man.rndc.html revision 7911e6f9de303bca5a3d8b34f4330c8f7cecffae
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.rndc"></a><div class="titlepage"></div>
 — name server control utility
 [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
 [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
 [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
 [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
 [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
 [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
 <p><span class="command"><strong>rndc</strong></span>
 controls the operation of a name
 server. It supersedes the <span class="command"><strong>ndc</strong></span> utility
 that was provided in old BIND releases. If
 <span class="command"><strong>rndc</strong></span> is invoked with no command line
 options or arguments, it prints a short summary of the
 supported commands and the available options and their
 <p><span class="command"><strong>rndc</strong></span>
 communicates with the name server over a TCP connection, sending
 commands authenticated with digital signatures. In the current
 <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
 the only supported authentication algorithms are HMAC-MD5
 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
 (default), HMAC-SHA384 and HMAC-SHA512.
 They use a shared secret on each end of the connection.
 This provides TSIG-style authentication for the command
 request and the name server's response. All commands sent
 over the channel must be signed by a key_id known to the
 <p><span class="command"><strong>rndc</strong></span>
 reads a configuration file to
 determine how to contact the name server and decide what
 algorithm and key it should use.
 <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 Use <em class="replaceable"><code>source-address</code></em>
 as the source address for the connection to the server.
 Multiple instances are permitted to allow setting of both
 the IPv4 and IPv6 source addresses.
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
 Use <em class="replaceable"><code>config-file</code></em>
 as the configuration file instead of the default,
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
 Use <em class="replaceable"><code>key-file</code></em>
 as the key file instead of the default,
 <code class="filename">/etc/rndc.key</code>. The key in
 <code class="filename">/etc/rndc.key</code> will be used to
 authenticate
 commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
 does not exist.
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
 <p><em class="replaceable"><code>server</code></em> is
 the name or address of the server which matches a
 server statement in the configuration file for
 <span class="command"><strong>rndc</strong></span>. If no server is supplied on the
 command line, the host named by the default-server clause
 in the options statement of the <span class="command"><strong>rndc</strong></span>
 configuration file will be used.
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
 Send commands to TCP port
 <em class="replaceable"><code>port</code></em>
 of BIND 9's default control channel port, 953.
 Quiet mode: Message text returned by the server
 will not be printed except when there is an error.
 Instructs <span class="command"><strong>rndc</strong></span> to print the result code
 returned by <span class="command"><strong>named</strong></span> after executing the
 requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
 Enable verbose logging.
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
 Use the key <em class="replaceable"><code>key_id</code></em>
 from the configuration file.
 <em class="replaceable"><code>key_id</code></em>
 known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
 in order for control message validation to succeed.
 If no <em class="replaceable"><code>key_id</code></em>
 is specified, <span class="command"><strong>rndc</strong></span> will first look
 for a key clause in the server statement of the server
 being used, or if no server statement is present for that
 host, then the default-key clause of the options statement.
 Note that the configuration file contains shared secrets
 which are used to send authenticated control commands
 to name servers. It should therefore not have general read
 or write access.
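The key selection order and the file-permission advice above can be checked mechanically. The following is an added example, not code from BIND or from this manual page: it parses a simplified subset of an rndc configuration file (uncommented options, server and key statements), resolves which key a given server would use, and reports a file that other users can read or write or a selected key that still uses HMAC-MD5. The sample file, host names, key names and the helpers parse_rndc_conf, resolve_key and audit are constructed for illustration.

```python
"""Audit an rndc configuration file: key selection and exposure of the secret."""
import os
import re
import stat
import tempfile

# Constructed sample configuration (dummy secrets, hypothetical hosts and key names).
SAMPLE_CONF = '''
options {
    default-server ns1.example.net;
    default-key ops-key;
};
server ns1.example.net {
    key legacy-key;
};
key ops-key {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtZHVtbXktc2VjcmV0";
};
key legacy-key {
    algorithm hmac-md5;
    secret "ZHVtbXk=";
};
'''

# Simplified grammar: top-level statements whose bodies hold no nested braces.
STATEMENT = re.compile(
    r'^\s*(options|server|key)\b\s*"?([^\s{"]*)"?\s*\{([^{}]*)\}\s*;', re.M)
CLAUSE = re.compile(r'([\w-]+)\s+"?([^";\s]+)"?\s*;')


def parse_rndc_conf(text):
    """Return {'options': {...}, 'server': {name: {...}}, 'key': {name: {...}}}."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)      # block comments
    text = re.sub(r'(?m)^\s*(#|//).*$', '', text)          # whole-line comments
    conf = {"options": {}, "server": {}, "key": {}}
    for kind, name, body in STATEMENT.findall(text):
        clauses = dict(CLAUSE.findall(body))
        if kind == "options":
            conf["options"].update(clauses)
        else:
            conf[kind][name] = clauses
    return conf


def resolve_key(conf, server=None, key_id=None):
    """Apply the selection order described for -s and -y.

    server: -s value, else the default-server clause of options.
    key:    -y value, else the key clause of that server's statement,
            else the default-key clause of options.
    """
    server = server or conf["options"].get("default-server")
    if key_id is None:
        key_id = conf["server"].get(server, {}).get("key")
    if key_id is None:
        key_id = conf["options"].get("default-key")
    return server, key_id


def audit(path, server=None, key_id=None):
    """Return a list of findings for one configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} grants read/write to other users")
    with open(path) as fh:
        conf = parse_rndc_conf(fh.read())
    server, key_id = resolve_key(conf, server, key_id)
    key = conf["key"].get(key_id)
    if key is None:
        findings.append(f"server {server}: key {key_id!r} is not defined in this file")
    elif key.get("algorithm", "").lower() == "hmac-md5":
        findings.append(f"server {server}: key {key_id!r} uses hmac-md5 (compatibility only)")
    return findings


def demo():
    """Audit the constructed sample twice: loose mode, then tight mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "rndc.conf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)                       # readable by everyone
        loose = audit(path)                         # default server, legacy key
        os.chmod(path, 0o600)                       # owner only
        tight = audit(path, server="ns2.example.net")  # falls back to default-key
        return loose, tight


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because named must hold the same key_id, algorithm and secret, run the same permission check on whichever file carries the key on the server side.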
 A list of commands supported by <span class="command"><strong>rndc</strong></span> can
 be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
 Currently supported commands are:
 <div class="variablelist"><dl class="variablelist">
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 Add a zone while the server is running. This
 command requires the
 <span class="command"><strong>allow-new-zones</strong></span> option to be set
 to <strong class="userinput"><code>yes</code></strong>. The
 <em class="replaceable"><code>configuration</code></em> string
 specified on the command line is the zone
 configuration text that would ordinarily be
 placed in <code class="filename">named.conf</code>.
 The configuration is saved in a file called
 <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
 where <em class="replaceable"><code>name</code></em> is the
 name of the view, or if it contains characters
 that are incompatible with use as a file name, a
 cryptographic hash generated from the name
 When <span class="command"><strong>named</strong></span> is
 restarted, the file will be loaded into the view
 configuration, so that zones that were added
 can persist after a restart.
 This sample <span class="command"><strong>addzone</strong></span> command
 would add the zone <code class="literal">example.com</code>
 to the default view:
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
 (Note the brackets and semi-colon around the zone
 configuration text.)
 See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
 Delete a zone while the server is running.
 If the <code class="option">-clean</code> argument is specified,
 the zone's master file (and journal file, if any)
 will be deleted along with the zone. Without the
 <code class="option">-clean</code> option, zone files must
 be cleaned up by hand. (If the zone is of
 type "slave" or "stub", the files needing to
 be cleaned up will be reported in the output
 of the <span class="command"><strong>rndc delzone</strong></span> command.)
 If the zone was originally added via
 <span class="command"><strong>rndc addzone</strong></span>, then it will be
 removed permanently. However, if it was originally
 configured in <code class="filename">named.conf</code>, then
 that original configuration is still in place; when
 the server is restarted or reconfigured, the zone will
 come back. To remove it permanently, it must also be
 removed from <code class="filename">named.conf</code>
 See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
 Close and re-open DNSTAP output files.
 <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
 file to be renamed externally, so
 that <span class="command"><strong>named</strong></span> can truncate and re-open it.
 <span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
 to be rolled automatically, similar to log files; the most
 recent output file has ".0" appended to its name; the
 previous most recent output file is moved to ".1", and so on.
 If <em class="replaceable"><code>number</code></em> is specified, then the
 number of backup log files is limited to that number.
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
 Dump the server's caches (default) and/or zones to
 the dump file for the specified views. If no view is
 specified, all
 views are dumped.
 (See the <span class="command"><strong>dump-file</strong></span> option in
 the BIND 9 Administrator Reference Manual.)
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
 Flushes the server's cache.
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
 Flushes the given name from the view's DNS cache
 and, if applicable, from the view's nameserver address
 database, bad server cache and SERVFAIL cache.
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
 Flushes the given name, and all of its subdomains,
 from the view's DNS cache, address database,
 bad server cache, and SERVFAIL cache.
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
 Suspend updates to a dynamic zone. If no zone is
 specified, then all zones are suspended. This allows
 manual edits to be made to a zone normally updated by
 dynamic update. It also causes changes in the
 journal file to be synced into the master file.
 All dynamic update attempts will be refused while
 the zone is frozen.
 See also <span class="command"><strong>rndc thaw</strong></span>.
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
 Stop the server immediately. Recent changes
 made through dynamic update or IXFR are not saved to
 the master files, but will be rolled forward from the
 journal files when the server is restarted.
 If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
 This allows an external process to determine when <span class="command"><strong>named</strong></span>
 has completed halting.
 See also <span class="command"><strong>rndc stop</strong></span>.
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 Fetch all DNSSEC keys for the given zone
 from the key directory. If they are within
 their publication period, merge them into the
 zone's DNSKEY RRset. Unlike <span class="command"><strong>rndc
 immediately re-signed by the new keys, but is
 allowed to incrementally re-sign over time.
 This command requires that the
 <span class="command"><strong>auto-dnssec</strong></span> zone option
 be set to <code class="literal">maintain</code>,
 and also requires the zone to be configured to
 allow dynamic DNS.
 (See "Dynamic Update Policies" in the Administrator
 Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 When run with the "status" keyword, print the current
 status of the managed-keys database for the specified
 view, or for all views if none is specified. When run
 with the "refresh" keyword, force an immediate refresh
 of all the managed-keys in the specified view, or all
 views. When run with the "sync" keyword, force an
 immediate dump of the managed-keys database to disk (in
 the file <code class="filename">managed-keys.bind</code> or
 <code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
 Modify the configuration of a zone while the server
 is running. This command requires the
 <span class="command"><strong>allow-new-zones</strong></span> option to be
 set to <strong class="userinput"><code>yes</code></strong>. As with
 <span class="command"><strong>addzone</strong></span>, the
 <em class="replaceable"><code>configuration</code></em> string
 specified on the command line is the zone
 configuration text that would ordinarily be
 placed in <code class="filename">named.conf</code>.
 If the zone was originally added via
 <span class="command"><strong>rndc addzone</strong></span>, the configuration
 changes will be recorded permanently and will still be
 in effect after the server is restarted or reconfigured.
 However, if it was originally configured in
 <code class="filename">named.conf</code>, then that original
 configuration is still in place; when the server is
 restarted or reconfigured, the zone will revert to
 its original configuration. To make the changes
 permanent, it must also be modified in
 See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
 Resend NOTIFY messages for the zone.
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
 Sets the server's debugging level to 0.
 See also <span class="command"><strong>rndc trace</strong></span>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term"><strong class="userinput"><code>nta
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="replaceable"><code>domain</code></em>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets a DNSSEC negative trust anchor (NTA)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for <code class="option">domain</code>, with a lifetime of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">duration</code>. The default lifetime is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster configured in <code class="filename">named.conf</code> via the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">nta-lifetime</code> option, and defaults to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster one hour. The lifetime cannot exceed one week.
c184142912cff04e5442d8bf70febe477285fb1cCraig McDonnell A negative trust anchor selectively disables
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DNSSEC validation for zones that are known to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster failing because of misconfiguration rather than
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster an attack. When data to be validated is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster at or below an active NTA (and above any other
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster configured trust anchors), <span class="command"><strong>named</strong></span> will
0c893a059f84246bf91e2f0fbf63e4c92f8e5165Tony Bamford abort the DNSSEC validation process and treat the data as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster insecure rather than bogus. This continues until the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster NTA's lifetime is elapsed.
NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
The NTAs for a view are saved in a file called
<code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
where <em class="replaceable"><code>name</code></em> is the
name of the view, or if it contains characters
that are incompatible with use as a file name, a
cryptographic hash generated from the name
of the view.
An existing NTA can be removed by using the
An NTA's lifetime can be specified with the
<code class="option">-lifetime</code> option. TTL-style
suffixes can be used to specify the lifetime in
seconds, minutes, or hours. If the specified NTA
already exists, its lifetime will be updated to the
new value. Setting <code class="option">lifetime</code> to zero
is equivalent to <code class="option">-remove</code>.
If <code class="option">-dump</code> is used, any other arguments
are ignored, and a list of existing NTAs is printed
(note that this may include NTAs that are expired but
have not yet been cleaned up).
Normally, <span class="command"><strong>named</strong></span> will periodically
test to see whether data below an NTA can now be
validated (see the <code class="option">nta-recheck</code> option
in the Administrator Reference Manual for details).
If data can be validated, then the NTA is regarded as
no longer necessary, and will be allowed to expire
early. The <code class="option">-force</code> option overrides this
behavior and forces an NTA to persist for its entire
lifetime, regardless of whether data could be
validated if the NTA were not present.
All of these options can be shortened, i.e., to
<code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
Query logging can also be enabled
by explicitly directing the <span class="command"><strong>queries</strong></span>
<span class="command"><strong>category</strong></span> to a
<span class="command"><strong>channel</strong></span> in the
<span class="command"><strong>logging</strong></span> section of
<code class="filename">named.conf</code> or by specifying
<span class="command"><strong>querylog yes;</strong></span> in the
<span class="command"><strong>options</strong></span> section of
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <span class="command"><strong>reload</strong></span> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
Dump the list of queries <span class="command"><strong>named</strong></span> is currently
recursing on, and the list of domains to which iterative
queries are currently being sent. (The second list includes
the number of fetches currently active for the given domain,
and how many have been passed or dropped because of the
<code class="option">fetches-per-zone</code> option.)
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Schedule zone maintenance for the given zone.
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
Reload configuration file and zones.
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Reload the given zone.
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Retransfer the given slave zone from the master server.
If the zone is configured to use
<span class="command"><strong>inline-signing</strong></span>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
Scan the list of available network interfaces
for changes, without performing a full
<span class="command"><strong>reconfig</strong></span> or waiting for the
<span class="command"><strong>interface-interval</strong></span> timer.
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
Dump the server's security roots and negative trust anchors
for the specified views. If no view is specified, all views
If the first argument is "-", then the output is
returned via the <span class="command"><strong>rndc</strong></span> response channel
and printed to the standard output.
Otherwise, it is written to the secroots dump file, which
defaults to <code class="filename">named.secroots</code>, but can be
overridden via the <code class="option">secroots-file</code> option in
See also <span class="command"><strong>rndc managed-keys</strong></span>.
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
Print the configuration of a running zone.
See also <span class="command"><strong>rndc zonestatus</strong></span>.
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
<span class="command"><strong>key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
This command requires that the
<span class="command"><strong>auto-dnssec</strong></span> zone option be set
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
See also <span class="command"><strong>rndc loadkeys</strong></span>.
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
List, edit, or remove the DNSSEC signing state records
for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<span class="command"><strong>sig-signing-type</strong></span>.
<span class="command"><strong>rndc signing -list</strong></span> converts
these records into a human-readable form,
indicating which keys are currently signing
or have finished signing the zone, and which NSEC3
chains are being created or removed.
<span class="command"><strong>rndc signing -clear</strong></span> can remove
a single key (specified in the same format that
<span class="command"><strong>rndc signing -list</strong></span> uses to
display it), or all keys. In either case, only
completed keys are removed; any record indicating
that a key has not yet finished signing the zone
will be retained.
<span class="command"><strong>rndc signing -nsec3param</strong></span> sets
the NSEC3 parameters for a zone. This is the
only supported mechanism for using NSEC3 with
<span class="command"><strong>inline-signing</strong></span> zones.
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
flags, iterations, and salt, in that order.
Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>,
depending on whether you wish to set the opt-out
bit in the NSEC3 chain. <code class="option">iterations</code>
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<code class="option">salt</code> is a string of data expressed
in hexadecimal, a hyphen (`-') if no salt is
to be used, or the keyword <code class="literal">auto</code>,
which causes <span class="command"><strong>named</strong></span> to generate a
random 64-bit salt.
So, for example, to create an NSEC3 chain using
the SHA-1 hash algorithm, no opt-out flag,
10 iterations, and a salt value of "FFFF", use:
<span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
To set the opt-out flag, 15 iterations, and no
<span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
<span class="command"><strong>rndc signing -nsec3param none</strong></span>
removes an existing NSEC3 chain and replaces it
<span class="command"><strong>rndc signing -serial value</strong></span> sets
the serial number of the zone to value. If the value
would cause the serial number to go backwards, it will
be rejected. The primary use is to set the serial on
inline signed zones.
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
Write server statistics to the statistics file.
(See the <span class="command"><strong>statistics-file</strong></span> option in
the BIND 9 Administrator Reference Manual.)
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
Display status of the server.
Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
and the default <span class="command"><strong>/IN</strong></span>
hint zone if there is not an
explicit root zone configured.
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
This allows an external process to determine when <span class="command"><strong>named</strong></span>
has completed stopping.
<p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
<span class="command"><strong>ixfr-from-differences</strong></span> option is
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
<p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
Increment the server's debugging level by one.
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
Sets the server's debugging level to an explicit
See also <span class="command"><strong>rndc notrace</strong></span>.
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
List the names of all TSIG keys currently configured
for use by <span class="command"><strong>named</strong></span> in each view. The
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
Enable, disable, or check the current status of
DNSSEC validation.
Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> or
<strong class="userinput"><code>auto</code></strong> to be effective.
It defaults to enabled.
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
See also <span class="command"><strong>rndc showzone</strong></span>.
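<p>The parameter rules given above for <span class="command"><strong>rndc signing -nsec3param</strong></span>, as an added example (not part of the BIND documentation or code): it validates an argument list against those rules and computes the resulting NSEC3 hash as defined in RFC 5155, which makes visible that <code class="option">iterations</code> counts additional SHA-1 applications per name. The function names and the AUTO_SALT marker are hypothetical, and www.example.com is a constructed sample name.</p>

```python
import base64
import hashlib
import re

# NSEC3 owner names use base32hex; translate from the standard base32 alphabet.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

AUTO_SALT = object()  # hypothetical marker: named picks a random 64-bit salt


def parse_nsec3param(args):
    """Validate the words that follow `rndc signing -nsec3param`.

    Returns None for `none` (remove the NSEC3 chain), otherwise
    (algorithm, flags, iterations, salt) with salt as bytes or AUTO_SALT.
    """
    args = list(args)
    if args == ["none"]:
        return None
    if len(args) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    algorithm, flags, iterations, salt = args
    if algorithm != "1":
        raise ValueError("the only defined hash algorithm is 1 (SHA-1)")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0 or 1 (opt-out bit)")
    if not re.fullmatch(r"[0-9]+", iterations):
        raise ValueError("iterations must be a non-negative integer")
    if salt == "auto":
        salt_value = AUTO_SALT
    elif salt == "-":
        salt_value = b""  # no salt
    elif re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", salt):
        salt_value = bytes.fromhex(salt)
    else:
        raise ValueError("salt must be hexadecimal, '-' or 'auto'")
    return 1, int(flags), int(iterations), salt_value


def wire_name(name):
    """Canonical (lower-case) DNS wire format of a plain ASCII owner name."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, iterations, salt):
    """NSEC3 hash (RFC 5155, algorithm 1) as a base32hex label."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # the *additional* applications
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


if __name__ == "__main__":
    # The two parameter sets from the page, without the zone argument.
    for words in (["1", "0", "10", "FFFF"], ["1", "1", "15", "-"]):
        _, flags, iterations, salt = parse_nsec3param(words)
        print(words, "->", nsec3_hash("www.example.com", iterations, salt),
              "(%d SHA-1 calls per name)" % (iterations + 1))
```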
<a name="id-1.14.27.10"></a><h2>LIMITATIONS</h2>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
Several error messages could be clearer.
<span class="refentrytitle">rndc.conf</span>(5)
<span class="refentrytitle">rndc-confgen</span>(8)
<span class="refentrytitle">named.conf</span>(5)
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0</p>