rndc.html revision 6d45011a65dfc43f476ca15c3fd9ee5227eb968f
665a24faf6b3711e4012ac02ae5f0981c093ac1eTinderbox User - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000, 2001 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson - purpose with or without fee is hereby granted, provided that the above
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson - copyright notice and this permission notice appear in all copies.
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
af5073d03288a53b646ec3b807ac25ced64d7879Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="man.rndc"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">rndc</span> — name server control utility</p>
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<p><span><strong class="command">rndc</strong></span>
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User controls the operation of a name
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User server. It supersedes the <span><strong class="command">ndc</strong></span> utility
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that was provided in old BIND releases. If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc</strong></span> is invoked with no command line
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein options or arguments, it prints a short summary of the
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User supported commands and the available options and their
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<p><span><strong class="command">rndc</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein communicates with the name server over a TCP connection, sending
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein commands authenticated with digital signatures. In the current
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the only supported authentication algorithms are HMAC-MD5
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (default), HMAC-SHA384 and HMAC-SHA512.
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews They use a shared secret on each end of the connection.
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User This provides TSIG-style authentication for the command
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein request and the name server's response. All commands sent
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein over the channel must be signed by a key_id known to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">rndc</strong></span>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User reads a configuration file to
03c0efc6892ef2ed17338b2ecbb2c5f23fbad0c9Tinderbox User determine how to contact the name server and decide what
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User algorithm and key it should use.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User Use <em class="replaceable"><code>source-address</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein as the source address for the connection to the server.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Multiple instances are permitted to allow setting of both
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the IPv4 and IPv6 source addresses.
b3cbb2f1ad021349e89807f3492df6e4e679cd56Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
665a24faf6b3711e4012ac02ae5f0981c093ac1eTinderbox User Use <em class="replaceable"><code>config-file</code></em>
b49958b502ee45022010a0b1bed3968f598895a4Automatic Updater as the configuration file instead of the default,
b49958b502ee45022010a0b1bed3968f598895a4Automatic Updater <code class="filename">/etc/rndc.conf</code>.
b3cbb2f1ad021349e89807f3492df6e4e679cd56Mark Andrews<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User Use <em class="replaceable"><code>key-file</code></em>
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User as the key file instead of the default,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/etc/rndc.key</code>. The key in
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User <code class="filename">/etc/rndc.key</code> will be used to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein authenticate
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein does not exist.
61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p><em class="replaceable"><code>server</code></em> is
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User the name or address of the server which matches a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server statement in the configuration file for
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User <span><strong class="command">rndc</strong></span>. If no server is supplied on the
d8620c7234281056fdfd2ee40cf16636b8281092Tinderbox User command line, the host named by the default-server clause
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User in the options statement of the <span><strong class="command">rndc</strong></span>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User configuration file will be used.
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Send commands to TCP port
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User <em class="replaceable"><code>port</code></em>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User instead of BIND 9's default control channel port, 953.
<dt><span class="term">-q</span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Quiet mode: Message text returned by the server
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User will not be printed except when there is an error.
<dt><span class="term">-r</span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Instructs <span><strong class="command">rndc</strong></span> to print the result code
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User returned by <span><strong class="command">named</strong></span> after executing the
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User requested command (e.g., ISC_R_SUCCESS or ISC_R_FAILURE).
<dt><span class="term">-V</span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Enable verbose logging.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Use the key <em class="replaceable"><code>key_id</code></em>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User from the configuration file.
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User <em class="replaceable"><code>key_id</code></em>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User must be known by <span><strong class="command">named</strong></span> with the same algorithm and secret string
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User in order for control message validation to succeed.
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User If no <em class="replaceable"><code>key_id</code></em>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User is specified, <span><strong class="command">rndc</strong></span> will first look
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for a key clause in the server statement of the server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein being used, or if no server statement is present for that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein host, then the default-key clause of the options statement.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note that the configuration file contains shared secrets
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User which are used to send authenticated control commands
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User to name servers. It should therefore not have general read
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or write access.
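<p>Added example, not part of the ISC manual page or the BIND source: a Python audit of an rndc configuration file that applies the lookup order described above for -s and -y, reports which key and algorithm a given server would use, and flags general read/write permission bits and HMAC-MD5 keys. The sample configuration, key names, placeholder secrets and function names are constructed for illustration.</p>

```python
import os
import re
import stat
import tempfile

# Assumption: only HMAC-MD5 is flagged, since the page lists it "for compatibility".
COMPAT_ONLY = {"hmac-md5"}

# Constructed sample; the secrets are placeholders, not real keys.
SAMPLE = '''\
# constructed rndc.conf for the example
options { default-server localhost; default-key "ops-key"; };
server localhost { key "legacy-key"; };
server ns2.example.net { addresses { 192.0.2.53; }; };
key "legacy-key" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQ//w=="; };
key "ops-key" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
'''

# Quoted strings match first, so "//" inside a base64 secret is not a comment.
TOKEN = re.compile(r'"([^"]*)"|/\*.*?\*/|(?:#|//)[^\n]*|([{};])|([^\s{};"]+)', re.S)


def parse_rndc_conf(text):
    # Comments match without a capture group (lastindex is None) and are dropped.
    toks = [m.group(m.lastindex) for m in TOKEN.finditer(text) if m.lastindex]
    conf = {"options": {}, "server": {}, "key": {}}
    i = 0
    try:
        while i < len(toks):
            kind = toks[i]
            if kind not in conf:
                raise ValueError(f"unexpected statement {kind!r}")
            name = None if kind == "options" else toks[i + 1]
            i += 1 if name is None else 2
            if toks[i] != "{":
                raise ValueError(f"expected '{{' after {kind}")
            i += 1
            clauses = {}
            while toks[i] != "}":
                end, depth = i, 0
                while toks[end] != ";" or depth:   # skip nested { ... } blocks
                    depth += {"{": 1, "}": -1}.get(toks[end], 0)
                    end += 1
                clauses[toks[i]] = toks[i + 1:end]
                i = end + 1
            i += 2                                  # closing "}" and ";"
            if name is None:
                conf["options"] = clauses
            else:
                conf[kind][name] = clauses
    except IndexError:
        raise ValueError("truncated statement in configuration") from None
    return conf


def resolve_key(conf, server=None, key_id=None):
    """Apply the lookup order the page gives for -s and -y."""
    opts = conf["options"]
    if server is None:                              # no -s: default-server
        server = (opts.get("default-server") or [None])[0]
    if key_id is None:                              # no -y: server key, then default-key
        stmt = conf["server"].get(server, {})
        key_id = (stmt.get("key") or opts.get("default-key") or [None])[0]
    return server, key_id


def audit(path, server=None, key_id=None):
    """Return (server, key_id, algorithm, findings); secrets are never returned."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} gives general read/write access")
    with open(path, encoding="utf-8") as fh:
        conf = parse_rndc_conf(fh.read())
    server, key_id = resolve_key(conf, server, key_id)
    key = conf["key"].get(key_id)
    algorithm = None if key is None else (key.get("algorithm") or [""])[0].lower()
    if key is None:
        findings.append(f"key {key_id!r} (server {server!r}) has no key statement")
    elif algorithm in COMPAT_ONLY:
        findings.append(f"key {key_id!r} uses {algorithm}, kept only for compatibility")
    return server, key_id, algorithm, findings


def write_sample(mode):
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample = write_sample(0o644)                    # world-readable on purpose
    print(audit(sample), audit(sample, server="ns2.example.net"), sep="\n")
    os.remove(sample)
```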
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A list of commands supported by <span><strong class="command">rndc</strong></span> can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be seen by running <span><strong class="command">rndc</strong></span> without arguments.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Currently supported commands are:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Add a zone while the server is running. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein command requires the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">allow-new-zones</strong></span> option to be set
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews to <strong class="userinput"><code>yes</code></strong>. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="replaceable"><code>configuration</code></em> string
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User specified on the command line is the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration text that would ordinarily be
1c09d68dfd18b6e839c8cd68b78c11b3ccca4160Automatic Updater placed in <code class="filename">named.conf</code>.
1c09d68dfd18b6e839c8cd68b78c11b3ccca4160Automatic Updater The configuration is saved in a file called
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein where <em class="replaceable"><code>name</code></em> is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein name of the view, or if it contains characters
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User that are incompatible with use as a file name, a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cryptographic hash generated from the name
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the view.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When <span><strong class="command">named</strong></span> is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein restarted, the file will be loaded into the view
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration, so that zones that were added
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can persist after a restart.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This sample <span><strong class="command">addzone</strong></span> command
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User would add the zone <code class="literal">example.com</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the default view:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Note the brackets and semi-colon around the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration text.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein See also <span><strong class="command">rndc delzone</strong></span> and <span><strong class="command">rndc modzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
665a24faf6b3711e4012ac02ae5f0981c093ac1eTinderbox User Delete a zone while the server is running.
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User If the <code class="option">-clean</code> argument is specified,
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User the zone's master file (and journal file, if any)
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User will be deleted along with the zone. Without the
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User <code class="option">-clean</code> option, zone files must
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be cleaned up by hand. (If the zone is of
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews type "slave" or "stub", the files needing to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be cleaned up will be reported in the output
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of the <span><strong class="command">rndc delzone</strong></span> command.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If the zone was originally added via
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User <span><strong class="command">rndc addzone</strong></span>, then it will be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein removed permanently. However, if it was originally
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configured in <code class="filename">named.conf</code>, then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that original configuration is still in place; when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the server is restarted or reconfigured, the zone will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein come back. To remove it permanently, it must also be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein removed from <code class="filename">named.conf</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein See also <span><strong class="command">rndc addzone</strong></span> and <span><strong class="command">rndc modzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Dump the server's caches (default) and/or zones to
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews the dump file for the specified views. If no view is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified, all
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein views are dumped.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (See the <span><strong class="command">dump-file</strong></span> option in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the BIND 9 Administrator Reference Manual.)
61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92Mark Andrews<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Flushes the server's cache.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Flushes the given name from the view's DNS cache
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and, if applicable, from the view's nameserver address
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User database, bad server cache and SERVFAIL cache.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User Flushes the given name, and all of its subdomains,
b46346eb3026ba4bebc093bc93cfe159131e541eTinderbox User from the view's DNS cache, address database,
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User bad server cache, and SERVFAIL cache.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Suspend updates to a dynamic zone. If no zone is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified, then all zones are suspended. This allows
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein manual edits to be made to a zone normally updated by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dynamic update. It also causes changes in the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein journal file to be synced into the master file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein All dynamic update attempts will be refused while
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the zone is frozen.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein See also <span><strong class="command">rndc thaw</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Stop the server immediately. Recent changes
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User made through dynamic update or IXFR are not saved to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User the master files, but will be rolled forward from the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein journal files when the server is restarted.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User This allows an external process to determine when <span><strong class="command">named</strong></span>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User has completed halting.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User See also <span><strong class="command">rndc stop</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater Fetch all DNSSEC keys for the given zone
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater from the key directory. If they are within
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater their publication period, merge them into the
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater sign</strong></span>, however, the zone is not
370c55dfcdc559b8761ef3eb4921498580caf14cAutomatic Updater immediately re-signed by the new keys, but is
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater allowed to incrementally re-sign over time.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User This command requires that the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">auto-dnssec</strong></span> zone option
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User be set to <code class="literal">maintain</code>,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User and also requires the zone to be configured to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User allow dynamic DNS.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User (See "Dynamic Update Policies" in the Administrator
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Reference Manual for more details.)
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User When run with the "status" keyword, print the current
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User status of the managed-keys database for the specified
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User view, or for all views if none is specified. When run
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User with the "refresh" keyword, force an immediate refresh
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User of all the managed-keys in the specified view, or all
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User views. When run with the "sync" keyword, force an
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User immediate dump of the managed-keys database to disk (in
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User the file <code class="filename">managed-keys.bind</code> or
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Modify the configuration of a zone while the server
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User is running. This command requires the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">allow-new-zones</strong></span> option to be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User set to <strong class="userinput"><code>yes</code></strong>. As with
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">addzone</strong></span>, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="replaceable"><code>configuration</code></em> string
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified on the command line is the zone
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User configuration text that would ordinarily be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User placed in <code class="filename">named.conf</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If the zone was originally added via
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">rndc addzone</strong></span>, the configuration
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User changes will be recorded permanently and will still be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User in effect after the server is restarted or reconfigured.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User However, if it was originally configured in
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="filename">named.conf</code>, then that original
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein configuration is still in place; when the server is
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User restarted or reconfigured, the zone will revert to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User its original configuration. To make the changes
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User permanent, it must also be modified in
e68c527dff2f1f7df2a542f8d6f9181a27e05eb7Tinderbox User See also <span><strong class="command">rndc addzone</strong></span> and <span><strong class="command">rndc delzone</strong></span>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Resend NOTIFY messages for the zone.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Sets the server's debugging level to 0.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User See also <span><strong class="command">rndc trace</strong></span>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>nta
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <em class="replaceable"><code>domain</code></em>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Sets a DNSSEC negative trust anchor (NTA)
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User for <code class="option">domain</code>, with a lifetime of
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User <code class="option">duration</code>. The default lifetime is
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User configured in <code class="filename">named.conf</code> via the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="option">nta-lifetime</code> option, and defaults to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User one hour. The lifetime cannot exceed one week.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User A negative trust anchor selectively disables
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User DNSSEC validation for zones that are known to be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User failing because of misconfiguration rather than
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User an attack. When data to be validated is
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User at or below an active NTA (and above any other
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User configured trust anchors), <span><strong class="command">named</strong></span> will
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User abort the DNSSEC validation process and treat the data as
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User insecure rather than bogus. This continues until the
a24330c4805a224191ab687d0291963062fe3355Tinderbox User NTA's lifetime has elapsed.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User NTAs persist across restarts of the <span><strong class="command">named</strong></span> server.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User The NTAs for a view are saved in a file called
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User where <em class="replaceable"><code>name</code></em> is the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User name of the view, or if it contains characters
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User that are incompatible with use as a file name, a
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User cryptographic hash generated from the name
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User An existing NTA can be removed by using the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User An NTA's lifetime can be specified with the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="option">-lifetime</code> option. TTL-style
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User suffixes can be used to specify the lifetime in
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User seconds, minutes, or hours. If the specified NTA
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User already exists, its lifetime will be updated to the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User new value. Setting <code class="option">lifetime</code> to zero
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User is equivalent to <code class="option">-remove</code>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User If <code class="option">-dump</code> is used, any other arguments
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User are ignored, and a list of existing NTAs is printed
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User (note that this may include NTAs that are expired but
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User have not yet been cleaned up).
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Normally, <span><strong class="command">named</strong></span> will periodically
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User test to see whether data below an NTA can now be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User validated (see the <code class="option">nta-recheck</code> option
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User in the Administrator Reference Manual for details).
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User If data can be validated, then the NTA is regarded as
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User no longer necessary, and will be allowed to expire
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User early. The <code class="option">-force</code> option overrides this
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User behavior and forces an NTA to persist for its entire
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User lifetime, regardless of whether data could be
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User validated if the NTA were not present.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User All of these options can be shortened, i.e., to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Enable or disable query logging. (For backward
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User compatibility, this command can also be used without
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User an argument to toggle query logging on and off.)
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Query logging can also be enabled
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User by explicitly directing the <span><strong class="command">queries</strong></span>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">category</strong></span> to a
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">channel</strong></span> in the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">logging</strong></span> section of
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="filename">named.conf</code> or by specifying
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">querylog yes;</strong></span> in the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">options</strong></span> section of
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Reload the configuration file and load new zones,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User but do not reload existing zone files even if they
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User have changed.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User This is faster than a full <span><strong class="command">reload</strong></span> when there
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User is a large number of zones because it avoids the need
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User to examine the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User modification times of the zone files.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Schedule zone maintenance for the given zone.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Reload configuration file and zones.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Reload the given zone.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Retransfer the given slave zone from the master server.
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater If the zone is configured to use
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User <span><strong class="command">inline-signing</strong></span>, the signed
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater version of the zone is discarded; after the
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater retransfer of the unsigned version is complete, the
77dccf2a5d9327d16b4374a135cdb99bdd48620eAutomatic Updater signed version will be regenerated with all new
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Scan the list of available network interfaces
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User for changes, without performing a full
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">reconfig</strong></span> or waiting for the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">interface-interval</strong></span> timer.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Dump the server's security roots and negative trust anchors
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User for the specified views. If no view is specified, all views
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User If the first argument is "-", then the output is
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User returned via the <span><strong class="command">rndc</strong></span> response channel
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User and printed to the standard output.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Otherwise, it is written to the secroots dump file, which
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User defaults to <code class="filename">named.secroots</code>, but can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein overridden via the <code class="option">secroots-file</code> option in
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User See also <span><strong class="command">rndc managed-keys</strong></span>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater Print the configuration of a running zone.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User See also <span><strong class="command">rndc zonestatus</strong></span>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Fetch all DNSSEC keys for the given zone
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User from the key directory (see the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">key-directory</strong></span> option in
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater the BIND 9 Administrator Reference Manual). If they are within
be6c1c506161e6f45fcff5d0425f78801bc267c1Automatic Updater their publication period, merge them into the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User zone's DNSKEY RRset. If the DNSKEY RRset
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User is changed, then the zone is automatically
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User re-signed with the new key set.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User This command requires that the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">auto-dnssec</strong></span> zone option be set
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and also requires the zone to be configured to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow dynamic DNS.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User (See "Dynamic Update Policies" in the Administrator
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Reference Manual for more details.)
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User See also <span><strong class="command">rndc loadkeys</strong></span>.
a24330c4805a224191ab687d0291963062fe3355Tinderbox User<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User List, edit, or remove the DNSSEC signing state records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for the specified zone. The status of ongoing DNSSEC
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User operations (such as signing or generating
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User NSEC3 chains) is stored in the zone in the form
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User of DNS resource records of type
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">sig-signing-type</strong></span>.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">rndc signing -list</strong></span> converts
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User these records into a human-readable form,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein indicating which keys are currently signing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or have finished signing the zone, and which NSEC3
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson chains are being created or removed.
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews <span><strong class="command">rndc signing -clear</strong></span> can remove
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User a single key (specified in the same format that
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User <span><strong class="command">rndc signing -list</strong></span> uses to
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User display it), or all keys. In either case, only
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User completed keys are removed; any record indicating
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User that a key has not yet finished signing the zone
f39512a917cdd06c611d366603374f6ef570c80eTinderbox User will be retained.
00124ad0406365d39f4b2d1011ef6a76706e9df0Mark Andrews <span><strong class="command">rndc signing -nsec3param</strong></span> sets
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User the NSEC3 parameters for a zone. This is the
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User only supported mechanism for using NSEC3 with
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">inline-signing</strong></span> zones.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Parameters are specified in the same format as
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User an NSEC3PARAM resource record: hash algorithm,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User flags, iterations, and salt, in that order.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Currently, the only defined value for hash algorithm
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User is <code class="literal">1</code>, representing SHA-1.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User The <code class="option">flags</code> may be set to
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="literal">0</code> or <code class="literal">1</code>,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User depending on whether you wish to set the opt-out
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User bit in the NSEC3 chain. <code class="option">iterations</code>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User defines the number of additional times to apply
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User the algorithm when generating an NSEC3 hash. The
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <code class="option">salt</code> is a string of data expressed
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User in hexadecimal, a hyphen (`-') if no salt is
6c8a888822cfe45f0525e7496dcaa27d341b6a5eAutomatic Updater to be used, or the keyword <code class="literal">auto</code>,
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User which causes <span><strong class="command">named</strong></span> to generate a
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User random 64-bit salt.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User So, for example, to create an NSEC3 chain using
6c8a888822cfe45f0525e7496dcaa27d341b6a5eAutomatic Updater the SHA-1 hash algorithm, no opt-out flag,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 10 iterations, and a salt value of "FFFF", use:
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews To set the opt-out flag, 15 iterations, and no
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews <span><strong class="command">rndc signing -nsec3param none</strong></span>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User removes an existing NSEC3 chain and replaces it
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews <span><strong class="command">rndc signing -serial value</strong></span> sets
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews the serial number of the zone to value. If the value
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User would cause the serial number to go backwards, it will
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews be rejected. The primary use is to set the serial on
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews inline signed zones.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Write server statistics to the statistics file.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User (See the <span><strong class="command">statistics-file</strong></span> option in
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User the BIND 9 Administrator Reference Manual.)
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
6bcac4b58d16ee91184a72bd4ff05c41538fd932Tinderbox User Display status of the server.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
0e1dece22e128f9dfa723316a35c4b3f06912381Tinderbox User and the default <span><strong class="command">/IN</strong></span>
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User hint zone if there is not an
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User explicit root zone configured.
8e16b3078757ba3010c24aef805e9e29ed19518bTinderbox User<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Stop the server, making sure any recent changes
fb84f9014321c5f33c4682de5661b579fcde318fAndreas Gustafsson made through dynamic update or IXFR are first saved to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the master files of the updated zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User This allows an external process to determine when <span><strong class="command">named</strong></span>
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User has completed stopping.
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<p>See also <span><strong class="command">rndc halt</strong></span>.</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sync changes in the journal file for a dynamic zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the master file. If the "-clean" option is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specified, the journal file is also removed. If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein no zone is specified, then all zones are synced.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Enable updates to a frozen dynamic zone. If no
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone is specified, then all frozen zones are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein enabled. This causes the server to reload the zone
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from disk, and re-enables dynamic updates after the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein load has completed. After a zone is thawed,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dynamic updates will no longer be refused. If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the zone has changed and the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">ixfr-from-differences</strong></span> option is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in use, then the journal file will be updated to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein reflect changes in the zone. Otherwise, if the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone has changed, any existing journal file will be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>See also <span><strong class="command">rndc freeze</strong></span>.</p>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Increment the server's debugging level by one.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the server's debugging level to an explicit
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User See also <span><strong class="command">rndc notrace</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User Delete a given TKEY-negotiated key from the server.
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User (This does not apply to statically configured TSIG
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews List the names of all TSIG keys currently configured
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews for use by <span><strong class="command">named</strong></span> in each view. The
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews list includes both statically configured keys and dynamic
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews TKEY-negotiated keys.
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
057cafaa3df7be7a6dcca71fbaf8fb498fd83518Mark Andrews Enable, disable, or check the current status of
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User DNSSEC validation.
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set to <strong class="userinput"><code>yes</code></strong> or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <strong class="userinput"><code>auto</code></strong> to be effective.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein It defaults to enabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Displays the current status of the given zone,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein including the master file name and any include
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein files from which it was loaded, when it was most
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein recently loaded, the current serial number, the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein number of nodes, whether the zone supports
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dynamic updates, whether the zone is DNSSEC
3afd0ff6628df1e7e20161e4afa99469a1195a5bTinderbox User signed, whether it uses automatic DNSSEC key
d9f0b06dc2bba47e3fe63afdf41c638d3517ceffTinderbox User management or inline signing, and the scheduled
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein refresh or expiry times for the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein See also <span><strong class="command">rndc showzone</strong></span>.
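The four values passed to rndc signing -nsec3param (hash algorithm, flags, iterations, salt) determine how every owner name in the zone is hashed. The following is an added example, not part of the original manual page or of BIND's source: it parses a parameter string in that format and computes the resulting NSEC3 owner hash using the construction from RFC 5155. The function names are assumptions made for this illustration, and names are assumed to be plain ASCII without escaped characters.

```python
import base64
import hashlib
import os

# Standard base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3param(text):
    """Parse 'algorithm flags iterations salt' as given to -nsec3param."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in (0, 1):
        raise ValueError("flags must be 0 or 1 (opt-out bit)")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations must fit the 16-bit NSEC3PARAM field")
    salt_text = fields[3]
    if salt_text == "-":
        salt = b""                       # hyphen: no salt
    elif salt_text.lower() == "auto":
        salt = os.urandom(8)             # mimics named's random 64-bit salt
    else:
        salt = bytes.fromhex(salt_text)  # ValueError on odd length or non-hex
    if len(salt) > 255:
        raise ValueError("salt is limited to 255 octets")
    return algorithm, flags, iterations, salt


def name_to_wire(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, iterations, salt):
    """RFC 5155 hash: one initial SHA-1, then 'iterations' additional rounds."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


def sha1_calls_per_name(iterations):
    """Work per hashed name, paid by the signer and by every validator."""
    return iterations + 1


if __name__ == "__main__":
    # The two parameter sets used as examples on this page; the owner name
    # "www.example.com" is a constructed sample.
    for params in ("1 0 10 FFFF", "1 1 15 -"):
        _alg, flags, iterations, salt = parse_nsec3param(params)
        print(params, "->", nsec3_hash("www.example.com", iterations, salt),
              "opt-out" if flags else "no opt-out",
              "(%d SHA-1 calls per name)" % sha1_calls_per_name(iterations))
```
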