2 - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000, 2001 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
18 <!-- Converted by db4-upgrade version 1.0 -->
19 <refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
21 <date>2013-12-04</date>
24 <corpname>ISC</corpname>
25 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
29 <refentrytitle><application>rndc</application></refentrytitle>
30 <manvolnum>8</manvolnum>
31 <refmiscinfo>BIND9</refmiscinfo>
35 <refname><application>rndc</application></refname>
36 <refpurpose>name server control utility</refpurpose>
47 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
52 <holder>Internet Software Consortium.</holder>
57 <cmdsynopsis sepchar=" ">
58 <command>rndc</command>
59 <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
60 <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
61 <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
62 <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
63 <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
65 <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
66 <arg choice="req" rep="norepeat">command</arg>
70 <refsection><info><title>DESCRIPTION</title></info>
72 <para><command>rndc</command>
73 controls the operation of a name
74 server. It supersedes the <command>ndc</command> utility
75 that was provided in old BIND releases. If
76 <command>rndc</command> is invoked with no command line
77 options or arguments, it prints a short summary of the
78 supported commands and the available options and their
81 <para><command>rndc</command>
82 communicates with the name server
83 over a TCP connection, sending commands authenticated with
84 digital signatures. In the current versions of
85 <command>rndc</command> and <command>named</command>,
86 the only supported authentication algorithm is HMAC-MD5,
87 which uses a shared secret on each end of the connection.
88 This provides TSIG-style authentication for the command
89 request and the name server's response. All commands sent
90 over the channel must be signed by a key_id known to the
93 <para><command>rndc</command>
94 reads a configuration file to
95 determine how to contact the name server and decide what
96 algorithm and key it should use.
100 <refsection><info><title>OPTIONS</title></info>
105 <term>-b <replaceable class="parameter">source-address</replaceable></term>
108 Use <replaceable class="parameter">source-address</replaceable>
109 as the source address for the connection to the server.
110 Multiple instances are permitted to allow setting of both
111 the IPv4 and IPv6 source addresses.
117 <term>-c <replaceable class="parameter">config-file</replaceable></term>
120 Use <replaceable class="parameter">config-file</replaceable>
121 as the configuration file instead of the default,
122 <filename>/etc/rndc.conf</filename>.
128 <term>-k <replaceable class="parameter">key-file</replaceable></term>
131 Use <replaceable class="parameter">key-file</replaceable>
132 as the key file instead of the default,
133 <filename>/etc/rndc.key</filename>. The key in
134 <filename>/etc/rndc.key</filename> will be used to
136 commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
143 <term>-s <replaceable class="parameter">server</replaceable></term>
145 <para><replaceable class="parameter">server</replaceable> is
146 the name or address of the server which matches a
147 server statement in the configuration file for
148 <command>rndc</command>. If no server is supplied on the
149 command line, the host named by the default-server clause
150 in the options statement of the <command>rndc</command>
151 configuration file will be used.
157 <term>-p <replaceable class="parameter">port</replaceable></term>
160 Send commands to TCP port
161 <replaceable class="parameter">port</replaceable>
163 of BIND 9's default control channel port, 953.
172 Enable verbose logging.
178 <term>-y <replaceable class="parameter">key_id</replaceable></term>
181 Use the key <replaceable class="parameter">key_id</replaceable>
182 from the configuration file.
183 <replaceable class="parameter">key_id</replaceable>
185 known by <command>named</command> with the same algorithm and secret string
186 in order for control message validation to succeed.
187 If no <replaceable class="parameter">key_id</replaceable>
188 is specified, <command>rndc</command> will first look
189 for a key clause in the server statement of the server
190 being used, or if no server statement is present for that
191 host, then the default-key clause of the options statement.
192 Note that the configuration file contains shared secrets
193 which are used to send authenticated control commands
194 to name servers. It should therefore not have general read
203 <refsection><info><title>COMMANDS</title></info>
206 A list of commands supported by <command>rndc</command> can
207 be seen by running <command>rndc</command> without arguments.
210 Currently supported commands are:
216 <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
219 Add a zone while the server is running. This
221 <command>allow-new-zones</command> option to be set
222 to <userinput>yes</userinput>. The
223 <replaceable>configuration</replaceable> string
224 specified on the command line is the zone
225 configuration text that would ordinarily be
226 placed in <filename>named.conf</filename>.
229 The configuration is saved in a file called
230 <filename><replaceable>hash</replaceable>.nzf</filename>,
231 where <replaceable>hash</replaceable> is a
232 cryptographic hash generated from the name of
233 the view. When <command>named</command> is
234 restarted, the file will be loaded into the view
235 configuration, so that zones that were added
236 can persist after a restart.
