2 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
25 <link rel="prev" href="man.nsupdate.html" title="nsupdate">
26 <link rel="next" href="man.rndc.conf.html" title="rndc.conf">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
35 <th width="60%" align="center">Manual pages</th>
36 <td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
42 <div class="refentry" lang="en">
43 <a name="man.rndc"></a><div class="titlepage"></div>
44 <div class="refnamediv">
46 <p><span class="application">rndc</span> — name server control utility</p>
48 <div class="refsynopsisdiv">
50 <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
52 <div class="refsect1" lang="en">
53 <a name="id2644443"></a><h2>DESCRIPTION</h2>
54 <p><span><strong class="command">rndc</strong></span>
55 controls the operation of a name
56 server. It supersedes the <span><strong class="command">ndc</strong></span> utility
57 that was provided in old BIND releases. If
58 <span><strong class="command">rndc</strong></span> is invoked with no command line
59 options or arguments, it prints a short summary of the
60 supported commands and the available options and their
63 <p><span><strong class="command">rndc</strong></span>
64 communicates with the name server
65 over a TCP connection, sending commands authenticated with
66 digital signatures. In the current versions of
67 <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
68 the only supported authentication algorithm is HMAC-MD5,
69 which uses a shared secret on each end of the connection.
70 This provides TSIG-style authentication for the command
71 request and the name server's response. All commands sent
72 over the channel must be signed by a key_id known to the
75 <p><span><strong class="command">rndc</strong></span>
76 reads a configuration file to
77 determine how to contact the name server and decide what
78 algorithm and key it should use.
81 <div class="refsect1" lang="en">
82 <a name="id2644562"></a><h2>OPTIONS</h2>
83 <div class="variablelist"><dl>
84 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
86 Use <em class="replaceable"><code>source-address</code></em>
87 as the source address for the connection to the server.
88 Multiple instances are permitted to allow setting of both
89 the IPv4 and IPv6 source addresses.
91 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
93 Use <em class="replaceable"><code>config-file</code></em>
94 as the configuration file instead of the default,
95 <code class="filename">/etc/rndc.conf</code>.
97 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
99 Use <em class="replaceable"><code>key-file</code></em>
100 as the key file instead of the default,
101 <code class="filename">/etc/rndc.key</code>. The key in
102 <code class="filename">/etc/rndc.key</code> will be used to
104 commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
107 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
108 <dd><p><em class="replaceable"><code>server</code></em> is
109 the name or address of the server which matches a
110 server statement in the configuration file for
111 <span><strong class="command">rndc</strong></span>. If no server is supplied on the
112 command line, the host named by the default-server clause
113 in the options statement of the <span><strong class="command">rndc</strong></span>
114 configuration file will be used.
116 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
118 Send commands to TCP port
119 <em class="replaceable"><code>port</code></em>
121 of BIND 9's default control channel port, 953.
123 <dt><span class="term">-V</span></dt>
125 Enable verbose logging.
127 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
129 Use the key <em class="replaceable"><code>key_id</code></em>
130 from the configuration file.
131 <em class="replaceable"><code>key_id</code></em>
133 known by named with the same algorithm and secret string
134 in order for control message validation to succeed.
135 If no <em class="replaceable"><code>key_id</code></em>
136 is specified, <span><strong class="command">rndc</strong></span> will first look
137 for a key clause in the server statement of the server
138 being used, or if no server statement is present for that
139 host, then the default-key clause of the options statement.
140 Note that the configuration file contains shared secrets
141 which are used to send authenticated control commands
142 to name servers. It should therefore not have general read
147 <div class="refsect1" lang="en">
148 <a name="id2645112"></a><h2>COMMANDS</h2>
150 A list of commands supported by <span><strong class="command">rndc</strong></span> can
151 be seen by running <span><strong class="command">rndc</strong></span> without arguments.
154 Currently supported commands are:
156 <div class="variablelist"><dl>
157 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
159 Reload configuration file and zones.
161 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
163 Reload the given zone.
165 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
167 Schedule zone maintenance for the given zone.
169 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
172 Retransfer the given slave zone from the master server.
175 If the zone is configured to use
176 <span><strong class="command">inline-signing</strong></span>, the signed
177 version of the zone is discarded; after the
178 retransfer of the unsigned version is complete, the
179 signed version will be regenerated with all new
183 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
186 Fetch all DNSSEC keys for the given zone
187 from the key directory (see the
188 <span><strong class="command">key-directory</strong></span> option in
189 the BIND 9 Administrator Reference Manual). If they are within
190 their publication period, merge them into the
191 zone's DNSKEY RRset. If the DNSKEY RRset
192 is changed, then the zone is automatically
193 re-signed with the new key set.
