man.rndc.html revision 1700442a7751c2bbdafe2d039cebbd8316496957
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2000-2003 Internet Software Consortium.
19558a04decde0e7261d489d92d04ad88104217bTinderbox User - Permission to use, copy, modify, and/or distribute this software for any
2fee8782a6fd57d86a67949092ab9197111af390Evan Hunt - purpose with or without fee is hereby granted, provided that the above
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - copyright notice and this permission notice appear in all copies.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f4ee48be3994797a8332b86c101db4d7b54799ceTinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - PERFORMANCE OF THIS SOFTWARE.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="prev" href="man.nsupdate.html" title="nsupdate">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<table width="100%" summary="Navigation header">
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<th width="60%" align="center">Manual pages</th>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<a name="man.rndc"></a><div class="titlepage"></div>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<p><span class="application">rndc</span> — name server control utility</p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p><span class="command"><strong>rndc</strong></span>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt controls the operation of a name
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews server. It supersedes the <span class="command"><strong>ndc</strong></span> utility
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews that was provided in old BIND releases. If
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <span class="command"><strong>rndc</strong></span> is invoked with no command line
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews options or arguments, it prints a short summary of the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews supported commands and the available options and their
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p><span class="command"><strong>rndc</strong></span>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater communicates with the name server over a TCP connection, sending
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews commands authenticated with digital signatures. In the current
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the only supported authentication algorithms are HMAC-MD5
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (default), HMAC-SHA384 and HMAC-SHA512.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews They use a shared secret on each end of the connection.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt This provides TSIG-style authentication for the command
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews request and the name server's response. All commands sent
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews over the channel must be signed by a key_id known to the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<p><span class="command"><strong>rndc</strong></span>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews reads a configuration file to
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt determine how to contact the name server and decide what
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews algorithm and key it should use.
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews<div class="variablelist"><dl class="variablelist">
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt Use <em class="replaceable"><code>source-address</code></em>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt as the source address for the connection to the server.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Multiple instances are permitted to allow setting of both
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt the IPv4 and IPv6 source addresses.
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Use <em class="replaceable"><code>config-file</code></em>
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User as the configuration file instead of the default,
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User <code class="filename">/etc/rndc.conf</code>.
549c517e2ecad52bb1d32f08920e29d4e8cda71eTinderbox User<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
8f4e6ea383aa9a953c0adb5be6c4d8dc8dbd5c4aWitold Krecicki Use <em class="replaceable"><code>key-file</code></em>
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User as the key file instead of the default,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <code class="filename">/etc/rndc.key</code>. The key in
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews <code class="filename">/etc/rndc.key</code> will be used to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews authenticate
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
aef6cf0f147a5014d4891c9689b9f463399e16e7Tinderbox User does not exist.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dd><p><em class="replaceable"><code>server</code></em> is
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User the name or address of the server which matches a
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews server statement in the configuration file for
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt <span class="command"><strong>rndc</strong></span>. If no server is supplied on the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews command line, the host named by the default-server clause
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User in the options statement of the <span class="command"><strong>rndc</strong></span>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews configuration file will be used.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Send commands to TCP port
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <em class="replaceable"><code>port</code></em>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews of BIND 9's default control channel port, 953.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Quiet mode: Message text returned by the server
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User will not be printed except when there is an error.
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews Instructs <span class="command"><strong>rndc</strong></span> to print the result code
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews returned by <span class="command"><strong>named</strong></span> after executing the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews Enable verbose logging.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Use the key <em class="replaceable"><code>key_id</code></em>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews from the configuration file.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <em class="replaceable"><code>key_id</code></em>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews in order for control message validation to succeed.
