1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000, 2001 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <refentry id="man.rndc">
23 <date>August 15, 2014</date>
27 <refentrytitle><application>rndc</application></refentrytitle>
28 <manvolnum>8</manvolnum>
29 <refmiscinfo>BIND9</refmiscinfo>
33 <refname><application>rndc</application></refname>
34 <refpurpose>name server control utility</refpurpose>
44 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
49 <holder>Internet Software Consortium.</holder>
55 <command>rndc</command>
56 <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
57 <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
58 <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
59 <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
60 <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
61 <arg><option>-q</option></arg>
62 <arg><option>-V</option></arg>
63 <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
64 <arg choice="req">command</arg>
69 <title>DESCRIPTION</title>
70 <para><command>rndc</command>
71 controls the operation of a name
72 server. It supersedes the <command>ndc</command> utility
73 that was provided in old BIND releases. If
74 <command>rndc</command> is invoked with no command line
75 options or arguments, it prints a short summary of the
76 supported commands and the available options and their
79 <para><command>rndc</command>
80 communicates with the name server over a TCP connection, sending
81 commands authenticated with digital signatures. In the current
83 <command>rndc</command> and <command>named</command>,
84 the only supported authentication algorithms are HMAC-MD5
85 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
86 (default), HMAC-SHA384 and HMAC-SHA512.
87 They use a shared secret on each end of the connection.
88 This provides TSIG-style authentication for the command
89 request and the name server's response. All commands sent
90 over the channel must be signed by a key_id known to the
93 <para><command>rndc</command>
94 reads a configuration file to
95 determine how to contact the name server and decide what
96 algorithm and key it should use.
101 <title>OPTIONS</title>
105 <term>-b <replaceable class="parameter">source-address</replaceable></term>
108 Use <replaceable class="parameter">source-address</replaceable>
109 as the source address for the connection to the server.
110 Multiple instances are permitted to allow setting of both
111 the IPv4 and IPv6 source addresses.
117 <term>-c <replaceable class="parameter">config-file</replaceable></term>
120 Use <replaceable class="parameter">config-file</replaceable>
121 as the configuration file instead of the default,
122 <filename>/etc/rndc.conf</filename>.
128 <term>-k <replaceable class="parameter">key-file</replaceable></term>
131 Use <replaceable class="parameter">key-file</replaceable>
132 as the key file instead of the default,
133 <filename>/etc/rndc.key</filename>. The key in
134 <filename>/etc/rndc.key</filename> will be used to
136 commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
143 <term>-s <replaceable class="parameter">server</replaceable></term>
145 <para><replaceable class="parameter">server</replaceable> is
146 the name or address of the server which matches a
147 server statement in the configuration file for
148 <command>rndc</command>. If no server is supplied on the
149 command line, the host named by the default-server clause
150 in the options statement of the <command>rndc</command>
151 configuration file will be used.
157 <term>-p <replaceable class="parameter">port</replaceable></term>
160 Send commands to TCP port
161 <replaceable class="parameter">port</replaceable>
163 of BIND 9's default control channel port, 953.
172 Quiet mode: Message text returned by the server
173 will not be printed except when there is an error.
182 Enable verbose logging.
188 <term>-y <replaceable class="parameter">key_id</replaceable></term>
191 Use the key <replaceable class="parameter">key_id</replaceable>
192 from the configuration file.
193 <replaceable class="parameter">key_id</replaceable>
195 known by named with the same algorithm and secret string
196 in order for control message validation to succeed.
197 If no <replaceable class="parameter">key_id</replaceable>
198 is specified, <command>rndc</command> will first look
199 for a key clause in the server statement of the server
200 being used, or if no server statement is present for that
201 host, then the default-key clause of the options statement.
202 Note that the configuration file contains shared secrets
203 which are used to send authenticated control commands
204 to name servers. It should therefore not have general read
214 <title>COMMANDS</title>
216 A list of commands supported by <command>rndc</command> can
217 be seen by running <command>rndc</command> without arguments.
220 Currently supported commands are:
225 <term><userinput>reload</userinput></term>
228 Reload configuration file and zones.
234 <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
237 Reload the given zone.
243 <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
246 Schedule zone maintenance for the given zone.
252 <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
255 Retransfer the given slave zone from the master server.
258 If the zone is configured to use
259 <command>inline-signing</command>, the signed
260 version of the zone is discarded; after the
261 retransfer of the unsigned version is complete, the
262 signed version will be regenerated with all new
269 <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
272 Fetch all DNSSEC keys for the given zone
273 from the key directory (see the
274 <command>key-directory</command> option in
275 the BIND 9 Administrator Reference Manual). If they are within
276 their publication period, merge them into the
277 zone's DNSKEY RRset. If the DNSKEY RRset
278 is changed, then the zone is automatically
279 re-signed with the new key set.
