2 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
42 <div class="refentry" lang="en">
43 <a name="man.rndc"></a><div class="titlepage"></div>
44 <div class="refnamediv">
46 <p><span class="application">rndc</span> — name server control utility</p>
48 <div class="refsynopsisdiv">
50 <div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
52 <div class="refsect1" lang="en">
53 <a name="id2640790"></a><h2>DESCRIPTION</h2>
54 <p><span><strong class="command">rndc</strong></span>
55 controls the operation of a name
56 server. It supersedes the <span><strong class="command">ndc</strong></span> utility
57 that was provided in old BIND releases. If
58 <span><strong class="command">rndc</strong></span> is invoked with no command line
59 options or arguments, it prints a short summary of the
60 supported commands and the available options and their
63 <p><span><strong class="command">rndc</strong></span>
64 communicates with the name server
65 over a TCP connection, sending commands authenticated with
66 digital signatures. In the current versions of
67 <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
68 the only supported authentication algorithm is HMAC-MD5,
69 which uses a shared secret on each end of the connection.
70 This provides TSIG-style authentication for the command
71 request and the name server's response. All commands sent
72 over the channel must be signed by a key_id known to the
75 <p><span><strong class="command">rndc</strong></span>
76 reads a configuration file to
77 determine how to contact the name server and decide what
78 algorithm and key it should use.
81 <div class="refsect1" lang="en">
82 <a name="id2640840"></a><h2>OPTIONS</h2>
83 <div class="variablelist"><dl>
84 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
86 Use <em class="replaceable"><code>source-address</code></em>
87 as the source address for the connection to the server.
88 Multiple instances are permitted to allow setting of both
89 the IPv4 and IPv6 source addresses.
91 <dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
93 Use <em class="replaceable"><code>config-file</code></em>
94 as the configuration file instead of the default,
95 <code class="filename">/etc/rndc.conf</code>.
97 <dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
99 Use <em class="replaceable"><code>key-file</code></em>
100 as the key file instead of the default,
101 <code class="filename">/etc/rndc.key</code>. The key in
102 <code class="filename">/etc/rndc.key</code> will be used to
104 commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
107 <dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
108 <dd><p><em class="replaceable"><code>server</code></em> is
109 the name or address of the server which matches a
110 server statement in the configuration file for
111 <span><strong class="command">rndc</strong></span>. If no server is supplied on the
112 command line, the host named by the default-server clause
113 in the options statement of the <span><strong class="command">rndc</strong></span>
114 configuration file will be used.
116 <dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
118 Send commands to TCP port
119 <em class="replaceable"><code>port</code></em>
121 of BIND 9's default control channel port, 953.
123 <dt><span class="term">-V</span></dt>
125 Enable verbose logging.
127 <dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
129 Use the key <em class="replaceable"><code>key_id</code></em>
130 from the configuration file.
131 <em class="replaceable"><code>key_id</code></em>
133 known by named with the same algorithm and secret string
134 in order for control message validation to succeed.
135 If no <em class="replaceable"><code>key_id</code></em>
136 is specified, <span><strong class="command">rndc</strong></span> will first look
137 for a key clause in the server statement of the server
138 being used, or if no server statement is present for that
139 host, then the default-key clause of the options statement.
140 Note that the configuration file contains shared secrets
141 which are used to send authenticated control commands
142 to name servers. It should therefore not have general read
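<p>The two points made in the <code class="option">-y</code> description, which key is selected when <code class="option">-y</code> is absent and who may read the file holding the shared secrets, as an added example that is not part of BIND or of the original manual page. The function names, host names, key names and secret are constructed; the statement layout follows rndc.conf(5), and the parser assumes only <code>#</code> comments.</p>

```shell
# Added example, not part of BIND. Host names, key names and the secret are constructed.
# Return 0 when "other" holds no permission bits on file $1 (no general access).
secret_file_is_private() {
    [ -e "$1" ] || return 2
    # ls -ld prints the mode string first, e.g. "-rw-r-----"; columns 8-10 are "other".
    [ "$(ls -ld -- "$1" | cut -c8-10)" = "---" ]
}

# Print the key_id used for server $2 in rndc config $1 when -y is absent:
# the key clause of that server statement, else the options default-key.
# With $2 empty, the default-server from the options statement is used.
# Assumptions: only "#" comments are stripped; a server statement without a
# key clause falls back to default-key.
resolve_key_id() {
    awk -v want="$2" '
    {
        sub(/#.*/, "")
        gsub(/[{};]/, " & ")            # braces and semicolons become tokens
        n = split($0, t)
        for (i = 1; i <= n; i++) {
            w = t[i]; gsub(/"/, "", w)  # names may be quoted
            if (w == "{") { depth++; continue }
            if (w == "}") { depth--; continue }
            if (w == ";") { if (depth == 0) stmt = ""; prev = ""; continue }
            if (depth == 0) {
                if (stmt == "") { stmt = w; name = "" }
                else if (name == "") name = w
            } else if (depth == 1) {
                if (stmt == "server"  && prev == "key")            skey[name] = w
                if (stmt == "options" && prev == "default-key")    dkey = w
                if (stmt == "options" && prev == "default-server") dsrv = w
            }
            prev = w
        }
    }
    END {
        if (want == "") want = dsrv
        if (want in skey) { print skey[want] } else if (dkey != "") { print dkey } else { exit 1 }
    }' "$1"
}

# Write a constructed sample configuration to path $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    default-server localhost;
    default-key    ops-key;
};
server ns2.example.net {
    key "ns2-key";
};
key ops-key { algorithm hmac-md5; secret "c2FtcGxlLW9ubHk="; };
key ns2-key { algorithm hmac-md5; secret "c2FtcGxlLW9ubHk="; };
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
chmod 644 "$conf"
secret_file_is_private "$conf" || echo "general access allowed on $conf"
echo "ns2.example.net uses $(resolve_key_id "$conf" ns2.example.net)"
echo "default server uses $(resolve_key_id "$conf" "")"
rm -f "$conf"
```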
147 <div class="refsect1" lang="en">
148 <a name="id2641322"></a><h2>COMMANDS</h2>
150 A list of commands supported by <span><strong class="command">rndc</strong></span> can
151 be seen by running <span><strong class="command">rndc</strong></span> without arguments.
154 Currently supported commands are:
156 <div class="variablelist"><dl>
157 <dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
159 Reload configuration file and zones.
161 <dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
163 Reload the given zone.
165 <dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
167 Schedule zone maintenance for the given zone.
169 <dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
171 Retransfer the given zone from the master.
173 <dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
176 Fetch all DNSSEC keys for the given zone
177 from the key directory (see the
178 <span><strong class="command">key-directory</strong></span> option in
179 the BIND 9 Administrator Reference Manual). If they are within
180 their publication period, merge them into the
181 zone's DNSKEY RRset. If the DNSKEY RRset
182 is changed, then the zone is automatically
183 re-signed with the new key set.
186 This command requires that the
187 <span><strong class="command">auto-dnssec</strong></span> zone option be set
188 to <code class="literal">allow</code> or
189 <code class="literal">maintain</code>,
190 and also requires the zone to be configured to
192 (See "Dynamic Update Policies" in the Administrator
193 Reference Manual for more details.)
196 <dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
199 Fetch all DNSSEC keys for the given zone
200 from the key directory. If they are within
201 their publication period, merge them into the
202 zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
203 sign</strong></span>, however, the zone is not
204 immediately re-signed by the new keys, but is
205 allowed to incrementally re-sign over time.
208 This command requires that the
209 <span><strong class="command">auto-dnssec</strong></span> zone option
210 be set to <code class="literal">maintain</code>,
211 and also requires the zone to be configured to
213 (See "Dynamic Update Policies" in the Administrator
214 Reference Manual for more details.)
217 <dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
219 Suspend updates to a dynamic zone. If no zone is
220 specified, then all zones are suspended. This allows
221 manual edits to be made to a zone normally updated by
222 dynamic update. It also causes changes in the
223 journal file to be synced into the master file,
224 and the journal file to be removed.
225 All dynamic update attempts will be refused while
228 <dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
230 Enable updates to a frozen dynamic zone. If no
231 zone is specified, then all frozen zones are
232 enabled. This causes the server to reload the zone
233 from disk, and re-enables dynamic updates after the
234 load has completed. After a zone is thawed,
235 dynamic updates will no longer be refused.
237 <dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
239 Resend NOTIFY messages for the zone.
241 <dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
243 Reload the configuration file and load new zones,
244 but do not reload existing zone files even if they
246 This is faster than a full <span><strong class="command">reload</strong></span> when there
247 is a large number of zones because it avoids the need
249 modification times of the zone files.
251 <dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
253 Write server statistics to the statistics file.
255 <dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
257 Toggle query logging. Query logging can also be enabled
258 by explicitly directing the <span><strong class="command">queries</strong></span>
259 <span><strong class="command">category</strong></span> to a
260 <span><strong class="command">channel</strong></span> in the
261 <span><strong class="command">logging</strong></span> section of
262 <code class="filename">named.conf</code> or by specifying
263 <span><strong class="command">querylog yes;</strong></span> in the
264 <span><strong class="command">options</strong></span> section of
265 <code class="filename">named.conf</code>.
267 <dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
269 Dump the server's caches (default) and/or zones to
271 dump file for the specified views. If no view is
275 <dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
277 Dump the server's security roots to the secroots
278 file for the specified views. If no view is
279 specified, security roots for all
282 <dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
284 Stop the server, making sure any recent changes
285 made through dynamic update or IXFR are first saved to
286 the master files of the updated zones.
287 If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process ID is returned.
288 This allows an external process to determine when <span><strong class="command">named</strong></span>
289 has completed stopping.
291 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
293 Stop the server immediately. Recent changes
294 made through dynamic update or IXFR are not saved to
295 the master files, but will be rolled forward from the
296 journal files when the server is restarted.
297 If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process ID is returned.
298 This allows an external process to determine when <span><strong class="command">named</strong></span>
299 has completed halting.
301 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
303 Increment the server's debugging level by one.
305 <dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
307 Sets the server's debugging level to an explicit
310 <dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
312 Sets the server's debugging level to 0.
314 <dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
316 Flushes the server's cache.
318 <dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
320 Flushes the given name from the server's cache.
322 <dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
324 Display status of the server.
325 Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
326 and the default <span><strong class="command">./IN</strong></span>
327 hint zone if there is not an
328 explicit root zone configured.
330 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
332 Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
335 <dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
337 Enable, disable, or check the current status of
339 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
340 set to <strong class="userinput"><code>yes</code></strong> or
341 <strong class="userinput"><code>auto</code></strong> to be effective.
342 It defaults to enabled.
344 <dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
346 List the names of all TSIG keys currently configured
347 for use by <span><strong class="command">named</strong></span> in each view. The
348 list includes both statically configured keys and dynamic
349 TKEY-negotiated keys.
351 <dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
353 Delete a given TKEY-negotiated key from the server.
354 (This does not apply to statically configured TSIG
357 <dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
360 Add a zone while the server is running. This
362 <span><strong class="command">allow-new-zones</strong></span> option to be set
363 to <strong class="userinput"><code>yes</code></strong>. The
364 <em class="replaceable"><code>configuration</code></em> string
365 specified on the command line is the zone
366 configuration text that would ordinarily be
367 placed in <code class="filename">named.conf</code>.
370 The configuration is saved in a file called
371 <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
372 where <em class="replaceable"><code>hash</code></em> is a
373 cryptographic hash generated from the name of
374 the view. When <span><strong class="command">named</strong></span> is
375 restarted, the file will be loaded into the view
376 configuration, so that zones that were added
377 can persist after a restart.
380 This sample <span><strong class="command">addzone</strong></span> command
381 would add the zone <code class="literal">example.com</code>
385 <code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
388 (Note the brackets and semi-colon around the zone
392 <dt><span class="term"><strong class="userinput"><code>delzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
394 Delete a zone while the server is running.
395 Only zones that were originally added via
396 <span><strong class="command">rndc addzone</strong></span> can be deleted
401 <div class="refsect1" lang="en">
402 <a name="id2677090"></a><h2>LIMITATIONS</h2>
404 There is currently no way to provide the shared secret for a
405 <code class="option">key_id</code> without using the configuration file.
408 Several error messages could be clearer.
411 <div class="refsect1" lang="en">
412 <a name="id2677108"></a><h2>SEE ALSO</h2>
413 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
414 <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
415 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
416 <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
417 <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
418 <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
421 <div class="refsect1" lang="en">
422 <a name="id2677232"></a><h2>AUTHOR</h2>
423 <p><span class="corpauthor">Internet Systems Consortium</span>