8f4e6ea383aa9a953c0adb5be6c4d8dc8dbd5c4aWitold Krecicki If no <em class="replaceable"><code>key_id</code></em>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews is specified, <span class="command"><strong>rndc</strong></span> will first look
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews for a key clause in the server statement of the server
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews being used, or if no server statement is present for that
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews host, then the default-key clause of the options statement.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Note that the configuration file contains shared secrets
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews which are used to send authenticated control commands
7f9e2fff07b9c17e0d7a0ea7abc9304ce9d01b61Tinderbox User to name servers. It should therefore not have general read
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews or write access.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A list of commands supported by <span class="command"><strong>rndc</strong></span> can
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Currently supported commands are:
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<div class="variablelist"><dl class="variablelist">
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Add a zone while the server is running. This
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater command requires the
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <span class="command"><strong>allow-new-zones</strong></span> option to be set
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews to <strong class="userinput"><code>yes</code></strong>. The
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt <em class="replaceable"><code>configuration</code></em> string
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews specified on the command line is the zone
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User configuration text that would ordinarily be
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User placed in <code class="filename">named.conf</code>.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt The configuration is saved in a file called
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User where <em class="replaceable"><code>name</code></em> is the
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater name of the view, or if it contains characters
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User that are incompatible with use as a file name, a
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews cryptographic hash generated from the name
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt of the view.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews When <span class="command"><strong>named</strong></span> is
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User restarted, the file will be loaded into the view
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson configuration, so that zones that were added
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User can persist after a restart.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This sample <span class="command"><strong>addzone</strong></span> command
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User would add the zone <code class="literal">example.com</code>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater to the default view:
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater (Note the brackets and semi-colon around the zone
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User configuration text.)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Delete a zone while the server is running.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User If the <code class="option">-clean</code> argument is specified,
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews the zone's master file (and journal file, if any)
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt will be deleted along with the zone. Without the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="option">-clean</code> option, zone files must
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User be cleaned up by hand. (If the zone is of
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User type "slave" or "stub", the files needing to
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User be cleaned up will be reported in the output
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User of the <span class="command"><strong>rndc delzone</strong></span> command.)
34d1f3b65324f8fcf358fa2f47891441d4b1d2f0Tinderbox User If the zone was originally added via
1fce11b1d3f2d461d261156b8cdc64ab864f06a9Tinderbox User <span class="command"><strong>rndc addzone</strong></span>, then it will be
fab54780409846f7c71f6026d665f18c77c649efTinderbox User removed permanently. However, if it was originally
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews configured in <code class="filename">named.conf</code>, then
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User that original configuration is still in place; when
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the server is restarted or reconfigured, the zone will
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User come back. To remove it permanently, it must also be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews removed from <code class="filename">named.conf</code>
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Close and re-open DNSTAP output files.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews file to be renamed externally, then re-opened.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews to be rolled automatically, similar to log files; the most
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews recent output file has ".0" appended to its name; the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews previous most recent output file is moved to ".1", and so on.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews If <em class="replaceable"><code>number</code></em> is specified, then the
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User number of backup log files is limited to that number.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Dump the server's caches (default) and/or zones to
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews dump file for the specified views. If no view is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews specified, all
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews views are dumped.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (See the <span class="command"><strong>dump-file</strong></span> option in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the BIND 9 Administrator Reference Manual.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Flushes the server's cache.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Flushes the given name from the view's DNS cache
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews and, if applicable, from the view's nameserver address
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews database, bad server cache and SERVFAIL cache.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Flushes the given name, and all of its subdomains,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews from the view's DNS cache, address database,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews bad server cache, and SERVFAIL cache.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Suspend updates to a dynamic zone. If no zone is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews specified, then all zones are suspended. This allows
7d638dd31ecb633aaefca994b60b70c58b5def03Tinderbox User manual edits to be made to a zone normally updated by
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews dynamic update. It also causes changes in the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews journal file to be synced into the master file.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews All dynamic update attempts will be refused while
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the zone is frozen.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews See also <span class="command"><strong>rndc thaw</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User Stop the server immediately. Recent changes
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User made through dynamic update or IXFR are not saved to
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the master files, but will be rolled forward from the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews journal files when the server is restarted.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned.
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User This allows an external process to determine when <span class="command"><strong>named</strong></span>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User had completed halting.
