2 - Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000, 2001 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
24 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
25 <a name="man.rndc"></a><div class="titlepage"></div>
26 <div class="refnamediv">
28 <p><span class="application">rndc</span> — name server control utility</p>
30 <div class="refsynopsisdiv">
32 <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
34 <div class="refsect1" lang="en">
35 <a name="id2543431"></a><h2>DESCRIPTION</h2>
36 <p><span><strong class="command">rndc</strong></span>
37 controls the operation of a name
38 server. It supersedes the <span><strong class="command">ndc</strong></span> utility
39 that was provided in old BIND releases. If
40 <span><strong class="command">rndc</strong></span> is invoked with no command line
41 options or arguments, it prints a short summary of the
42 supported commands and the available options and their
45 <p><span><strong class="command">rndc</strong></span>
46 communicates with the name server
47 over a TCP connection, sending commands authenticated with
48 digital signatures. In the current versions of
49 <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
50 the only supported authentication algorithm is HMAC-MD5,
51 which uses a shared secret on each end of the connection.
52 This provides TSIG-style authentication for the command
53 request and the name server's response. All commands sent
54 over the channel must be signed by a key_id known to the
57 <p><span><strong class="command">rndc</strong></span>
58 reads a configuration file to
59 determine how to contact the name server and decide what
60 algorithm and key it should use.
63 <div class="refsect1" lang="en">
64 <a name="id2543466"></a><h2>OPTIONS</h2>
65 <div class="variablelist"><dl>
66 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
68 Use <em class="replaceable"><code>source-address</code></em>
69 as the source address for the connection to the server.
70 Multiple instances are permitted to allow setting of both
71 the IPv4 and IPv6 source addresses.
73 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
75 Use <em class="replaceable"><code>config-file</code></em>
76 as the configuration file instead of the default,
77 <code class="filename">/etc/rndc.conf</code>.
79 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
81 Use <em class="replaceable"><code>key-file</code></em>
82 as the key file instead of the default,
83 <code class="filename">/etc/rndc.key</code>. The key in
84 <code class="filename">/etc/rndc.key</code> will be used to
86 commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
89 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
90 <dd><p><em class="replaceable"><code>server</code></em> is
91 the name or address of the server which matches a
92 server statement in the configuration file for
93 <span><strong class="command">rndc</strong></span>. If no server is supplied on the
94 command line, the host named by the default-server clause
95 in the options statement of the <span><strong class="command">rndc</strong></span>
96 configuration file will be used.
98 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
100 Send commands to TCP port
101 <em class="replaceable"><code>port</code></em>
103 of BIND 9's default control channel port, 953.
105 <dt><span class="term">-V</span></dt>
107 Enable verbose logging.
109 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
111 Use the key <em class="replaceable"><code>key_id</code></em>
112 from the configuration file.
113 <em class="replaceable"><code>key_id</code></em>
115 known by <span><strong class="command">named</strong></span> with the same algorithm and secret string
116 in order for control message validation to succeed.
117 If no <em class="replaceable"><code>key_id</code></em>
118 is specified, <span><strong class="command">rndc</strong></span> will first look
119 for a key clause in the server statement of the server
120 being used, or if no server statement is present for that
121 host, then the default-key clause of the options statement.
122 Note that the configuration file contains shared secrets
123 which are used to send authenticated control commands
124 to name servers. It should therefore not have general read
129 <div class="refsect1" lang="en">
130 <a name="id2543667"></a><h2>COMMANDS</h2>
132 A list of commands supported by <span><strong class="command">rndc</strong></span> can
133 be seen by running <span><strong class="command">rndc</strong></span> without arguments.
136 Currently supported commands are:
138 <div class="variablelist"><dl>
139 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
142 Add a zone while the server is running. This
144 <span><strong class="command">allow-new-zones</strong></span> option to be set
145 to <strong class="userinput"><code>yes</code></strong>. The
146 <em class="replaceable"><code>configuration</code></em> string
147 specified on the command line is the zone
148 configuration text that would ordinarily be
149 placed in <code class="filename">named.conf</code>.
152 The configuration is saved in a file called
153 <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
154 where <em class="replaceable"><code>hash</code></em> is a
155 cryptographic hash generated from the name of
156 the view. When <span><strong class="command">named</strong></span> is
157 restarted, the file will be loaded into the view
158 configuration, so that zones that were added
159 can persist after a restart.
162 This sample <span><strong class="command">addzone</strong></span> command
163 would add the zone <code class="literal">example.com</code>
167 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
170 (Note the brackets and semi-colon around the zone
174 See also <span><strong class="command">rndc delzone</strong></span>.
177 <dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
180 Delete a zone while the server is running.
181 Only zones that were originally added via
182 <span><strong class="command">rndc addzone</strong></span> can be deleted
186 See also <span><strong class="command">rndc addzone</strong></span>
189 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone|-adb|-bad</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
191 Dump the server's caches (default) and/or zones to
193 dump file for the specified views. If no view is
196 (See the <span><strong class="command">dump-file</strong></span> option in
197 the BIND 9 Administrator Reference Manual.)
