2 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: Bv9ARM.ch03.html,v 1.83.8.1 2011-05-24 02:37:17 tbox Exp $ -->
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>Chapter 3. Name Server Configuration</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25 <link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
26 <link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
35 <th width="60%" align="center"> </th>
36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
42 <div class="chapter" lang="en">
43 <div class="titlepage"><div><div><h2 class="title">
44 <a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
46 <p><b>Table of Contents</b></p>
48 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
50 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567767">A Caching-only Name Server</a></span></dt>
51 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567988">An Authoritative-only Name Server</a></span></dt>
53 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568010">Load Balancing</a></span></dt>
54 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568364">Name Server Operations</a></span></dt>
56 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568370">Tools for Use With the Name Server Daemon</a></span></dt>
57 <dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570378">Signals</a></span></dt>
62 In this chapter we provide some suggested configurations along
63 with guidelines for their use. We suggest reasonable values for
64 certain option settings.
66 <div class="sect1" lang="en">
67 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
68 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
69 <div class="sect2" lang="en">
70 <div class="titlepage"><div><div><h3 class="title">
71 <a name="id2567767"></a>A Caching-only Name Server</h3></div></div></div>
73 The following sample configuration is appropriate for a caching-only
74 name server for use by clients internal to a corporation. All
76 from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
77 option. Alternatively, the same effect could be achieved using
81 <pre class="programlisting">
82 // Two corporate subnets we wish to allow queries from.
83 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
86 directory "/etc/namedb";
88 allow-query { corpnets; };
90 // Provide a reverse mapping for the loopback
92 zone "0.0.127.in-addr.arpa" {
99 <div class="sect2" lang="en">
100 <div class="titlepage"><div><div><h3 class="title">
101 <a name="id2567988"></a>An Authoritative-only Name Server</h3></div></div></div>
103 This sample configuration is for an authoritative-only server
104 that is the master server for "<code class="filename">example.com</code>"
105 and a slave for the subdomain "<code class="filename">eng.example.com</code>".
107 <pre class="programlisting">
110 directory "/etc/namedb";
111 // Do not allow access to cache
112 allow-query-cache { none; };
113 // This is the default
114 allow-query { any; };
115 // Do not provide recursive service
119 // Provide a reverse mapping for the loopback
121 zone "0.0.127.in-addr.arpa" {
123 file "localhost.rev";
126 // We are the master server for example.com
129 file "example.com.db";
130 // IP addresses of slave servers allowed to
131 // transfer example.com
137 // We are a slave server for eng.example.com
138 zone "eng.example.com" {
140 file "eng.example.com.bk";
141 // IP address of eng.example.com master server
142 masters { 192.168.4.12; };
147 <div class="sect1" lang="en">
148 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
149 <a name="id2568010"></a>Load Balancing</h2></div></div></div>
151 A primitive form of load balancing can be achieved in
152 the <acronym class="acronym">DNS</acronym> by using multiple records
153 (such as multiple A records) for one name.
156 For example, if you have three WWW servers with network addresses
157 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
158 following means that clients will connect to each machine one third
161 <div class="informaltable"><table border="1">
193 Resource Record (RR) Data
200 <code class="literal">www</code>
205 <code class="literal">600</code>
210 <code class="literal">IN</code>
215 <code class="literal">A</code>
220 <code class="literal">10.0.0.1</code>
230 <code class="literal">600</code>
235 <code class="literal">IN</code>
240 <code class="literal">A</code>
245 <code class="literal">10.0.0.2</code>
255 <code class="literal">600</code>
260 <code class="literal">IN</code>
265 <code class="literal">A</code>
270 <code class="literal">10.0.0.3</code>
277 When a resolver queries for these records, <acronym class="acronym">BIND</acronym> will rotate
278 them and respond to the query with the records in a different
279 order. In the example above, clients will randomly receive
280 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
281 will use the first record returned and discard the rest.
