etc/services - sync with NetBSD-8
[minix.git] / external / bsd / bind / dist / bin / rndc / rndc.docbook
blob9b78bb611eaf8742502f1a488b095d3f3f15f30f
1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3                [<!ENTITY mdash "&#8212;">]>
4 <!--
5  - Copyright (C) 2004, 2005, 2007, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
6  - Copyright (C) 2000, 2001  Internet Software Consortium.
7  -
8  - Permission to use, copy, modify, and/or distribute this software for any
9  - purpose with or without fee is hereby granted, provided that the above
10  - copyright notice and this permission notice appear in all copies.
11  -
12  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18  - PERFORMANCE OF THIS SOFTWARE.
19 -->
21 <refentry id="man.rndc">
22   <refentryinfo>
23     <date>August 15, 2014</date>
24   </refentryinfo>
26   <refmeta>
27     <refentrytitle><application>rndc</application></refentrytitle>
28     <manvolnum>8</manvolnum>
29     <refmiscinfo>BIND9</refmiscinfo>
30   </refmeta>
32   <refnamediv>
33     <refname><application>rndc</application></refname>
34     <refpurpose>name server control utility</refpurpose>
35   </refnamediv>
37   <docinfo>
38     <copyright>
39       <year>2004</year>
40       <year>2005</year>
41       <year>2007</year>
42       <year>2013</year>
43       <year>2014</year>
44       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
45     </copyright>
46     <copyright>
47       <year>2000</year>
48       <year>2001</year>
49       <holder>Internet Software Consortium.</holder>
50     </copyright>
51   </docinfo>
53   <refsynopsisdiv>
54     <cmdsynopsis>
55       <command>rndc</command>
56       <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
57       <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
58       <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
59       <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
60       <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
61       <arg><option>-q</option></arg>
62       <arg><option>-V</option></arg>
63       <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
64       <arg choice="req">command</arg>
65     </cmdsynopsis>
66   </refsynopsisdiv>
68   <refsect1>
69     <title>DESCRIPTION</title>
70     <para><command>rndc</command>
71       controls the operation of a name
72       server.  It supersedes the <command>ndc</command> utility
73       that was provided in old BIND releases.  If
74       <command>rndc</command> is invoked with no command line
75       options or arguments, it prints a short summary of the
76       supported commands and the available options and their
77       arguments.
78     </para>
79     <para><command>rndc</command>
80       communicates with the name server over a TCP connection, sending
81       commands authenticated with digital signatures.  In the current
82       versions of
83       <command>rndc</command> and <command>named</command>,
84       the only supported authentication algorithms are HMAC-MD5
85       (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
86       (default), HMAC-SHA384 and HMAC-SHA512.
87       They use a shared secret on each end of the connection.
88       This provides TSIG-style authentication for the command
89       request and the name server's response.  All commands sent
90       over the channel must be signed by a key_id known to the
91       server.
92     </para>
93     <para><command>rndc</command>
94       reads a configuration file to
95       determine how to contact the name server and decide what
96       algorithm and key it should use.
97     </para>
98   </refsect1>
100   <refsect1>
101     <title>OPTIONS</title>
103     <variablelist>
104       <varlistentry>
105         <term>-b <replaceable class="parameter">source-address</replaceable></term>
106         <listitem>
107           <para>
108             Use <replaceable class="parameter">source-address</replaceable>
109             as the source address for the connection to the server.
110             Multiple instances are permitted to allow setting of both
111             the IPv4 and IPv6 source addresses.
112           </para>
113         </listitem>
114       </varlistentry>
116       <varlistentry>
117         <term>-c <replaceable class="parameter">config-file</replaceable></term>
118         <listitem>
119           <para>
120             Use <replaceable class="parameter">config-file</replaceable>
121             as the configuration file instead of the default,
122             <filename>/etc/rndc.conf</filename>.
123           </para>
124         </listitem>
125       </varlistentry>
127       <varlistentry>
128         <term>-k <replaceable class="parameter">key-file</replaceable></term>
129         <listitem>
130           <para>
131             Use <replaceable class="parameter">key-file</replaceable>
132             as the key file instead of the default,
133             <filename>/etc/rndc.key</filename>.  The key in
134             <filename>/etc/rndc.key</filename> will be used to
135             authenticate
136             commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
137             does not exist.
138           </para>
139         </listitem>
140       </varlistentry>
142       <varlistentry>
143         <term>-s <replaceable class="parameter">server</replaceable></term>
144         <listitem>
145           <para><replaceable class="parameter">server</replaceable> is
146             the name or address of the server which matches a
147             server statement in the configuration file for
148             <command>rndc</command>.  If no server is supplied on the
149             command line, the host named by the default-server clause
150             in the options statement of the <command>rndc</command>
151             configuration file will be used.
