1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000, 2001 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- $Id: rndc.docbook,v 1.21 2007/12/14 20:39:14 marka Exp $ -->
22 <refentry id="man.rndc">
24 <date>June 7, 2013</date>
28 <refentrytitle><application>rndc</application></refentrytitle>
29 <manvolnum>8</manvolnum>
30 <refmiscinfo>BIND9</refmiscinfo>
34 <refname><application>rndc</application></refname>
35 <refpurpose>name server control utility</refpurpose>
44 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
49 <holder>Internet Software Consortium.</holder>
55 <command>rndc</command>
56 <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
57 <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
58 <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
59 <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
60 <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
61 <arg><option>-V</option></arg>
62 <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
63 <arg choice="req">command</arg>
68 <title>DESCRIPTION</title>
69 <para><command>rndc</command>
70 controls the operation of a name
71 server. It supersedes the <command>ndc</command> utility
72 that was provided in old BIND releases. If
73 <command>rndc</command> is invoked with no command line
74 options or arguments, it prints a short summary of the
75 supported commands and the available options and their
78 <para><command>rndc</command>
79 communicates with the name server
80 over a TCP connection, sending commands authenticated with
81 digital signatures. In the current versions of
82 <command>rndc</command> and <command>named</command>,
83 the only supported authentication algorithm is HMAC-MD5,
84 which uses a shared secret on each end of the connection.
85 This provides TSIG-style authentication for the command
86 request and the name server's response. All commands sent
87 over the channel must be signed by a key_id known to the
90 <para><command>rndc</command>
91 reads a configuration file to
92 determine how to contact the name server and decide what
93 algorithm and key it should use.
98 <title>OPTIONS</title>
102 <term>-b <replaceable class="parameter">source-address</replaceable></term>
105 Use <replaceable class="parameter">source-address</replaceable>
106 as the source address for the connection to the server.
107 Multiple instances are permitted to allow setting of both
108 the IPv4 and IPv6 source addresses.
114 <term>-c <replaceable class="parameter">config-file</replaceable></term>
117 Use <replaceable class="parameter">config-file</replaceable>
118 as the configuration file instead of the default,
119 <filename>/etc/rndc.conf</filename>.
125 <term>-k <replaceable class="parameter">key-file</replaceable></term>
128 Use <replaceable class="parameter">key-file</replaceable>
129 as the key file instead of the default,
130 <filename>/etc/rndc.key</filename>. The key in
131 <filename>/etc/rndc.key</filename> will be used to
133 commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
140 <term>-s <replaceable class="parameter">server</replaceable></term>
142 <para><replaceable class="parameter">server</replaceable> is
143 the name or address of the server which matches a
144 server statement in the configuration file for
145 <command>rndc</command>. If no server is supplied on the
146 command line, the host named by the default-server clause
147 in the options statement of the <command>rndc</command>
148 configuration file will be used.
154 <term>-p <replaceable class="parameter">port</replaceable></term>
157 Send commands to TCP port
158 <replaceable class="parameter">port</replaceable>
160 of BIND 9's default control channel port, 953.
169 Enable verbose logging.
175 <term>-y <replaceable class="parameter">key_id</replaceable></term>
178 Use the key <replaceable class="parameter">key_id</replaceable>
179 from the configuration file.
180 <replaceable class="parameter">key_id</replaceable>
182 known by named with the same algorithm and secret string
183 in order for control message validation to succeed.
184 If no <replaceable class="parameter">key_id</replaceable>
185 is specified, <command>rndc</command> will first look
186 for a key clause in the server statement of the server
187 being used, or if no server statement is present for that
188 host, then the default-key clause of the options statement.
189 Note that the configuration file contains shared secrets
190 which are used to send authenticated control commands
191 to name servers. It should therefore not have general read
201 <title>COMMANDS</title>
203 A list of commands supported by <command>rndc</command> can
204 be seen by running <command>rndc</command> without arguments.
207 Currently supported commands are:
212 <term><userinput>reload</userinput></term>
215 Reload configuration file and zones.
221 <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
224 Reload the given zone.
230 <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
233 Schedule zone maintenance for the given zone.
239 <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
242 Retransfer the given zone from the master.
248 <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
251 Fetch all DNSSEC keys for the given zone
252 from the key directory (see the
253 <command>key-directory</command> option in
254 the BIND 9 Administrator Reference Manual). If they are within
255 their publication period, merge them into the
256 zone's DNSKEY RRset. If the DNSKEY RRset
257 is changed, then the zone is automatically
258 re-signed with the new key set.
261 This command requires that the
262 <command>auto-dnssec</command> zone option be set
263 to <literal>allow</literal> or
264 <literal>maintain</literal>,
265 and also requires the zone to be configured to
267 (See "Dynamic Update Policies" in the Administrator
268 Reference Manual for more details.)
274 <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
277 Fetch all DNSSEC keys for the given zone
278 from the key directory. If they are within
279 their publication period, merge them into the
280 zone's DNSKEY RRset. Unlike <command>rndc
281 sign</command>, however, the zone is not
282 immediately re-signed by the new keys, but is
283 allowed to incrementally re-sign over time.