284 For more detail on ordering responses, check the
285 <span><strong class="command">rrset-order</strong></span> sub-statement in the
286 <span><strong class="command">options</strong></span> statement, see
287 <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
290 <div class="sect1" lang="en">
291 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
292 <a name="id2568364"></a>Name Server Operations</h2></div></div></div>
293 <div class="sect2" lang="en">
294 <div class="titlepage"><div><div><h3 class="title">
295 <a name="id2568370"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
297 This section describes several indispensable diagnostic,
298 administrative and monitoring tools available to the system
299 administrator for controlling and debugging the name server
302 <div class="sect3" lang="en">
303 <div class="titlepage"><div><div><h4 class="title">
304 <a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
306 The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
307 <span><strong class="command">nslookup</strong></span> programs are all command
309 for manually querying name servers. They differ in style and
312 <div class="variablelist"><dl>
313 <dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
316 The domain information groper (<span><strong class="command">dig</strong></span>)
317 is the most versatile and complete of these lookup tools.
318 It has two modes: simple interactive
319 mode for a single query, and batch mode which executes a
321 each in a list of several query lines. All query options are
323 from the command line.
325 <div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
327 The usual simple use of <span><strong class="command">dig</strong></span> will take the form
330 <span><strong class="command">dig @server domain query-type query-class</strong></span>
333 For more information and a list of available commands and
334 options, see the <span><strong class="command">dig</strong></span> man
338 <dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
341 The <span><strong class="command">host</strong></span> utility emphasizes
343 and ease of use. By default, it converts
344 between host names and Internet addresses, but its
346 can be extended with the use of options.
348 <div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlnrsTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] [-m <em class="replaceable"><code>flag</code></em>] [-4] [-6] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
350 For more information and a list of available commands and
351 options, see the <span><strong class="command">host</strong></span> man
355 <dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
357 <p><span><strong class="command">nslookup</strong></span>
358 has two modes: interactive and
359 non-interactive. Interactive mode allows the user to
360 query name servers for information about various
361 hosts and domains or to print a list of hosts in a
362 domain. Non-interactive mode is used to print just
363 the name and requested information for a host or
366 <div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
368 Interactive mode is entered when no arguments are given (the
369 default name server will be used) or when the first argument
371 hyphen (`-') and the second argument is the host name or
376 Non-interactive mode is used when the name or Internet
378 of the host to be looked up is given as the first argument.
380 optional second argument specifies the host name or address
384 Due to its arcane user interface and frequently inconsistent
385 behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
386 Use <span><strong class="command">dig</strong></span> instead.
391 <div class="sect3" lang="en">
392 <div class="titlepage"><div><div><h4 class="title">
393 <a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
395 Administrative tools play an integral part in the management
398 <div class="variablelist"><dl>
400 <a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
404 The <span><strong class="command">named-checkconf</strong></span> program
405 checks the syntax of a <code class="filename">named.conf</code> file.
407 <div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
410 <a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
414 The <span><strong class="command">named-checkzone</strong></span> program
415 checks a master file for
416 syntax and consistency.
418 <div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-W <em class="replaceable"><code>(ignore|warn)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
421 <a name="named-compilezone"></a><span class="term"><span><strong class="command">named-compilezone</strong></span></span>
424 Similar to <span><strong class="command">named-checkzone,</strong></span> but
425 it always dumps the zone content to a specified file
426 (typically in a different format).
429 <a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
433 The remote name daemon control
434 (<span><strong class="command">rndc</strong></span>) program allows the
436 administrator to control the operation of a name server.
437 Since <acronym class="acronym">BIND</acronym> 9.2, <span><strong class="command">rndc</strong></span>
438 supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
439 utility except <span><strong class="command">ndc start</strong></span> and
440 <span><strong class="command">ndc restart</strong></span>, which were also
441 not supported in <span><strong class="command">ndc</strong></span>'s
443 If you run <span><strong class="command">rndc</strong></span> without any
445 it will display a usage message as follows:
447 <div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
448 <p>The <span><strong class="command">command</strong></span>
449 is one of the following:
