rndc.docbook revision b8a9632333a92d73a503afe1aaa7990016c8bee9
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<refentryinfo>
</refentryinfo>
<refentrytitle><application>rndc</application></refentrytitle>
<refnamediv>
<refpurpose>name server control utility</refpurpose>
</refnamediv>
<copyright>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
</copyright>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
controls the operation of a name
server. It supersedes the <command>ndc</command> utility
that was provided in old BIND releases. If
<command>rndc</command> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
versions of
<command>rndc</command> and <command>named</command>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
</refsect1>
<variablelist>
<varlistentry>
<term>-b <replaceable class="parameter">source-address</replaceable></term>
Use <replaceable class="parameter">source-address</replaceable>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
Use <replaceable class="parameter">config-file</replaceable>
as the configuration file instead of the default,
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key-file</replaceable></term>
Use <replaceable class="parameter">key-file</replaceable>
as the key file instead of the default,
authenticate
commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
does not exist.
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">server</replaceable></term>
<para><replaceable class="parameter">server</replaceable> is
the name or address of the server which matches a
server statement in the configuration file for
<command>rndc</command>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <command>rndc</command>
configuration file will be used.
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
Send commands to TCP port
of BIND 9's default control channel port, 953.
</listitem>
</varlistentry>
<varlistentry>
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
</listitem>
</varlistentry>
<varlistentry>
Enable verbose logging.
</listitem>
</varlistentry>
<varlistentry>
<term>-y <replaceable class="parameter">key_id</replaceable></term>
Use the key <replaceable class="parameter">key_id</replaceable>
from the configuration file.
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <replaceable class="parameter">key_id</replaceable>
is specified, <command>rndc</command> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
</listitem>
</varlistentry>
</variablelist>
</refsect1>
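Added example (not part of the BIND source or of this manual page): a Python audit of an rndc configuration file against two points made above, namely that the file holds shared secrets and should not have general read or write access, and that HMAC-MD5 is supported only for compatibility. It also resolves which key rndc would select, following the -y description. The sample configuration, key names, host names and secrets are constructed, and falling back to default-key when a server statement has no key clause is an assumption.

```python
import os
import re
import stat

# Algorithm names from the page, in rndc.conf spelling; HMAC-MD5 is listed
# there as "for compatibility".
SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha224",
             "hmac-sha256", "hmac-sha384", "hmac-sha512"}
COMPAT_ONLY = {"hmac-md5"}

# Constructed sample; key names, hosts and secrets are made up.
SAMPLE = '''
key "legacy-key" { algorithm hmac-md5;    secret "Y29uc3RydWN0ZWQ="; };
key "ops-key"    { algorithm hmac-sha256; secret "c2FtcGxl//c2VjcmV0"; };
server ns1.example.net { key "legacy-key"; };   # per-server key clause
options { default-server 127.0.0.1; default-key "ops-key"; };
'''

# Strings are matched first so "//" or "#" inside a secret is not a comment.
_TOKEN = re.compile(
    r'"([^"\n]*)"|/\*.*?\*/|//[^\n]*|#[^\n]*|([{};])|([^\s{};"]+)', re.S)


def tokenize(text):
    """Split configuration text into words, strings and punctuation."""
    return [g for m in _TOKEN.finditer(text) for g in m.groups()
            if g is not None]


def parse(tokens, i=0):
    """Return (statements, next_index); a '{...}' block is a nested list."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "{":
            block, i = parse(tokens, i)
            cur.append(block)
        elif tok == "}":
            break
        elif tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    return stmts, i


def load(text):
    """Collect key, server and options statements from rndc.conf text."""
    keys, servers, options = {}, {}, {}
    for stmt in parse(tokenize(text))[0]:
        body = next((x for x in stmt if isinstance(x, list)), [])
        clauses = {c[0]: c[1] for c in body if len(c) >= 2
                   and isinstance(c[0], str) and isinstance(c[1], str)}
        named = len(stmt) >= 3 and isinstance(stmt[1], str)
        if stmt[0] == "key" and named:
            keys[stmt[1]] = clauses
        elif stmt[0] == "server" and named:
            servers[stmt[1]] = clauses
        elif stmt[0] == "options":
            options = clauses
    return keys, servers, options


def resolve_key(servers, options, server=None, key_id=None):
    """Pick the key as the -y text describes: -y, server key, default-key."""
    if key_id:
        return key_id
    server = server or options.get("default-server")
    # Assumption: a server statement without a key clause also falls back.
    return servers.get(server, {}).get("key") or options.get("default-key")


def audit(path, server=None, key_id=None):
    """Return a list of findings for the configuration file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} gives general read or "
                        "write access to a file holding shared secrets")
    with open(path, encoding="utf-8") as fh:
        keys, servers, options = load(fh.read())
    for name, clauses in keys.items():
        alg = clauses.get("algorithm", "").lower()
        if alg not in SUPPORTED:
            findings.append(f"key {name}: algorithm {alg!r} not supported")
        elif alg in COMPAT_ONLY:
            findings.append(f"key {name}: {alg} is compatibility-only; "
                            "the default is hmac-sha256")
        if not clauses.get("secret"):
            findings.append(f"key {name}: no secret configured")
    chosen = resolve_key(servers, options, server, key_id)
    if chosen is not None and chosen not in keys:
        findings.append(f"selected key {chosen!r} is not defined in {path}")
    return findings
```

Writing SAMPLE to a file with mode 0644 and calling audit on it with server="ns1.example.net" reports the file mode and the hmac-md5 key; the same key must still be configured in named for control messages to validate.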
A list of commands supported by <command>rndc</command> can
be seen by running <command>rndc</command> without arguments.
Currently supported commands are:
<variablelist>
<varlistentry>
Reload configuration file and zones.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Reload the given zone.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Schedule zone maintenance for the given zone.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Retransfer the given slave zone from the master server.
If the zone is configured to use
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
signatures.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
This command requires that the
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <command>rndc
sign</command>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
This command requires that the
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
</listitem>
</varlistentry>
<varlistentry>
Scan the list of available network interfaces
for changes, without performing a full
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
<listitem>
Resend NOTIFY messages for the zone.
</listitem>
</varlistentry>
<varlistentry>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <command>reload</command> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
</listitem>
</varlistentry>
<varlistentry>
Write server statistics to the statistics file.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>querylog</userinput> <optional>on|off</optional> </term>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
Query logging can also be enabled
by explicitly directing the <command>queries</command>
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
dump file for the specified views. If no view is
specified, all
views are dumped.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
Dump the server's security roots and negative trust anchors
to the secroots file for the specified views. If no view is
specified, all views are dumped.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>stop <optional>-p</optional></userinput></term>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <option>-p</option> is specified, <command>named</command>'s process ID is returned.
This allows an external process to determine when <command>named</command>
has completed stopping.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>halt <optional>-p</optional></userinput></term>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <option>-p</option> is specified, <command>named</command>'s process ID is returned.
This allows an external process to determine when <command>named</command>
has completed halting.
</listitem>
</varlistentry>
<varlistentry>
Increment the server's debugging level by one.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
Sets the server's debugging level to an explicit
</listitem>
</varlistentry>
<varlistentry>
Sets the server's debugging level to 0.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Flushes the server's cache.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name from the server's DNS cache
and, if applicable, from the server's nameserver address
database or bad-server cache.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>flushtree</userinput> <optional>-all</optional> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
Flushes the given name, and all of its subdomains,
from the server's DNS cache, the address database,
and the bad server cache.
</listitem>
</varlistentry>
<varlistentry>
Display status of the server.
Note that the number of zones includes the internal <command>bind/CH</command> zone
hint zone if there is not an
explicit root zone configured.
</listitem>
</varlistentry>
<varlistentry>
Dump the list of queries <command>named</command> is currently recursing
</listitem>
</varlistentry>
ea92d0ffcb30b186010a2c8ca2c80d2ac09e34dastoddard <varlistentry>
ea92d0ffcb30b186010a2c8ca2c80d2ac09e34dastoddard <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
ea92d0ffcb30b186010a2c8ca2c80d2ac09e34dastoddard Enable, disable, or check the current status of
71f3601de4983bc2a6aaffcf37dc1d35c8674a34coar DNSSEC validation.
ea92d0ffcb30b186010a2c8ca2c80d2ac09e34dastoddard It defaults to enabled.
71f3601de4983bc2a6aaffcf37dc1d35c8674a34coar </listitem>
71f3601de4983bc2a6aaffcf37dc1d35c8674a34coar </varlistentry>
<varlistentry>
<optional>( -d | -f | -r | -l <replaceable>duration</replaceable>)</optional>
<listitem>
Sets a DNSSEC negative trust anchor (NTA)
one hour. The lifetime cannot exceed one day.
A negative trust anchor selectively disables
DNSSEC validation for zones that are known to be
failing because of misconfiguration rather than
an attack. When data to be validated is
at or below an active NTA (and above any other
configured trust anchors), <command>named</command> will
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime has elapsed, or until the server is
restarted (NTAs do not persist across restarts).
An existing NTA can be removed by using the
An NTA's lifetime can be specified with the
suffixes can be used to specify the lifetime in
seconds, minutes, or hours. If the specified NTA
already exists, its lifetime will be updated to the
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
test to see whether data below an NTA can now be
in the Administrator Reference Manual for details).
If data can be validated, then the NTA is regarded as
no longer necessary, and will be allowed to expire
behavior and forces an NTA to persist for its entire
lifetime, regardless of whether data could be
validated if the NTA were not present.
All of these options can be shortened, i.e., to
<option>-l</option>, <option>-r</option>, <option>-d</option>,
</listitem>
</varlistentry>
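The coverage rule described above (data at or below an active NTA, and above any other configured trust anchor, is treated as insecure rather than bogus), modelled as an added Python example; it is not BIND's code and not part of this manual page. The names <literal>NtaTable</literal>, <literal>validation_result</literal> and <literal>chain_ok</literal> are hypothetical, and treating an NTA whose name equals a trust anchor's name as covered is an assumption.

```python
DEFAULT_LIFETIME = 3600   # seconds; the page gives a default of one hour
MAX_LIFETIME = 86400      # seconds; the page caps the lifetime at one day


def labels(name):
    """Split a domain name into lowercase labels, root side first."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []


def at_or_below(name, ancestor):
    """True when `name` equals `ancestor` or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return n[:len(a)] == a


def closest_encloser(name, candidates):
    """Deepest candidate that `name` is at or below, or None."""
    hits = [c for c in candidates if at_or_below(name, c)]
    return max(hits, key=lambda c: len(labels(c)), default=None)


class NtaTable:
    """Hypothetical in-memory model of a resolver's NTA list."""

    def __init__(self):
        self.expiry = {}  # NTA name -> expiry time in seconds

    def add(self, name, now, lifetime=DEFAULT_LIFETIME):
        if lifetime > MAX_LIFETIME or 0 >= lifetime:
            raise ValueError("lifetime must be positive and at most one day")
        # Adding a name that is already present replaces its expiry.
        self.expiry[name.rstrip(".").lower()] = now + lifetime

    def validation_result(self, name, now, trust_anchors, chain_ok):
        """Classify data at `name` as 'secure', 'insecure' or 'bogus'."""
        anchor = closest_encloser(name, trust_anchors)
        if anchor is None:
            return "insecure"  # no trust anchor covers this name at all
        # Expired entries may still be stored; they no longer count.
        active = [n for n, t in self.expiry.items() if t > now]
        nta = closest_encloser(name, active)
        # The NTA applies only if no trust anchor lies between it and the data.
        if nta is not None and at_or_below(nta, anchor):
            return "insecure"  # validation is aborted, data is not bogus
        return "secure" if chain_ok else "bogus"
```

A trust anchor configured below the NTA restores validation for its subtree, so a broken chain there is still reported as bogus.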
<varlistentry>
<listitem>
List the names of all TSIG keys currently configured
list both statically configured keys and dynamic
TKEY-negotiated keys.
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
Add a zone while the server is running. This
command requires the
specified on the command line is the zone
configuration text that would ordinarily be
The configuration is saved in a file called
<filename><replaceable>hash</replaceable>.nzf</filename>,
cryptographic hash generated from the name of
restarted, the file will be loaded into the view
configuration, so that zones that were added
can persist after a restart.
to the default view:
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
(Note the brackets and semi-colon around the zone
configuration text.)
</listitem>
</varlistentry>
<varlistentry>
<term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
Delete a zone while the server is running.
Only zones that were originally added via
in this manner.
the zone's master file (and journal file, if any)
will be deleted along with the zone. Without the
be cleaned up by hand. (If the zone is of
type "slave" or "stub", the files needing to
be cleaned up will be reported in the output
</listitem>
<term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>