196 This command requires that the
197 <span><strong class="command">auto-dnssec</strong></span> zone option be set
198 to <code class="literal">allow</code> or
199 <code class="literal">maintain</code>,
200 and also requires the zone to be configured to
202 (See "Dynamic Update Policies" in the Administrator
203 Reference Manual for more details.)
206 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
209 Fetch all DNSSEC keys for the given zone
210 from the key directory. If they are within
211 their publication period, merge them into the
212 zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
213 sign</strong></span>, however, the zone is not
214 immediately re-signed by the new keys, but is
215 allowed to incrementally re-sign over time.
218 This command requires that the
219 <span><strong class="command">auto-dnssec</strong></span> zone option
220 be set to <code class="literal">maintain</code>,
221 and also requires the zone to be configured to
223 (See "Dynamic Update Policies" in the Administrator
224 Reference Manual for more details.)
227 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
229 Suspend updates to a dynamic zone. If no zone is
230 specified, then all zones are suspended. This allows
231 manual edits to be made to a zone normally updated by
232 dynamic update. It also causes changes in the
233 journal file to be synced into the master file.
234 All dynamic update attempts will be refused while
237 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
239 Enable updates to a frozen dynamic zone. If no
240 zone is specified, then all frozen zones are
241 enabled. This causes the server to reload the zone
242 from disk, and re-enables dynamic updates after the
243 load has completed. After a zone is thawed,
244 dynamic updates will no longer be refused. If
245 the zone has changed and the
246 <span><strong class="command">ixfr-from-differences</strong></span> option is
247 in use, then the journal file will be updated to
248 reflect changes in the zone. Otherwise, if the
249 zone has changed, any existing journal file will be
252 <dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
254 Sync changes in the journal file for a dynamic zone
255 to the master file. If the "-clean" option is
256 specified, the journal file is also removed. If
257 no zone is specified, then all zones are synced.
259 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
261 Resend NOTIFY messages for the zone.
263 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
265 Reload the configuration file and load new zones,
266 but do not reload existing zone files even if they
268 This is faster than a full <span><strong class="command">reload</strong></span> when there
269 is a large number of zones because it avoids the need
271 modification times of the zones files.
273 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
275 Write server statistics to the statistics file.
277 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
280 Enable or disable query logging. (For backward
281 compatibility, this command can also be used without
282 an argument to toggle query logging on and off.)
285 Query logging can also be enabled
286 by explicitly directing the <span><strong class="command">queries</strong></span>
287 <span><strong class="command">category</strong></span> to a
288 <span><strong class="command">channel</strong></span> in the
289 <span><strong class="command">logging</strong></span> section of
290 <code class="filename">named.conf</code> or by specifying
291 <span><strong class="command">querylog yes;</strong></span> in the
292 <span><strong class="command">options</strong></span> section of
293 <code class="filename">named.conf</code>.
296 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
298 Dump the server's caches (default) and/or zones to
300 dump file for the specified views. If no view is
304 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
306 Dump the server's security roots to the secroots
307 file for the specified views. If no view is
308 specified, security roots for all
311 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
313 Stop the server, making sure any recent changes
314 made through dynamic update or IXFR are first saved to
315 the master files of the updated zones.
316 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
317 This allows an external process to determine when <span><strong class="command">named</strong></span>
318 had completed stopping.
320 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
322 Stop the server immediately. Recent changes
323 made through dynamic update or IXFR are not saved to
324 the master files, but will be rolled forward from the
325 journal files when the server is restarted.
326 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
327 This allows an external process to determine when <span><strong class="command">named</strong></span>
328 had completed halting.
330 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
332 Increment the servers debugging level by one.
334 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
336 Sets the server's debugging level to an explicit
339 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
341 Sets the server's debugging level to 0.
343 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
345 Flushes the server's cache.
347 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
349 Flushes the given name from the server's DNS cache
350 and, if applicable, from the server's nameserver address
351 database or bad-server cache.
353 <dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
355 Flushes the given name, and all of its subdomains,
356 from the server's DNS cache. Note that this does
357 <span class="emphasis"><em>not</em></span> affect he server's address
358 database or bad-server cache.
360 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
362 Display status of the server.
363 Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
364 and the default <span><strong class="command">./IN</strong></span>
365 hint zone if there is not an
366 explicit root zone configured.
368 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
370 Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
373 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
375 Enable, disable, or check the current status of
377 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
378 set to <strong class="userinput"><code>yes</code></strong> or
379 <strong class="userinput"><code>auto</code></strong> to be effective.