451 <div class="variablelist"><dl>
452 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
454 Reload configuration file and zones.
456 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
457 [<span class="optional"><em class="replaceable"><code>class</code></em>
458 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
460 Reload the given zone.
462 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
463 [<span class="optional"><em class="replaceable"><code>class</code></em>
464 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
466 Schedule zone maintenance for the given zone.
468 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
470 [<span class="optional"><em class="replaceable"><code>class</code></em>
471 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
473 Retransfer the given zone from the master.
475 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em>
476 [<span class="optional"><em class="replaceable"><code>class</code></em>
477 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
480 Fetch all DNSSEC keys for the given zone
481 from the key directory (see
482 <span><strong class="command">key-directory</strong></span> in
483 <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
484 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
485 Usage”</a>). If they are within
486 their publication period, merge them into the
487 zone's DNSKEY RRset. If the DNSKEY RRset
488 is changed, then the zone is automatically
489 re-signed with the new key set.
492 This command requires that the
493 <span><strong class="command">auto-dnssec</strong></span> zone option be set
494 to <code class="literal">allow</code> or
495 <code class="literal">maintain</code>,
496 and also requires the zone to be configured to
498 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for
502 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em>
503 [<span class="optional"><em class="replaceable"><code>class</code></em>
504 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
507 Fetch all DNSSEC keys for the given zone
508 from the key directory (see
509 <span><strong class="command">key-directory</strong></span> in
510 <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
511 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
512 Usage”</a>). If they are within
513 their publication period, merge them into the
514 zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
515 sign</strong></span>, however, the zone is not
516 immediately re-signed by the new keys, but is
517 allowed to incrementally re-sign over time.
520 This command requires that the
521 <span><strong class="command">auto-dnssec</strong></span> zone option
522 be set to <code class="literal">maintain</code>,
523 and also requires the zone to be configured to
525 See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a> for
529 <dt><span class="term"><strong class="userinput"><code>freeze
530 [<span class="optional"><em class="replaceable"><code>zone</code></em>
531 [<span class="optional"><em class="replaceable"><code>class</code></em>
532 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
534 Suspend updates to a dynamic zone. If no zone is
536 then all zones are suspended. This allows manual
537 edits to be made to a zone normally updated by dynamic
539 also causes changes in the journal file to be synced
541 and the journal file to be removed. All dynamic
543 be refused while the zone is frozen.
545 <dt><span class="term"><strong class="userinput"><code>thaw
546 [<span class="optional"><em class="replaceable"><code>zone</code></em>
547 [<span class="optional"><em class="replaceable"><code>class</code></em>
548 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
550 Enable updates to a frozen dynamic zone. If no zone
552 specified, then all frozen zones are enabled. This
554 the server to reload the zone from disk, and
555 re-enables dynamic updates
556 after the load has completed. After a zone is thawed,
558 will no longer be refused.
560 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
561 [<span class="optional"><em class="replaceable"><code>class</code></em>
562 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
564 Resend NOTIFY messages for the zone.
566 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
568 Reload the configuration file and load new zones,
569 but do not reload existing zone files even if they
571 This is faster than a full <span><strong class="command">reload</strong></span> when there
572 is a large number of zones because it avoids the need
574 modification times of the zones files.
576 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
578 Write server statistics to the statistics file.
580 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
582 Toggle query logging. Query logging can also be enabled
583 by explicitly directing the <span><strong class="command">queries</strong></span>
584 <span><strong class="command">category</strong></span> to a
585 <span><strong class="command">channel</strong></span> in the
586 <span><strong class="command">logging</strong></span> section of
587 <code class="filename">named.conf</code> or by specifying
588 <span><strong class="command">querylog yes;</strong></span> in the
589 <span><strong class="command">options</strong></span> section of
590 <code class="filename">named.conf</code>.
592 <dt><span class="term"><strong class="userinput"><code>dumpdb
593 [<span class="optional">-all|-cache|-zone</span>]
594 [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
596 Dump the server's caches (default) and/or zones to
598 dump file for the specified views. If no view is
602 <dt><span class="term"><strong class="userinput"><code>secroots
603 [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
605 Dump the server's security roots to the secroots
606 file for the specified views. If no view is
607 specified, security roots for all
610 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
612 Stop the server, making sure any recent changes
613 made through dynamic update or IXFR are first saved to
614 the master files of the updated zones.
