man.rndc.html revision 233da446071f469f0f2fc175a460b2f1f8ef36cc
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - Copyright (C) 2000-2003 Internet Software Consortium.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - Permission to use, copy, modify, and/or distribute this software for any
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - purpose with or without fee is hereby granted, provided that the above
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - copyright notice and this permission notice appear in all copies.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano - PERFORMANCE OF THIS SOFTWARE.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<!-- $Id$ -->
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<link rel="prev" href="man.nsupdate.html" title="nsupdate">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<td width="20%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<a name="man.rndc"></a><div class="titlepage"></div>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p><span class="application">rndc</span> — name server control utility</p>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-r</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p><span><strong class="command">rndc</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano controls the operation of a name
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano server. It supersedes the <span><strong class="command">ndc</strong></span> utility
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano that was provided in old BIND releases. If
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc</strong></span> is invoked with no command line
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano options or arguments, it prints a short summary of the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano supported commands and the available options and their
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p><span><strong class="command">rndc</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano communicates with the name server over a TCP connection, sending
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano commands authenticated with digital signatures. In the current
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim the only supported authentication algorithms are HMAC-MD5
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (default), HMAC-SHA384 and HMAC-SHA512.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano They use a shared secret on each end of the connection.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This provides TSIG-style authentication for the command
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano request and the name server's response. All commands sent
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano over the channel must be signed by a key_id known to the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p><span><strong class="command">rndc</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano reads a configuration file to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano determine how to contact the name server and decide what
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano algorithm and key it should use.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
82d5ae15e7196e2c917457203a47c1e1d83e81b6Daniel Lezcano Use <em class="replaceable"><code>source-address</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano as the source address for the connection to the server.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Multiple instances are permitted to allow setting of both
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the IPv4 and IPv6 source addresses.
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Use <em class="replaceable"><code>config-file</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano as the configuration file instead of the default,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Use <em class="replaceable"><code>key-file</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano as the key file instead of the default,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="filename">/etc/rndc.key</code>. The key in
82d5ae15e7196e2c917457203a47c1e1d83e81b6Daniel Lezcano <code class="filename">/etc/rndc.key</code> will be used to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano authenticate
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano does not exist.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dd><p><em class="replaceable"><code>server</code></em> is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the name or address of the server which matches a
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano server statement in the configuration file for
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc</strong></span>. If no server is supplied on the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano command line, the host named by the default-server clause
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano in the options statement of the <span><strong class="command">rndc</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration file will be used.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Send commands to TCP port
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano of BIND 9's default control channel port, 953.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Quiet mode: Message text returned by the server
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano will not be printed except when there is an error.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Instructs <span><strong class="command">rndc</strong></span> to print the result code
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano returned by <span><strong class="command">named</strong></span> after executing the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Enable verbose logging.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Use the key <em class="replaceable"><code>key_id</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano from the configuration file.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano known by <span><strong class="command">named</strong></span> with the same algorithm and secret string
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano in order for control message validation to succeed.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If no <em class="replaceable"><code>key_id</code></em>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano is specified, <span><strong class="command">rndc</strong></span> will first look
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for a key clause in the server statement of the server
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano being used, or if no server statement is present for that
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano host, then the default-key clause of the options statement.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Note that the configuration file contains shared secrets
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano which are used to send authenticated control commands
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano to name servers. It should therefore not have general read
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano or write access.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano A list of commands supported by <span><strong class="command">rndc</strong></span> can
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano be seen by running <span><strong class="command">rndc</strong></span> without arguments.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Currently supported commands are:
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Add a zone while the server is running. This
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano command requires the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">allow-new-zones</strong></span> option to be set
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano to <strong class="userinput"><code>yes</code></strong>. The
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <em class="replaceable"><code>configuration</code></em> string
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano specified on the command line is the zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration text that would ordinarily be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano placed in <code class="filename">named.conf</code>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano The configuration is saved in a file called
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano where <em class="replaceable"><code>name</code></em> is the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano name of the view, or if it contains characters
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano that are incompatible with use as a file name, a
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano cryptographic hash generated from the name
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano of the view.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano When <span><strong class="command">named</strong></span> is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano restarted, the file will be loaded into the view
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration, so that zones that were added
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano can persist after a restart.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This sample <span><strong class="command">addzone</strong></span> command
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano would add the zone <code class="literal">example.com</code>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano to the default view:
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (Note the brackets and semi-colon around the zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration text.)
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc delzone</strong></span> and <span><strong class="command">rndc modzone</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Delete a zone while the server is running.
