1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000, 2001 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <refentry id="man.rndc">
23 <date>December 04, 2013</date>
27 <refentrytitle><application>rndc</application></refentrytitle>
28 <manvolnum>8</manvolnum>
29 <refmiscinfo>BIND9</refmiscinfo>
33 <refname><application>rndc</application></refname>
34 <refpurpose>name server control utility</refpurpose>
44 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
49 <holder>Internet Software Consortium.</holder>
55 <command>rndc</command>
56 <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
57 <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
58 <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
59 <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
60 <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
61 <arg><option>-V</option></arg>
62 <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
63 <arg choice="req">command</arg>
68 <title>DESCRIPTION</title>
69 <para><command>rndc</command>
70 controls the operation of a name
71 server. It supersedes the <command>ndc</command> utility
72 that was provided in old BIND releases. If
73 <command>rndc</command> is invoked with no command line
74 options or arguments, it prints a short summary of the
75 supported commands and the available options and their
78 <para><command>rndc</command>
79 communicates with the name server
80 over a TCP connection, sending commands authenticated with
81 digital signatures. In the current versions of
82 <command>rndc</command> and <command>named</command>,
83 the only supported authentication algorithm is HMAC-MD5,
84 which uses a shared secret on each end of the connection.
85 This provides TSIG-style authentication for the command
86 request and the name server's response. All commands sent
87 over the channel must be signed by a key_id known to the
90 <para><command>rndc</command>
91 reads a configuration file to
92 determine how to contact the name server and decide what
93 algorithm and key it should use.
98 <title>OPTIONS</title>
102 <term>-b <replaceable class="parameter">source-address</replaceable></term>
105 Use <replaceable class="parameter">source-address</replaceable>
106 as the source address for the connection to the server.
107 Multiple instances are permitted to allow setting of both
108 the IPv4 and IPv6 source addresses.
114 <term>-c <replaceable class="parameter">config-file</replaceable></term>
117 Use <replaceable class="parameter">config-file</replaceable>
118 as the configuration file instead of the default,
119 <filename>/etc/rndc.conf</filename>.
125 <term>-k <replaceable class="parameter">key-file</replaceable></term>
128 Use <replaceable class="parameter">key-file</replaceable>
129 as the key file instead of the default,
130 <filename>/etc/rndc.key</filename>. The key in
131 <filename>/etc/rndc.key</filename> will be used to
133 commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
140 <term>-s <replaceable class="parameter">server</replaceable></term>
142 <para><replaceable class="parameter">server</replaceable> is
143 the name or address of the server which matches a
144 server statement in the configuration file for
145 <command>rndc</command>. If no server is supplied on the
146 command line, the host named by the default-server clause
147 in the options statement of the <command>rndc</command>
148 configuration file will be used.
154 <term>-p <replaceable class="parameter">port</replaceable></term>
157 Send commands to TCP port
158 <replaceable class="parameter">port</replaceable>
160 of BIND 9's default control channel port, 953.
169 Enable verbose logging.
175 <term>-y <replaceable class="parameter">key_id</replaceable></term>
178 Use the key <replaceable class="parameter">key_id</replaceable>
179 from the configuration file.
180 <replaceable class="parameter">key_id</replaceable>
182 known by named with the same algorithm and secret string
183 in order for control message validation to succeed.
184 If no <replaceable class="parameter">key_id</replaceable>
185 is specified, <command>rndc</command> will first look
186 for a key clause in the server statement of the server
187 being used, or if no server statement is present for that
188 host, then the default-key clause of the options statement.
189 Note that the configuration file contains shared secrets
190 which are used to send authenticated control commands
191 to name servers. It should therefore not have general read
201 <title>COMMANDS</title>
203 A list of commands supported by <command>rndc</command> can
204 be seen by running <command>rndc</command> without arguments.
207 Currently supported commands are:
212 <term><userinput>reload</userinput></term>
215 Reload configuration file and zones.
221 <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
224 Reload the given zone.
230 <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
233 Schedule zone maintenance for the given zone.
239 <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
242 Retransfer the given slave zone from the master server.
245 If the zone is configured to use
246 <command>inline-signing</command>, the signed
247 version of the zone is discarded; after the
248 retransfer of the unsigned version is complete, the
249 signed version will be regenerated with all new
256 <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
259 Fetch all DNSSEC keys for the given zone
260 from the key directory (see the
261 <command>key-directory</command> option in
262 the BIND 9 Administrator Reference Manual). If they are within
263 their publication period, merge them into the
264 zone's DNSKEY RRset. If the DNSKEY RRset
265 is changed, then the zone is automatically
266 re-signed with the new key set.