615 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
616 This allows an external process to determine when <span><strong class="command">named</strong></span>
617 had completed stopping.
619 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
621 Stop the server immediately. Recent changes
622 made through dynamic update or IXFR are not saved to
623 the master files, but will be rolled forward from the
624 journal files when the server is restarted.
625 If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
626 This allows an external process to determine when <span><strong class="command">named</strong></span>
627 had completed halting.
629 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
631 Increment the servers debugging level by one.
633 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
635 Sets the server's debugging level to an explicit
638 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
640 Sets the server's debugging level to 0.
642 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
644 Flushes the server's cache.
646 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
648 Flushes the given name from the server's cache.
650 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
652 Display status of the server.
653 Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
654 and the default <span><strong class="command">./IN</strong></span>
655 hint zone if there is not an
656 explicit root zone configured.
658 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
660 Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
663 <dt><span class="term"><strong class="userinput"><code>validation
664 [<span class="optional">on|off</span>]
665 [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
666 </code></strong></span></dt>
668 Enable or disable DNSSEC validation.
669 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
670 set to <strong class="userinput"><code>yes</code></strong> to be effective.
671 It defaults to enabled.
673 <dt><span class="term"><strong class="userinput"><code>addzone
674 <em class="replaceable"><code>zone</code></em>
675 [<span class="optional"><em class="replaceable"><code>class</code></em>
676 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
677 <em class="replaceable"><code>configuration</code></em>
678 </code></strong></span></dt>
681 Add a zone while the server is running. This
683 <span><strong class="command">allow-new-zones</strong></span> option to be set
684 to <strong class="userinput"><code>yes</code></strong>. The
685 <em class="replaceable"><code>configuration</code></em> string
686 specified on the command line is the zone
687 configuration text that would ordinarily be
688 placed in <code class="filename">named.conf</code>.
691 The configuration is saved in a file called
692 <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
693 where <em class="replaceable"><code>hash</code></em> is a
694 cryptographic hash generated from the name of
695 the view. When <span><strong class="command">named</strong></span> is
696 restarted, the file will be loaded into the view
697 configuration, so that zones that were added
698 can persist after a restart.
701 This sample <span><strong class="command">addzone</strong></span> command
702 would add the zone <code class="literal">example.com</code>
706 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
709 (Note the brackets and semi-colon around the zone
713 <dt><span class="term"><strong class="userinput"><code>delzone
714 <em class="replaceable"><code>zone</code></em>
715 [<span class="optional"><em class="replaceable"><code>class</code></em>
716 [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]
717 </code></strong></span></dt>
719 Delete a zone while the server is running.
720 Only zones that were originally added via
721 <span><strong class="command">rndc addzone</strong></span> can be deleted
726 A configuration file is required, since all
727 communication with the server is authenticated with
728 digital signatures that rely on a shared secret, and
729 there is no way to provide that secret other than with a
730 configuration file. The default location for the
731 <span><strong class="command">rndc</strong></span> configuration file is
732 <code class="filename">/etc/rndc.conf</code>, but an
734 location can be specified with the <code class="option">-c</code>
735 option. If the configuration file is not found,
736 <span><strong class="command">rndc</strong></span> will also look in
737 <code class="filename">/etc/rndc.key</code> (or whatever
738 <code class="varname">sysconfdir</code> was defined when
739 the <acronym class="acronym">BIND</acronym> build was
741 The <code class="filename">rndc.key</code> file is
743 running <span><strong class="command">rndc-confgen -a</strong></span> as
745 <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
746 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
750 The format of the configuration file is similar to
751 that of <code class="filename">named.conf</code>, but
753 only four statements, the <span><strong class="command">options</strong></span>,
754 <span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
755 <span><strong class="command">include</strong></span>
756 statements. These statements are what associate the
757 secret keys to the servers with which they are meant to
758 be shared. The order of statements is not
762 The <span><strong class="command">options</strong></span> statement has
764 <span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
765 and <span><strong class="command">default-port</strong></span>.