380 It defaults to enabled.
382 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
384 List the names of all TSIG keys currently configured
385 for use by <span><strong class="command">named</strong></span> in each view. The
386 list both statically configured keys and dynamic
387 TKEY-negotiated keys.
389 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
391 Delete a given TKEY-negotiated key from the server.
392 (This does not apply to statically configured TSIG
395 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
398 Add a zone while the server is running. This
400 <span><strong class="command">allow-new-zones</strong></span> option to be set
401 to <strong class="userinput"><code>yes</code></strong>. The
402 <em class="replaceable"><code>configuration</code></em> string
403 specified on the command line is the zone
404 configuration text that would ordinarily be
405 placed in <code class="filename">named.conf</code>.
408 The configuration is saved in a file called
409 <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
410 where <em class="replaceable"><code>hash</code></em> is a
411 cryptographic hash generated from the name of
412 the view. When <span><strong class="command">named</strong></span> is
413 restarted, the file will be loaded into the view
414 configuration, so that zones that were added
415 can persist after a restart.
418 This sample <span><strong class="command">addzone</strong></span> command
419 would add the zone <code class="literal">example.com</code>
423 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
426 (Note the brackets and semi-colon around the zone
430 <dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
432 Delete a zone while the server is running.
433 Only zones that were originally added via
434 <span><strong class="command">rndc addzone</strong></span> can be deleted
437 <dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
440 List, edit, or remove the DNSSEC signing state records
441 for the specified zone. The status of ongoing DNSSEC
442 operations (such as signing or generating
443 NSEC3 chains) is stored in the zone in the form
444 of DNS resource records of type
445 <span><strong class="command">sig-signing-type</strong></span>.
446 <span><strong class="command">rndc signing -list</strong></span> converts
447 these records into a human-readable form,
448 indicating which keys are currently signing
449 or have finished signing the zone, and which NSEC3
450 chains are being created or removed.
453 <span><strong class="command">rndc signing -clear</strong></span> can remove
454 a single key (specified in the same format that
455 <span><strong class="command">rndc signing -list</strong></span> uses to
456 display it), or all keys. In either case, only
457 completed keys are removed; any record indicating
458 that a key has not yet finished signing the zone
462 <span><strong class="command">rndc signing -nsec3param</strong></span> sets
463 the NSEC3 parameters for a zone. This is the
464 only supported mechanism for using NSEC3 with
465 <span><strong class="command">inline-signing</strong></span> zones.
466 Parameters are specified in the same format as
467 an NSEC3PARAM resource record: hash algorithm,
468 flags, iterations, and salt, in that order.
471 Currently, the only defined value for hash algorithm
472 is <code class="literal">1</code>, representing SHA-1.
473 The <code class="option">flags</code> may be set to
474 <code class="literal">0</code> or <code class="literal">1</code>,
475 depending on whether you wish to set the opt-out
476 bit in the NSEC3 chain. <code class="option">iterations</code>
477 defines the number of additional times to apply
478 the algorithm when generating an NSEC3 hash. The
479 <code class="option">salt</code> is a string of data expressed
480 in hexadecimal, or a hyphen (`-') if no salt is
484 So, for example, to create an NSEC3 chain using
485 the SHA-1 hash algorithm, no opt-out flag,
486 10 iterations, and a salt value of "FFFF", use:
487 <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
488 To set the opt-out flag, 15 iterations, and no
490 <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
493 <span><strong class="command">rndc signing -nsec3param none</strong></span>
494 removes an existing NSEC3 chain and replaces it
500 <div class="refsect1" lang="en">
501 <a name="id2681511"></a><h2>LIMITATIONS</h2>
503 There is currently no way to provide the shared secret for a
504 <code class="option">key_id</code> without using the configuration file.
507 Several error messages could be clearer.
510 <div class="refsect1" lang="en">
511 <a name="id2681529"></a><h2>SEE ALSO</h2>
512 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
513 <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
514 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
515 <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
516 <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
517 <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
520 <div class="refsect1" lang="en">
521 <a name="id2681585"></a><h2>AUTHOR</h2>
522 <p><span class="corpauthor">Internet Systems Consortium</span>
526 <div class="navfooter">
528 <table width="100%" summary="Navigation footer">
530 <td width="40%" align="left">
531 <a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
532 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
533 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
537 <td width="40%" align="left" valign="top">
538 <span class="application">nsupdate</span> </td>
539 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
540 <td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
545 <p style="text-align: center;">BIND Version 9.9</p>