152           </para>
153         </listitem>
154       </varlistentry>
156       <varlistentry>
157         <term>-p <replaceable class="parameter">port</replaceable></term>
158         <listitem>
159           <para>
160             Send commands to TCP port
161             <replaceable class="parameter">port</replaceable>
162             instead
163             of BIND 9's default control channel port, 953.
164           </para>
165         </listitem>
166       </varlistentry>
168       <varlistentry>
169         <term>-q</term>
170         <listitem>
171           <para>
172             Quiet mode: Message text returned by the server
173             will not be printed except when there is an error.
174           </para>
175         </listitem>
176       </varlistentry>
178       <varlistentry>
179         <term>-V</term>
180         <listitem>
181           <para>
182             Enable verbose logging.
183           </para>
184         </listitem>
185       </varlistentry>
187       <varlistentry>
188         <term>-y <replaceable class="parameter">key_id</replaceable></term>
189         <listitem>
190           <para>
191             Use the key <replaceable class="parameter">key_id</replaceable>
192             from the configuration file.
193             <replaceable class="parameter">key_id</replaceable>
194             must be
195             known by named with the same algorithm and secret string
196             in order for control message validation to succeed.
197             If no <replaceable class="parameter">key_id</replaceable>
198             is specified, <command>rndc</command> will first look
199             for a key clause in the server statement of the server
200             being used, or if no server statement is present for that
201             host, then the default-key clause of the options statement.
202             Note that the configuration file contains shared secrets
203             which are used to send authenticated control commands
204             to name servers.  It should therefore not have general read
205             or write access.
206           </para>
207         </listitem>
208       </varlistentry>
210     </variablelist>
211   </refsect1>
213   <refsect1>
214     <title>COMMANDS</title>
215     <para>
216       A list of commands supported by <command>rndc</command> can
217       be seen by running <command>rndc</command> without arguments.
218     </para>
219     <para>
220       Currently supported commands are:
221     </para>
223     <variablelist>
224       <varlistentry>
225         <term><userinput>reload</userinput></term>
226         <listitem>
227           <para>
228             Reload configuration file and zones.
229           </para>
230         </listitem>
231       </varlistentry>
233       <varlistentry>
234         <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
235         <listitem>
236           <para>
237             Reload the given zone.
238           </para>
239         </listitem>
240       </varlistentry>
242       <varlistentry>
243         <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
244         <listitem>
245           <para>
246             Schedule zone maintenance for the given zone.
247           </para>
248         </listitem>
249       </varlistentry>
251       <varlistentry>
252         <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
253         <listitem>
254           <para>
255             Retransfer the given slave zone from the master server.
256           </para>
257           <para>
258             If the zone is configured to use
259             <command>inline-signing</command>, the signed
260             version of the zone is discarded; after the
261             retransfer of the unsigned version is complete, the
262             signed version will be regenerated with all new
263             signatures.
264           </para>
265         </listitem>
266       </varlistentry>
268       <varlistentry>
269         <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
270         <listitem>
271           <para>
272             Fetch all DNSSEC keys for the given zone
273             from the key directory (see the 
274             <command>key-directory</command> option in
275             the BIND 9 Administrator Reference Manual).  If they are within
276             their publication period, merge them into the
277             zone's DNSKEY RRset.  If the DNSKEY RRset
278             is changed, then the zone is automatically
279             re-signed with the new key set.
280           </para>
281           <para>
282             This command requires that the
283             <command>auto-dnssec</command> zone option be set
284             to <literal>allow</literal> or
285             <literal>maintain</literal>,
286             and also requires the zone to be configured to
287             allow dynamic DNS.
288             (See "Dynamic Update Policies" in the Administrator
289             Reference Manual for more details.)
290           </para>
291         </listitem>
292       </varlistentry>
294       <varlistentry>
295         <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
296         <listitem>
297           <para>
298             Fetch all DNSSEC keys for the given zone
299             from the key directory.  If they are within
300             their publication period, merge them into the
301             zone's DNSKEY RRset.  Unlike <command>rndc
302             sign</command>, however, the zone is not
303             immediately re-signed by the new keys, but is
304             allowed to incrementally re-sign over time.
305           </para>
306           <para>
307             This command requires that the
308             <command>auto-dnssec</command> zone option
309             be set to <literal>maintain</literal>,
310             and also requires the zone to be configured to
311             allow dynamic DNS.
