man.rndc.html revision 1ca759b3f5c0672b2a66bc02288fe010cabbfe37
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.rndc"></a><div class="titlepage"></div>
<p><span class="application">rndc</span> — name server control utility</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
<a name="id-1.14.27.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc</strong></span>
controls the operation of a name
server. It supersedes the <span class="command"><strong>ndc</strong></span> utility
that was provided in old BIND releases. If
<span class="command"><strong>rndc</strong></span> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their
<p><span class="command"><strong>rndc</strong></span>
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
<span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
<p><span class="command"><strong>rndc</strong></span>
reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
Use <em class="replaceable"><code>source-address</code></em>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
Use <em class="replaceable"><code>config-file</code></em>
as the configuration file instead of the default,
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
Use <em class="replaceable"><code>key-file</code></em>
as the key file instead of the default,
<code class="filename">/etc/rndc.key</code>. The key in
<code class="filename">/etc/rndc.key</code> will be used to
commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
does not exist.
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
the name or address of the server which matches a
server statement in the configuration file for
<span class="command"><strong>rndc</strong></span>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <span class="command"><strong>rndc</strong></span>
configuration file will be used.
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
Send commands to TCP port
<em class="replaceable"><code>port</code></em>
of BIND 9's default control channel port, 953.
<dt><span class="term">-q</span></dt>
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
<dt><span class="term">-r</span></dt>
Instructs <span class="command"><strong>rndc</strong></span> to print the result code
returned by <span class="command"><strong>named</strong></span> after executing the
requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc.).
<dt><span class="term">-V</span></dt>
Enable verbose logging.
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
Use the key <em class="replaceable"><code>key_id</code></em>
from the configuration file.
<em class="replaceable"><code>key_id</code></em>
known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
in order for control message validation to succeed.
If no <em class="replaceable"><code>key_id</code></em>
is specified, <span class="command"><strong>rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
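<p>Added example, not part of the ISC manual or the BIND code: a small Python audit of an <code class="filename">rndc.conf</code> or <code class="filename">rndc.key</code> file for the two points made above, the HMAC algorithm each key clause names and whether the file has general read or write access. The function names, finding labels and sample file are constructed for illustration, and "general" access is read here as the world (other) permission bits.</p>

```python
import os
import re
import stat
import tempfile

# Algorithms the man page lists as supported by rndc and named.
SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha224",
             "hmac-sha256", "hmac-sha384", "hmac-sha512"}
COMPAT_ONLY = {"hmac-md5"}  # listed "for compatibility"

# Constructed sample; the secrets are placeholders, not real keys.
SAMPLE_CONF = '''\
# constructed sample for the audit below
key "legacy-key" {
    algorithm hmac-md5;
    secret "cGxhY2Vob2xk//ZXI=";   // the string contains "//" on purpose
};
key "ops-key" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };
options {
    default-server localhost;
    default-key "ops-key";
};
'''

# Either a quoted string or one of the three comment styles (/* */, //, #).
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
# A key statement: key <name> { ... };  (a bare `key "x";` reference has no braces)
_KEY_CLAUSE = re.compile(r'\bkey\s+"?([^\s"{;]+)"?\s*\{(.*?)\}\s*;', re.DOTALL)
_ALGORITHM = re.compile(r'\balgorithm\s+"?([A-Za-z0-9-]+)"?\s*;')


def strip_comments(text):
    """Remove comments but keep quoted strings intact (base64 may contain //)."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def audit_keys(text):
    """Return (key_id, finding) pairs for key clauses that need attention."""
    findings = []
    for name, body in _KEY_CLAUSE.findall(strip_comments(text)):
        match = _ALGORITHM.search(body)
        if match is None:
            findings.append((name, "missing-algorithm"))
            continue
        algorithm = match.group(1).lower()
        if algorithm not in SUPPORTED:
            findings.append((name, "unsupported-algorithm"))
        elif algorithm in COMPAT_ONLY:
            findings.append((name, "compat-only-algorithm"))
    return findings


def audit_mode(path):
    """Flag world read/write bits on a file that holds shared secrets."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_file(path):
    """Audit one configuration or key file: permissions plus key clauses."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    return {"mode": audit_mode(path), "keys": audit_keys(text)}


if __name__ == "__main__":
    # Write the constructed sample to a temporary file with a lax mode.
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(SAMPLE_CONF)
    os.chmod(path, 0o644)
    try:
        print(audit_file(path))
    finally:
        os.remove(path)
```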
A list of commands supported by <span class="command"><strong>rndc</strong></span> can
be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
Currently supported commands are:
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
Add a zone while the server is running. This
command requires the
<span class="command"><strong>allow-new-zones</strong></span> option to be set
to <strong class="userinput"><code>yes</code></strong>. The
<em class="replaceable"><code>configuration</code></em> string
specified on the command line is the zone
configuration text that would ordinarily be
placed in <code class="filename">named.conf</code>.
The configuration is saved in a file called
<code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
where <em class="replaceable"><code>name</code></em> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
When <span class="command"><strong>named</strong></span> is
restarted, the file will be loaded into the view
configuration, so that zones that were added
can persist after a restart.
This sample <span class="command"><strong>addzone</strong></span> command
would add the zone <code class="literal">example.com</code>
to the default view:
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
(Note the brackets and semi-colon around the zone
configuration text.)
See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
Delete a zone while the server is running.
If the <code class="option">-clean</code> argument is specified,
the zone's master file (and journal file, if any)
will be deleted along with the zone. Without the
<code class="option">-clean</code> option, zone files must
be cleaned up by hand. (If the zone is of
type "slave" or "stub", the files needing to
be cleaned up will be reported in the output
of the <span class="command"><strong>rndc delzone</strong></span> command.)
If the zone was originally added via
<span class="command"><strong>rndc addzone</strong></span>, then it will be
removed permanently. However, if it was originally
configured in <code class="filename">named.conf</code>, then
that original configuration is still in place; when
the server is restarted or reconfigured, the zone will
come back. To remove it permanently, it must also be
removed from <code class="filename">named.conf</code>
See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
Close and re-open DNSTAP output files.
<span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
file to be renamed externally, so
that <span class="command"><strong>named</strong></span> can truncate and re-open it.
<span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
to be rolled automatically, similar to log files; the most
recent output file has ".0" appended to its name; the
previous most recent output file is moved to ".1", and so on.
If <em class="replaceable"><code>number</code></em> is specified, then the
number of backup log files is limited to that number.
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
Dump the server's caches (default) and/or zones to
the dump file for the specified views. If no view is
specified, all
views are dumped.
(See the <span class="command"><strong>dump-file</strong></span> option in
the BIND 9 Administrator Reference Manual.)
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
Flushes the server's cache.
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
Flushes the given name from the view's DNS cache
and, if applicable, from the view's nameserver address
database, bad server cache and SERVFAIL cache.
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
Flushes the given name, and all of its subdomains,
from the view's DNS cache, address database,
bad server cache, and SERVFAIL cache.
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
See also <span class="command"><strong>rndc thaw</strong></span>.
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
This allows an external process to determine when <span class="command"><strong>named</strong></span>
has completed halting.
See also <span class="command"><strong>rndc stop</strong></span>.
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc
sign</strong></span>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
This command requires that the
<span class="command"><strong>auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
When run with the "status" keyword, print the current
status of the managed-keys database for the specified
view, or for all views if none is specified. When run
with the "refresh" keyword, force an immediate refresh
of all the managed-keys in the specified view, or all
views. When run with the "sync" keyword, force an
immediate dump of the managed-keys database to disk (in
the file <code class="filename">managed-keys.bind</code> or
<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
Modify the configuration of a zone while the server
is running. This command requires the
<span class="command"><strong>allow-new-zones</strong></span> option to be
set to <strong class="userinput"><code>yes</code></strong>. As with
<span class="command"><strong>addzone</strong></span>, the
<em class="replaceable"><code>configuration</code></em> string
specified on the command line is the zone
configuration text that would ordinarily be
placed in <code class="filename">named.conf</code>.
If the zone was originally added via
<span class="command"><strong>rndc addzone</strong></span>, the configuration
changes will be recorded permanently and will still be
in effect after the server is restarted or reconfigured.
However, if it was originally configured in
<code class="filename">named.conf</code>, then that original
configuration is still in place; when the server is
restarted or reconfigured, the zone will revert to
its original configuration. To make the changes
permanent, it must also be modified in
See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Resend NOTIFY messages for the zone.
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
Sets the server's debugging level to 0.
See also <span class="command"><strong>rndc trace</strong></span>.
<dt><span class="term"><strong class="userinput"><code>nta
[<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
<em class="replaceable"><code>domain</code></em>
[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
</code></strong></span></dt>
Sets a DNSSEC negative trust anchor (NTA)
for <code class="option">domain</code>, with a lifetime of
<code class="option">duration</code>. The default lifetime is
configured in <code class="filename">named.conf</code> via the
<code class="option">nta-lifetime</code> option, and defaults to
one hour. The lifetime cannot exceed one week.
A negative trust anchor selectively disables
DNSSEC validation for zones that are known to be
failing because of misconfiguration rather than
an attack. When data to be validated is
at or below an active NTA (and above any other
configured trust anchors), <span class="command"><strong>named</strong></span> will
abort the DNSSEC validation process and treat the data as
insecure rather than bogus. This continues until the
NTA's lifetime has elapsed.
NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
The NTAs for a view are saved in a file called
<code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
where <em class="replaceable"><code>name</code></em> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
An existing NTA can be removed by using the
An NTA's lifetime can be specified with the
<code class="option">-lifetime</code> option. TTL-style
suffixes can be used to specify the lifetime in
seconds, minutes, or hours. If the specified NTA
already exists, its lifetime will be updated to the
new value. Setting <code class="option">lifetime</code> to zero
is equivalent to <code class="option">-remove</code>.
If <code class="option">-dump</code> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User have not yet been cleaned up).
548a24c3d36837aa5f0e64f7bb8c7308909ffa89Tinderbox User Normally, <span class="command"><strong>named</strong></span> will periodically
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User test to see whether data below an NTA can now be
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User validated (see the <code class="option">nta-recheck</code> option
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater in the Administrator Reference Manual for details).
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater If data can be validated, then the NTA is regarded as
24abfe433efd98bb2099b867fb14d049b2f1f531Tinderbox User no longer necessary, and will be allowed to expire
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User early. The <code class="option">-force</code> overrides this
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User behavior and forces an NTA to persist for its entire
7c6b9b263898daf28d657f65dbd75c330ca4aa13Automatic Updater lifetime, regardless of whether data could be
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User validated if the NTA were not present.
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User All of these options can be shortened, i.e., to
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
</p>
<p>
Query logging can also be enabled
by explicitly directing the <span class="command"><strong>queries</strong></span>
<span class="command"><strong>category</strong></span> to a
<span class="command"><strong>channel</strong></span> in the
<span class="command"><strong>logging</strong></span> section of
<code class="filename">named.conf</code> or by specifying
<span class="command"><strong>querylog yes;</strong></span> in the
<span class="command"><strong>options</strong></span> section of
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd>
<p>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <span class="command"><strong>reload</strong></span> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd>
<p>
Dump the list of queries <span class="command"><strong>named</strong></span> is currently
recursing on, and the list of domains to which iterative
queries are currently being sent. (The second list includes
the number of fetches currently active for the given domain,
and how many have been passed or dropped because of the
<code class="option">fetches-per-zone</code> option.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Schedule zone maintenance for the given zone.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd>
<p>
Reload configuration file and zones.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Reload the given zone.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Retransfer the given slave zone from the master server.
</p>
<p>
If the zone is configured to use
<span class="command"><strong>inline-signing</strong></span>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
<dd>
<p>
Scan the list of available network interfaces
for changes, without performing a full
<span class="command"><strong>reconfig</strong></span> or waiting for the
<span class="command"><strong>interface-interval</strong></span> timer.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd>
<p>
Dump the server's security roots and negative trust anchors
for the specified views. If no view is specified, all views
</p>
<p>
If the first argument is "-", then the output is
returned via the <span class="command"><strong>rndc</strong></span> response channel
and printed to the standard output.
Otherwise, it is written to the secroots dump file, which
defaults to <code class="filename">named.secroots</code>, but can be
overridden via the <code class="option">secroots-file</code> option in
</p>
<p>
See also <span class="command"><strong>rndc managed-keys</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
Print the configuration of a running zone.
</p>
<p>
See also <span class="command"><strong>rndc zonestatus</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
<span class="command"><strong>key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
</p>
<p>
This command requires that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</p>
<p>
See also <span class="command"><strong>rndc loadkeys</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
List, edit, or remove the DNSSEC signing state records
for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>rndc signing -list</strong></span> converts
these records into a human-readable form,
indicating which keys are currently signing
or have finished signing the zone, and which NSEC3
chains are being created or removed.
</p>
<p>
<span class="command"><strong>rndc signing -clear</strong></span> can remove
a single key (specified in the same format that
<span class="command"><strong>rndc signing -list</strong></span> uses to
display it), or all keys. In either case, only
completed keys are removed; any record indicating
that a key has not yet finished signing the zone
will be retained.
</p>
<p>
<span class="command"><strong>rndc signing -nsec3param</strong></span> sets
the NSEC3 parameters for a zone. This is the
only supported mechanism for using NSEC3 with
<span class="command"><strong>inline-signing</strong></span> zones.
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
flags, iterations, and salt, in that order.
</p>
<p>
Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>,
depending on whether you wish to set the opt-out
bit in the NSEC3 chain. <code class="option">iterations</code>
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<code class="option">salt</code> is a string of data expressed
in hexadecimal, a hyphen (`-') if no salt is
to be used, or the keyword <code class="literal">auto</code>,
which causes <span class="command"><strong>named</strong></span> to generate a
random 64-bit salt.
</p>
<p>
So, for example, to create an NSEC3 chain using
the SHA-1 hash algorithm, no opt-out flag,
10 iterations, and a salt value of "FFFF", use:
<span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
To set the opt-out flag, 15 iterations, and no
<span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
</p>
<p>
<span class="command"><strong>rndc signing -nsec3param none</strong></span>
removes an existing NSEC3 chain and replaces it
</p>
<p>
<span class="command"><strong>rndc signing -serial value</strong></span> sets
the serial number of the zone to value. If the value
would cause the serial number to go backwards it will
be rejected. The primary use is to set the serial on
inline signed zones.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd>
<p>
Write server statistics to the statistics file.
(See the <span class="command"><strong>statistics-file</strong></span> option in
the BIND 9 Administrator Reference Manual.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd>
<p>
Display status of the server.
Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
and the default <span class="command"><strong>/IN</strong></span>
hint zone if there is not an
explicit root zone configured.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd>
<p>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
This allows an external process to determine when <span class="command"><strong>named</strong></span>
has completed stopping.
</p>
<p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
<p>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
<p>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
<span class="command"><strong>ixfr-from-differences</strong></span> option is
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
</p>
<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd>
<p>
Increment the server's debugging level by one.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd>
<p>
Sets the server's debugging level to an explicit
</p>
<p>
See also <span class="command"><strong>rndc notrace</strong></span>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd>
<p>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd>
<p>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd>
<p>
Enable, disable, or check the current status of
DNSSEC validation.
Note that <span class="command"><strong>dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> or
<strong class="userinput"><code>auto</code></strong> to be effective.
It defaults to enabled.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
</p>
<p>
See also <span class="command"><strong>rndc showzone</strong></span>.
</p>
</dd>
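<p>The coverage rule in the <code>nta</code> entry above (data at or below an active NTA, and above any other trust anchor, is treated as insecure), together with its lifetime rules, as an added Python model that is not part of the BIND documentation or source. The class and function names are hypothetical, a trust anchor at the same name as the NTA is assumed not to override it, and <code class="option">-force</code> and <code class="option">nta-recheck</code> are not modelled.</p>

```python
ONE_WEEK = 7 * 24 * 3600
SUFFIX_SECONDS = {"s": 1, "m": 60, "h": 3600}  # the suffixes the page names


def parse_lifetime(text):
    """Seconds for a lifetime such as '90', '30m' or '12h'; at most one week."""
    text = text.strip().lower()
    unit = 1
    if text and text[-1] in SUFFIX_SECONDS:
        unit = SUFFIX_SECONDS[text[-1]]
        text = text[:-1]
    if not text.isdigit():
        raise ValueError("lifetime must be a number with an optional s/m/h suffix")
    seconds = int(text) * unit
    if seconds > ONE_WEEK:
        raise ValueError("an NTA lifetime cannot exceed one week")
    return seconds


def labels(name):
    """Lower-cased labels of a domain name; the root name has none."""
    return [part for part in name.rstrip(".").lower().split(".") if part]


def at_or_below(name, ancestor):
    """True if name equals ancestor or is a subdomain of it."""
    n, a = labels(name), labels(ancestor)
    return len(a) <= len(n) and (not a or n[-len(a):] == a)


class NtaTable:
    """Toy model of one view's NTA table (hypothetical, not named's code)."""

    def __init__(self, trust_anchors):
        self.trust_anchors = list(trust_anchors)
        self.expiry = {}  # NTA name -> absolute expiry time in seconds

    def set_nta(self, domain, lifetime, now):
        key = ".".join(labels(domain)) + "."
        seconds = parse_lifetime(lifetime)
        if seconds == 0:
            self.expiry.pop(key, None)        # zero lifetime acts like -remove
        else:
            self.expiry[key] = now + seconds  # an existing NTA gets the new lifetime

    def status(self, name, now):
        """'insecure' if an active NTA covers name, otherwise 'validate'."""
        for nta, expires in self.expiry.items():
            if expires <= now or not at_or_below(name, nta):
                continue
            # A trust anchor strictly below the NTA and at or above the name
            # means the data is not "above any other configured trust anchors".
            shadowed = any(
                at_or_below(name, ta)
                and at_or_below(ta, nta)
                and len(labels(ta)) > len(labels(nta))
                for ta in self.trust_anchors
            )
            if not shadowed:
                return "insecure"
        return "validate"


if __name__ == "__main__":
    # Constructed sample: root anchor plus an explicit anchor below the NTA.
    table = NtaTable(trust_anchors=[".", "secure.example.com."])
    table.set_nta("example.com", "1h", now=0)
    for qname in ("www.example.com", "host.secure.example.com", "example.org"):
        print(qname, table.status(qname, now=10))
```

<p>Because an NTA turns bogus answers into insecure ones for everything beneath it, the model makes it easy to see how wide a given NTA reaches before it is set on a production resolver.</p>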
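<p>What the four <code class="option">-nsec3param</code> fields described under <code>signing</code> above do to an owner name, as an added Python example that is not part of the BIND documentation or source. It parses the parameter string in the order the page gives and computes the NSEC3 hash as defined in RFC 5155; the function names are hypothetical, and the sample zone and parameters in the demo are the ones from the RFC 5155 example zone.</p>

```python
import base64
import hashlib

# Map the standard base32 alphabet to the "extended hex" alphabet that
# NSEC3 owner names use.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def parse_nsec3param(text):
    """Parse 'hash flags iterations salt' as given to 'rndc signing -nsec3param'.

    Returns (algorithm, flags, iterations, salt). salt is b'' for '-' and
    None for 'auto', because named chooses the salt itself in that case.
    """
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected: hash flags iterations salt")
    algorithm, flags, iterations = (int(field) for field in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in (0, 1):
        raise ValueError("flags must be 0 or 1 (opt-out bit)")
    if iterations < 0:
        raise ValueError("iterations must not be negative")
    salt_field = fields[3]
    if salt_field == "-":
        salt = b""
    elif salt_field.lower() == "auto":
        salt = None
    else:
        salt = bytes.fromhex(salt_field)  # ValueError on non-hex input
    return algorithm, flags, iterations, salt


def wire_name(name):
    """Canonical (lower-case) DNS wire format of an ASCII domain name."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue  # the root name has no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name, iterations, salt):
    """SHA-1 over name||salt, then 'iterations' additional rounds over digest||salt."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


def nsec3_owner(name, zone, params):
    """Hashed owner name that would carry the NSEC3 record for 'name' in 'zone'."""
    _algorithm, _flags, iterations, salt = parse_nsec3param(params)
    if salt is None:
        raise ValueError("salt 'auto' is chosen by named; read it from NSEC3PARAM")
    return nsec3_hash(name, iterations, salt) + "." + zone.rstrip(".").lower() + "."


if __name__ == "__main__":
    # Parameters of the RFC 5155 example zone: 12 extra iterations, salt aabbccdd.
    print(nsec3_owner("example", "example", "1 0 12 aabbccdd"))
    # The two parameter sets shown on this page.
    print(parse_nsec3param("1 0 10 FFFF"))
    print(parse_nsec3param("1 1 15 -"))
```

<p>Each name costs <code>iterations + 1</code> SHA-1 invocations for the signer and for every validating resolver, which is the trade-off to keep in mind when choosing the third parameter.</p>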
<a name="id-1.14.27.10"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
</p>
<p>
Several error messages could be clearer.
</p>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>