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User See also <span class="command"><strong>rndc stop</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt Fetch all DNSSEC keys for the given zone
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User from the key directory. If they are within
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews their publication period, merge them into the
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews immediately re-signed by the new keys, but is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews allowed to incrementally re-sign over time.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User This command requires that the
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and also requires the zone to be configured to
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User allow dynamic DNS.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (See "Dynamic Update Policies" in the Administrator
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews Reference Manual for more details.)
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews When run with the "status" keyword, print the current
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont status of the managed-keys database for the specified
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews view, or for all views if none is specified. When run
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews with the "refresh" keyword, force an immediate refresh
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews of all the managed-keys in the specified view, or all
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont views. When run with the "sync" keyword, force an
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews immediate dump of the managed-keys database to disk (in
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews the file <code class="filename">managed-keys.bind</code> or
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
f1a2709aad7baa4161fdb6f63edf99b0150af252Evan Hunt<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Modify the configuration of a zone while the server
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews is running. This command requires the
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews <span class="command"><strong>allow-new-zones</strong></span> option to be
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews set to <strong class="userinput"><code>yes</code></strong>. As with
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <span class="command"><strong>addzone</strong></span>, the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <em class="replaceable"><code>configuration</code></em> string
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews specified on the command line is the zone
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt configuration text that would ordinarily be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews placed in <code class="filename">named.conf</code>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews If the zone was originally added via
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <span class="command"><strong>rndc addzone</strong></span>, the configuration
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt changes will be recorded permanently and will still be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews in effect after the server is restarted or reconfigured.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews However, if it was originally configured in
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <code class="filename">named.conf</code>, then that original
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews configuration is still in place; when the server is
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews restarted or reconfigured, the zone will revert to
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt its original configuration. To make the changes
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews permanent, it must also be modified in
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews Resend NOTIFY messages for the zone.
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews Sets the server's debugging level to 0.
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User See also <span class="command"><strong>rndc trace</strong></span>.
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt<dt><span class="term"><strong class="userinput"><code>nta
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews <em class="replaceable"><code>domain</code></em>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews Sets a DNSSEC negative trust anchor (NTA)
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews for <code class="option">domain</code>, with a lifetime of
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews <code class="option">duration</code>. The default lifetime is
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews configured in <code class="filename">named.conf</code> via the
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews <code class="option">nta-lifetime</code> option, and defaults to
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews one hour. The lifetime cannot exceed one week.
bcfc5188be220e1334218dfe638dffce4744e792Tinderbox User A negative trust anchor selectively disables
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews DNSSEC validation for zones that are known to be
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews failing because of misconfiguration rather than
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews an attack. When data to be validated is
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews at or below an active NTA (and above any other
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews configured trust anchors), <span class="command"><strong>named</strong></span> will
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews abort the DNSSEC validation process and treat the data as
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews insecure rather than bogus. This continues until the
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews NTA's lifetime is elapsed.
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User The NTAs for a view are saved in a file called
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews where <em class="replaceable"><code>name</code></em> is the
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews name of the view, or if it contains characters
fab54780409846f7c71f6026d665f18c77c649efTinderbox User that are incompatible with use as a file name, a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews cryptographic hash generated from the name
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews of the view.
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews An existing NTA can be removed by using the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews An NTA's lifetime can be specified with the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <code class="option">-lifetime</code> option. TTL-style
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews suffixes can be used to specify the lifetime in
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews seconds, minutes, or hours. If the specified NTA
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt already exists, its lifetime will be updated to the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews new value. Setting <code class="option">lifetime</code> to zero
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is equivalent to <code class="option">-remove</code>.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt If <code class="option">-dump</code> is used, any other arguments
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews are ignored, and a list of existing NTAs is printed
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User (note that this may include NTAs that are expired but
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington have not yet been cleaned up).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Normally, <span class="command"><strong>named</strong></span> will periodically
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews test to see whether data below an NTA can now be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews validated (see the <code class="option">nta-recheck</code> option
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews in the Administrator Reference Manual for details).
