userinput>nta
        <optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
        <replaceable>domain</replaceable>
        <optional><replaceable>view</replaceable></optional>
        </userinput></term>
        Sets a DNSSEC negative trust anchor (NTA)
        for <option>domain</option>, with a lifetime of
        <option>duration</option>. The default lifetime is
        configured in <filename>named.conf</filename> via the
        <option>nta-lifetime</option> option, and defaults to
        one hour. The lifetime cannot exceed one week.
        A negative trust anchor selectively disables
        DNSSEC validation for zones that are known to be
        failing because of misconfiguration rather than
        an attack. When data to be validated is
        at or below an active NTA (and above any other
        configured trust anchors), <command>named</command> will
        abort the DNSSEC validation process and treat the data as
        insecure rather than bogus. This continues until the
        NTA's lifetime has elapsed.
        NTAs persist across restarts of the <command>named</command> server.
        The NTAs for a view are saved in a file called
        <filename><replaceable>name</replaceable>.nta</filename>,
        where <replaceable>name</replaceable> is the
        name of the view, or if it contains characters
        that are incompatible with use as a file name, a
        cryptographic hash generated from the name
        An existing NTA can be removed by using the
        An NTA's lifetime can be specified with the
        <option>-lifetime</option> option. TTL-style
        suffixes can be used to specify the lifetime in
        seconds, minutes, or hours. If the specified NTA
        already exists, its lifetime will be updated to the
        new value. Setting <option>lifetime</option> to zero
        If <option>-dump</option> is used, any other arguments
        are ignored, and a list of existing NTAs is printed
        (note that this may include NTAs that are expired but
        have not yet been cleaned up).
        Normally, <command>named</command> will periodically
        test to see whether data below an NTA can now be
        validated (see the <option>nta-recheck</option> option
b9804822fb178b0fc27ce967a6a8cedc42c5bf90Christian Maeder in the Administrator Reference Manual for details).
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder If data can be validated, then the NTA is regarded as
95c3e5d11dcee331dc3876a9bf0c1d6daa38e2caChristian Maeder no longer necessary, and will be allowed to expire
b9804822fb178b0fc27ce967a6a8cedc42c5bf90Christian Maeder early. The <option>-force</option> overrides this
e24d81c69aecd41abb2f4969519c9e7126b1d687Christian Maeder behavior and forces an NTA to persist for its entire
b9804822fb178b0fc27ce967a6a8cedc42c5bf90Christian Maeder lifetime, regardless of whether data could be
22dac733a93bc32b8db195625edea6364079a89eChristian Maeder validated if the NTA were not present.
22dac733a93bc32b8db195625edea6364079a89eChristian Maeder All of these options can be shortened, i.e., to
22dac733a93bc32b8db195625edea6364079a89eChristian Maeder <option>-l</option>, <option>-r</option>, <option>-d</option>,
22dac733a93bc32b8db195625edea6364079a89eChristian Maeder </varlistentry>
<varlistentry>
<term><userinput>querylog</userinput> <optional>on|off</optional> </term>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
Query logging can also be enabled
by explicitly directing the <command>queries</command>
<filename>named.conf</filename> or by specifying
</varlistentry>
<varlistentry>
<term><userinput>reconfig</userinput></term>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <command>reload</command> when there
is a large number of zones because it avoids the need
to examine the modification times of the zone files.
</varlistentry>
<varlistentry>
<term><userinput>recursing</userinput></term>
Dump the list of queries <command>named</command> is currently
recursing on, and the list of domains to which iterative
queries are currently being sent. (The second list includes
the number of fetches currently active for the given domain,
and how many have been passed or dropped because of the
</varlistentry>
<varlistentry>
<term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Schedule zone maintenance for the given zone.
</varlistentry>
<varlistentry>
Reload configuration file and zones.
</varlistentry>
<varlistentry>
<term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Reload the given zone.
</varlistentry>
<varlistentry>
<term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Retransfer the given slave zone from the master server.
If the zone is configured to use
<command>inline-signing</command>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
</varlistentry>
<varlistentry>
Scan the list of available network interfaces
for changes, without performing a full
<command>reconfig</command> or waiting for the
<command>interface-interval</command> timer.
</varlistentry>
<varlistentry>
<term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
Dump the server's security roots and negative trust anchors
for the specified views. If no view is specified, all views
If the first argument is "-", then the output is
returned via the <command>rndc</command> response channel
and printed to the standard output.
Otherwise, it is written to the secroots dump file, which
defaults to <filename>named.secroots</filename>, but can be
overridden via the <option>secroots-file</option> option in
See also <command>rndc managed-keys</command>.
</varlistentry>
<varlistentry>
<term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
Print the configuration of a running zone.
</varlistentry>
<varlistentry>
<term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
This command requires that the
<command>auto-dnssec</command> zone option be set
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</varlistentry>
<varlistentry>
<term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
List, edit, or remove the DNSSEC signing state records
for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<command>rndc signing -list</command> converts
these records into a human-readable form,
indicating which keys are currently signing
or have finished signing the zone, and which NSEC3
chains are being created or removed.
<command>rndc signing -clear</command> can remove
a single key (specified in the same format that
<command>rndc signing -list</command> uses to
display it), or all keys. In either case, only
completed keys are removed; any record indicating
that a key has not yet finished signing the zone
will be retained.
<command>rndc signing -nsec3param</command> sets
the NSEC3 parameters for a zone. This is the
only supported mechanism for using NSEC3 with
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
flags, iterations, and salt, in that order.
Currently, the only defined value for hash algorithm
is <literal>1</literal>, representing SHA-1.
<literal>0</literal> or <literal>1</literal>,
depending on whether you wish to set the opt-out
bit in the NSEC3 chain. <option>iterations</option>
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<option>salt</option> is a string of data expressed
in hexadecimal, a hyphen (`-') if no salt is
to be used, or the keyword <literal>auto</literal>,
which causes <command>named</command> to generate a
random 64-bit salt.
So, for example, to create an NSEC3 chain using
the SHA-1 hash algorithm, no opt-out flag,
10 iterations, and a salt value of "FFFF", use:
<command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
To set the opt-out flag, 15 iterations, and no
<command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
<command>rndc signing -nsec3param none</command>
removes an existing NSEC3 chain and replaces it
<command>rndc signing -serial value</command> sets
the serial number of the zone to value. If the value
would cause the serial number to go backwards, it will
be rejected. The primary use is to set the serial on
inline signed zones.
</varlistentry>
<varlistentry>
Write server statistics to the statistics file.
(See the <command>statistics-file</command> option in
the BIND 9 Administrator Reference Manual.)
</varlistentry>
<varlistentry>
Display status of the server.
Note that the number of zones includes the internal <command>bind/CH</command> zone
hint zone if there is not an
explicit root zone configured.
</varlistentry>
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <option>-p</option> is specified, <command>named</command>'s process id is returned.
This allows an external process to determine when <command>named</command>
has completed stopping.
<para>See also <command>rndc halt</command>.</para>
</varlistentry>
<varlistentry>
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
</varlistentry>
<varlistentry>
<term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
<para>See also <command>rndc freeze</command>.</para>
</varlistentry>
<varlistentry>
Increment the server's debugging level by one.
</varlistentry>
<varlistentry>
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
Sets the server's debugging level to an explicit
</varlistentry>
<varlistentry>
<term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
</varlistentry>
<varlistentry>
List the names of all TSIG keys currently configured
for use by <command>named</command> in each view. The
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
Enable, disable, or check the current status of
DNSSEC validation.
Note <command>dnssec-enable</command> also needs to be
<userinput>auto</userinput> to be effective.
It defaults to enabled.
</varlistentry>
<varlistentry>
<term><userinput>zonestatus <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
</varlistentry>
</variablelist>
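The lifetime rules given for rndc nta above, written as a pre-flight check that runs before the command is issued. This is an added example, not part of this man page or of BIND; the function names are hypothetical, only the s, m and h suffixes named above are accepted, a zero lifetime is rejected as this helper's own choice, and rndc is handed a plain number of seconds.

```python
import re

MAX_NTA_LIFETIME = 7 * 24 * 3600        # "The lifetime cannot exceed one week"
_UNITS = {"s": 1, "m": 60, "h": 3600}   # seconds, minutes, or hours

# One DNS label: 1-63 characters, never starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?"
_DOMAIN = re.compile(r"(?:%s\.)*%s\.?" % (_LABEL, _LABEL))


def parse_lifetime(text):
    """Convert a TTL-style duration ('3600', '90m', '1h30m') to seconds."""
    text = text.strip().lower()
    if re.fullmatch(r"[0-9]+", text):
        seconds = int(text)              # a bare number is already seconds
    elif re.fullmatch(r"(?:[0-9]+[smh])+", text):
        seconds = sum(int(n) * _UNITS[u]
                      for n, u in re.findall(r"([0-9]+)([smh])", text))
    else:
        raise ValueError("unrecognised duration %r" % text)
    if seconds == 0:
        # Helper policy (assumption): creating an NTA needs a positive lifetime.
        raise ValueError("zero lifetime is not accepted by this helper")
    if seconds > MAX_NTA_LIFETIME:
        raise ValueError("lifetime %ds exceeds the one-week maximum" % seconds)
    return seconds


def build_nta_argv(domain, lifetime=None, view=None):
    """Return an argument vector for 'rndc nta [-lifetime N] domain [view]'."""
    # A domain or view beginning with '-' would be read as an option
    # (for example -dump or -remove), so both are checked before use.
    if len(domain) > 253 or not _DOMAIN.fullmatch(domain):
        raise ValueError("not a plain domain name: %r" % domain)
    argv = ["rndc", "nta"]
    if lifetime is not None:
        argv += ["-lifetime", str(parse_lifetime(lifetime))]
    argv.append(domain)
    if view is not None:
        if not view or view.startswith("-") or any(c.isspace() for c in view):
            raise ValueError("bad view name: %r" % view)
        argv.append(view)
    return argv


if __name__ == "__main__":
    # Constructed request: a 90 minute NTA for a zone with a broken signature chain.
    print(build_nta_argv("broken.example.com", "1h30m"))
```

The returned list is meant to be passed to subprocess.run() as is, without a shell, so the domain and view are never re-parsed as command text.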
</refsection>
<refsection><info><title>LIMITATIONS</title></info>
There is currently no way to provide the shared secret for a
<option>key_id</option> without using the configuration file.
Several error messages could be clearer.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</refsection>