269 This command requires that the
270 <command>auto-dnssec</command> zone option be set
271 to <literal>allow</literal> or
272 <literal>maintain</literal>,
273 and also requires the zone to be configured to
275 (See "Dynamic Update Policies" in the Administrator
276 Reference Manual for more details.)
282 <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
285 Fetch all DNSSEC keys for the given zone
286 from the key directory. If they are within
287 their publication period, merge them into the
288 zone's DNSKEY RRset. Unlike <command>rndc
289 sign</command>, however, the zone is not
290 immediately re-signed by the new keys, but is
291 allowed to incrementally re-sign over time.
294 This command requires that the
295 <command>auto-dnssec</command> zone option
296 be set to <literal>maintain</literal>,
297 and also requires the zone to be configured to
299 (See "Dynamic Update Policies" in the Administrator
300 Reference Manual for more details.)
306 <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
309 Suspend updates to a dynamic zone. If no zone is
310 specified, then all zones are suspended. This allows
311 manual edits to be made to a zone normally updated by
312 dynamic update. It also causes changes in the
313 journal file to be synced into the master file.
314 All dynamic update attempts will be refused while
321 <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
324 Enable updates to a frozen dynamic zone. If no
325 zone is specified, then all frozen zones are
326 enabled. This causes the server to reload the zone
327 from disk, and re-enables dynamic updates after the
328 load has completed. After a zone is thawed,
329 dynamic updates will no longer be refused. If
330 the zone has changed and the
331 <command>ixfr-from-differences</command> option is
332 in use, then the journal file will be updated to
333 reflect changes in the zone. Otherwise, if the
334 zone has changed, any existing journal file will be
341 <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
344 Sync changes in the journal file for a dynamic zone
345 to the master file. If the "-clean" option is
346 specified, the journal file is also removed. If
347 no zone is specified, then all zones are synced.
353 <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
356 Resend NOTIFY messages for the zone.
362 <term><userinput>reconfig</userinput></term>
365 Reload the configuration file and load new zones,
366 but do not reload existing zone files even if they
368 This is faster than a full <command>reload</command> when there
369 is a large number of zones because it avoids the need
371 modification times of the zones files.
377 <term><userinput>stats</userinput></term>
380 Write server statistics to the statistics file.
386 <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
389 Enable or disable query logging. (For backward
390 compatibility, this command can also be used without
391 an argument to toggle query logging on and off.)
394 Query logging can also be enabled
395 by explicitly directing the <command>queries</command>
396 <command>category</command> to a
397 <command>channel</command> in the
398 <command>logging</command> section of
399 <filename>named.conf</filename> or by specifying
400 <command>querylog yes;</command> in the
401 <command>options</command> section of
402 <filename>named.conf</filename>.
408 <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
411 Dump the server's caches (default) and/or zones to
413 dump file for the specified views. If no view is
421 <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
424 Dump the server's security roots to the secroots
425 file for the specified views. If no view is
426 specified, security roots for all
433 <term><userinput>stop <optional>-p</optional></userinput></term>
436 Stop the server, making sure any recent changes
437 made through dynamic update or IXFR are first saved to
438 the master files of the updated zones.
439 If <option>-p</option> is specified <command>named</command>'s process id is returned.
440 This allows an external process to determine when <command>named</command>
441 had completed stopping.
447 <term><userinput>halt <optional>-p</optional></userinput></term>
450 Stop the server immediately. Recent changes
451 made through dynamic update or IXFR are not saved to
452 the master files, but will be rolled forward from the
453 journal files when the server is restarted.
454 If <option>-p</option> is specified <command>named</command>'s process id is returned.
455 This allows an external process to determine when <command>named</command>
456 had completed halting.
462 <term><userinput>trace</userinput></term>
465 Increment the servers debugging level by one.
471 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
474 Sets the server's debugging level to an explicit
481 <term><userinput>notrace</userinput></term>
484 Sets the server's debugging level to 0.
490 <term><userinput>flush</userinput></term>
493 Flushes the server's cache.
499 <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
502 Flushes the given name from the server's DNS cache
503 and, if applicable, from the server's nameserver address
504 database or bad-server cache.