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews If data can be validated, then the NTA is regarded as
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews no longer necessary, and will be allowed to expire
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews early. The <code class="option">-force</code> overrides this
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt behavior and forces an NTA to persist for its entire
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews lifetime, regardless of whether data could be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews validated if the NTA were not present.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews All of these options can be shortened, i.e., to
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Enable or disable query logging. (For backward
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington compatibility, this command can also be used without
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington an argument to toggle query logging on and off.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Query logging can also be enabled
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by explicitly directing the <span class="command"><strong>queries</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>category</strong></span> to a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>channel</strong></span> in the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>logging</strong></span> section of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">named.conf</code> or by specifying
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>querylog yes;</strong></span> in the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>options</strong></span> section of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Reload the configuration file and load new zones,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington but do not reload existing zone files even if they
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington have changed.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This is faster than a full <span class="command"><strong>reload</strong></span> when there
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is a large number of zones because it avoids the need
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to examine the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington modification times of the zones files.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Dump the list of queries <span class="command"><strong>named</strong></span> is currently
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington recursing on, and the list of domains to which iterative
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington queries are currently being sent. (The second list includes
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the number of fetches currently active for the given domain,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and how many have been passed or dropped because of the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="option">fetches-per-zone</code> option.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Schedule zone maintenance for the given zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Reload configuration file and zones.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Reload the given zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Retransfer the given slave zone from the master server.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews If the zone is configured to use
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>inline-signing</strong></span>, the signed
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews version of the zone is discarded; after the
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt retransfer of the unsigned version is complete, the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews signed version will be regenerated with all new
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater Scan the list of available network interfaces
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater for changes, without performing a full
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>reconfig</strong></span> or waiting for the
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span class="command"><strong>interface-interval</strong></span> timer.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater Dump the server's security roots and negative trust anchors
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater for the specified views. If no view is specified, all views
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User If the first argument is "-", then the output is
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User returned via the <span class="command"><strong>rndc</strong></span> response channel
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User and printed to the standard output.
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User Otherwise, it is written to the secroots dump file, which
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User defaults to <code class="filename">named.secroots</code>, but can be
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User overridden via the <code class="option">secroots-file</code> option in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews See also <span class="command"><strong>rndc managed-keys</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User Print the configuration of a running zone.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews See also <span class="command"><strong>rndc zonestatus</strong></span>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Fetch all DNSSEC keys for the given zone
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews from the key directory (see the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>key-directory</strong></span> option in
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the BIND 9 Administrator Reference Manual). If they are within
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews their publication period, merge them into the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews zone's DNSKEY RRset. If the DNSKEY RRset
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews is changed, then the zone is automatically
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews re-signed with the new key set.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This command requires that the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>auto-dnssec</strong></span> zone option be set
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt and also requires the zone to be configured to
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews allow dynamic DNS.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (See "Dynamic Update Policies" in the Administrator
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Reference Manual for more details.)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews See also <span class="command"><strong>rndc loadkeys</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington List, edit, or remove the DNSSEC signing state records
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for the specified zone. The status of ongoing DNSSEC
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington operations (such as signing or generating
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington NSEC3 chains) is stored in the zone in the form
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of DNS resource records of type
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>sig-signing-type</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -list</strong></span> converts
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington these records into a human-readable form,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington indicating which keys are currently signing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington or have finished signing the zone, and which NSEC3
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington chains are being created or removed.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -clear</strong></span> can remove
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a single key (specified in the same format that
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -list</strong></span> uses to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington display it), or all keys. In either case, only
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington completed keys are removed; any record indicating
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews that a key has not yet finished signing the zone
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews will be retained.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the NSEC3 parameters for a zone. This is the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews only supported mechanism for using NSEC3 with
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span class="command"><strong>inline-signing</strong></span> zones.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Parameters are specified in the same format as