199 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
201 Flushes the server's cache.
203 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
205 Flushes the given name from the view's DNS cache
206 and, if applicable, from the view's nameserver address
207 database or bad-server cache.
209 <dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
211 Flushes the given name, and all of its subdomains,
212 from the view's DNS cache. Note that this does
213 <span class="emphasis"><em>not</em></span> affect he server's address
214 database or bad-server cache.
216 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
219 Suspend updates to a dynamic zone. If no zone is
220 specified, then all zones are suspended. This allows
221 manual edits to be made to a zone normally updated by
222 dynamic update. It also causes changes in the
223 journal file to be synced into the master file.
224 All dynamic update attempts will be refused while
228 See also <span><strong class="command">rndc thaw</strong></span>.
231 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
234 Stop the server immediately. Recent changes
235 made through dynamic update or IXFR are not saved to
236 the master files, but will be rolled forward from the
237 journal files when the server is restarted.
238 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
239 This allows an external process to determine when <span><strong class="command">named</strong></span>
240 had completed halting.
243 See also <span><strong class="command">rndc stop</strong></span>.
246 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
249 Fetch all DNSSEC keys for the given zone
250 from the key directory. If they are within
251 their publication period, merge them into the
252 zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
253 sign</strong></span>, however, the zone is not
254 immediately re-signed by the new keys, but is
255 allowed to incrementally re-sign over time.
258 This command requires that the
259 <span><strong class="command">auto-dnssec</strong></span> zone option
260 be set to <code class="literal">maintain</code>,
261 and also requires the zone to be configured to
263 (See "Dynamic Update Policies" in the Administrator
264 Reference Manual for more details.)
267 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
269 Resend NOTIFY messages for the zone.
271 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
274 Sets the server's debugging level to 0.
277 See also <span><strong class="command">rndc trace</strong></span>.
280 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
283 Enable or disable query logging. (For backward
284 compatibility, this command can also be used without
285 an argument to toggle query logging on and off.)
288 Query logging can also be enabled
289 by explicitly directing the <span><strong class="command">queries</strong></span>
290 <span><strong class="command">category</strong></span> to a
291 <span><strong class="command">channel</strong></span> in the
292 <span><strong class="command">logging</strong></span> section of
293 <code class="filename">named.conf</code> or by specifying
294 <span><strong class="command">querylog yes;</strong></span> in the
295 <span><strong class="command">options</strong></span> section of
296 <code class="filename">named.conf</code>.
299 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
301 Reload the configuration file and load new zones,
302 but do not reload existing zone files even if they
304 This is faster than a full <span><strong class="command">reload</strong></span> when there
305 is a large number of zones because it avoids the need
307 modification times of the zones files.
309 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
311 Dump the list of queries <span><strong class="command">named</strong></span> is currently
312 recursing on, and the list of domains to which iterative
313 queries are currently being sent. (The second list includes
314 the number of fetches currently active for the given domain,
315 and how many have been passed or dropped because of the
316 <code class="option">fetches-per-zone</code> option.)
318 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
320 Schedule zone maintenance for the given zone.
322 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
324 Reload configuration file and zones.
326 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
328 Reload the given zone.
330 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
333 Retransfer the given slave zone from the master server.
336 If the zone is configured to use
337 <span><strong class="command">inline-signing</strong></span>, the signed
338 version of the zone is discarded; after the
339 retransfer of the unsigned version is complete, the
340 signed version will be regenerated with all new
344 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
346 Dump the server's security roots to the secroots
347 file for the specified views. If no view is
348 specified, security roots for all
351 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
354 Fetch all DNSSEC keys for the given zone
355 from the key directory (see the
356 <span><strong class="command">key-directory</strong></span> option in
357 the BIND 9 Administrator Reference Manual). If they are within
358 their publication period, merge them into the
359 zone's DNSKEY RRset. If the DNSKEY RRset
360 is changed, then the zone is automatically
361 re-signed with the new key set.
364 This command requires that the
365 <span><strong class="command">auto-dnssec</strong></span> zone option be set
366 to <code class="literal">allow</code> or
367 <code class="literal">maintain</code>,
368 and also requires the zone to be configured to
370 (See "Dynamic Update Policies" in the Administrator
371 Reference Manual for more details.)
374 See also <span><strong class="command">rndc loadkeys</strong></span>.
377 <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
380 List, edit, or remove the DNSSEC signing state records
381 for the specified zone. The status of ongoing DNSSEC
382 operations (such as signing or generating
383 NSEC3 chains) is stored in the zone in the form
384 of DNS resource records of type
385 <span><strong class="command">sig-signing-type</strong></span>.