282 This command requires that the
283 <command>auto-dnssec</command> zone option be set
284 to <literal>allow</literal> or
285 <literal>maintain</literal>,
286 and also requires the zone to be configured to
288 (See "Dynamic Update Policies" in the Administrator
289 Reference Manual for more details.)
295 <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
298 Fetch all DNSSEC keys for the given zone
299 from the key directory. If they are within
300 their publication period, merge them into the
301 zone's DNSKEY RRset. Unlike <command>rndc
302 sign</command>, however, the zone is not
303 immediately re-signed by the new keys, but is
304 allowed to incrementally re-sign over time.
307 This command requires that the
308 <command>auto-dnssec</command> zone option
309 be set to <literal>maintain</literal>,
310 and also requires the zone to be configured to
312 (See "Dynamic Update Policies" in the Administrator
313 Reference Manual for more details.)
319 <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
322 Suspend updates to a dynamic zone. If no zone is
323 specified, then all zones are suspended. This allows
324 manual edits to be made to a zone normally updated by
325 dynamic update. It also causes changes in the
326 journal file to be synced into the master file.
327 All dynamic update attempts will be refused while
334 <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
337 Enable updates to a frozen dynamic zone. If no
338 zone is specified, then all frozen zones are
339 enabled. This causes the server to reload the zone
340 from disk, and re-enables dynamic updates after the
341 load has completed. After a zone is thawed,
342 dynamic updates will no longer be refused. If
343 the zone has changed and the
344 <command>ixfr-from-differences</command> option is
345 in use, then the journal file will be updated to
346 reflect changes in the zone. Otherwise, if the
347 zone has changed, any existing journal file will be
354 <term><userinput>scan</userinput></term>
357 Scan the list of available network interfaces
358 for changes, without performing a full
359 <command>reconfig</command> or waiting for the
360 <command>interface-interval</command> timer.
366 <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
369 Sync changes in the journal file for a dynamic zone
370 to the master file. If the "-clean" option is
371 specified, the journal file is also removed. If
372 no zone is specified, then all zones are synced.
378 <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
381 Resend NOTIFY messages for the zone.
387 <term><userinput>reconfig</userinput></term>
390 Reload the configuration file and load new zones,
391 but do not reload existing zone files even if they
393 This is faster than a full <command>reload</command> when there
394 is a large number of zones because it avoids the need
396 modification times of the zones files.
402 <term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
405 Displays the current status of the given zone,
406 including the master file name and any include
407 files from which it was loaded, when it was most
408 recently loaded, the current serial number, the
409 number of nodes, whether the zone supports
410 dynamic updates, whether the zone is DNSSEC
411 signed, whether it uses automatic DNSSEC key
412 management or inline signing, and the scheduled
413 refresh or expiry times for the zone.
419 <term><userinput>stats</userinput></term>
422 Write server statistics to the statistics file.
428 <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
431 Enable or disable query logging. (For backward
432 compatibility, this command can also be used without
433 an argument to toggle query logging on and off.)
436 Query logging can also be enabled
437 by explicitly directing the <command>queries</command>
438 <command>category</command> to a
439 <command>channel</command> in the
440 <command>logging</command> section of
441 <filename>named.conf</filename> or by specifying
442 <command>querylog yes;</command> in the
443 <command>options</command> section of
444 <filename>named.conf</filename>.
450 <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
453 Dump the server's caches (default) and/or zones to
455 dump file for the specified views. If no view is
463 <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
466 Dump the server's security roots to the secroots
467 file for the specified views. If no view is
468 specified, security roots for all
475 <term><userinput>stop <optional>-p</optional></userinput></term>
478 Stop the server, making sure any recent changes
479 made through dynamic update or IXFR are first saved to
480 the master files of the updated zones.
481 If <option>-p</option> is specified <command>named</command>'s process id is returned.
482 This allows an external process to determine when <command>named</command>
483 had completed stopping.
489 <term><userinput>halt <optional>-p</optional></userinput></term>
492 Stop the server immediately. Recent changes
493 made through dynamic update or IXFR are not saved to
494 the master files, but will be rolled forward from the
495 journal files when the server is restarted.
496 If <option>-p</option> is specified <command>named</command>'s process id is returned.
497 This allows an external process to determine when <command>named</command>
498 had completed halting.
504 <term><userinput>trace</userinput></term>
507 Increment the servers debugging level by one.
513 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
516 Sets the server's debugging level to an explicit
523 <term><userinput>notrace</userinput></term>
526 Sets the server's debugging level to 0.
532 <term><userinput>flush</userinput></term>
535 Flushes the server's cache.
541 <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
544 Flushes the given name from the server's DNS cache
545 and, if applicable, from the server's nameserver address
546 database or bad-server cache.