239 This sample <command>addzone</command> command
240 would add the zone <literal>example.com</literal>
244 <prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
247 (Note the brackets and semi-colon around the zone
251 See also <command>rndc delzone</command>.
257 <term><userinput>delzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
260 Delete a zone while the server is running.
261 Only zones that were originally added via
262 <command>rndc addzone</command> can be deleted
266 See also <command>rndc addzone</command>
272 <term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
275 Dump the server's caches (default) and/or zones to
277 dump file for the specified views. If no view is
280 (See the <command>dump-file</command> option in
281 the BIND 9 Administrator Reference Manual.)
287 <term><userinput>flush</userinput></term>
290 Flushes the server's cache.
296 <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
299 Flushes the given name from the view's DNS cache
300 and, if applicable, from the view's nameserver address
301 database or bad-server cache.
307 <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
310 Flushes the given name, and all of its subdomains,
311 from the view's DNS cache. Note that this does
312 <emphasis>not</emphasis> affect he server's address
313 database or bad-server cache.
319 <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
322 Suspend updates to a dynamic zone. If no zone is
323 specified, then all zones are suspended. This allows
324 manual edits to be made to a zone normally updated by
325 dynamic update. It also causes changes in the
326 journal file to be synced into the master file.
327 All dynamic update attempts will be refused while
331 See also <command>rndc thaw</command>.
337 <term><userinput>halt <optional>-p</optional></userinput></term>
340 Stop the server immediately. Recent changes
341 made through dynamic update or IXFR are not saved to
342 the master files, but will be rolled forward from the
343 journal files when the server is restarted.
344 If <option>-p</option> is specified <command>named</command>'s process id is returned.
345 This allows an external process to determine when <command>named</command>
346 had completed halting.
349 See also <command>rndc stop</command>.
355 <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
358 Fetch all DNSSEC keys for the given zone
359 from the key directory. If they are within
360 their publication period, merge them into the
361 zone's DNSKEY RRset. Unlike <command>rndc
362 sign</command>, however, the zone is not
363 immediately re-signed by the new keys, but is
364 allowed to incrementally re-sign over time.
367 This command requires that the
368 <command>auto-dnssec</command> zone option
369 be set to <literal>maintain</literal>,
370 and also requires the zone to be configured to
372 (See "Dynamic Update Policies" in the Administrator
373 Reference Manual for more details.)
379 <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
382 Resend NOTIFY messages for the zone.
388 <term><userinput>notrace</userinput></term>
391 Sets the server's debugging level to 0.
394 See also <command>rndc trace</command>.
400 <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
403 Enable or disable query logging. (For backward
404 compatibility, this command can also be used without
405 an argument to toggle query logging on and off.)
408 Query logging can also be enabled
409 by explicitly directing the <command>queries</command>
410 <command>category</command> to a
411 <command>channel</command> in the
412 <command>logging</command> section of
413 <filename>named.conf</filename> or by specifying
414 <command>querylog yes;</command> in the
415 <command>options</command> section of
416 <filename>named.conf</filename>.
422 <term><userinput>reconfig</userinput></term>
425 Reload the configuration file and load new zones,
426 but do not reload existing zone files even if they
428 This is faster than a full <command>reload</command> when there
429 is a large number of zones because it avoids the need
431 modification times of the zones files.
437 <term><userinput>recursing</userinput></term>
440 Dump the list of queries <command>named</command> is currently
441 recursing on, and the list of domains to which iterative
442 queries are currently being sent. (The second list includes
443 the number of fetches currently active for the given domain,
444 and how many have been passed or dropped because of the
445 <option>fetches-per-zone</option> option.)
451 <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
454 Schedule zone maintenance for the given zone.
460 <term><userinput>reload</userinput></term>
463 Reload configuration file and zones.
469 <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
472 Reload the given zone.
478 <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
481 Retransfer the given slave zone from the master server.
484 If the zone is configured to use
485 <command>inline-signing</command>, the signed
486 version of the zone is discarded; after the
487 retransfer of the unsigned version is complete, the
488 signed version will be regenerated with all new
495 <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
498 Dump the server's security roots to the secroots
499 file for the specified views. If no view is
500 specified, security roots for all
507 <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
510 Fetch all DNSSEC keys for the given zone
511 from the key directory (see the
512 <command>key-directory</command> option in
513 the BIND 9 Administrator Reference Manual). If they are within
514 their publication period, merge them into the
515 zone's DNSKEY RRset. If the DNSKEY RRset
516 is changed, then the zone is automatically
517 re-signed with the new key set.