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt an NSEC3PARAM resource record: hash algorithm,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews flags, iterations, and salt, in that order.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Currently, the only defined value for hash algorithm
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is <code class="literal">1</code>, representing SHA-1.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The <code class="option">flags</code> may be set to
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="literal">0</code> or <code class="literal">1</code>,
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews depending on whether you wish to set the opt-out
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt bit in the NSEC3 chain. <code class="option">iterations</code>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews defines the number of additional times to apply
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the algorithm when generating an NSEC3 hash. The
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="option">salt</code> is a string of data expressed
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews in hexadecimal, a hyphen (`-') if no salt is
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews to be used, or the keyword <code class="literal">auto</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington which causes <span class="command"><strong>named</strong></span> to generate a
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews random 64-bit salt.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington So, for example, to create an NSEC3 chain using
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the SHA-1 hash algorithm, no opt-out flag,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington 10 iterations, and a salt value of "FFFF", use:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington To set the opt-out flag, 15 iterations, and no
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -nsec3param none</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington removes an existing NSEC3 chain and replaces it
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>rndc signing -serial value</strong></span> sets
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews the serial number of the zone to value. If the value
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington would cause the serial number to go backwards it will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be rejected. The primary use is to set the serial on
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington inline signed zones.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Write server statistics to the statistics file.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt (See the <span class="command"><strong>statistics-file</strong></span> option in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the BIND 9 Administrator Reference Manual.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Display status of the server.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and the default <span class="command"><strong>/IN</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington hint zone if there is not an
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington explicit root zone configured.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Stop the server, making sure any recent changes
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews made through dynamic update or IXFR are first saved to
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the master files of the updated zones.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews If <code class="option">-p</code> is specified <span class="command"><strong>named</strong></span>'s process id is returned.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews This allows an external process to determine when <span class="command"><strong>named</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews had completed stopping.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User Sync changes in the journal file for a dynamic zone
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User to the master file. If the "-clean" option is
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User specified, the journal file is also removed. If
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User no zone is specified, then all zones are synced.
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User Enable updates to a frozen dynamic zone. If no
872e1437295dce8162ac7374317d593320ac2dd6Tinderbox User zone is specified, then all frozen zones are
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews enabled. This causes the server to reload the zone
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews from disk, and re-enables dynamic updates after the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews load has completed. After a zone is thawed,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews dynamic updates will no longer be refused. If
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the zone has changed and the
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews <span class="command"><strong>ixfr-from-differences</strong></span> option is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in use, then the journal file will be updated to
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews reflect changes in the zone. Otherwise, if the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zone has changed, any existing journal file will be
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Increment the servers debugging level by one.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Sets the server's debugging level to an explicit
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington See also <span class="command"><strong>rndc notrace</strong></span>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Delete a given TKEY-negotiated key from the server.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews (This does not apply to statically configured TSIG
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews List the names of all TSIG keys currently configured
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews for use by <span class="command"><strong>named</strong></span> in each view. The
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews list both statically configured keys and dynamic
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews TKEY-negotiated keys.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Enable, disable, or check the current status of
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews DNSSEC validation.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews set to <strong class="userinput"><code>yes</code></strong> or
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <strong class="userinput"><code>auto</code></strong> to be effective.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews It defaults to enabled.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Displays the current status of the given zone,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews including the master file name and any include
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews files from which it was loaded, when it was most
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews recently loaded, the current serial number, the
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews number of nodes, whether the zone supports
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt dynamic updates, whether the zone is DNSSEC
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews signed, whether it uses automatic DNSSEC key
1fdd58445074579ee3b65c871137a7a1740eb542Mark Andrews management or inline signing, and the scheduled
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews refresh or expiry times for the zone.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews See also <span class="command"><strong>rndc showzone</strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a name="id-1.14.23.10"></a><h2>LIMITATIONS</h2>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews There is currently no way to provide the shared secret for a
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="option">key_id</code> without using the configuration file.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Several error messages could be clearer.
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
34d1f3b65324f8fcf358fa2f47891441d4b1d2f0Tinderbox User <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
dde130e859339194eebd7184eaf440981838a7f0Mark Andrews<table width="100%" summary="Navigation footer">
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>
f4ee48be3994797a8332b86c101db4d7b54799ceTinderbox User<span class="application">nsupdate</span>�</td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<td width="40%" align="right" valign="top">�<code class="filename">rndc.conf</code>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b2</p>