510 <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
513 Flushes the given name, and all of its subdomains,
514 from the server's DNS cache. Note that this does
515 <emphasis>not</emphasis> affect he server's address
516 database or bad-server cache.
522 <term><userinput>status</userinput></term>
525 Display status of the server.
526 Note that the number of zones includes the internal <command>bind/CH</command> zone
527 and the default <command>./IN</command>
528 hint zone if there is not an
529 explicit root zone configured.
535 <term><userinput>recursing</userinput></term>
538 Dump the list of queries <command>named</command> is currently recursing
545 <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
548 Enable, disable, or check the current status of
550 Note <command>dnssec-enable</command> also needs to be
551 set to <userinput>yes</userinput> or
552 <userinput>auto</userinput> to be effective.
553 It defaults to enabled.
559 <term><userinput>tsig-list</userinput></term>
562 List the names of all TSIG keys currently configured
563 for use by <command>named</command> in each view. The
564 list both statically configured keys and dynamic
565 TKEY-negotiated keys.
571 <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
574 Delete a given TKEY-negotiated key from the server.
575 (This does not apply to statically configured TSIG
582 <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
585 Add a zone while the server is running. This
587 <command>allow-new-zones</command> option to be set
588 to <userinput>yes</userinput>. The
589 <replaceable>configuration</replaceable> string
590 specified on the command line is the zone
591 configuration text that would ordinarily be
592 placed in <filename>named.conf</filename>.
595 The configuration is saved in a file called
596 <filename><replaceable>hash</replaceable>.nzf</filename>,
597 where <replaceable>hash</replaceable> is a
598 cryptographic hash generated from the name of
599 the view. When <command>named</command> is
600 restarted, the file will be loaded into the view
601 configuration, so that zones that were added
602 can persist after a restart.
605 This sample <command>addzone</command> command
606 would add the zone <literal>example.com</literal>
610 <prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
613 (Note the brackets and semi-colon around the zone
620 <term><userinput>delzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
623 Delete a zone while the server is running.
624 Only zones that were originally added via
625 <command>rndc addzone</command> can be deleted
632 <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
635 List, edit, or remove the DNSSEC signing state records
636 for the specified zone. The status of ongoing DNSSEC
637 operations (such as signing or generating
638 NSEC3 chains) is stored in the zone in the form
639 of DNS resource records of type
640 <command>sig-signing-type</command>.
641 <command>rndc signing -list</command> converts
642 these records into a human-readable form,
643 indicating which keys are currently signing
644 or have finished signing the zone, and which NSEC3
645 chains are being created or removed.
648 <command>rndc signing -clear</command> can remove
649 a single key (specified in the same format that
650 <command>rndc signing -list</command> uses to
651 display it), or all keys. In either case, only
652 completed keys are removed; any record indicating
653 that a key has not yet finished signing the zone
657 <command>rndc signing -nsec3param</command> sets
658 the NSEC3 parameters for a zone. This is the
659 only supported mechanism for using NSEC3 with
660 <command>inline-signing</command> zones.
661 Parameters are specified in the same format as
662 an NSEC3PARAM resource record: hash algorithm,
663 flags, iterations, and salt, in that order.
666 Currently, the only defined value for hash algorithm
667 is <literal>1</literal>, representing SHA-1.
668 The <option>flags</option> may be set to
669 <literal>0</literal> or <literal>1</literal>,
670 depending on whether you wish to set the opt-out
671 bit in the NSEC3 chain. <option>iterations</option>
672 defines the number of additional times to apply
673 the algorithm when generating an NSEC3 hash. The
674 <option>salt</option> is a string of data expressed
675 in hexadecimal, or a hyphen (`-') if no salt is
679 So, for example, to create an NSEC3 chain using
680 the SHA-1 hash algorithm, no opt-out flag,
681 10 iterations, and a salt value of "FFFF", use:
682 <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
683 To set the opt-out flag, 15 iterations, and no
685 <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
688 <command>rndc signing -nsec3param none</command>
689 removes an existing NSEC3 chain and replaces it
698 <title>LIMITATIONS</title>
700 There is currently no way to provide the shared secret for a
701 <option>key_id</option> without using the configuration file.
704 Several error messages could be clearer.
709 <title>SEE ALSO</title>
711 <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
714 <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
717 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
720 <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
723 <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
725 <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
730 <title>AUTHOR</title>
731 <para><corpauthor>Internet Systems Consortium</corpauthor>