man.rndc.html revision f5c27ecceb6dcba6ad8b75172fe5f9823d7a6d42
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.rndc"></a><div class="titlepage"></div>
<p><span class="application">rndc</span> — name server control utility</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
<p><span><strong class="command">rndc</strong></span>
    controls the operation of a name
    server. It supersedes the <span><strong class="command">ndc</strong></span> utility
    that was provided in old BIND releases. If
    <span><strong class="command">rndc</strong></span> is invoked with no command line
    options or arguments, it prints a short summary of the
    supported commands and the available options and their
<p><span><strong class="command">rndc</strong></span>
    communicates with the name server over a TCP connection, sending
    commands authenticated with digital signatures. In the current
    <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
    the only supported authentication algorithms are HMAC-MD5
    (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
    (default), HMAC-SHA384 and HMAC-SHA512.
    They use a shared secret on each end of the connection.
    This provides TSIG-style authentication for the command
    request and the name server's response. All commands sent
    over the channel must be signed by a key_id known to the
<p><span><strong class="command">rndc</strong></span>
    reads a configuration file to
    determine how to contact the name server and decide what
    algorithm and key it should use.
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
    Use <em class="replaceable"><code>source-address</code></em>
    as the source address for the connection to the server.
    Multiple instances are permitted to allow setting of both
    the IPv4 and IPv6 source addresses.
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
    Use <em class="replaceable"><code>config-file</code></em>
    as the configuration file instead of the default,
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
    Use <em class="replaceable"><code>key-file</code></em>
    as the key file instead of the default,
    <code class="filename">/etc/rndc.key</code>. The key in
    <code class="filename">/etc/rndc.key</code> will be used to
    authenticate
    commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
    does not exist.
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
    the name or address of the server which matches a
    server statement in the configuration file for
    <span><strong class="command">rndc</strong></span>. If no server is supplied on the
    command line, the host named by the default-server clause
    in the options statement of the <span><strong class="command">rndc</strong></span>
    configuration file will be used.
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
    Send commands to TCP port
    of BIND 9's default control channel port, 953.
    Quiet mode: Message text returned by the server
    will not be printed except when there is an error.
    Enable verbose logging.
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
    Use the key <em class="replaceable"><code>key_id</code></em>
    from the configuration file.
    <em class="replaceable"><code>key_id</code></em>
    known by named with the same algorithm and secret string
    in order for control message validation to succeed.
    If no <em class="replaceable"><code>key_id</code></em>
    is specified, <span><strong class="command">rndc</strong></span> will first look
    for a key clause in the server statement of the server
    being used, or if no server statement is present for that
    host, then the default-key clause of the options statement.
    Note that the configuration file contains shared secrets
    which are used to send authenticated control commands
    to name servers. It should therefore not have general read
    or write access.
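<p>Added example (not part of the original manual page or of the BIND distribution): a small audit of an <code class="filename">rndc.conf</code>-style file that applies the three points made above, namely the key selection order for <code class="option">-y</code>, the compatibility-only status of HMAC-MD5, and the file permission note. The sample file, its key names and the function names are constructed for illustration; the parser assumes statements without nested blocks, and "general" access is read here as the "other" permission bits.</p>

```python
import os
import re
import stat
import tempfile

# Constructed sample rndc.conf; names and secrets are placeholders, not real keys.
SAMPLE_CONF = """
options {
    default-server localhost;
    default-key "ops-key";   // used when no server statement supplies a key
};
server localhost { key "ops-key"; };
server ns2.example.net { key "legacy-key"; };
key "ops-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXI//not+a+real+key==";
};
key "legacy-key" {
    algorithm hmac-md5;      # compatibility-only algorithm
    secret "cGxhY2Vob2xkZXI//not+a+real+key==";
};
"""

WEAK_ALGORITHMS = {"hmac-md5"}  # the page lists HMAC-MD5 as "for compatibility"

_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STMT = re.compile(r'\b(options|server|key)\s*("[^"]*"|[^\s{";]*)\s*\{([^{}]*)\}\s*;')
_CLAUSE = re.compile(r'([\w-]+)\s+"?([^";\s]+)"?\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments while leaving quoted strings untouched,
    so a secret that happens to contain // or # is not truncated."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def parse_rndc_conf(text):
    """Return {'options': {...}, 'server': {name: {...}}, 'key': {name: {...}}}."""
    conf = {"options": {}, "server": {}, "key": {}}
    for kind, name, body in _STMT.findall(strip_comments(text)):
        clauses = dict(_CLAUSE.findall(body))
        if kind == "options":
            conf["options"].update(clauses)
        else:
            conf[kind][name.strip('"')] = clauses
    return conf


def resolve_key(conf, server=None, key_id=None):
    """Key selection order from the -y description: explicit key_id, then the
    key clause of the matching server statement, then options default-key."""
    if key_id is not None:
        return key_id
    server = server or conf["options"].get("default-server")
    stmt = conf["server"].get(server, {})
    # Assumption of this example: a server statement without a key clause
    # also falls back to default-key.
    return stmt.get("key") or conf["options"].get("default-key")


def audit(path, server=None, key_id=None):
    """Return a list of findings for one configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{oct(mode)}: file is readable or writable by other users")
    with open(path, encoding="utf-8") as fh:
        conf = parse_rndc_conf(fh.read())
    for name, clauses in sorted(conf["key"].items()):
        algo = clauses.get("algorithm", "").lower()
        if algo in WEAK_ALGORITHMS:
            findings.append(f"key {name}: {algo} is kept for compatibility only")
    chosen = resolve_key(conf, server, key_id)
    if chosen not in conf["key"]:
        findings.append(f"selected key {chosen!r} has no key statement")
    return findings


def audit_sample(mode):
    """Write SAMPLE_CONF to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), audit_sample(mode))
```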
    A list of commands supported by <span><strong class="command">rndc</strong></span> can
    be seen by running <span><strong class="command">rndc</strong></span> without arguments.
    Currently supported commands are:
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
    Reload configuration file and zones.
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Reload the given zone.
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Schedule zone maintenance for the given zone.
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Retransfer the given slave zone from the master server.
    If the zone is configured to use
    <span><strong class="command">inline-signing</strong></span>, the signed
    version of the zone is discarded; after the
    retransfer of the unsigned version is complete, the
    signed version will be regenerated with all new
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Fetch all DNSSEC keys for the given zone
    from the key directory (see the
    <span><strong class="command">key-directory</strong></span> option in
    the BIND 9 Administrator Reference Manual). If they are within
    their publication period, merge them into the
    zone's DNSKEY RRset. If the DNSKEY RRset
    is changed, then the zone is automatically
    re-signed with the new key set.
    This command requires that the
    <span><strong class="command">auto-dnssec</strong></span> zone option be set
    and also requires the zone to be configured to
    allow dynamic DNS.
    (See "Dynamic Update Policies" in the Administrator
    Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Fetch all DNSSEC keys for the given zone
    from the key directory. If they are within
    their publication period, merge them into the
    zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
    sign</strong></span>, however, the zone is not
    immediately re-signed by the new keys, but is
    allowed to incrementally re-sign over time.
    This command requires that the
    <span><strong class="command">auto-dnssec</strong></span> zone option
    be set to <code class="literal">maintain</code>,
    and also requires the zone to be configured to
    allow dynamic DNS.
    (See "Dynamic Update Policies" in the Administrator
    Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
    Suspend updates to a dynamic zone. If no zone is
    specified, then all zones are suspended. This allows
    manual edits to be made to a zone normally updated by
    dynamic update. It also causes changes in the
    journal file to be synced into the master file.
    All dynamic update attempts will be refused while
    the zone is frozen.
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
    Enable updates to a frozen dynamic zone. If no
    zone is specified, then all frozen zones are
    enabled. This causes the server to reload the zone
    from disk, and re-enables dynamic updates after the
    load has completed. After a zone is thawed,
    dynamic updates will no longer be refused. If
    the zone has changed and the
    <span><strong class="command">ixfr-from-differences</strong></span> option is
    in use, then the journal file will be updated to
    reflect changes in the zone. Otherwise, if the
    zone has changed, any existing journal file will be
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
    Scan the list of available network interfaces
    for changes, without performing a full
    <span><strong class="command">reconfig</strong></span> or waiting for the
    <span><strong class="command">interface-interval</strong></span> timer.
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
    Sync changes in the journal file for a dynamic zone
    to the master file. If the "-clean" option is
    specified, the journal file is also removed. If
    no zone is specified, then all zones are synced.
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
    Resend NOTIFY messages for the zone.
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
    Reload the configuration file and load new zones,
    but do not reload existing zone files even if they
    have changed.
    This is faster than a full <span><strong class="command">reload</strong></span> when there
    is a large number of zones because it avoids the need
    to examine the
    modification times of the zone files.
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
    Displays the current status of the given zone,
    including the master file name and any include
    files from which it was loaded, when it was most
    recently loaded, the current serial number, the
    number of nodes, whether the zone supports
    dynamic updates, whether the zone is DNSSEC
    signed, whether it uses automatic DNSSEC key
    management or inline signing, and the scheduled
    refresh or expiry times for the zone.
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
    Write server statistics to the statistics file.
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
    Enable or disable query logging. (For backward
    compatibility, this command can also be used without
    an argument to toggle query logging on and off.)
    Query logging can also be enabled
    by explicitly directing the <span><strong class="command">queries</strong></span>
    <span><strong class="command">category</strong></span> to a
    <span><strong class="command">channel</strong></span> in the
    <span><strong class="command">logging</strong></span> section of
    <code class="filename">named.conf</code> or by specifying
    <span><strong class="command">querylog yes;</strong></span> in the
    <span><strong class="command">options</strong></span> section of
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
    Dump the server's caches (default) and/or zones to
    the dump file for the specified views. If no view is
    specified, all
    views are dumped.
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
    Dump the server's security roots to the secroots
    file for the specified views. If no view is
    specified, security roots for all
    views are dumped.
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
    Stop the server, making sure any recent changes
    made through dynamic update or IXFR are first saved to
    the master files of the updated zones.
    If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
    This allows an external process to determine when <span><strong class="command">named</strong></span>
    has completed stopping.
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
    Stop the server immediately. Recent changes
    made through dynamic update or IXFR are not saved to
    the master files, but will be rolled forward from the
    journal files when the server is restarted.
    If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
    This allows an external process to determine when <span><strong class="command">named</strong></span>
    has completed halting.
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Increment the servers debugging level by one.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt Sets the server's debugging level to an explicit
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Sets the server's debugging level to 0.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews Flushes the server's cache.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt Flushes the given name from the server's DNS cache
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews and, if applicable, from the server's nameserver address
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews database or bad-server cache.
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> [<span class="optional">-all</span>] <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews Flushes the given name, and all of its subdomains,
3bd8b5a8fb126e45c67ff53b68183c889cc27918Tinderbox User from the server's DNS cache, the address database,
168cf0ede1cf13a095e48af6749d88fbc432f096Evan Hunt and the bad server cache.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews Display status of the server.
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews and the default <span><strong class="command">/IN</strong></span>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews hint zone if there is not an
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews explicit root zone configured.
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
4840ef4581a577a29a18d180b6bc2e7355378ed7Mark Andrews Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
bcfc5188be220e1334218dfe638dffce4744e792Tinderbox User<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews Enable, disable, or check the current status of
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews DNSSEC validation.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews set to <strong class="userinput"><code>yes</code></strong> or
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews <strong class="userinput"><code>auto</code></strong> to be effective.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews It defaults to enabled.
ab833877278ad5535eef57e4f62291becaea5bc5Mark Andrews<dt><span class="term"><strong class="userinput"><code>nta <em class="replaceable"><code>domain</code></em> <em class="replaceable"><code>duration</code></em> </code></strong></span></dt>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User Sets a DNSSEC negative trust anchor (NTA)
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews for <code class="option">domain</code>, with a lifetime of
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="option">duration</code> (up to a limit of one day).
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews A negative trust anchor selectively disables
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews DNSSEC validation for zones that are known to be
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews failing because of misconfiguration rather than
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews an attack. When data to be validated is
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews at or below an active NTA (and above any other
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews configured trust anchors), <span><strong class="command">named</strong></span> will
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews abort the DNSSEC validation process and treat the data as
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews insecure rather than bogus. This continues until the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews NTA's lifetime has elapsed, or until the server is
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson restarted (NTAs do not persist across restarts).
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt TTL-style suffixes can be used to specify
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="option">duration</code> in seconds, minutes, or hours.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews If the specified domain already has an NTA, its duration
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt will be updated to the new value. Setting
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="option">duration</code> to zero will delete the NTA.
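The NTA rules above, modelled as an added example (not code from BIND): the lifetime parsing with its one-day limit, update and delete by duration, and the "at or below an NTA, above any other trust anchor" scope test. The names `NtaTable`, `parse_duration` and `treated_insecure` are hypothetical, the domains are constructed, and treating an NTA at the same name as a trust anchor as covering is an assumption.

```python
import re

DAY = 86400  # the page's limit on an NTA lifetime: one day
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_duration(text):
    """Seconds for a TTL-style duration such as '90', '30m' or '1h30m'."""
    parts = re.findall(r"(\d+)([smh]?)", text.lower())
    if not parts or "".join(n + u for n, u in parts) != text.lower():
        raise ValueError("bad duration: %r" % text)
    seconds = sum(int(n) * UNITS[u] for n, u in parts)
    if seconds > DAY:
        raise ValueError("duration exceeds one day: %r" % text)
    return seconds


def labels(name):
    """Lower-cased labels of a name; the root ('.') yields an empty list."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def at_or_below(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


class NtaTable:
    def __init__(self, trust_anchors=(".",)):
        self.trust_anchors = list(trust_anchors)
        self.expiry = {}  # domain -> absolute expiry; in memory only

    def set(self, domain, duration, now):
        seconds = parse_duration(duration)
        key = ".".join(labels(domain)) + "."
        if seconds == 0:
            self.expiry.pop(key, None)        # zero deletes the NTA
        else:
            self.expiry[key] = now + seconds  # an existing NTA is updated

    def treated_insecure(self, name, now):
        """True if validation would be skipped for name at time now."""
        ntas = [d for d, t in self.expiry.items()
                if t > now and at_or_below(name, d)]
        if not ntas:
            return False
        nta_depth = max(len(labels(d)) for d in ntas)
        # A trust anchor configured deeper than the NTA keeps validation on.
        anchor_depth = max((len(labels(a)) for a in self.trust_anchors
                            if at_or_below(name, a)), default=-1)
        return nta_depth >= anchor_depth  # tie: assumed to be covered
```

The model makes the blast radius visible: one NTA switches off validation for every name beneath it except subtrees that carry their own trust anchor.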
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews List the names of all TSIG keys currently configured
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews for use by <span><strong class="command">named</strong></span> in each view. The
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews list includes both statically configured keys and dynamic
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews TKEY-negotiated keys.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt Delete a given TKEY-negotiated key from the server.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (This does not apply to statically configured TSIG
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews Add a zone while the server is running. This
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews command requires the
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews <span><strong class="command">allow-new-zones</strong></span> option to be set
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews to <strong class="userinput"><code>yes</code></strong>. The
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User <em class="replaceable"><code>configuration</code></em> string
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews specified on the command line is the zone
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews configuration text that would ordinarily be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington placed in <code class="filename">named.conf</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The configuration is saved in a file called
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington where <em class="replaceable"><code>hash</code></em> is a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington cryptographic hash generated from the name of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the view. When <span><strong class="command">named</strong></span> is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington restarted, the file will be loaded into the view
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configuration, so that zones that were added
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington can persist after a restart.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This sample <span><strong class="command">addzone</strong></span> command
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington would add the zone <code class="literal">example.com</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to the default view:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington (Note the brackets and semi-colon around the zone
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configuration text.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Delete a zone while the server is running.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Only zones that were originally added via
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">rndc addzone</strong></span> can be deleted
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in this manner.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If the <code class="option">-clean</code> argument is specified,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the zone's master file (and journal file, if any)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington will be deleted along with the zone. Without the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="option">-clean</code> option, zone files must
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be cleaned up by hand. (If the zone is of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington type "slave" or "stub", the files needing to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be cleaned up will be reported in the output
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of the <span><strong class="command">rndc delzone</strong></span> command.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington List, edit, or remove the DNSSEC signing state records
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for the specified zone. The status of ongoing DNSSEC
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington operations (such as signing or generating
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews NSEC3 chains) is stored in the zone in the form
415d630b6309922caee8469384a6fab75cf05032Mark Andrews of DNS resource records of type
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">sig-signing-type</strong></span>.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <span><strong class="command">rndc signing -list</strong></span> converts
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews these records into a human-readable form,
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt indicating which keys are currently signing
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews or have finished signing the zone, and which NSEC3
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews chains are being created or removed.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span><strong class="command">rndc signing -clear</strong></span> can remove
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater a single key (specified in the same format that
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span><strong class="command">rndc signing -list</strong></span> uses to
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater display it), or all keys. In either case, only
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews completed keys are removed; any record indicating
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater that a key has not yet finished signing the zone
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater will be retained.
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span><strong class="command">rndc signing -nsec3param</strong></span> sets
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater the NSEC3 parameters for a zone. This is the
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater only supported mechanism for using NSEC3 with
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater <span><strong class="command">inline-signing</strong></span> zones.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews Parameters are specified in the same format as
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User an NSEC3PARAM resource record: hash algorithm,
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User flags, iterations, and salt, in that order.
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User Currently, the only defined value for hash algorithm
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User is <code class="literal">1</code>, representing SHA-1.
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User The <code class="option">flags</code> may be set to
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User <code class="literal">0</code> or <code class="literal">1</code>,
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User depending on whether you wish to set the opt-out
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User bit in the NSEC3 chain. <code class="option">iterations</code>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews defines the number of additional times to apply
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User the algorithm when generating an NSEC3 hash. The
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <code class="option">salt</code> is a string of data expressed
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews in hexadecimal, a hyphen (`-') if no salt is
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User to be used, or the keyword <code class="literal">auto</code>,
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User which causes <span><strong class="command">named</strong></span> to generate a
c11c7b47726c02eb05e29ff7be56a3343146e396Tinderbox User random 64-bit salt.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews So, for example, to create an NSEC3 chain using
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews the SHA-1 hash algorithm, no opt-out flag,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews 10 iterations, and a salt value of "FFFF", use:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews To set the opt-out flag, 15 iterations, and no
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span><strong class="command">rndc signing -nsec3param none</strong></span>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews removes an existing NSEC3 chain and replaces it
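How the four -nsec3param fields feed into an NSEC3 owner hash, as an added example (not code from BIND): the parser accepts the argument forms described above, and the hash follows the NSEC3 definition in RFC 5155. The names `parse_nsec3param`, `wire_name` and `nsec3_hash` are hypothetical.

```python
import base64
import hashlib
import os

# base32 (RFC 4648) alphabet -> base32hex alphabet used in NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(args):
    """Validate the text given to 'rndc signing -nsec3param'.

    Returns None for 'none', else (algorithm, flags, iterations, salt_bytes).
    """
    fields = args.split()
    if fields == ["none"]:
        return None
    if len(fields) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in (0, 1):
        raise ValueError("flags must be 0 or 1 (opt-out)")
    if iterations < 0:
        raise ValueError("iterations must not be negative")
    salt_text = fields[3]
    if salt_text == "-":
        salt = b""                       # no salt
    elif salt_text == "auto":
        salt = os.urandom(8)             # random 64-bit salt
    else:
        salt = bytes.fromhex(salt_text)  # raises ValueError on bad hex
    return algorithm, flags, iterations, salt


def wire_name(name):
    """Canonical (lower-case) DNS wire form: length-prefixed labels + root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, iterations, salt):
    """SHA-1 over name+salt, then `iterations` additional salted rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()
```

Every query for a nonexistent name costs the server and each validating resolver `iterations + 1` SHA-1 computations per hash checked, which is the cost that the iterations field controls.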
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews There is currently no way to provide the shared secret for a
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt <code class="option">key_id</code> without using the configuration file.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Several error messages could be clearer.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p><span class="corpauthor">Internet Systems Consortium</span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<table width="100%" summary="Navigation footer">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a accesskey="p" href="man.nsupdate.html">Prev</a>&#160;</td>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<td width="40%" align="right">&#160;<a accesskey="n" href="man.rndc.conf.html">Next</a>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<td width="40%" align="right" valign="top">&#160;<code class="filename">rndc.conf</code>