b2a6ebf1bd4dad1410afba9012a61d87090f03adDamien Neil<html>

9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence<head>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<title>rndc</title>

9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">

9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<link rel="prev" href="man.nsupdate.html" title="nsupdate">

9c4f33b6718407e94d50dbfb4977e16d3f83de9dDavid Lawrence<link rel="next" href="man.rndc.conf.html" title="rndc.conf">

9c4f33b6718407e94d50dbfb4977e16d3f83de9dDavid Lawrence</head>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<div class="navheader">

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<table width="100%" summary="Navigation header">

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<tr>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<td width="20%" align="left">

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<th width="60%" align="center">Manual pages</th>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<td width="20%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>

01956482905dd861a9b07d417d469955466b728dDamien Neil</td>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil</tr>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil</table>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<hr>

b2a6ebf1bd4dad1410afba9012a61d87090f03adDamien Neil</div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<div class="refentry" lang="en">

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<a name="man.rndc"></a><div class="titlepage"></div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<div class="refnamediv">

b2a6ebf1bd4dad1410afba9012a61d87090f03adDamien Neil<h2>Name</h2>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<p><span class="application">rndc</span> &#8212; name server control utility</p>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil</div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<div class="refsynopsisdiv">

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<h2>Synopsis</h2>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil</div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<div class="refsect1" lang="en">

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<a name="id2661246"></a><h2>DESCRIPTION</h2>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<p><span><strong class="command">rndc</strong></span>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil controls the operation of a name

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley server. It supersedes the <span><strong class="command">ndc</strong></span> utility

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley that was provided in old BIND releases. If

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley <span><strong class="command">rndc</strong></span> is invoked with no command line

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil options or arguments, it prints a short summary of the

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington supported commands and the available options and their

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington arguments.

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington </p>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<p><span><strong class="command">rndc</strong></span>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington communicates with the name server over a TCP connection, sending

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley commands authenticated with digital signatures. In the current

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley versions of

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington the only supported authentication algorithms are HMAC-MD5

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil (default), HMAC-SHA384 and HMAC-SHA512.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil They use a shared secret on each end of the connection.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil This provides TSIG-style authentication for the command

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil request and the name server's response. All commands sent

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley over the channel must be signed by a key_id known to the

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley server.

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley </p>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<p><span><strong class="command">rndc</strong></span>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil reads a configuration file to

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil determine how to contact the name server and decide what

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil algorithm and key it should use.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil </p>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil</div>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<div class="refsect1" lang="en">

f671a5c51cc59e266620c0c4026b054908fdd80cBob Halley<a name="id2661297"></a><h2>OPTIONS</h2>

e4b9761b0ef03597c35d1ef1d86e12514c621f90Michael Graff<div class="variablelist"><dl>

f671a5c51cc59e266620c0c4026b054908fdd80cBob Halley<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dd><p>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Use <em class="replaceable"><code>source-address</code></em>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil as the source address for the connection to the server.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Multiple instances are permitted to allow setting of both

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil the IPv4 and IPv6 source addresses.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil </p></dd>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<dd><p>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley Use <em class="replaceable"><code>config-file</code></em>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley as the configuration file instead of the default,

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil <code class="filename">/etc/rndc.conf</code>.

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley </p></dd>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<dd><p>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington Use <em class="replaceable"><code>key-file</code></em>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington as the key file instead of the default,

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington <code class="filename">/etc/rndc.key</code>. The key in

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington <code class="filename">/etc/rndc.key</code> will be used to

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington authenticate

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington commands sent to the server if the <em class="replaceable"><code>config-file</code></em>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington does not exist.

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil </p></dd>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dd><p><em class="replaceable"><code>server</code></em> is

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil the name or address of the server which matches a

e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil server statement in the configuration file for

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington <span><strong class="command">rndc</strong></span>. If no server is supplied on the

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington command line, the host named by the default-server clause

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington in the options statement of the <span><strong class="command">rndc</strong></span>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington configuration file will be used.

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington </p></dd>

26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>

bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<dd><p>

Send commands to TCP port

<em class="replaceable"><code>port</code></em>

instead

of BIND 9's default control channel port, 953.