386 <span><strong class="command">rndc signing -list</strong></span> converts
387 these records into a human-readable form,
388 indicating which keys are currently signing
389 or have finished signing the zone, and which NSEC3
390 chains are being created or removed.
393 <span><strong class="command">rndc signing -clear</strong></span> can remove
394 a single key (specified in the same format that
395 <span><strong class="command">rndc signing -list</strong></span> uses to
396 display it), or all keys. In either case, only
397 completed keys are removed; any record indicating
398 that a key has not yet finished signing the zone
402 <span><strong class="command">rndc signing -nsec3param</strong></span> sets
403 the NSEC3 parameters for a zone. This is the
404 only supported mechanism for using NSEC3 with
405 <span><strong class="command">inline-signing</strong></span> zones.
406 Parameters are specified in the same format as
407 an NSEC3PARAM resource record: hash algorithm,
408 flags, iterations, and salt, in that order.
411 Currently, the only defined value for hash algorithm
412 is <code class="literal">1</code>, representing SHA-1.
413 The <code class="option">flags</code> may be set to
414 <code class="literal">0</code> or <code class="literal">1</code>,
415 depending on whether you wish to set the opt-out
416 bit in the NSEC3 chain. <code class="option">iterations</code>
417 defines the number of additional times to apply
418 the algorithm when generating an NSEC3 hash. The
419 <code class="option">salt</code> is a string of data expressed
420 in hexadecimal, or a hyphen (`-') if no salt is
424 So, for example, to create an NSEC3 chain using
425 the SHA-1 hash algorithm, no opt-out flag,
426 10 iterations, and a salt value of "FFFF", use:
427 <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
428 To set the opt-out flag, 15 iterations, and no
430 <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
433 <span><strong class="command">rndc signing -nsec3param none</strong></span>
434 removes an existing NSEC3 chain and replaces it
438 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
440 Write server statistics to the statistics file.
441 (See the <span><strong class="command">statistics-file</strong></span> option in
442 the BIND 9 Administrator Reference Manual.)
444 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
446 Display status of the server.
447 Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
448 and the default <span><strong class="command">./IN</strong></span>
449 hint zone if there is not an
450 explicit root zone configured.
452 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
455 Stop the server, making sure any recent changes
456 made through dynamic update or IXFR are first saved to
457 the master files of the updated zones.
458 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
459 This allows an external process to determine when <span><strong class="command">named</strong></span>
460 had completed stopping.
462 <p>See also <span><strong class="command">rndc halt</strong></span>.</p>
464 <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
466 Sync changes in the journal file for a dynamic zone
467 to the master file. If the "-clean" option is
468 specified, the journal file is also removed. If
469 no zone is specified, then all zones are synced.
471 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
474 Enable updates to a frozen dynamic zone. If no
475 zone is specified, then all frozen zones are
476 enabled. This causes the server to reload the zone
477 from disk, and re-enables dynamic updates after the
478 load has completed. After a zone is thawed,
479 dynamic updates will no longer be refused. If
480 the zone has changed and the
481 <span><strong class="command">ixfr-from-differences</strong></span> option is
482 in use, then the journal file will be updated to
483 reflect changes in the zone. Otherwise, if the
484 zone has changed, any existing journal file will be
487 <p>See also <span><strong class="command">rndc freeze</strong></span>.</p>
489 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
491 Increment the servers debugging level by one.
493 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
496 Sets the server's debugging level to an explicit
500 See also <span><strong class="command">rndc notrace</strong></span>.
503 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
505 Delete a given TKEY-negotiated key from the server.
506 (This does not apply to statically configured TSIG
509 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
511 List the names of all TSIG keys currently configured
512 for use by <span><strong class="command">named</strong></span> in each view. The
513 list both statically configured keys and dynamic
514 TKEY-negotiated keys.
516 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
518 Enable, disable, or check the current status of
520 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
521 set to <strong class="userinput"><code>yes</code></strong> or
522 <strong class="userinput"><code>auto</code></strong> to be effective.
523 It defaults to enabled.
527 <div class="refsect1" lang="en">
528 <a name="id2544994"></a><h2>LIMITATIONS</h2>
530 There is currently no way to provide the shared secret for a
531 <code class="option">key_id</code> without using the configuration file.
534 Several error messages could be clearer.
537 <div class="refsect1" lang="en">
538 <a name="id2545012"></a><h2>SEE ALSO</h2>
539 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
540 <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
541 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
542 <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
543 <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
544 <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
547 <div class="refsect1" lang="en">
548 <a name="id2545067"></a><h2>AUTHOR</h2>
549 <p><span class="corpauthor">Internet Systems Consortium</span>