520 This command requires that the
521 <command>auto-dnssec</command> zone option be set
522 to <literal>allow</literal> or
523 <literal>maintain</literal>,
524 and also requires the zone to be configured to
526 (See "Dynamic Update Policies" in the Administrator
527 Reference Manual for more details.)
530 See also <command>rndc loadkeys</command>.
536 <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
539 List, edit, or remove the DNSSEC signing state records
540 for the specified zone. The status of ongoing DNSSEC
541 operations (such as signing or generating
542 NSEC3 chains) is stored in the zone in the form
543 of DNS resource records of type
544 <command>sig-signing-type</command>.
545 <command>rndc signing -list</command> converts
546 these records into a human-readable form,
547 indicating which keys are currently signing
548 or have finished signing the zone, and which NSEC3
549 chains are being created or removed.
552 <command>rndc signing -clear</command> can remove
553 a single key (specified in the same format that
554 <command>rndc signing -list</command> uses to
555 display it), or all keys. In either case, only
556 completed keys are removed; any record indicating
557 that a key has not yet finished signing the zone
561 <command>rndc signing -nsec3param</command> sets
562 the NSEC3 parameters for a zone. This is the
563 only supported mechanism for using NSEC3 with
564 <command>inline-signing</command> zones.
565 Parameters are specified in the same format as
566 an NSEC3PARAM resource record: hash algorithm,
567 flags, iterations, and salt, in that order.
570 Currently, the only defined value for hash algorithm
571 is <literal>1</literal>, representing SHA-1.
572 The <option>flags</option> may be set to
573 <literal>0</literal> or <literal>1</literal>,
574 depending on whether you wish to set the opt-out
575 bit in the NSEC3 chain. <option>iterations</option>
576 defines the number of additional times to apply
577 the algorithm when generating an NSEC3 hash. The
578 <option>salt</option> is a string of data expressed
579 in hexadecimal, or a hyphen (`-') if no salt is
583 So, for example, to create an NSEC3 chain using
584 the SHA-1 hash algorithm, no opt-out flag,
585 10 iterations, and a salt value of "FFFF", use:
586 <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
587 To set the opt-out flag, 15 iterations, and no
589 <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
592 <command>rndc signing -nsec3param none</command>
593 removes an existing NSEC3 chain and replaces it
600 <term><userinput>stats</userinput></term>
603 Write server statistics to the statistics file.
604 (See the <command>statistics-file</command> option in
605 the BIND 9 Administrator Reference Manual.)
611 <term><userinput>status</userinput></term>
614 Display status of the server.
615 Note that the number of zones includes the internal <command>bind/CH</command> zone
616 and the default <command>./IN</command>
617 hint zone if there is not an
618 explicit root zone configured.
624 <term><userinput>stop <optional>-p</optional></userinput></term>
627 Stop the server, making sure any recent changes
628 made through dynamic update or IXFR are first saved to
629 the master files of the updated zones.
630 If <option>-p</option> is specified <command>named</command>'s process id is returned.
631 This allows an external process to determine when <command>named</command>
632 had completed stopping.
634 <para>See also <command>rndc halt</command>.</para>
639 <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
642 Sync changes in the journal file for a dynamic zone
643 to the master file. If the "-clean" option is
644 specified, the journal file is also removed. If
645 no zone is specified, then all zones are synced.
651 <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
654 Enable updates to a frozen dynamic zone. If no
655 zone is specified, then all frozen zones are
656 enabled. This causes the server to reload the zone
657 from disk, and re-enables dynamic updates after the
658 load has completed. After a zone is thawed,
659 dynamic updates will no longer be refused. If
660 the zone has changed and the
661 <command>ixfr-from-differences</command> option is
662 in use, then the journal file will be updated to
663 reflect changes in the zone. Otherwise, if the
664 zone has changed, any existing journal file will be
667 <para>See also <command>rndc freeze</command>.</para>
672 <term><userinput>trace</userinput></term>
675 Increment the servers debugging level by one.
681 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
684 Sets the server's debugging level to an explicit
688 See also <command>rndc notrace</command>.
694 <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
697 Delete a given TKEY-negotiated key from the server.
698 (This does not apply to statically configured TSIG
705 <term><userinput>tsig-list</userinput></term>
708 List the names of all TSIG keys currently configured
709 for use by <command>named</command> in each view. The
710 list both statically configured keys and dynamic
711 TKEY-negotiated keys.
717 <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
720 Enable, disable, or check the current status of
722 Note <command>dnssec-enable</command> also needs to be
723 set to <userinput>yes</userinput> or
724 <userinput>auto</userinput> to be effective.
725 It defaults to enabled.
733 <refsection><info><title>LIMITATIONS</title></info>
736 There is currently no way to provide the shared secret for a
737 <option>key_id</option> without using the configuration file.
740 Several error messages could be clearer.
744 <refsection><info><title>SEE ALSO</title></info>
747 <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
750 <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
753 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
756 <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
759 <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
761 <citetitle>BIND 9 Administrator Reference Manual</citetitle>.