766 <span><strong class="command">default-server</strong></span> takes a
767 host name or address argument and represents the server
769 be contacted if no <code class="option">-s</code>
770 option is provided on the command line.
771 <span><strong class="command">default-key</strong></span> takes
772 the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
773 <span><strong class="command">default-port</strong></span> specifies the
775 <span><strong class="command">rndc</strong></span> should connect if no
776 port is given on the command line or in a
777 <span><strong class="command">server</strong></span> statement.
780 The <span><strong class="command">key</strong></span> statement defines a
782 by <span><strong class="command">rndc</strong></span> when authenticating
784 <span><strong class="command">named</strong></span>. Its syntax is
786 <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
787 The keyword <strong class="userinput"><code>key</code></strong> is
788 followed by a key name, which must be a valid
789 domain name, though it need not actually be hierarchical;
791 a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid
793 The <span><strong class="command">key</strong></span> statement has two
795 <span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
796 While the configuration parser will accept any string as the
798 to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
799 has any meaning. The secret is a base-64 encoded string
800 as specified in RFC 3548.
803 The <span><strong class="command">server</strong></span> statement
805 defined using the <span><strong class="command">key</strong></span>
806 statement with a server.
807 The keyword <strong class="userinput"><code>server</code></strong> is followed by a
808 host name or address. The <span><strong class="command">server</strong></span> statement
809 has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
810 The <span><strong class="command">key</strong></span> clause specifies the
812 to be used when communicating with this server, and the
813 <span><strong class="command">port</strong></span> clause can be used to
814 specify the port <span><strong class="command">rndc</strong></span> should
819 A sample minimal configuration file is as follows:
821 <pre class="programlisting">
823 algorithm "hmac-md5";
825 "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
828 default-server 127.0.0.1;
829 default-key rndc_key;
833 This file, if installed as <code class="filename">/etc/rndc.conf</code>,
834 would allow the command:
837 <code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong>
840 to connect to 127.0.0.1 port 953 and cause the name server
841 to reload, if a name server on the local machine were
843 following controls statements:
845 <pre class="programlisting">
848 allow { localhost; } keys { rndc_key; };
852 and it had an identical key statement for
853 <code class="literal">rndc_key</code>.
856 Running the <span><strong class="command">rndc-confgen</strong></span>
858 conveniently create a <code class="filename">rndc.conf</code>
859 file for you, and also display the
860 corresponding <span><strong class="command">controls</strong></span>
861 statement that you need to
862 add to <code class="filename">named.conf</code>.
864 you can run <span><strong class="command">rndc-confgen -a</strong></span>
866 a <code class="filename">rndc.key</code> file and not
868 <code class="filename">named.conf</code> at all.
874 <div class="sect2" lang="en">
875 <div class="titlepage"><div><div><h3 class="title">
876 <a name="id2570378"></a>Signals</h3></div></div></div>
878 Certain UNIX signals cause the name server to take specific
879 actions, as described in the following table. These signals can
880 be sent using the <span><strong class="command">kill</strong></span> command.
882 <div class="informaltable"><table border="1">
890 <p><span><strong class="command">SIGHUP</strong></span></p>
894 Causes the server to read <code class="filename">named.conf</code> and
901 <p><span><strong class="command">SIGTERM</strong></span></p>
905 Causes the server to clean up and exit.
911 <p><span><strong class="command">SIGINT</strong></span></p>
915 Causes the server to clean up and exit.
924 <div class="navfooter">
926 <table width="100%" summary="Navigation footer">
928 <td width="40%" align="left">
929 <a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
930 <td width="20%" align="center"> </td>
931 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
935 <td width="40%" align="left" valign="top">Chapter 2. <acronym class="acronym">BIND</acronym> Resource Requirements </td>
936 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
937 <td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
projects / FreeBSD / releng / 9.0.git / blob