man.rndc.html revision 947d37484ed01966a9e89dd27f62c1b427324dc2
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
<a accesskey="p" href="man.nsupdate.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.rndc.conf.html">Next</a>
<p><span class="application">rndc</span> — name server control utility</p>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
that was provided in old BIND releases. If
<span><strong class="command">rndc</strong></span> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their
<p><span><strong class="command">rndc</strong></span>
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
versions of
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
<p><span><strong class="command">rndc</strong></span>
reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
Use <em class="replaceable"><code>source-address</code></em>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
Use <em class="replaceable"><code>config-file</code></em>
as the configuration file instead of the default,
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
Use <em class="replaceable"><code>key-file</code></em>
as the key file instead of the default,
<code class="filename">/etc/rndc.key</code>. The key in
<code class="filename">/etc/rndc.key</code> will be used to
authenticate
commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
does not exist.
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
the name or address of the server which matches a
server statement in the configuration file for
<span><strong class="command">rndc</strong></span>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <span><strong class="command">rndc</strong></span>
configuration file will be used.
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
Send commands to TCP port
of BIND 9's default control channel port, 953.
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
Enable verbose logging.
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
Use the key <em class="replaceable"><code>key_id</code></em>
from the configuration file.
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <em class="replaceable"><code>key_id</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
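<p>Added example (not part of the BIND distribution or of this manual page): a Python check that picks the key rndc would use, following the -y, server-statement and default-key order described above, then flags an HMAC-MD5 key and a configuration file with general read or write access. The key, server and options statement layout is assumed from the rndc.conf format; the function names and the sample configuration are constructed for illustration.</p>

```python
import os
import re
import stat

# Control-channel algorithms the man page lists as supported.
SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha224",
             "hmac-sha256", "hmac-sha384", "hmac-sha512"}
LEGACY = {"hmac-md5"}  # listed "for compatibility" only

# Quoted strings are matched before comments, so a base64 secret that
# contains "//" is not cut short as if it were a comment.
_TOKEN = re.compile(
    r'"([^"]*)"|/\*.*?\*/|//[^\n]*|#[^\n]*|([{};])|([^\s{};"]+)', re.S)

# Constructed sample (assumed rndc.conf layout): names and secrets are made up.
SAMPLE = '''
/* constructed rndc.conf for this example */
key "legacy" { algorithm hmac-md5; secret "c2FtcGxl//8="; };  // old key
key "ops" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQtMg=="; };
options { default-key "ops"; default-server ns1.example; default-port 953; };
server ns2.example { key "legacy"; };  # per-server key clause
'''

def tokenize(text):
    """Return (is_punct, value) pairs; comments are dropped."""
    tokens = []
    for m in _TOKEN.finditer(text):
        quoted, punct, word = m.groups()
        if quoted is not None or word:
            tokens.append((False, quoted if quoted is not None else word))
        elif punct:
            tokens.append((True, punct))
    return tokens

def parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, block|None)."""
    stmts, words = [], []
    while i < len(tokens):
        punct, val = tokens[i]
        i += 1
        if not punct:
            words.append(val)
        elif val == "{":
            block, i = parse(tokens, i)
            stmts.append((words, block))
            words = []
        elif val == "}":
            break
        else:  # ";" ends a simple clause (or follows a closed block)
            if words:
                stmts.append((words, None))
            words = []
    return stmts, i

def load_rndc_conf(text):
    """Collect key, server and options statements into dictionaries."""
    conf = {"keys": {}, "servers": {}, "options": {}}
    for words, block in parse(tokenize(text))[0]:
        if not words or block is None:
            continue
        clauses = {w[0]: w[1] for w, b in block if b is None and len(w) > 1}
        if words[0] == "options":
            conf["options"] = clauses
        elif words[0] in ("key", "server") and len(words) == 2:
            conf[words[0] + "s"][words[1]] = clauses
    return conf

def select_key(conf, server=None, key_id=None):
    """Key choice as the page describes: -y, server key, then default-key."""
    if key_id:
        return key_id
    server = server or conf["options"].get("default-server")
    return (conf["servers"].get(server, {}).get("key")
            or conf["options"].get("default-key"))

def audit(text, mode, server=None, key_id=None):
    """Return findings for the key rndc would use and for the file mode."""
    findings = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("mode %04o allows general read or write access"
                        % stat.S_IMODE(mode))
    conf = load_rndc_conf(text)
    name = select_key(conf, server, key_id)
    key = conf["keys"].get(name)
    if key is None:
        return findings + ["no key statement for key_id %r" % name]
    alg = key.get("algorithm", "").lower()
    if alg not in SUPPORTED:
        findings.append("key %r: unsupported algorithm %r" % (name, alg))
    elif alg in LEGACY:
        findings.append("key %r: %s is kept only for compatibility" % (name, alg))
    return findings

def audit_file(path, server=None, key_id=None):
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read(), os.stat(path).st_mode, server, key_id)

if __name__ == "__main__":
    print(audit(SAMPLE, 0o644, server="ns2.example"))
```

<p>On a name server host, <code>audit_file</code> takes the path given to <code class="option">-c</code> or <code class="option">-k</code> and the same server and key_id that would be passed with <code class="option">-s</code> and <code class="option">-y</code>.</p>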
A list of commands supported by <span><strong class="command">rndc</strong></span> can
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
Currently supported commands are:
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
Reload configuration file and zones.
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Reload the given zone.
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Schedule zone maintenance for the given zone.
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Retransfer the given slave zone from the master server.
If the zone is configured to use
<span><strong class="command">inline-signing</strong></span>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
signatures.
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
<span><strong class="command">key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option be set
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
<span><strong class="command">ixfr-from-differences</strong></span> option is
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
Scan the list of available network interfaces
for changes, without performing a full
<span><strong class="command">reconfig</strong></span> or waiting for the
<span><strong class="command">interface-interval</strong></span> timer.
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
Resend NOTIFY messages for the zone.
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <span><strong class="command">reload</strong></span> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
When run with the "status" keyword, print the current
status of the managed-keys database for the specified
view, or for all views if none is specified. When run
with the "refresh" keyword, force an immediate refresh
of all the managed-keys in the specified view, or all
views. When run with the "sync" keyword, force an
immediate dump of the managed-keys database to disk (in
the file <code class="filename">managed-keys.bind</code> or
(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
Write server statistics to the statistics file.
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
Query logging can also be enabled
by explicitly directing the <span><strong class="command">queries</strong></span>
<span><strong class="command">category</strong></span> to a
<span><strong class="command">channel</strong></span> in the
<span><strong class="command">logging</strong></span> section of
<code class="filename">named.conf</code> or by specifying
<span><strong class="command">querylog yes;</strong></span> in the
<span><strong class="command">options</strong></span> section of
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
dump file for the specified views. If no view is
specified, all
views are dumped.
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
Dump the server's security roots and negative trust anchors
for the specified views. If no view is specified, all views
are dumped.
If the first argument is "-", then the output is
returned via the <span><strong class="command">rndc</strong></span> response channel
and printed to the standard output.
Otherwise, it is written to the secroots dump file, which
defaults to <code class="filename">named.secroots</code>, but can be
overridden via the <code class="option">secroots-file</code> option in
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
has completed stopping.
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
has completed halting.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Increment the servers debugging level by one.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
b1b8ab34de515a5e83206da22c3d7e563241b021lling Sets the server's debugging level to an explicit
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Sets the server's debugging level to 0.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Flushes the server's cache.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Flushes the given name from the view's DNS cache
99653d4ee642c6528e88224f12409a5f23060994eschrock and, if applicable, from the view's nameserver address
99653d4ee642c6528e88224f12409a5f23060994eschrock database, bad server cache and SERVFAIL cache.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Flushes the given name, and all of its subdomains,
99653d4ee642c6528e88224f12409a5f23060994eschrock from the view's DNS cache, address database,
99653d4ee642c6528e88224f12409a5f23060994eschrock bad server cache, and SERVFAIL cache.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Display status of the server.
b1b8ab34de515a5e83206da22c3d7e563241b021lling Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
b1b8ab34de515a5e83206da22c3d7e563241b021lling and the default <span><strong class="command">/IN</strong></span>
b1b8ab34de515a5e83206da22c3d7e563241b021lling hint zone if there is not an
b1b8ab34de515a5e83206da22c3d7e563241b021lling explicit root zone configured.
b1b8ab34de515a5e83206da22c3d7e563241b021lling<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
b1b8ab34de515a5e83206da22c3d7e563241b021lling Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
ecd6cf800b63704be73fb264c3f5b6e0dafc068dmarks<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
ecd6cf800b63704be73fb264c3f5b6e0dafc068dmarks Enable, disable, or check the current status of
99653d4ee642c6528e88224f12409a5f23060994eschrock DNSSEC validation.
99653d4ee642c6528e88224f12409a5f23060994eschrock Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
99653d4ee642c6528e88224f12409a5f23060994eschrock set to <strong class="userinput"><code>yes</code></strong> or
99653d4ee642c6528e88224f12409a5f23060994eschrock <strong class="userinput"><code>auto</code></strong> to be effective.
99653d4ee642c6528e88224f12409a5f23060994eschrock It defaults to enabled.
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>nta
fa9e4066f08beec538e775443c5be79dd423fcabahrens [<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]
fa9e4066f08beec538e775443c5be79dd423fcabahrens [<span class="optional"><em class="replaceable"><code>view</code></em></span>]
99653d4ee642c6528e88224f12409a5f23060994eschrock Sets a DNSSEC negative trust anchor (NTA)
fa9e4066f08beec538e775443c5be79dd423fcabahrens for <code class="option">domain</code>, with a lifetime of
99653d4ee642c6528e88224f12409a5f23060994eschrock <code class="option">duration</code>. The default lifetime is
fa9e4066f08beec538e775443c5be79dd423fcabahrens configured in <code class="filename">named.conf</code> via the
fa9e4066f08beec538e775443c5be79dd423fcabahrens <code class="option">nta-lifetime</code> option, and defaults to
fa9e4066f08beec538e775443c5be79dd423fcabahrens one hour. The lifetime cannot exceed one week.
fa9e4066f08beec538e775443c5be79dd423fcabahrens A negative trust anchor selectively disables
99653d4ee642c6528e88224f12409a5f23060994eschrock DNSSEC validation for zones that are known to be
fa9e4066f08beec538e775443c5be79dd423fcabahrens failing because of misconfiguration rather than
fa9e4066f08beec538e775443c5be79dd423fcabahrens an attack. When data to be validated is
fa9e4066f08beec538e775443c5be79dd423fcabahrens at or below an active NTA (and above any other
fa9e4066f08beec538e775443c5be79dd423fcabahrens configured trust anchors), <span><strong class="command">named</strong></span> will
99653d4ee642c6528e88224f12409a5f23060994eschrock abort the DNSSEC validation process and treat the data as
fa9e4066f08beec538e775443c5be79dd423fcabahrens insecure rather than bogus. This continues until the
fa9e4066f08beec538e775443c5be79dd423fcabahrens NTA's lifetime has elapsed.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock NTAs persist across restarts of the named server.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock The NTAs for a view are saved in a file called
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock where <em class="replaceable"><code>name</code></em> is the
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock name of the view, or if it contains characters
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock that are incompatible with use as a file name, a
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock cryptographic hash generated from the name
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock of the view.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock An existing NTA can be removed by using the
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock An NTA's lifetime can be specified with the
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="option">-lifetime</code> option. TTL-style
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock suffixes can be used to specify the lifetime in
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock seconds, minutes, or hours. If the specified NTA
fa9e4066f08beec538e775443c5be79dd423fcabahrens already exists, its lifetime will be updated to the
fa9e4066f08beec538e775443c5be79dd423fcabahrens new value. Setting <code class="option">lifetime</code> to zero
fa9e4066f08beec538e775443c5be79dd423fcabahrens is equivalent to <code class="option">-remove</code>.
fa9e4066f08beec538e775443c5be79dd423fcabahrens If <code class="option">-dump</code> is used, any other arguments
fa9e4066f08beec538e775443c5be79dd423fcabahrens are ignored, and a list of existing NTAs is printed
fa9e4066f08beec538e775443c5be79dd423fcabahrens (note that this may include NTAs that are expired but
fa9e4066f08beec538e775443c5be79dd423fcabahrens have not yet been cleaned up).
fa9e4066f08beec538e775443c5be79dd423fcabahrens Normally, <span><strong class="command">named</strong></span> will periodically
fa9e4066f08beec538e775443c5be79dd423fcabahrens test to see whether data below an NTA can now be
fa9e4066f08beec538e775443c5be79dd423fcabahrens validated (see the <code class="option">nta-recheck</code> option
fa9e4066f08beec538e775443c5be79dd423fcabahrens in the Administrator Reference Manual for details).
fa9e4066f08beec538e775443c5be79dd423fcabahrens If data can be validated, then the NTA is regarded as
fa9e4066f08beec538e775443c5be79dd423fcabahrens no longer necessary, and will be allowed to expire
fa9e4066f08beec538e775443c5be79dd423fcabahrens early. The <code class="option">-force</code> option overrides this
fa9e4066f08beec538e775443c5be79dd423fcabahrens behavior and forces an NTA to persist for its entire
fa9e4066f08beec538e775443c5be79dd423fcabahrens lifetime, regardless of whether data could be
fa9e4066f08beec538e775443c5be79dd423fcabahrens validated if the NTA were not present.
fa9e4066f08beec538e775443c5be79dd423fcabahrens All of these options can be shortened, i.e., to
fa9e4066f08beec538e775443c5be79dd423fcabahrens <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
fa9e4066f08beec538e775443c5be79dd423fcabahrens<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
fa9e4066f08beec538e775443c5be79dd423fcabahrens List the names of all TSIG keys currently configured
5c7098917783942b65876f681a21342761227dadeschrock for use by <span><strong class="command">named</strong></span> in each view. The
fa9e4066f08beec538e775443c5be79dd423fcabahrens list includes both statically configured keys and dynamic
5c7098917783942b65876f681a21342761227dadeschrock TKEY-negotiated keys.
5c7098917783942b65876f681a21342761227dadeschrock<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
5c7098917783942b65876f681a21342761227dadeschrock Delete a given TKEY-negotiated key from the server.
fa9e4066f08beec538e775443c5be79dd423fcabahrens (This does not apply to statically configured TSIG
5c7098917783942b65876f681a21342761227dadeschrock<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
5c7098917783942b65876f681a21342761227dadeschrock Add a zone while the server is running. This
5c7098917783942b65876f681a21342761227dadeschrock command requires the
5c7098917783942b65876f681a21342761227dadeschrock <span><strong class="command">allow-new-zones</strong></span> option to be set
5c7098917783942b65876f681a21342761227dadeschrock to <strong class="userinput"><code>yes</code></strong>. The
5c7098917783942b65876f681a21342761227dadeschrock <em class="replaceable"><code>configuration</code></em> string
5c7098917783942b65876f681a21342761227dadeschrock specified on the command line is the zone
5c7098917783942b65876f681a21342761227dadeschrock configuration text that would ordinarily be
3d7072f8bd27709dba14f6fe336f149d25d9e207eschrock placed in <code class="filename">named.conf</code>.
5c7098917783942b65876f681a21342761227dadeschrock The configuration is saved in a file called
5c7098917783942b65876f681a21342761227dadeschrock <code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,
fa9e4066f08beec538e775443c5be79dd423fcabahrens where <em class="replaceable"><code>name</code></em> is the
99653d4ee642c6528e88224f12409a5f23060994eschrock name of the view, or if it contains characters
99653d4ee642c6528e88224f12409a5f23060994eschrock that are incompatible with use as a file name, a
99653d4ee642c6528e88224f12409a5f23060994eschrock cryptographic hash generated from the name
99653d4ee642c6528e88224f12409a5f23060994eschrock of the view.
99653d4ee642c6528e88224f12409a5f23060994eschrock When <span><strong class="command">named</strong></span> is
99653d4ee642c6528e88224f12409a5f23060994eschrock restarted, the file will be loaded into the view
99653d4ee642c6528e88224f12409a5f23060994eschrock configuration, so that zones that were added
99653d4ee642c6528e88224f12409a5f23060994eschrock can persist after a restart.
99653d4ee642c6528e88224f12409a5f23060994eschrock This sample <span><strong class="command">addzone</strong></span> command
99653d4ee642c6528e88224f12409a5f23060994eschrock would add the zone <code class="literal">example.com</code>
99653d4ee642c6528e88224f12409a5f23060994eschrock to the default view:
99653d4ee642c6528e88224f12409a5f23060994eschrock<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
99653d4ee642c6528e88224f12409a5f23060994eschrock (Note the brackets and semi-colon around the zone
99653d4ee642c6528e88224f12409a5f23060994eschrock configuration text.)
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Modify the configuration of a zone while the server
99653d4ee642c6528e88224f12409a5f23060994eschrock is running. This command requires the
99653d4ee642c6528e88224f12409a5f23060994eschrock <span><strong class="command">allow-new-zones</strong></span> option to be
99653d4ee642c6528e88224f12409a5f23060994eschrock set to <strong class="userinput"><code>yes</code></strong>. As with
99653d4ee642c6528e88224f12409a5f23060994eschrock <span><strong class="command">addzone</strong></span>, the
99653d4ee642c6528e88224f12409a5f23060994eschrock <em class="replaceable"><code>configuration</code></em> string
99653d4ee642c6528e88224f12409a5f23060994eschrock specified on the command line is the zone
99653d4ee642c6528e88224f12409a5f23060994eschrock configuration text that would ordinarily be
99653d4ee642c6528e88224f12409a5f23060994eschrock placed in <code class="filename">named.conf</code>.
99653d4ee642c6528e88224f12409a5f23060994eschrock If the zone was originally added via
99653d4ee642c6528e88224f12409a5f23060994eschrock <span><strong class="command">rndc addzone</strong></span>, the configuration
99653d4ee642c6528e88224f12409a5f23060994eschrock changes will be recorded permanently and will still be
99653d4ee642c6528e88224f12409a5f23060994eschrock in effect after the server is restarted or reconfigured.
6733190958bbcc0bd6d1d601e7ae0a6994dafb45dougm However, if it was originally configured in
ecd6cf800b63704be73fb264c3f5b6e0dafc068dmarks <code class="filename">named.conf</code>, then that original
ecd6cf800b63704be73fb264c3f5b6e0dafc068dmarks configuration is still in place; when the server is
99653d4ee642c6528e88224f12409a5f23060994eschrock restarted or reconfigured, the zone will revert to
99653d4ee642c6528e88224f12409a5f23060994eschrock its original configuration. To make the changes
99653d4ee642c6528e88224f12409a5f23060994eschrock permanent, it must also be modified in
99653d4ee642c6528e88224f12409a5f23060994eschrock<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
99653d4ee642c6528e88224f12409a5f23060994eschrock Delete a zone while the server is running.
99653d4ee642c6528e88224f12409a5f23060994eschrock If the <code class="option">-clean</code> option is specified,
99653d4ee642c6528e88224f12409a5f23060994eschrock the zone's master file (and journal file, if any)
99653d4ee642c6528e88224f12409a5f23060994eschrock will be deleted along with the zone. Without the
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="option">-clean</code> option, zone files must
5aba80db367b061758a29154d304977d00d8e4f4ck be cleaned up by hand. (If the zone is of
5aba80db367b061758a29154d304977d00d8e4f4ck type "slave" or "stub", the files needing to
5aba80db367b061758a29154d304977d00d8e4f4ck be cleaned up will be reported in the output
5aba80db367b061758a29154d304977d00d8e4f4ck of the <span><strong class="command">rndc delzone</strong></span> command.)
5aba80db367b061758a29154d304977d00d8e4f4ck If the zone was originally added via
5aba80db367b061758a29154d304977d00d8e4f4ck <span><strong class="command">rndc addzone</strong></span>, then it will be
5aba80db367b061758a29154d304977d00d8e4f4ck removed permanently. However, if it was originally
5aba80db367b061758a29154d304977d00d8e4f4ck configured in <code class="filename">named.conf</code>, then
5aba80db367b061758a29154d304977d00d8e4f4ck that original configuration is still in place; when
5aba80db367b061758a29154d304977d00d8e4f4ck the server is restarted or reconfigured, the zone will
5aba80db367b061758a29154d304977d00d8e4f4ck come back. To remove it permanently, it must also be
5aba80db367b061758a29154d304977d00d8e4f4ck<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
5aba80db367b061758a29154d304977d00d8e4f4ck Print the configuration of a running zone.
5aba80db367b061758a29154d304977d00d8e4f4ck<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
5aba80db367b061758a29154d304977d00d8e4f4ck List, edit, or remove the DNSSEC signing state records
5aba80db367b061758a29154d304977d00d8e4f4ck for the specified zone. The status of ongoing DNSSEC
5aba80db367b061758a29154d304977d00d8e4f4ck operations (such as signing or generating
5aba80db367b061758a29154d304977d00d8e4f4ck NSEC3 chains) is stored in the zone in the form
5aba80db367b061758a29154d304977d00d8e4f4ck of DNS resource records of type
5aba80db367b061758a29154d304977d00d8e4f4ck <span><strong class="command">sig-signing-type</strong></span>.
5aba80db367b061758a29154d304977d00d8e4f4ck <span><strong class="command">rndc signing -list</strong></span> converts
5aba80db367b061758a29154d304977d00d8e4f4ck these records into a human-readable form,
5aba80db367b061758a29154d304977d00d8e4f4ck indicating which keys are currently signing
5aba80db367b061758a29154d304977d00d8e4f4ck or have finished signing the zone, and which NSEC3
5aba80db367b061758a29154d304977d00d8e4f4ck chains are being created or removed.
5aba80db367b061758a29154d304977d00d8e4f4ck <span><strong class="command">rndc signing -clear</strong></span> can remove
5aba80db367b061758a29154d304977d00d8e4f4ck a single key (specified in the same format that
5aba80db367b061758a29154d304977d00d8e4f4ck <span><strong class="command">rndc signing -list</strong></span> uses to
5aba80db367b061758a29154d304977d00d8e4f4ck display it), or all keys. In either case, only
5aba80db367b061758a29154d304977d00d8e4f4ck completed keys are removed; any record indicating
5aba80db367b061758a29154d304977d00d8e4f4ck that a key has not yet finished signing the zone
5aba80db367b061758a29154d304977d00d8e4f4ck will be retained.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">rndc signing -nsec3param</strong></span> sets
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock the NSEC3 parameters for a zone. This is the
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock only supported mechanism for using NSEC3 with
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">inline-signing</strong></span> zones.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock Parameters are specified in the same format as
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock an NSEC3PARAM resource record: hash algorithm,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock flags, iterations, and salt, in that order.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock Currently, the only defined value for hash algorithm
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock is <code class="literal">1</code>, representing SHA-1.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock The <code class="option">flags</code> may be set to
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="literal">0</code> or <code class="literal">1</code>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock depending on whether you wish to set the opt-out
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock bit in the NSEC3 chain. <code class="option">iterations</code>
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock defines the number of additional times to apply
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock the algorithm when generating an NSEC3 hash. The
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="option">salt</code> is a string of data expressed
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock in hexadecimal, a hyphen (`-') if no salt is
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock to be used, or the keyword <code class="literal">auto</code>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock which causes <span><strong class="command">named</strong></span> to generate a
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock random 64-bit salt.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock So, for example, to create an NSEC3 chain using
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock the SHA-1 hash algorithm, no opt-out flag,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock 10 iterations, and a salt value of "FFFF", use:
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock To set the opt-out flag, 15 iterations, and no
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">rndc signing -nsec3param none</strong></span>
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock removes an existing NSEC3 chain and replaces it
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span><strong class="command">rndc signing -serial value</strong></span> sets
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock the serial number of the zone to value. If the value
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock would cause the serial number to go backwards, it will
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock be rejected. The primary use is to set the serial on
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock inline signed zones.
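The four values passed to rndc signing -nsec3param (hash algorithm, flags, iterations, salt) decide how owner names are hashed into the NSEC3 chain. The Python below is an added example, not part of the BIND documentation or source: it validates an argument list in the order described above and computes the RFC 5155 NSEC3 hash to show what the iterations and salt values do. The function names, the 16-bit iterations bound and the 255-octet salt bound (both from the NSEC3PARAM record format) and the sample name are assumptions of the example.

```python
import base64
import hashlib
import os

# Standard base32 alphabet -> base32hex alphabet, which NSEC3 owner names use.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(args):
    """Validate [algorithm, flags, iterations, salt], the order rndc expects."""
    if len(args) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    algorithm, flags, iterations, salt = args
    if algorithm != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0 or 1 (opt-out bit)")
    if not (iterations.isascii() and iterations.isdigit()) or int(iterations) > 0xFFFF:
        raise ValueError("iterations must fit the 16-bit NSEC3PARAM field")
    if salt == "-":
        salt_bytes = b""                  # no salt
    elif salt == "auto":
        salt_bytes = os.urandom(8)        # stands in for named's random 64-bit salt
    else:
        salt_bytes = bytes.fromhex(salt)  # raises ValueError on non-hex input
        if len(salt_bytes) > 255:
            raise ValueError("salt is limited to 255 octets")
    return {"opt_out": flags == "1", "iterations": int(iterations), "salt": salt_bytes}


def wire_name(name):
    """Canonical wire form: lower-cased, length-prefixed labels plus the root label."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: SHA-1(name || salt), then `iterations` further rounds."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):           # the "additional times" in the text
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # Arguments from the first example command above; the owner name is constructed.
    params = parse_nsec3param(["1", "0", "10", "FFFF"])
    print(params)
    print(nsec3_hash("www.example.com", params["salt"], params["iterations"]))
```

The salt and iteration count are published in the zone's NSEC3PARAM record, so anyone can recompute these hashes for guessed names; the parameters set the cost of each guess and do not keep names secret.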
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock There is currently no way to provide the shared secret for a
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <code class="option">key_id</code> without using the configuration file.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock Several error messages could be clearer.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
e9dbad6f263d5570ed7ff5443ec5b958af8c24d7eschrock<p><span class="corpauthor">Internet Systems Consortium</span>
b1b8ab34de515a5e83206da22c3d7e563241b021lling<p style="text-align: center;">BIND 9.11.0pre-alpha</p>