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano If the <code class="option">-clean</code> argument is specified,
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano the zone's master file (and journal file, if any)
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano will be deleted along with the zone. Without the
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano <code class="option">-clean</code> option, zone files must
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano be cleaned up by hand. (If the zone is of
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano type "slave" or "stub", the files needing to
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano be cleaned up will be reported in the output
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano of the <span><strong class="command">rndc delzone</strong></span> command.)
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano If the zone was originally added via
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano <span><strong class="command">rndc addzone</strong></span>, then it will be
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano removed permanently. However, if it was originally
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano configured in <code class="filename">named.conf</code>, then
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano that original configuration is still in place; when
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano the server is restarted or reconfigured, the zone will
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano come back. To remove it permanently, it must also be
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano removed from <code class="filename">named.conf</code>
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano See also <span><strong class="command">rndc addzone</strong></span> and <span><strong class="command">rndc modzone</strong></span>.
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano Dump the server's caches (default) and/or zones to
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano dump file for the specified views. If no view is
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano specified, all
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano views are dumped.
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano (See the <span><strong class="command">dump-file</strong></span> option in
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano the BIND 9 Administrator Reference Manual.)
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano Flushes the server's cache.
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano Flushes the given name from the view's DNS cache
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano and, if applicable, from the view's nameserver address
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano database, bad server cache and SERVFAIL cache.
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano Flushes the given name, and all of its subdomains,
75d09f83b82f35a610f4922e06ad897692062fabDaniel Lezcano from the view's DNS cache, address database,
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano bad server cache, and SERVFAIL cache.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano Suspend updates to a dynamic zone. If no zone is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano specified, then all zones are suspended. This allows
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano manual edits to be made to a zone normally updated by
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano dynamic update. It also causes changes in the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano journal file to be synced into the master file.
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano All dynamic update attempts will be refused while
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the zone is frozen.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc thaw</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Stop the server immediately. Recent changes
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano made through dynamic update or IXFR are not saved to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the master files, but will be rolled forward from the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano journal files when the server is restarted.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This allows an external process to determine when <span><strong class="command">named</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano had completed halting.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc stop</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Fetch all DNSSEC keys for the given zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano from the key directory. If they are within
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano their publication period, merge them into the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano immediately re-signed by the new keys, but is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano allowed to incrementally re-sign over time.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This command requires that the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">auto-dnssec</strong></span> zone option
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano and also requires the zone to be configured to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano allow dynamic DNS.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (See "Dynamic Update Policies" in the Administrator
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Reference Manual for more details.)
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano When run with the "status" keyword, print the current
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano status of the managed-keys database for the specified
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano view, or for all views if none is specified. When run
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano with the "refresh" keyword, force an immediate refresh
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano of all the managed-keys in the specified view, or all
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano views. When run with the "sync" keyword, force an
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano immediate dump of the managed-keys database to disk (in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the file <code class="filename">managed-keys.bind</code> or
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Modify the configuration of a zone while the server
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano is running. This command requires the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">allow-new-zones</strong></span> option to be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano set to <strong class="userinput"><code>yes</code></strong>. As with
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">addzone</strong></span>, the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <em class="replaceable"><code>configuration</code></em> string
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano specified on the command line is the zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration text that would ordinarily be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano placed in <code class="filename">named.conf</code>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If the zone was originally added via
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc addzone</strong></span>, the configuration
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano changes will be recorded permanently and will still be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano in effect after the server is restarted or reconfigured.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano However, if it was originally configured in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="filename">named.conf</code>, then that original
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configuration is still in place; when the server is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano restarted or reconfigured, the zone will revert to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano its original configuration. To make the changes
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano permanent, it must also be modified in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc addzone</strong></span> and <span><strong class="command">rndc delzone</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Resend NOTIFY messages for the zone.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Sets the server's debugging level to 0.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc trace</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>nta
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Sets a DNSSEC negative trust anchor (NTA)
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for <code class="option">domain</code>, with a lifetime of
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="option">duration</code>. The default lifetime is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configured in <code class="filename">named.conf</code> via the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="option">nta-lifetime</code> option, and defaults to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano one hour. The lifetime cannot exceed one week.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano A negative trust anchor selectively disables
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano DNSSEC validation for zones that are known to be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano failing because of misconfiguration rather than
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano an attack. When data to be validated is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano at or below an active NTA (and above any other
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano configured trust anchors), <span><strong class="command">named</strong></span> will
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano abort the DNSSEC validation process and treat the data as
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano insecure rather than bogus. This continues until the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano NTA's lifetime is elapsed.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano NTAs persist across restarts of the <span><strong class="command">named</strong></span> server.