286 This command requires that the
287 <command>auto-dnssec</command> zone option
288 be set to <literal>maintain</literal>,
289 and also requires the zone to be configured to
291 (See "Dynamic Update Policies" in the Administrator
292 Reference Manual for more details.)
298 <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
301 Suspend updates to a dynamic zone. If no zone is
302 specified, then all zones are suspended. This allows
303 manual edits to be made to a zone normally updated by
304 dynamic update. It also causes changes in the
305 journal file to be synced into the master file,
306 and the journal file to be removed.
307 All dynamic update attempts will be refused while
314 <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
317 Enable updates to a frozen dynamic zone. If no
318 zone is specified, then all frozen zones are
319 enabled. This causes the server to reload the zone
320 from disk, and re-enables dynamic updates after the
321 load has completed. After a zone is thawed,
322 dynamic updates will no longer be refused.
328 <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
331 Resend NOTIFY messages for the zone.
337 <term><userinput>reconfig</userinput></term>
340 Reload the configuration file and load new zones,
341 but do not reload existing zone files even if they
343 This is faster than a full <command>reload</command> when there
344 is a large number of zones because it avoids the need
346 modification times of the zones files.
352 <term><userinput>stats</userinput></term>
355 Write server statistics to the statistics file.
361 <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
364 Toggle query logging. Query logging can also be enabled
365 by explicitly directing the <command>queries</command>
366 <command>category</command> to a
367 <command>channel</command> in the
368 <command>logging</command> section of
369 <filename>named.conf</filename> or by specifying
370 <command>querylog yes;</command> in the
371 <command>options</command> section of
372 <filename>named.conf</filename>.
378 <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
381 Dump the server's caches (default) and/or zones to
383 dump file for the specified views. If no view is
391 <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
394 Dump the server's security roots to the secroots
395 file for the specified views. If no view is
396 specified, security roots for all
403 <term><userinput>stop <optional>-p</optional></userinput></term>
406 Stop the server, making sure any recent changes
407 made through dynamic update or IXFR are first saved to
408 the master files of the updated zones.
409 If <option>-p</option> is specified <command>named</command>'s process id is returned.
410 This allows an external process to determine when <command>named</command>
411 had completed stopping.
417 <term><userinput>halt <optional>-p</optional></userinput></term>
420 Stop the server immediately. Recent changes
421 made through dynamic update or IXFR are not saved to
422 the master files, but will be rolled forward from the
423 journal files when the server is restarted.
424 If <option>-p</option> is specified <command>named</command>'s process id is returned.
425 This allows an external process to determine when <command>named</command>
426 had completed halting.
432 <term><userinput>trace</userinput></term>
435 Increment the servers debugging level by one.
441 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
444 Sets the server's debugging level to an explicit
451 <term><userinput>notrace</userinput></term>
454 Sets the server's debugging level to 0.
460 <term><userinput>flush</userinput></term>
463 Flushes the server's cache.
469 <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
472 Flushes the given name from the server's cache.
478 <term><userinput>status</userinput></term>
481 Display status of the server.
482 Note that the number of zones includes the internal <command>bind/CH</command> zone
483 and the default <command>./IN</command>
484 hint zone if there is not an
485 explicit root zone configured.
491 <term><userinput>recursing</userinput></term>
494 Dump the list of queries <command>named</command> is currently recursing
501 <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
504 Enable, disable, or check the current status of
506 Note <command>dnssec-enable</command> also needs to be
507 set to <userinput>yes</userinput> or
508 <userinput>auto</userinput> to be effective.
509 It defaults to enabled.
515 <term><userinput>tsig-list</userinput></term>
518 List the names of all TSIG keys currently configured
519 for use by <command>named</command> in each view. The
520 list both statically configured keys and dynamic
521 TKEY-negotiated keys.
527 <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
530 Delete a given TKEY-negotiated key from the server.
531 (This does not apply to statically configured TSIG
538 <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
541 Add a zone while the server is running. This
543 <command>allow-new-zones</command> option to be set
544 to <userinput>yes</userinput>. The
545 <replaceable>configuration</replaceable> string
546 specified on the command line is the zone
547 configuration text that would ordinarily be
548 placed in <filename>named.conf</filename>.
551 The configuration is saved in a file called
552 <filename><replaceable>hash</replaceable>.nzf</filename>,
553 where <replaceable>hash</replaceable> is a
554 cryptographic hash generated from the name of
555 the view. When <command>named</command> is
556 restarted, the file will be loaded into the view
557 configuration, so that zones that were added
558 can persist after a restart.
561 This sample <command>addzone</command> command
562 would add the zone <literal>example.com</literal>
566 <prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
569 (Note the brackets and semi-colon around the zone
576 <term><userinput>delzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
579 Delete a zone while the server is running.
580 Only zones that were originally added via
581 <command>rndc addzone</command> can be deleted
590 <title>LIMITATIONS</title>
592 There is currently no way to provide the shared secret for a
593 <option>key_id</option> without using the configuration file.
596 Several error messages could be clearer.
601 <title>SEE ALSO</title>
603 <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
606 <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
609 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
612 <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
615 <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
617 <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
622 <title>AUTHOR</title>
623 <para><corpauthor>Internet Systems Consortium</corpauthor>