doc/arm/man.rndc.html

	man.rndc.html revision 94479b38340a00f0daf0ae0e1d3d673f845609ff
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<!--
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - Copyright (C) 2000-2003 Internet Software Consortium.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap -
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - Permission to use, copy, modify, and/or distribute this software for any
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - purpose with or without fee is hereby granted, provided that the above
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - copyright notice and this permission notice appear in all copies.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap -
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - PERFORMANCE OF THIS SOFTWARE.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap-->
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<!-- $Id$ -->
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<html>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<head>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<title>rndc</title>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<link rel="prev" href="man.nsupdate.html" title="nsupdate">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</head>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="navheader">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<table width="100%" summary="Navigation header">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<tr>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<td width="20%" align="left">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<th width="60%" align="center">Manual pages</th>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<td width="20%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</td>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</tr>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</table>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<hr>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="refentry" lang="en">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<a name="man.rndc"></a><div class="titlepage"></div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="refnamediv">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<h2>Name</h2>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<p><span class="application">rndc</span> &#8212; name server control utility</p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="refsynopsisdiv">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<h2>Synopsis</h2>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="refsect1" lang="en">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<a name="id2643561"></a><h2>DESCRIPTION</h2>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<p><span><strong class="command">rndc</strong></span>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      controls the operation of a name
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      that was provided in old BIND releases.  If
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      <span><strong class="command">rndc</strong></span> is invoked with no command line
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      options or arguments, it prints a short summary of the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      supported commands and the available options and their
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      arguments.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap    </p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<p><span><strong class="command">rndc</strong></span>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      communicates with the name server over a TCP connection, sending
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      commands authenticated with digital signatures.  In the current
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      versions of
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      the only supported authentication algorithms are HMAC-MD5
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      (default), HMAC-SHA384 and HMAC-SHA512.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      They use a shared secret on each end of the connection.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      This provides TSIG-style authentication for the command
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      request and the name server's response.  All commands sent
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      over the channel must be signed by a key_id known to the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      server.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap    </p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<p><span><strong class="command">rndc</strong></span>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      reads a configuration file to
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      determine how to contact the name server and decide what
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap      algorithm and key it should use.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap    </p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap</div>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="refsect1" lang="en">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<a name="id2643611"></a><h2>OPTIONS</h2>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<div class="variablelist"><dl>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<dd><p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            Use <em class="replaceable"><code>source-address</code></em>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            as the source address for the connection to the server.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            Multiple instances are permitted to allow setting of both
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            the IPv4 and IPv6 source addresses.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap          </p></dd>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<dd><p>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            Use <em class="replaceable"><code>config-file</code></em>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap            as the configuration file instead of the default,
            <code class="filename">/etc/rndc.conf</code>.
          </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd><p>
            Use <em class="replaceable"><code>key-file</code></em>
            as the key file instead of the default,
            <code class="filename">/etc/rndc.key</code>.  The key in
            <code class="filename">/etc/rndc.key</code> will be used to
            authenticate
            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
            does not exist.
          </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
            the name or address of the server which matches a
            server statement in the configuration file for
            <span><strong class="command">rndc</strong></span>.  If no server is supplied on the
            command line, the host named by the default-server clause
            in the options statement of the <span><strong class="command">rndc</strong></span>
            configuration file will be used.
          </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
            Send commands to TCP port
            <em class="replaceable"><code>port</code></em>
            instead
            of BIND 9's default control channel port, 953.
          </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
            Enable verbose logging.
          </p></dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
            Use the key <em class="replaceable"><code>key_id</code></em>
            from the configuration file.
            <em class="replaceable"><code>key_id</code></em>
            must be
            known by named with the same algorithm and secret string
            in order for control message validation to succeed.
            If no <em class="replaceable"><code>key_id</code></em>
            is specified, <span><strong class="command">rndc</strong></span> will first look
            for a key clause in the server statement of the server
            being used, or if no server statement is present for that
            host, then the default-key clause of the options statement.
            Note that the configuration file contains shared secrets
            which are used to send authenticated control commands
            to name servers.  It should therefore not have general read
            or write access.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2643957"></a><h2>COMMANDS</h2>
<p>
      A list of commands supported by <span><strong class="command">rndc</strong></span> can
      be seen by running <span><strong class="command">rndc</strong></span> without arguments.
    </p>
<p>
      Currently supported commands are:
    </p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
            Reload configuration file and zones.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Reload the given zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Schedule zone maintenance for the given zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Retransfer the given zone from the master.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
            Fetch all DNSSEC keys for the given zone
            from the key directory (see the
            <span><strong class="command">key-directory</strong></span> option in
            the BIND 9 Administrator Reference Manual).  If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset.  If the DNSKEY RRset
            is changed, then the zone is automatically
            re-signed with the new key set.
