rndc.html revision 217efc6ec8d3ea9f96d428aae04acb1ef04b3368
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington - License, v. 2.0. If a copy of the MPL was not distributed with this
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington - file, You can obtain one at http://mozilla.org/MPL/2.0/.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<a name="man.rndc"></a><div class="titlepage"></div>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence — name server control utility
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt <p><span class="command"><strong>rndc</strong></span>
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt controls the operation of a name
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt server. It supersedes the <span class="command"><strong>ndc</strong></span> utility
b984520acca2532d048eae929dc0682dd334c7a3Brian Wellington that was provided in old BIND releases. If
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington <span class="command"><strong>rndc</strong></span> is invoked with no command line
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington options or arguments, it prints a short summary of the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews supported commands and the available options and their
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <p><span class="command"><strong>rndc</strong></span>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews communicates with the name server over a TCP connection, sending
0e5d6900bdfcbeef8919e6fb453ca6c44f62ccd8Brian Wellington commands authenticated with digital signatures. In the current
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington the only supported authentication algorithms are HMAC-MD5
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson (default), HMAC-SHA384 and HMAC-SHA512.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson They use a shared secret on each end of the connection.
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington This provides TSIG-style authentication for the command
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson request and the name server's response. All commands sent
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson over the channel must be signed by a key_id known to the
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <p><span class="command"><strong>rndc</strong></span>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson reads a configuration file to
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson determine how to contact the name server and decide what
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington algorithm and key it should use.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <div class="variablelist"><dl class="variablelist">
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson Use <em class="replaceable"><code>source-address</code></em>
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington as the source address for the connection to the server.
e61793f0865117ad87a19d6e245bea8f3b712d1bDanny Mayer Multiple instances are permitted to allow setting of both
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington the IPv4 and IPv6 source addresses.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson Use <em class="replaceable"><code>config-file</code></em>
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson as the configuration file instead of the default,
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson <code class="filename">/etc/rndc.conf</code>.
4755b174df8221dff7e872f21d42b3572a74bf2fAndreas Gustafsson<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
0e5d6900bdfcbeef8919e6fb453ca6c44f62ccd8Brian Wellington Use <em class="replaceable"><code>key-file</code></em>
e61793f0865117ad87a19d6e245bea8f3b712d1bDanny Mayer as the key file instead of the default,
0e5d6900bdfcbeef8919e6fb453ca6c44f62ccd8Brian Wellington <code class="filename">/etc/rndc.key</code>. The key in
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <code class="filename">/etc/rndc.key</code> will be used to
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews authenticate
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews does not exist.
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater <p><em class="replaceable"><code>server</code></em> is
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater the name or address of the server which matches a
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews server statement in the configuration file for
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>rndc</strong></span>. If no server is supplied on the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews command line, the host named by the default-server clause
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews in the options statement of the <span class="command"><strong>rndc</strong></span>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews configuration file will be used.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater Send commands to TCP port
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater <em class="replaceable"><code>port</code></em>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater of BIND 9's default control channel port, 953.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Quiet mode: Message text returned by the server
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews will not be printed except when there is an error.
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater Instructs <span class="command"><strong>rndc</strong></span> to print the result code
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater returned by <span class="command"><strong>named</strong></span> after executing the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Enable verbose logging.
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater Use the key <em class="replaceable"><code>key_id</code></em>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater from the configuration file.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <em class="replaceable"><code>key_id</code></em>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews in order for control message validation to succeed.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews If no <em class="replaceable"><code>key_id</code></em>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews is specified, <span class="command"><strong>rndc</strong></span> will first look
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews for a key clause in the server statement of the server
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews being used, or if no server statement is present for that
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater host, then the default-key clause of the options statement.
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater Note that the configuration file contains shared secrets
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater which are used to send authenticated control commands
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater to name servers. It should therefore not have general read
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater or write access.
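An audit of the points above, as an added example that is not part of the BIND distribution: it resolves which key rndc would select using the lookup order just described, flags HMAC-MD5, and checks that the configuration file has no general read or write access. The sample configuration, host names, key names and secret are constructed; treating HMAC-MD5 as a finding is this example's own policy, and /* */ comments are not parsed.

```shell
#!/bin/sh
# Added example (not from the BIND distribution): audit an rndc configuration file.

# rndc_key_for CONF [SERVER] [KEY_ID]
# Prints "server key_id algorithm" for the key rndc would select, following
# the lookup order in the man page: explicit key_id (-y), else the key clause
# of the matching server statement, else the options default-key clause.
# SERVER defaults to the options default-server clause (as with no -s).
# Simplification (assumption of this example): /* ... */ comments are not handled.
rndc_key_for() {
    awk -v want="$2" -v kid="$3" '
    {
        sub(/(^|[ \t])(#|\/\/).*/, "")   # drop shell and C++ style comments
        gsub(/[{};]/, " & ")             # braces and semicolons become tokens
        gsub(/"/, "")                    # names may be quoted
        for (i = 1; i <= NF; i++) tok[++n] = $i
    }
    END {
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "{") { depth++; continue }
            if (t == "}") { if (--depth == 0) blk = ""; continue }
            if (t == ";") continue
            if (depth == 0) {
                if (t == "options") blk = t
                else if (t == "server" || t == "key") { blk = t; name = tok[++i] }
            }
            else if (blk == "options" && t == "default-server") dsrv = tok[++i]
            else if (blk == "options" && t == "default-key") dkey = tok[++i]
            else if (blk == "server" && t == "key") skey[name] = tok[++i]
            else if (blk == "key" && t == "algorithm") alg[name] = tolower(tok[++i])
        }
        srv = (want != "") ? want : dsrv
        if (kid == "") kid = (srv in skey) ? skey[srv] : dkey
        if (kid == "" || !(kid in alg)) exit 1   # key not defined in this file
        print srv, kid, alg[kid]
    }' "$1"
}

# world_rw FILE: succeeds when "other" has read or write permission, which
# the man page says a file holding shared secrets should not have.
world_rw() {
    [ "$(ls -ldL -- "$1" | cut -c8-9)" != "--" ]
}

# audit_rndc_conf CONF [SERVER] [KEY_ID]
# Prints one line per check and returns the number of failed checks.
audit_rndc_conf() {
    failed=0
    if [ ! -f "$1" ]; then echo "FAIL $1: no such file"; return 1; fi
    if world_rw "$1"; then
        echo "FAIL $1: readable or writable by other users"
        failed=$((failed + 1))
    else
        echo "ok   $1: no general read or write access"
    fi
    if sel=$(rndc_key_for "$1" "$2" "$3"); then
        case ${sel##* } in
            hmac-md5) echo "FAIL selected key ($sel): HMAC-MD5 is for compatibility only"
                      failed=$((failed + 1)) ;;
            *)        echo "ok   selected key ($sel)" ;;
        esac
    else
        echo "FAIL no usable key definition for the requested server/key_id"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample configuration; every name and the secret are placeholders.
demo_conf() {
    cat <<'EOF'
# constructed sample for the audit example
options {
    default-server ns1.example.net;
    default-key "ops-key";
};
server ns1.example.net {
    key "legacy-key";
};
key "ops-key" {
    algorithm hmac-sha256;
    secret "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=";
};
key "legacy-key" {
    algorithm hmac-md5;
    secret "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=";
};
EOF
}

# Demo: a world-readable file whose default server is bound to an HMAC-MD5 key.
tmp=$(mktemp) && demo_conf > "$tmp" && chmod 644 "$tmp"
audit_rndc_conf "$tmp" || echo "findings: $?"
rm -f "$tmp"
```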
76c8294c81fb48b1da6e1fc5b83322a4cedb8e58Andreas Gustafsson A list of commands supported by <span class="command"><strong>rndc</strong></span> can
76c8294c81fb48b1da6e1fc5b83322a4cedb8e58Andreas Gustafsson be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Currently supported commands are:
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <div class="variablelist"><dl class="variablelist">
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington Add a zone while the server is running. This
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington command requires the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>allow-new-zones</strong></span> option to be set
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington to <strong class="userinput"><code>yes</code></strong>. The
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington <em class="replaceable"><code>configuration</code></em> string
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington specified on the command line is the zone
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington configuration text that would ordinarily be
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington placed in <code class="filename">named.conf</code>.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews The configuration is saved in a file called
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews where <em class="replaceable"><code>name</code></em> is the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews name of the view, or if it contains characters
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington that are incompatible with use as a file name, a
020ebf119089ef68070d6a0df2def3142f1eeff4Brian Wellington cryptographic hash generated from the name
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews When <span class="command"><strong>named</strong></span> is
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews restarted, the file will be loaded into the view
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews configuration, so that zones that were added
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews can persist after a restart.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews This sample <span class="command"><strong>addzone</strong></span> command
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews would add the zone <code class="literal">example.com</code>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews to the default view:
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt (Note the brackets and semi-colon around the zone
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt configuration text.)
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt Delete a zone while the server is running.
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt If the <code class="option">-clean</code> argument is specified,
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt the zone's master file (and journal file, if any)
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt will be deleted along with the zone. Without the
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt <code class="option">-clean</code> option, zone files must
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt be cleaned up by hand. (If the zone is of
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt type "slave" or "stub", the files needing to
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt be cleaned up will be reported in the output
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt of the <span class="command"><strong>rndc delzone</strong></span> command.)
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt If the zone was originally added via
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt <span class="command"><strong>rndc addzone</strong></span>, then it will be
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt removed permanently. However, if it was originally
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt configured in <code class="filename">named.conf</code>, then
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt that original configuration is still in place; when
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt the server is restarted or reconfigured, the zone will
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt come back. To remove it permanently, it must also be
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt removed from <code class="filename">named.conf</code>.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt Close and re-open DNSTAP output files.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt file to be renamed externally, so
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt that <span class="command"><strong>named</strong></span> can truncate and re-open it.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt <span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt to be rolled automatically, similar to log files; the most
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt recent output file has ".0" appended to its name; the
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt previous most recent output file is moved to ".1", and so on.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt If <em class="replaceable"><code>number</code></em> is specified, then the
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt number of backup log files is limited to that number.
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt Dump the server's caches (default) and/or zones to
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt the dump file for the specified views. If no view
bf9b852c3eaf2c9847f926751b57a06f1ae3d72aEvan Hunt is specified, all views are dumped.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt (See the <span class="command"><strong>dump-file</strong></span> option in
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt the BIND 9 Administrator Reference Manual.)
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington Flushes the server's cache.
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington Flushes the given name from the view's DNS cache
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington and, if applicable, from the view's nameserver address
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington database, bad server cache and SERVFAIL cache.
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington Flushes the given name, and all of its subdomains,
e552b980379e3a7ffce1411a939c62e27f953133Brian Wellington from the view's DNS cache, address database,
e552b980379e3a7ffce1411a939c62e27f953133Brian Wellington bad server cache, and SERVFAIL cache.
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington Suspend updates to a dynamic zone. If no zone is
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6Andreas Gustafsson specified, then all zones are suspended. This allows
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington manual edits to be made to a zone normally updated by
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington dynamic update. It also causes changes in the
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington journal file to be synced into the master file.
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington All dynamic update attempts will be refused while
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington the zone is frozen.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews See also <span class="command"><strong>rndc thaw</strong></span>.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Stop the server immediately. Recent changes
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews made through dynamic update or IXFR are not saved to
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews the master files, but will be rolled forward from the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews journal files when the server is restarted.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews This allows an external process to determine when <span class="command"><strong>named</strong></span>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews has completed halting.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews See also <span class="command"><strong>rndc stop</strong></span>.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Fetch all DNSSEC keys for the given zone
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews from the key directory. If they are within
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews their publication period, merge them into the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews immediately re-signed by the new keys, but is
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews allowed to incrementally re-sign over time.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews This command requires that the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews be set to <code class="literal">maintain</code>,
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews and also requires the zone to be configured to
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington allow dynamic DNS.
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington (See "Dynamic Update Policies" in the Administrator
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington Reference Manual for more details.)
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington When run with the "status" keyword, print the current
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington status of the managed-keys database for the specified
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington view, or for all views if none is specified. When run
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington with the "refresh" keyword, force an immediate refresh
ff7b9eede951083d1f8a1ad919611659c3e20b34Brian Wellington of all the managed-keys in the specified view, or all
713ad87a7f95d06f4bb3e0b92b91172cbebd6c68Mark Andrews views. When run with the "sync" keyword, force an
7863e6bd4396e99a82805feccb59275530670829Andreas Gustafsson immediate dump of the managed-keys database to disk (in
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington the file <code class="filename">managed-keys.bind</code> or
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington <code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington Modify the configuration of a zone while the server
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington is running. This command requires the
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington <span class="command"><strong>allow-new-zones</strong></span> option to be
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington set to <strong class="userinput"><code>yes</code></strong>. As with
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6Andreas Gustafsson <span class="command"><strong>addzone</strong></span>, the
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6Andreas Gustafsson <em class="replaceable"><code>configuration</code></em> string
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington specified on the command line is the zone
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington configuration text that would ordinarily be
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington placed in <code class="filename">named.conf</code>.
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington If the zone was originally added via
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington <span class="command"><strong>rndc addzone</strong></span>, the configuration
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington changes will be recorded permanently and will still be
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington in effect after the server is restarted or reconfigured.
4be64854b4a3da0465bf962caa8488699e0e0681Brian Wellington However, if it was originally configured in
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington <code class="filename">named.conf</code>, then that original
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington configuration is still in place; when the server is
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington restarted or reconfigured, the zone will revert to
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington its original configuration. To make the changes
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington permanent, it must also be modified in
49c8a96fba8d85810d470fdc7dd3388f0c767c9eBrian Wellington See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews Resend NOTIFY messages for the zone.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
fb01226bcd598c36b5edc566489c890c39f03ed3Brian Wellington Sets the server's debugging level to 0.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence See also <span class="command"><strong>rndc trace</strong></span>.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews<dt><span class="term"><strong class="userinput"><code>nta
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Sets a DNSSEC negative trust anchor (NTA)
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews for <code class="option">domain</code>, with a lifetime of
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <code class="option">duration</code>. The default lifetime is
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews configured in <code class="filename">named.conf</code> via the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <code class="option">nta-lifetime</code> option, and defaults to
70d950d16e9623fec1bc89b158047de507071ce3Brian Wellington one hour. The lifetime cannot exceed one week.
70d950d16e9623fec1bc89b158047de507071ce3Brian Wellington A negative trust anchor selectively disables
26a5f97dd8770ced729025488091b77d8beb0ab6Brian Wellington DNSSEC validation for zones that are known to be
26a5f97dd8770ced729025488091b77d8beb0ab6Brian Wellington failing because of misconfiguration rather than
70d950d16e9623fec1bc89b158047de507071ce3Brian Wellington an attack. When data to be validated is
351b62535d4c4f89883bfdba025999dd32490266Evan Hunt at or below an active NTA (and above any other
b6666e61dc9b91f4ac6af3aa1172bfd8a5f2d6ffBrian Wellington configured trust anchors), <span class="command"><strong>named</strong></span> will
b6666e61dc9b91f4ac6af3aa1172bfd8a5f2d6ffBrian Wellington abort the DNSSEC validation process and treat the data as
b6666e61dc9b91f4ac6af3aa1172bfd8a5f2d6ffBrian Wellington insecure rather than bogus. This continues until the
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington NTA's lifetime is elapsed.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews The NTAs for a view are saved in a file called
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews where <em class="replaceable"><code>name</code></em> is the
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews name of the view, or if it contains characters
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews that are incompatible with use as a file name, a
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews cryptographic hash generated from the name
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews of the view.
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington An existing NTA can be removed by using the
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington <code class="option">-remove</code> option.
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington An NTA's lifetime can be specified with the
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington <code class="option">-lifetime</code> option. TTL-style
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington suffixes can be used to specify the lifetime in
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington seconds, minutes, or hours. If the specified NTA
ddbc279e7b6a2d6ba682e60ca12956406030054bBrian Wellington already exists, its lifetime will be updated to the
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington new value. Setting <code class="option">lifetime</code> to zero
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington is equivalent to <code class="option">-remove</code>.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews If <code class="option">-dump</code> is used, any other arguments
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews are ignored, and a list of existing NTAs is printed
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews (note that this may include NTAs that are expired but
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews have not yet been cleaned up).
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Normally, <span class="command"><strong>named</strong></span> will periodically
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews test to see whether data below an NTA can now be
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews validated (see the <code class="option">nta-recheck</code> option
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews in the Administrator Reference Manual for details).
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews If data can be validated, then the NTA is regarded as
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews no longer necessary, and will be allowed to expire
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews early. The <code class="option">-force</code> option overrides this
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews behavior and forces an NTA to persist for its entire
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews lifetime, regardless of whether data could be
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews validated if the NTA were not present.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews All of these options can be shortened, i.e., to
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Enable or disable query logging. (For backward
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews compatibility, this command can also be used without
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews an argument to toggle query logging on and off.)
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Query logging can also be enabled
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews by explicitly directing the <span class="command"><strong>queries</strong></span>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>category</strong></span> to a
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>channel</strong></span> in the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>logging</strong></span> section of
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <code class="filename">named.conf</code> or by specifying
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>querylog yes;</strong></span> in the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <span class="command"><strong>options</strong></span> section of
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Reload the configuration file and load new zones,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews but do not reload existing zone files even if they
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews have changed.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews This is faster than a full <span class="command"><strong>reload</strong></span> when there
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews is a large number of zones because it avoids the need
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews to examine the
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews modification times of the zone files.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington Dump the list of queries <span class="command"><strong>named</strong></span> is currently
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington recursing on, and the list of domains to which iterative
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington queries are currently being sent. (The second list includes
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington the number of fetches currently active for the given domain,
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington and how many have been passed or dropped because of the
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington <code class="option">fetches-per-zone</code> option.)
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington Schedule zone maintenance for the given zone.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Reload configuration file and zones.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Reload the given zone.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Retransfer the given slave zone from the master server.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews If the zone is configured to use
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>inline-signing</strong></span>, the signed
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews version of the zone is discarded; after the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews retransfer of the unsigned version is complete, the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews signed version will be regenerated with all new
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Scan the list of available network interfaces
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews for changes, without performing a full
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>reconfig</strong></span> or waiting for the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>interface-interval</strong></span> timer.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Dump the server's security roots and negative trust anchors
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews for the specified views. If no view is specified, all views
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews If the first argument is "-", then the output is
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews returned via the <span class="command"><strong>rndc</strong></span> response channel
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews and printed to the standard output.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Otherwise, it is written to the secroots dump file, which
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews defaults to <code class="filename">named.secroots</code>, but can be
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews overridden via the <code class="option">secroots-file</code> option in
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews See also <span class="command"><strong>rndc managed-keys</strong></span>.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Print the configuration of a running zone.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews See also <span class="command"><strong>rndc zonestatus</strong></span>.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Fetch all DNSSEC keys for the given zone
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews from the key directory (see the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>key-directory</strong></span> option in
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews the BIND 9 Administrator Reference Manual). If they are within
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews their publication period, merge them into the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews zone's DNSKEY RRset. If the DNSKEY RRset
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews is changed, then the zone is automatically
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews re-signed with the new key set.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews This command requires that the
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option be set
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews and also requires the zone to be configured to
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews allow dynamic DNS.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews (See "Dynamic Update Policies" in the Administrator
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews Reference Manual for more details.)
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington See also <span class="command"><strong>rndc loadkeys</strong></span>.
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington List, edit, or remove the DNSSEC signing state records
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington for the specified zone. The status of ongoing DNSSEC
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington operations (such as signing or generating
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington NSEC3 chains) is stored in the zone in the form
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington of DNS resource records of type
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>sig-signing-type</strong></span>.
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>rndc signing -list</strong></span> converts
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington these records into a human-readable form,
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington indicating which keys are currently signing
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington or have finished signing the zone, and which NSEC3
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington chains are being created or removed.
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>rndc signing -clear</strong></span> can remove
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington a single key (specified in the same format that
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>rndc signing -list</strong></span> uses to
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington display it), or all keys. In either case, only
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington completed keys are removed; any record indicating
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington that a key has not yet finished signing the zone
f2338a0d6aa0327372eb20ab5dc29502bc8c71efBrian Wellington will be retained.
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington the NSEC3 parameters for a zone. This is the
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington only supported mechanism for using NSEC3 with
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington <span class="command"><strong>inline-signing</strong></span> zones.
d598338952797df77417e69fcb8782b73651f9a9Brian Wellington Parameters are specified in the same format as
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington an NSEC3PARAM resource record: hash algorithm,
dc19dcbc236bc876a6cdb426ec7c5fab964f8dfcMark Andrews flags, iterations, and salt, in that order.
d0345e08f26267c1d11e02af57a6555868068415Brian Wellington Currently, the only defined value for hash algorithm
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington is <code class="literal">1</code>, representing SHA-1.
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington The <code class="option">flags</code> may be set to
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington <code class="literal">0</code> or <code class="literal">1</code>,
d0345e08f26267c1d11e02af57a6555868068415Brian Wellington depending on whether you wish to set the opt-out
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington bit in the NSEC3 chain. <code class="option">iterations</code>
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington defines the number of additional times to apply
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington the algorithm when generating an NSEC3 hash. The
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington <code class="option">salt</code> is a string of data expressed
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington in hexadecimal, a hyphen (`-') if no salt is
d0345e08f26267c1d11e02af57a6555868068415Brian Wellington to be used, or the keyword <code class="literal">auto</code>,
100d0d2ec64ab1a85f8c0d2da9b47ae411a10b21Brian Wellington which causes <span class="command"><strong>named</strong></span> to generate a
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington random 64-bit salt.
d0345e08f26267c1d11e02af57a6555868068415Brian Wellington So, for example, to create an NSEC3 chain using
d0345e08f26267c1d11e02af57a6555868068415Brian Wellington the SHA-1 hash algorithm, no opt-out flag,
949d406b57fe80fabc6a60d36a0dcee927c780b3Brian Wellington 10 iterations, and a salt value of "FFFF", use:
949d406b57fe80fabc6a60d36a0dcee927c780b3Brian Wellington <span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington To set the opt-out flag, 15 iterations, and no
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
a49acbf201a411a47e18d136b38bbea8cf283adaBrian Wellington <span class="command"><strong>rndc signing -nsec3param none</strong></span>
949d406b57fe80fabc6a60d36a0dcee927c780b3Brian Wellington removes an existing NSEC3 chain and replaces it
3f6dc1703f76a24b34ed3bc839447291c33ca837Brian Wellington <span class="command"><strong>rndc signing -serial value</strong></span> sets
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington the serial number of the zone to value. If the value
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington would cause the serial number to go backwards, it will
3b2b306f47867d0037fb851623fb5a5736d64348Michael Graff be rejected. The primary use is to set the serial on
4556681e191b7c1654639895ce719d98f2822ee2Michael Graff inline signed zones.
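The parameter rules for rndc signing -nsec3param described above, as an added Python example (not part of BIND or of this manual page): it validates the four values in the order the page lists them and computes the NSEC3 owner hash defined in RFC 5155, so the effect of iterations and salt is visible. The function names, the 16-bit iteration and 255-octet salt limits (taken from the NSEC3PARAM record format), and the sample name www.example.com are assumptions of the example.

```python
import base64
import hashlib
import re

# Translation from the standard base32 alphabet to base32hex (RFC 4648),
# the encoding used for NSEC3 owner labels.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3param(args):
    """Validate -nsec3param values: hash algorithm, flags, iterations, salt.

    Returns (algorithm, flags, iterations, salt). salt is bytes, or the
    string "auto" when named is asked to generate a random salt itself.
    """
    if len(args) != 4:
        raise ValueError("expected: hash-algorithm flags iterations salt")
    alg, flags, iterations, salt = args
    if alg != "1":
        raise ValueError("the only defined hash algorithm is 1 (SHA-1)")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0 or 1 (opt-out bit)")
    if not re.fullmatch(r"[0-9]+", iterations) or int(iterations) > 0xFFFF:
        raise ValueError("iterations must fit the 16-bit NSEC3PARAM field")
    if salt == "-":
        salt_value = b""            # no salt
    elif salt == "auto":
        salt_value = "auto"         # named generates the salt
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,255}", salt):
        salt_value = bytes.fromhex(salt)
    else:
        raise ValueError("salt must be hex octets, '-' or 'auto'")
    return 1, int(flags), int(iterations), salt_value


def wire_name(name):
    """Owner name in lowercase DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, iterations, salt):
    """RFC 5155 hash: SHA-1 over name||salt, then `iterations` ADDITIONAL
    rounds of SHA-1 over digest||salt, rendered as lowercase base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


if __name__ == "__main__":
    # The two parameter sets used in the manual page's own commands.
    for line in ("1 0 10 FFFF", "1 1 15 -"):
        alg, flags, iterations, salt = parse_nsec3param(line.split())
        # www.example.com is a constructed sample name.
        owner = nsec3_hash("www.example.com", iterations, salt)
        print(f"{line!r}: opt-out={bool(flags)} salt={salt.hex() or '-'} "
              f"hash rounds={iterations + 1} owner label={owner}")
```

Each additional iteration is one more SHA-1 computation for every hashed name on both the signer and every validating resolver; RFC 9276 recommends zero additional iterations and an empty salt for that reason.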
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
d692d9991a731d60b63e6389da1ebf2b2839cfabBrian Wellington Write server statistics to the statistics file.
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington (See the <span class="command"><strong>statistics-file</strong></span> option in
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington the BIND 9 Administrator Reference Manual.)
a00c5e2151cc03c06bae5cdd3b40a5de05664059Brian Wellington<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington Display status of the server.
05b6b2e6802d503a9e131415b4720f35ab9f08d1Brian Wellington Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence and the default <span class="command"><strong>/IN</strong></span>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence hint zone if there is not an
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence explicit root zone configured.
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington Stop the server, making sure any recent changes
af602636644fdfaabc331bd926b0aabb9432e152Brian Wellington made through dynamic update or IXFR are first saved to
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington the master files of the updated zones.
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington This allows an external process to determine when <span class="command"><strong>named</strong></span>
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington has completed stopping.
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington <p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington Sync changes in the journal file for a dynamic zone
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington to the master file. If the "-clean" option is
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington specified, the journal file is also removed. If
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington no zone is specified, then all zones are synced.
d84ce5d5c69a7e144fb90fd4b3c349e88e4dcdddBrian Wellington<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington Enable updates to a frozen dynamic zone. If no
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington zone is specified, then all frozen zones are
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington enabled. This causes the server to reload the zone
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington from disk, and re-enables dynamic updates after the
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington load has completed. After a zone is thawed,
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington dynamic updates will no longer be refused. If
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington the zone has changed and the
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence <span class="command"><strong>ixfr-from-differences</strong></span> option is
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington in use, then the journal file will be updated to
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington reflect changes in the zone. Otherwise, if the
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington zone has changed, any existing journal file will be
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington <p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington Increment the server's debugging level by one.
1e2749dba8aae3233b8962f1efe15385e92a77d9Brian Wellington<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence Sets the server's debugging level to an explicit
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington See also <span class="command"><strong>rndc notrace</strong></span>.
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington Delete a given TKEY-negotiated key from the server.
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington (This does not apply to statically configured TSIG
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington List the names of all TSIG keys currently configured
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington for use by <span class="command"><strong>named</strong></span> in each view. The
0f80bfec687db08a6e6ce945ef1d818da06c7ca9Brian Wellington list includes both statically configured keys and dynamic
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence TKEY-negotiated keys.
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington<dt><span class="term"><strong class="userinput"><code>validation ( on | off | status ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence Enable, disable, or check the current status of
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence DNSSEC validation.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to be
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence set to <strong class="userinput"><code>yes</code></strong> or
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington <strong class="userinput"><code>auto</code></strong> to be effective.
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence It defaults to enabled.
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence Displays the current status of the given zone,
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence including the master file name and any include
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence files from which it was loaded, when it was most
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington recently loaded, the current serial number, the
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington number of nodes, whether the zone supports
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington dynamic updates, whether the zone is DNSSEC
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington signed, whether it uses automatic DNSSEC key
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington management or inline signing, and the scheduled
c7f13217d11f26739a79f0dab391ec372b49b96bBrian Wellington refresh or expiry times for the zone.
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence See also <span class="command"><strong>rndc showzone</strong></span>.
4fe8755480c108a1232b7189fd5434ab35a6b623Brian Wellington There is currently no way to provide the shared secret for a
c7f13217d11f26739a79f0dab391ec372b49b96bBrian Wellington <code class="option">key_id</code> without using the configuration file.
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington Several error messages could be clearer.
0c70ab306505d89983186e9f8bb8647de55b5d04Mark Andrews <span class="refentrytitle">rndc.conf</span>(5)
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington <span class="refentrytitle">rndc-confgen</span>(8)
6d4886fa7430889a96dbf9b88a2a4eb6f9d04674Brian Wellington <span class="refentrytitle">named</span>(8)
c7f13217d11f26739a79f0dab391ec372b49b96bBrian Wellington <span class="refentrytitle">named.conf</span>(5)
7e8dd00fce7057d1da8158b65395a09ced43a892Brian Wellington <em class="citetitle">BIND 9 Administrator Reference Manual</em>.