</p></dd>

<dt><span class="term">-q</span></dt>

<dd><p>

Quiet mode: Message text returned by the server

will not be printed except when there is an error.

</p></dd>

<dt><span class="term">-V</span></dt>

<dd><p>

Enable verbose logging.

</p></dd>

<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>

<dd><p>

Use the key <em class="replaceable"><code>key_id</code></em>

from the configuration file.

<em class="replaceable"><code>key_id</code></em>

must be

known by <span><strong class="command">named</strong></span> with the same algorithm and secret string

in order for control message validation to succeed.

If no <em class="replaceable"><code>key_id</code></em>

is specified, <span><strong class="command">rndc</strong></span> will first look

for a key clause in the server statement of the server

being used, or if no server statement is present for that

host, then the default-key clause of the options statement.

Note that the configuration file contains shared secrets

which are used to send authenticated control commands

to name servers. It should therefore not have general read

or write access.

</p></dd>

</dl></div>

</div>

<div class="refsect1" lang="en">

<a name="id2661661"></a><h2>COMMANDS</h2>

<p>

A list of commands supported by <span><strong class="command">rndc</strong></span> can

be seen by running <span><strong class="command">rndc</strong></span> without arguments.

</p>

<p>

Currently supported commands are:

</p>

<div class="variablelist"><dl>

<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>

<dd><p>

Reload configuration file and zones.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd><p>

Reload the given zone.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd><p>

Schedule zone maintenance for the given zone.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd>

<p>

Retransfer the given slave zone from the master server.

</p>

<p>

If the zone is configured to use

<span><strong class="command">inline-signing</strong></span>, the signed

version of the zone is discarded; after the

retransfer of the unsigned version is complete, the

signed version will be regenerated with all new

signatures.

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd>

<p>

Fetch all DNSSEC keys for the given zone

from the key directory (see the

<span><strong class="command">key-directory</strong></span> option in

the BIND 9 Administrator Reference Manual). If they are within

their publication period, merge them into the

zone's DNSKEY RRset. If the DNSKEY RRset

is changed, then the zone is automatically

re-signed with the new key set.

</p>

<p>

This command requires that the

<span><strong class="command">auto-dnssec</strong></span> zone option be set

to <code class="literal">allow</code> or

<code class="literal">maintain</code>,

and also requires the zone to be configured to

allow dynamic DNS.

(See "Dynamic Update Policies" in the Administrator

Reference Manual for more details.)

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd>

<p>

Fetch all DNSSEC keys for the given zone

from the key directory. If they are within

their publication period, merge them into the

zone's DNSKEY RRset. Unlike <span><strong class="command">rndc

sign</strong></span>, however, the zone is not

immediately re-signed by the new keys, but is

allowed to incrementally re-sign over time.

</p>

<p>

This command requires that the

<span><strong class="command">auto-dnssec</strong></span> zone option

be set to <code class="literal">maintain</code>,

and also requires the zone to be configured to

allow dynamic DNS.

(See "Dynamic Update Policies" in the Administrator

Reference Manual for more details.)

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>

<dd><p>

Suspend updates to a dynamic zone. If no zone is

specified, then all zones are suspended. This allows

manual edits to be made to a zone normally updated by

dynamic update. It also causes changes in the

journal file to be synced into the master file.

All dynamic update attempts will be refused while

the zone is frozen.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>

<dd><p>

Enable updates to a frozen dynamic zone. If no

zone is specified, then all frozen zones are

enabled. This causes the server to reload the zone

from disk, and re-enables dynamic updates after the

load has completed. After a zone is thawed,

dynamic updates will no longer be refused. If

the zone has changed and the

<span><strong class="command">ixfr-from-differences</strong></span> option is

in use, then the journal file will be updated to

reflect changes in the zone. Otherwise, if the

zone has changed, any existing journal file will be

removed.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>

<dd><p>

Scan the list of available network interfaces

for changes, without performing a full

<span><strong class="command">reconfig</strong></span> or waiting for the

<span><strong class="command">interface-interval</strong></span> timer.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>

<dd><p>

Sync changes in the journal file for a dynamic zone

to the master file. If the <code class="option">-clean</code> option is

specified, the journal file is also removed. If

no zone is specified, then all zones are synced.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd><p>

Resend NOTIFY messages for the zone.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>

<dd><p>

Reload the configuration file and load new zones,

but do not reload existing zone files even if they

have changed.