          </p>
<p>
            This command requires that the
            <span><strong class="command">auto-dnssec</strong></span> zone option be set
            to <code class="literal">allow</code> or
            <code class="literal">maintain</code>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
            Fetch all DNSSEC keys for the given zone
            from the key directory.  If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset.  Unlike <span><strong class="command">rndc
            sign</strong></span>, however, the zone is not
            immediately re-signed by the new keys, but is
            allowed to incrementally re-sign over time.
          </p>
<p>
            This command requires that the
            <span><strong class="command">auto-dnssec</strong></span> zone option
            be set to <code class="literal">maintain</code>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Suspend updates to a dynamic zone.  If no zone is
            specified, then all zones are suspended.  This allows
            manual edits to be made to a zone normally updated by
            dynamic update.  It also causes changes in the
            journal file to be synced into the master file.
            All dynamic update attempts will be refused while
            the zone is frozen.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Enable updates to a frozen dynamic zone.  If no
            zone is specified, then all frozen zones are
            enabled.  This causes the server to reload the zone
            from disk, and re-enables dynamic updates after the
            load has completed.  After a zone is thawed,
            dynamic updates will no longer be refused.  If
            the zone has changed and the
            <span><strong class="command">ixfr-from-differences</strong></span> option is
            in use, then the journal file will be updated to
            reflect changes in the zone.  Otherwise, if the
            zone has changed, any existing journal file will be
            removed.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Sync changes in the journal file for a dynamic zone
            to the master file.  If the "-clean" option is
            specified, the journal file is also removed.  If
            no zone is specified, then all zones are synced.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Resend NOTIFY messages for the zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
            Reload the configuration file and load new zones,
            but do not reload existing zone files even if they
            have changed.
            This is faster than a full <span><strong class="command">reload</strong></span> when there
            is a large number of zones because it avoids the need
            to examine the
            modification times of the zones files.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Displays the current status of the given zone,
            including the master file name and any include
            files from which it was loaded, when it was most
            recently loaded, the current serial number, the
            number of nodes, whether the zone supports
            dynamic updates, whether the zone is DNSSEC
            signed, whether it uses automatic DNSSEC key
            management or inline signing, and the scheduled
            refresh or expiry times for the zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
            Write server statistics to the statistics file.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p>
            Enable or disable query logging.  (For backward
            compatibility, this command can also be used without
            an argument to toggle query logging on and off.)
          </p>
<p>
            Query logging can also be enabled
            by explicitly directing the <span><strong class="command">queries</strong></span>
            <span><strong class="command">category</strong></span> to a
            <span><strong class="command">channel</strong></span> in the
            <span><strong class="command">logging</strong></span> section of
            <code class="filename">named.conf</code> or by specifying
            <span><strong class="command">querylog yes;</strong></span> in the
            <span><strong class="command">options</strong></span> section of
            <code class="filename">named.conf</code>.
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
            Dump the server's caches (default) and/or zones to
            the
            dump file for the specified views.  If no view is
            specified, all
            views are dumped.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
            Dump the server's security roots to the secroots
            file for the specified views.  If no view is
            specified, security roots for all
            views are dumped.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
            Stop the server, making sure any recent changes
            made through dynamic update or IXFR are first saved to
            the master files of the updated zones.
            If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
            This allows an external process to determine when <span><strong class="command">named</strong></span>
            had completed stopping.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
            Stop the server immediately.  Recent changes
            made through dynamic update or IXFR are not saved to
            the master files, but will be rolled forward from the
            journal files when the server is restarted.
            If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
            This allows an external process to determine when <span><strong class="command">named</strong></span>
            had completed halting.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
            Increment the servers debugging level by one.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd><p>
            Sets the server's debugging level to an explicit
            value.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd><p>
            Sets the server's debugging level to 0.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p>
            Flushes the server's cache.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
            Flushes the given name from the server's DNS cache
            and, if applicable, from the server's nameserver address
            database or bad-server cache.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> [<span class="optional">-all</span>] <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
            Flushes the given name, and all of its subdomains,
            from the server's DNS cache.  By default, this does
            <span class="emphasis"><em>not</em></span> affect the server's address
            database or bad-server cache.  To eliminate matching
            names from those databases as well, use
            the <code class="option">-all</code> option.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
            Display status of the server.
            Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
            and the default <span><strong class="command">/IN</strong></span>
            hint zone if there is not an
            explicit root zone configured.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
            Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
            on.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd><p>
            Enable, disable, or check the current status of
            DNSSEC validation.
            Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
            set to <strong class="userinput"><code>yes</code></strong> or
            <strong class="userinput"><code>auto</code></strong> to be effective.
            It defaults to enabled.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd><p>
            List the names of all TSIG keys currently configured
            for use by <span><strong class="command">named</strong></span> in each view.  The
            list both statically configured keys and dynamic
            TKEY-negotiated keys.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p>
            Delete a given TKEY-negotiated key from the server.
            (This does not apply to statically configured TSIG
            keys.)
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
<p>
            Add a zone while the server is running.  This
            command requires the
            <span><strong class="command">allow-new-zones</strong></span> option to be set
            to <strong class="userinput"><code>yes</code></strong>.  The
            <em class="replaceable"><code>configuration</code></em> string
            specified on the command line is the zone
            configuration text that would ordinarily be
            placed in <code class="filename">named.conf</code>.
          </p>
<p>
            The configuration is saved in a file called
           <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
            where <em class="replaceable"><code>hash</code></em> is a
            cryptographic hash generated from the name of
            the view.  When <span><strong class="command">named</strong></span> is
            restarted, the file will be loaded into the view
            configuration, so that zones that were added
            can persist after a restart.
          </p>
<p>
            This sample <span><strong class="command">addzone</strong></span> command
            would add the zone <code class="literal">example.com</code>
            to the default view:
          </p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
          </p>
<p>
            (Note the brackets and semi-colon around the zone
            configuration text.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
            Delete a zone while the server is running.
            Only zones that were originally added via
            <span><strong class="command">rndc addzone</strong></span> can be deleted
            in this manner.
          </p>
<p>
            If the <code class="option">-clean</code> is specified,
            the zone's master file (and journal file, if any)
            will be deleted along with the zone.  Without the
            <code class="option">-clean</code> option, zone files must
            be cleaned up by hand.  (If the zone is of
            type "slave" or "stub", the files needing to
            be cleaned up will be reported in the output
            of the <span><strong class="command">rndc delzone</strong></span> command.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
            List, edit, or remove the DNSSEC signing state for
            the specified zone.  The status of ongoing DNSSEC
            operations (such as signing or generating
            NSEC3 chains) is stored in the zone in the form
            of DNS resource records of type
            <span><strong class="command">sig-signing-type</strong></span>.
            <span><strong class="command">rndc signing -list</strong></span> converts
            these records into a human-readable form,
            indicating which keys are currently signing
            or have finished signing the zone, and which NSEC3
            chains are being created or removed.
          </p>
<p>
            <span><strong class="command">rndc signing -clear</strong></span> can remove
            a single key (specified in the same format that
            <span><strong class="command">rndc signing -list</strong></span> uses to
            display it), or all keys.  In either case, only
            completed keys are removed; any record indicating
            that a key has not yet finished signing the zone
            will be retained.
          </p>
<p>
            <span><strong class="command">rndc signing -nsec3param</strong></span> sets
            the NSEC3 parameters for a zone.  This is the
            only supported mechanism for using NSEC3 with
            <span><strong class="command">inline-signing</strong></span> zones.
            Parameters are specified in the same format as
            an NSEC3PARAM resource record: hash algorithm,
            flags, iterations, and salt, in that order.
          </p>
<p>
            Currently, the only defined value for hash algorithm
            is <code class="literal">1</code>, representing SHA-1.
            The <code class="option">flags</code> may be set to
            <code class="literal">0</code> or <code class="literal">1</code>,
            depending on whether you wish to set the opt-out
            bit in the NSEC3 chain.  <code class="option">iterations</code>
            defines the number of additional times to apply
            the algorithm when generating an NSEC3 hash.  The
            <code class="option">salt</code> is a string of data expressed
            in hexidecimal, or a hyphen (`-') if no salt is
            to be used.
          </p>
<p>
            So, for example, to create an NSEC3 chain using
            the SHA-1 hash algorithm, no opt-out flag,
            10 iterations, and a salt value of "FFFF", use:
            <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
            To set the opt-out flag, 15 iterations, and no
            salt, use:
            <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
          </p>
<p>
            <span><strong class="command">rndc signing -nsec3param none</strong></span>
            removes an existing NSEC3 chain and replaces it
            with NSEC.
          </p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2681832"></a><h2>LIMITATIONS</h2>
<p>
      There is currently no way to provide the shared secret for a
      <code class="option">key_id</code> without using the configuration file.
    </p>
<p>
      Several error messages could be clearer.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2681850"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2681974"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">nsupdate</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<code class="filename">rndc.conf</code>
</td>
</tr>
</table>
</div>
</body>
</html>