552 <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
555 Flushes the given name, and all of its subdomains,
556 from the server's DNS cache, the address database,
557 and the bad server cache.
563 <term><userinput>status</userinput></term>
566 Display status of the server.
567 Note that the number of zones includes the internal <command>bind/CH</command> zone
568 and the default <command>./IN</command>
569 hint zone if there is not an
570 explicit root zone configured.
576 <term><userinput>recursing</userinput></term>
579 Dump the list of queries <command>named</command> is currently recursing
586 <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
589 Enable, disable, or check the current status of
591 Note <command>dnssec-enable</command> also needs to be
592 set to <userinput>yes</userinput> or
593 <userinput>auto</userinput> to be effective.
594 It defaults to enabled.
600 <term><userinput>tsig-list</userinput></term>
603 List the names of all TSIG keys currently configured
604 for use by <command>named</command> in each view. The
605 list both statically configured keys and dynamic
606 TKEY-negotiated keys.
612 <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
615 Delete a given TKEY-negotiated key from the server.
616 (This does not apply to statically configured TSIG
623 <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
626 Add a zone while the server is running. This
628 <command>allow-new-zones</command> option to be set
629 to <userinput>yes</userinput>. The
630 <replaceable>configuration</replaceable> string
631 specified on the command line is the zone
632 configuration text that would ordinarily be
633 placed in <filename>named.conf</filename>.
636 The configuration is saved in a file called
637 <filename><replaceable>hash</replaceable>.nzf</filename>,
638 where <replaceable>hash</replaceable> is a
639 cryptographic hash generated from the name of
640 the view. When <command>named</command> is
641 restarted, the file will be loaded into the view
642 configuration, so that zones that were added
643 can persist after a restart.
646 This sample <command>addzone</command> command
647 would add the zone <literal>example.com</literal>
651 <prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
654 (Note the brackets and semi-colon around the zone
661 <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
664 Delete a zone while the server is running.
665 Only zones that were originally added via
666 <command>rndc addzone</command> can be deleted
670 If the <option>-clean</option> is specified,
671 the zone's master file (and journal file, if any)
672 will be deleted along with the zone. Without the
673 <option>-clean</option> option, zone files must
674 be cleaned up by hand. (If the zone is of
675 type "slave" or "stub", the files needing to
676 be cleaned up will be reported in the output
677 of the <command>rndc delzone</command> command.)
683 <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
686 List, edit, or remove the DNSSEC signing state records
687 for the specified zone. The status of ongoing DNSSEC
688 operations (such as signing or generating
689 NSEC3 chains) is stored in the zone in the form
690 of DNS resource records of type
691 <command>sig-signing-type</command>.
692 <command>rndc signing -list</command> converts
693 these records into a human-readable form,
694 indicating which keys are currently signing
695 or have finished signing the zone, and which NSEC3
696 chains are being created or removed.
699 <command>rndc signing -clear</command> can remove
700 a single key (specified in the same format that
701 <command>rndc signing -list</command> uses to
702 display it), or all keys. In either case, only
703 completed keys are removed; any record indicating
704 that a key has not yet finished signing the zone
708 <command>rndc signing -nsec3param</command> sets
709 the NSEC3 parameters for a zone. This is the
710 only supported mechanism for using NSEC3 with
711 <command>inline-signing</command> zones.
712 Parameters are specified in the same format as
713 an NSEC3PARAM resource record: hash algorithm,
714 flags, iterations, and salt, in that order.
717 Currently, the only defined value for hash algorithm
718 is <literal>1</literal>, representing SHA-1.
719 The <option>flags</option> may be set to
720 <literal>0</literal> or <literal>1</literal>,
721 depending on whether you wish to set the opt-out
722 bit in the NSEC3 chain. <option>iterations</option>
723 defines the number of additional times to apply
724 the algorithm when generating an NSEC3 hash. The
725 <option>salt</option> is a string of data expressed
726 in hexadecimal, a hyphen (`-') if no salt is
727 to be used, or the keyword <literal>auto</literal>,
728 which causes <command>named</command> to generate a
732 So, for example, to create an NSEC3 chain using
733 the SHA-1 hash algorithm, no opt-out flag,
734 10 iterations, and a salt value of "FFFF", use:
735 <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
736 To set the opt-out flag, 15 iterations, and no
738 <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
741 <command>rndc signing -nsec3param none</command>
742 removes an existing NSEC3 chain and replaces it
751 <title>LIMITATIONS</title>
753 There is currently no way to provide the shared secret for a
754 <option>key_id</option> without using the configuration file.
757 Several error messages could be clearer.
762 <title>SEE ALSO</title>
764 <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
767 <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
770 <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
773 <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
776 <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
778 <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
783 <title>AUTHOR</title>
784 <para><corpauthor>Internet Systems Consortium</corpauthor>