This is faster than a full <span><strong class="command">reload</strong></span> when there

is a large number of zones because it avoids the need

to examine the

modification times of the zones files.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>

<dd><p>

Displays the current status of the given zone,

including the master file name and any include

files from which it was loaded, when it was most

recently loaded, the current serial number, the

number of nodes, whether the zone supports

dynamic updates, whether the zone is DNSSEC

signed, whether it uses automatic DNSSEC key

management or inline signing, and the scheduled

refresh or expiry times for the zone.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>

<dd><p>

When run with the "status" keyword, print the current

status of the managed-keys database for the specified

view, or for all views if none is specified. When run

with the "refresh" keyword, force an immediate refresh

of all the managed-keys in the specified view, or all

views. When run with the "sync" keyword, force an

immediate dump of the managed-keys database to disk (in

the file <code class="filename">managed-keys.bind</code> or

(<code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).

</p></dd>

<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>

<dd><p>

Write server statistics to the statistics file.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>

<dd>

<p>

Enable or disable query logging. (For backward

compatibility, this command can also be used without

an argument to toggle query logging on and off.)

</p>

<p>

Query logging can also be enabled

by explicitly directing the <span><strong class="command">queries</strong></span>

<span><strong class="command">category</strong></span> to a

<span><strong class="command">channel</strong></span> in the

<span><strong class="command">logging</strong></span> section of

<code class="filename">named.conf</code> or by specifying

<span><strong class="command">querylog yes;</strong></span> in the

<span><strong class="command">options</strong></span> section of

<code class="filename">named.conf</code>.

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>

<dd><p>

Dump the server's caches (default) and/or zones to

the

dump file for the specified views. If no view is

specified, all

views are dumped.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>

<dd>

<p>

Dump the server's security roots and negative trust anchors

for the specified views. If no view is specified, all views

are dumped.

</p>

<p>

If the first argument is "-", then the output is

returned via the <span><strong class="command">rndc</strong></span> response channel

and printed to the standard output.

Otherwise, it is written to the secroots dump file, which

defaults to <code class="filename">named.secroots</code>, but can be

overridden via the <code class="option">secroots-file</code> option in

<code class="filename">named.conf</code>.

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>

<dd><p>

Stop the server, making sure any recent changes

made through dynamic update or IXFR are first saved to

the master files of the updated zones.

If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.

This allows an external process to determine when <span><strong class="command">named</strong></span>

had completed stopping.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>

<dd><p>

Stop the server immediately. Recent changes

made through dynamic update or IXFR are not saved to

the master files, but will be rolled forward from the

journal files when the server is restarted.

If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.

This allows an external process to determine when <span><strong class="command">named</strong></span>

had completed halting.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>

<dd><p>

Increment the servers debugging level by one.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>

<dd><p>

Sets the server's debugging level to an explicit

value.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>

<dd><p>

Sets the server's debugging level to 0.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>

<dd><p>

Flushes the server's cache.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>

<dd><p>

Flushes the given name from the view's DNS cache

and, if applicable, from the view's nameserver address

database, bad server cache and SERVFAIL cache.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>

<dd><p>

Flushes the given name, and all of its subdomains,

from the view's DNS cache, address database,

bad server cache, and SERVFAIL cache.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>

<dd><p>

Display status of the server.

Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone

and the default <span><strong class="command">/IN</strong></span>

hint zone if there is not an

explicit root zone configured.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>

<dd><p>

Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing

on.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>

<dd><p>

Enable, disable, or check the current status of

DNSSEC validation.

Note <span><strong class="command">dnssec-enable</strong></span> also needs to be

set to <strong class="userinput"><code>yes</code></strong> or

<strong class="userinput"><code>auto</code></strong> to be effective.

It defaults to enabled.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>nta

[<span class="optional">( -d | -f | -r | -l <em class="replaceable"><code>duration</code></em>)</span>]

<em class="replaceable"><code>domain</code></em>

[<span class="optional"><em class="replaceable"><code>view</code></em></span>]

</code></strong></span></dt>

<dd>

<p>

Sets a DNSSEC negative trust anchor (NTA)

for <code class="option">domain</code>, with a lifetime of

<code class="option">duration</code>. The default lifetime is

configured in <code class="filename">named.conf</code> via the

<code class="option">nta-lifetime</code> option, and defaults to

one hour. The lifetime cannot exceed one week.