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim The NTAs for a view are saved in a file called
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim where <em class="replaceable"><code>name</code></em> is the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim name of the view, or if it contains characters
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim that are incompatible with use as a file name, a
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim cryptographic hash generated from the name
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim An existing NTA can be removed by using the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <code class="option">-remove</code> option.
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim An NTA's lifetime can be specified with the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <code class="option">-lifetime</code> option. TTL-style
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim suffixes can be used to specify the lifetime in
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim seconds, minutes, or hours. If the specified NTA
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim already exists, its lifetime will be updated to the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim new value. Setting <code class="option">lifetime</code> to zero
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim is equivalent to <code class="option">-remove</code>.
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim If <code class="option">-dump</code> is used, any other arguments
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim are ignored, and a list of existing NTAs is printed
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim (note that this may include NTAs that are expired but
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim have not yet been cleaned up).
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim Normally, <span><strong class="command">named</strong></span> will periodically
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim test to see whether data below an NTA can now be
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim validated (see the <code class="option">nta-recheck</code> option
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim in the Administrator Reference Manual for details).
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim If data can be validated, then the NTA is regarded as
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim no longer necessary, and will be allowed to expire
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim early. The <code class="option">-force</code> overrides this
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim behavior and forces an NTA to persist for its entire
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim lifetime, regardless of whether data could be
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim validated if the NTA were not present.
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim All of these options can be shortened, i.e., to
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim Enable or disable query logging. (For backward
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim compatibility, this command can also be used without
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim an argument to toggle query logging on and off.)
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim Query logging can also be enabled
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim by explicitly directing the <span><strong class="command">queries</strong></span>
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">category</strong></span> to a
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">channel</strong></span> in the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">logging</strong></span> section of
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <code class="filename">named.conf</code> or by specifying
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">querylog yes;</strong></span> in the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim <span><strong class="command">options</strong></span> section of
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim Reload the configuration file and load new zones,
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim but do not reload existing zone files even if they
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim have changed.
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim This is faster than a full <span><strong class="command">reload</strong></span> when there
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim is a large number of zones because it avoids the need
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim to examine the
26c390288bbe04bbaba26f4ec1bbe68cb9d2b602Jamal Hadi Salim modification times of the zones files.
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Dump the list of queries <span><strong class="command">named</strong></span> is currently
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano recursing on, and the list of domains to which iterative
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano queries are currently being sent. (The second list includes
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the number of fetches currently active for the given domain,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano and how many have been passed or dropped because of the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="option">fetches-per-zone</code> option.)
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Schedule zone maintenance for the given zone.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Reload configuration file and zones.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Reload the given zone.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Retransfer the given slave zone from the master server.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If the zone is configured to use
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">inline-signing</strong></span>, the signed
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano version of the zone is discarded; after the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano retransfer of the unsigned version is complete, the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano signed version will be regenerated with all new
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano signatures.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Scan the list of available network interfaces
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for changes, without performing a full
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">reconfig</strong></span> or waiting for the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">interface-interval</strong></span> timer.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Dump the server's security roots and negative trust anchors
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for the specified views. If no view is specified, all views
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano are dumped.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If the first argument is "-", then the output is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano returned via the <span><strong class="command">rndc</strong></span> response channel
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano and printed to the standard output.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Otherwise, it is written to the secroots dump file, which
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano defaults to <code class="filename">named.secroots</code>, but can be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano overridden via the <code class="option">secroots-file</code> option in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc managed-keys</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Print the configuration of a running zone.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc zonestatus</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Fetch all DNSSEC keys for the given zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano from the key directory (see the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">key-directory</strong></span> option in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the BIND 9 Administrator Reference Manual). If they are within
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano their publication period, merge them into the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano zone's DNSKEY RRset. If the DNSKEY RRset
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano is changed, then the zone is automatically
22ebac194efcfc38f8ba36a9853057c54589fd2cdlezcano re-signed with the new key set.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This command requires that the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">auto-dnssec</strong></span> zone option be set
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano and also requires the zone to be configured to
22ebac194efcfc38f8ba36a9853057c54589fd2cdlezcano allow dynamic DNS.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (See "Dynamic Update Policies" in the Administrator
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Reference Manual for more details.)
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc loadkeys</strong></span>.