</p>

<p>

A negative trust anchor selectively disables

DNSSEC validation for zones that are known to be

failing because of misconfiguration rather than

an attack. When data to be validated is

at or below an active NTA (and above any other

configured trust anchors), <span><strong class="command">named</strong></span> will

abort the DNSSEC validation process and treat the data as

insecure rather than bogus. This continues until the

NTA's lifetime is elapsed.

</p>

<p>

NTAs persist across restarts of the <span><strong class="command">named</strong></span> server.

The NTAs for a view are saved in a file called

<code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,

where <em class="replaceable"><code>name</code></em> is the

name of the view, or if it contains characters

that are incompatible with use as a file name, a

cryptographic hash generated from the name

of the view.

</p>

<p>

An existing NTA can be removed by using the

<code class="option">-remove</code> option.

</p>

<p>

An NTA's lifetime can be specified with the

<code class="option">-lifetime</code> option. TTL-style

suffixes can be used to specify the lifetime in

seconds, minutes, or hours. If the specified NTA

already exists, its lifetime will be updated to the

new value. Setting <code class="option">lifetime</code> to zero

is equivalent to <code class="option">-remove</code>.

</p>

<p>

If <code class="option">-dump</code> is used, any other arguments

are ignored, and a list of existing NTAs is printed

(note that this may include NTAs that are expired but

have not yet been cleaned up).

</p>

<p>

Normally, <span><strong class="command">named</strong></span> will periodically

test to see whether data below an NTA can now be

validated (see the <code class="option">nta-recheck</code> option

in the Administrator Reference Manual for details).

If data can be validated, then the NTA is regarded as

no longer necessary, and will be allowed to expire

early. The <code class="option">-force</code> overrides this

behavior and forces an NTA to persist for its entire

lifetime, regardless of whether data could be

validated if the NTA were not present.

</p>

<p>

All of these options can be shortened, i.e., to

<code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,

and <code class="option">-f</code>.

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>

<dd><p>

List the names of all TSIG keys currently configured

for use by <span><strong class="command">named</strong></span> in each view. The

list both statically configured keys and dynamic

TKEY-negotiated keys.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>

<dd><p>

Delete a given TKEY-negotiated key from the server.

(This does not apply to statically configured TSIG

keys.)

</p></dd>

<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>

<dd>

<p>

Add a zone while the server is running. This

command requires the

<span><strong class="command">allow-new-zones</strong></span> option to be set

to <strong class="userinput"><code>yes</code></strong>. The

<em class="replaceable"><code>configuration</code></em> string

specified on the command line is the zone

configuration text that would ordinarily be

placed in <code class="filename">named.conf</code>.

</p>

<p>

The configuration is saved in a file called

<code class="filename"><em class="replaceable"><code>name</code></em>.nzf</code>,

where <em class="replaceable"><code>name</code></em> is the

name of the view, or if it contains characters

that are incompatible with use as a file name, a

cryptographic hash generated from the name

of the view.

When <span><strong class="command">named</strong></span> is

restarted, the file will be loaded into the view

configuration, so that zones that were added

can persist after a restart.

</p>

<p>

This sample <span><strong class="command">addzone</strong></span> command

would add the zone <code class="literal">example.com</code>

to the default view:

</p>

<p>

<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>

</p>

<p>

(Note the brackets and semi-colon around the zone

configuration text.)

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>

<dd>

<p>

Modify the configuration of a zone while the server

is running. This command requires the

<span><strong class="command">allow-new-zones</strong></span> option to be

set to <strong class="userinput"><code>yes</code></strong>. As with

<span><strong class="command">addzone</strong></span>, the

<em class="replaceable"><code>configuration</code></em> string

specified on the command line is the zone

configuration text that would ordinarily be

placed in <code class="filename">named.conf</code>.

</p>

<p>

If the zone was originally added via

<span><strong class="command">rndc addzone</strong></span>, the configuration

changes will be recorded permanently and will still be

in effect after the server is restarted or reconfigured.