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano List, edit, or remove the DNSSEC signing state records
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for the specified zone. The status of ongoing DNSSEC
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano operations (such as signing or generating
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano NSEC3 chains) is stored in the zone in the form
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano of DNS resource records of type
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">sig-signing-type</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -list</strong></span> converts
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano these records into a human-readable form,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano indicating which keys are currently signing
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano or have finished signing the zone, and which NSEC3
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano chains are being created or removed.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -clear</strong></span> can remove
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano a single key (specified in the same format that
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -list</strong></span> uses to
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano display it), or all keys. In either case, only
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano completed keys are removed; any record indicating
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano that a key has not yet finished signing the zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano will be retained.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -nsec3param</strong></span> sets
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the NSEC3 parameters for a zone. This is the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano only supported mechanism for using NSEC3 with
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">inline-signing</strong></span> zones.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Parameters are specified in the same format as
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano an NSEC3PARAM resource record: hash algorithm,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano flags, iterations, and salt, in that order.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Currently, the only defined value for hash algorithm
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano is <code class="literal">1</code>, representing SHA-1.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano The <code class="option">flags</code> may be set to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="literal">0</code> or <code class="literal">1</code>,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano depending on whether you wish to set the opt-out
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano bit in the NSEC3 chain. <code class="option">iterations</code>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano defines the number of additional times to apply
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the algorithm when generating an NSEC3 hash. The
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <code class="option">salt</code> is a string of data expressed
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano in hexadecimal, a hyphen (`-') if no salt is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano to be used, or the keyword <code class="literal">auto</code>,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano which causes <span><strong class="command">named</strong></span> to generate a
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano random 64-bit salt.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano So, for example, to create an NSEC3 chain using
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the SHA-1 hash algorithm, no opt-out flag,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano 10 iterations, and a salt value of "FFFF", use:
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano To set the opt-out flag, 15 iterations, and no
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -nsec3param none</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano removes an existing NSEC3 chain and replaces it
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">rndc signing -serial value</strong></span> sets
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the serial number of the zone to value. If the value
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano would cause the serial number to go backwards it will
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano be rejected. The primary use is to set the serial on
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano inline signed zones.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Write server statistics to the statistics file.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (See the <span><strong class="command">statistics-file</strong></span> option in
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the BIND 9 Administrator Reference Manual.)
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Display status of the server.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano and the default <span><strong class="command">/IN</strong></span>
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano hint zone if there is not an
82d5ae15e7196e2c917457203a47c1e1d83e81b6Daniel Lezcano explicit root zone configured.
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Stop the server, making sure any recent changes
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano made through dynamic update or IXFR are first saved to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the master files of the updated zones.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano This allows an external process to determine when <span><strong class="command">named</strong></span>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano had completed stopping.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p>See also <span><strong class="command">rndc halt</strong></span>.</p>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Sync changes in the journal file for a dynamic zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano to the master file. If the "-clean" option is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano specified, the journal file is also removed. If
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano no zone is specified, then all zones are synced.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Enable updates to a frozen dynamic zone. If no
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano zone is specified, then all frozen zones are
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano enabled. This causes the server to reload the zone
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano from disk, and re-enables dynamic updates after the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano load has completed. After a zone is thawed,
4bf1968d3c0bb29ca4c068194f02975a5dfa2385Daniel Lezcano dynamic updates will no longer be refused. If
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano the zone has changed and the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <span><strong class="command">ixfr-from-differences</strong></span> option is
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano in use, then the journal file will be updated to
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano reflect changes in the zone. Otherwise, if the
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano zone has changed, any existing journal file will be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<p>See also <span><strong class="command">rndc freeze</strong></span>.</p>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Increment the servers debugging level by one.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Sets the server's debugging level to an explicit
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano See also <span><strong class="command">rndc notrace</strong></span>.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Delete a given TKEY-negotiated key from the server.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano (This does not apply to statically configured TSIG
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano List the names of all TSIG keys currently configured
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano for use by <span><strong class="command">named</strong></span> in each view. The
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano list both statically configured keys and dynamic
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano TKEY-negotiated keys.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Enable, disable, or check the current status of
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano DNSSEC validation.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano set to <strong class="userinput"><code>yes</code></strong> or
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano <strong class="userinput"><code>auto</code></strong> to be effective.
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano It defaults to enabled.
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
497353b66b504f12cf8b6e166bba7cb309486dc3Daniel Lezcano Displays the current status of the given zone,
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano including the master file name and any include
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano files from which it was loaded, when it was most
0ad19a3fc3de5592e2453070a818a5a41687900edlezcano recently loaded, the current serial number, the