However, if it was originally configured in

<code class="filename">named.conf</code>, then that original

configuration is still in place; when the server is

restarted or reconfigured, the zone will revert to

its original configuration. To make the changes

permanent, it must also be modified in

<code class="filename">named.conf</code>

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>

<dd>

<p>

Delete a zone while the server is running.

</p>

<p>

If the <code class="option">-clean</code> is specified,

the zone's master file (and journal file, if any)

will be deleted along with the zone. Without the

<code class="option">-clean</code> option, zone files must

be cleaned up by hand. (If the zone is of

type "slave" or "stub", the files needing to

be cleaned up will be reported in the output

of the <span><strong class="command">rndc delzone</strong></span> command.)

</p>

<p>

If the zone was originally added via

<span><strong class="command">rndc addzone</strong></span>, then it will be

removed permanently. However, if it was originally

configured in <code class="filename">named.conf</code>, then

that original configuration is still in place; when

the server is restarted or reconfigured, the zone will

come back. To remove it permanently, it must also be

removed from <code class="filename">named.conf</code>

</p>

</dd>

<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>

<dd><p>

Print the configuration of a running zone.

</p></dd>

<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>

<dd>

<p>

List, edit, or remove the DNSSEC signing state records

for the specified zone. The status of ongoing DNSSEC

operations (such as signing or generating

NSEC3 chains) is stored in the zone in the form

of DNS resource records of type

<span><strong class="command">sig-signing-type</strong></span>.

<span><strong class="command">rndc signing -list</strong></span> converts

these records into a human-readable form,

indicating which keys are currently signing

or have finished signing the zone, and which NSEC3

chains are being created or removed.

</p>

<p>

<span><strong class="command">rndc signing -clear</strong></span> can remove

a single key (specified in the same format that

<span><strong class="command">rndc signing -list</strong></span> uses to

display it), or all keys. In either case, only

completed keys are removed; any record indicating

that a key has not yet finished signing the zone

will be retained.

</p>

<p>

<span><strong class="command">rndc signing -nsec3param</strong></span> sets

the NSEC3 parameters for a zone. This is the

only supported mechanism for using NSEC3 with

<span><strong class="command">inline-signing</strong></span> zones.

Parameters are specified in the same format as

an NSEC3PARAM resource record: hash algorithm,

flags, iterations, and salt, in that order.

</p>

<p>

Currently, the only defined value for hash algorithm

is <code class="literal">1</code>, representing SHA-1.

The <code class="option">flags</code> may be set to

<code class="literal">0</code> or <code class="literal">1</code>,

depending on whether you wish to set the opt-out

bit in the NSEC3 chain. <code class="option">iterations</code>

defines the number of additional times to apply

the algorithm when generating an NSEC3 hash. The

<code class="option">salt</code> is a string of data expressed

in hexadecimal, a hyphen (`-') if no salt is

to be used, or the keyword <code class="literal">auto</code>,

which causes <span><strong class="command">named</strong></span> to generate a

random 64-bit salt.

</p>

<p>

So, for example, to create an NSEC3 chain using

the SHA-1 hash algorithm, no opt-out flag,

10 iterations, and a salt value of "FFFF", use:

<span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.

To set the opt-out flag, 15 iterations, and no

salt, use:

<span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.

</p>

<p>

<span><strong class="command">rndc signing -nsec3param none</strong></span>

removes an existing NSEC3 chain and replaces it

with NSEC.

</p>

<p>

<span><strong class="command">rndc signing -serial value</strong></span> sets

the serial number of the zone to value. If the value

would cause the serial number to go backwards it will

be rejected. The primary use is to set the serial on

inline signed zones.

</p>

</dd>

</dl></div>

</div>

<div class="refsect1" lang="en">

<a name="id2690555"></a><h2>LIMITATIONS</h2>

<p>

There is currently no way to provide the shared secret for a

<code class="option">key_id</code> without using the configuration file.

</p>

<p>

Several error messages could be clearer.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2690573"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,

<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,

<span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2690629"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="man.nsupdate.html">Prev</a>�</td>

<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>

<td width="40%" align="right">�<a accesskey="n" href="man.rndc.conf.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">

<span class="application">nsupdate</span>�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�<code class="filename">rndc.conf</code>

</td>

</tr>

</table>

</div>

<p style="text-align: center;">BIND 9.11.0pre-alpha</p>

</body>

</html>