312             (See "Dynamic Update Policies" in the Administrator
313             Reference Manual for more details.)
314           </para>
315         </listitem>
316       </varlistentry>
318       <varlistentry>
319         <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
320         <listitem>
321           <para>
322             Suspend updates to a dynamic zone.  If no zone is
323             specified, then all zones are suspended.  This allows
324             manual edits to be made to a zone normally updated by
325             dynamic update.  It also causes changes in the
326             journal file to be synced into the master file.
327             All dynamic update attempts will be refused while
328             the zone is frozen.
329           </para>
330         </listitem>
331       </varlistentry>
333       <varlistentry>
334         <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
335         <listitem>
336           <para>
337             Enable updates to a frozen dynamic zone.  If no
338             zone is specified, then all frozen zones are
339             enabled.  This causes the server to reload the zone
340             from disk, and re-enables dynamic updates after the
341             load has completed.  After a zone is thawed,
342             dynamic updates will no longer be refused.  If
343             the zone has changed and the
344             <command>ixfr-from-differences</command> option is
345             in use, then the journal file will be updated to
346             reflect changes in the zone.  Otherwise, if the
347             zone has changed, any existing journal file will be
348             removed.
349           </para>
350         </listitem>
351       </varlistentry>
353       <varlistentry>
354         <term><userinput>scan</userinput></term>
355         <listitem>
356           <para>
357              Scan the list of available network interfaces
358              for changes, without performing a full
359              <command>reconfig</command> or waiting for the
360              <command>interface-interval</command> timer.
361           </para>
362         </listitem>
363       </varlistentry>
365       <varlistentry>
366         <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
367         <listitem>
368           <para>
369             Sync changes in the journal file for a dynamic zone
370             to the master file.  If the "-clean" option is
371             specified, the journal file is also removed.  If
372             no zone is specified, then all zones are synced.
373           </para>
374         </listitem>
375       </varlistentry>
377       <varlistentry>
378         <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
379         <listitem>
380           <para>
381             Resend NOTIFY messages for the zone.
382           </para>
383         </listitem>
384       </varlistentry>
386       <varlistentry>
387         <term><userinput>reconfig</userinput></term>
388         <listitem>
389           <para>
390             Reload the configuration file and load new zones,
391             but do not reload existing zone files even if they
392             have changed.
393             This is faster than a full <command>reload</command> when there
394             is a large number of zones because it avoids the need
395             to examine the
396             modification times of the zones files.
397           </para>
398         </listitem>
399       </varlistentry>
401       <varlistentry>
402         <term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
403         <listitem>
404           <para>
405             Displays the current status of the given zone,
406             including the master file name and any include
407             files from which it was loaded, when it was most
408             recently loaded, the current serial number, the
409             number of nodes, whether the zone supports
410             dynamic updates, whether the zone is DNSSEC
411             signed, whether it uses automatic DNSSEC key
412             management or inline signing, and the scheduled
413             refresh or expiry times for the zone.
414           </para>
415         </listitem>
416       </varlistentry>
418       <varlistentry>
419         <term><userinput>stats</userinput></term>
420         <listitem>
421           <para>
422             Write server statistics to the statistics file.
423           </para>
424         </listitem>
425       </varlistentry>
427       <varlistentry>
428         <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
429         <listitem>
430           <para>
431             Enable or disable query logging.  (For backward
432             compatibility, this command can also be used without
433             an argument to toggle query logging on and off.)
434           </para>
435           <para>
436             Query logging can also be enabled
437             by explicitly directing the <command>queries</command>
438             <command>category</command> to a
439             <command>channel</command> in the
440             <command>logging</command> section of
441             <filename>named.conf</filename> or by specifying
442             <command>querylog yes;</command> in the
443             <command>options</command> section of
444             <filename>named.conf</filename>.
445           </para>
446         </listitem>
447       </varlistentry>
449       <varlistentry>
450         <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
451         <listitem>
452           <para>
453             Dump the server's caches (default) and/or zones to
454             the
455             dump file for the specified views.  If no view is
456             specified, all
457             views are dumped.
458           </para>
459         </listitem>
460       </varlistentry>
462       <varlistentry>
463         <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
464         <listitem>
465           <para>
466             Dump the server's security roots to the secroots
467             file for the specified views.  If no view is
468             specified, security roots for all
469             views are dumped.
470           </para>
471         </listitem>
472       </varlistentry>
474       <varlistentry>
475         <term><userinput>stop <optional>-p</optional></userinput></term>
476         <listitem>
477           <para>
478             Stop the server, making sure any recent changes
479             made through dynamic update or IXFR are first saved to
480             the master files of the updated zones.
481             If <option>-p</option> is specified <command>named</command>'s process id is returned.
482             This allows an external process to determine when <command>named</command>
483             had completed stopping.
484           </para>
485         </listitem>
486       </varlistentry>
488       <varlistentry>
489         <term><userinput>halt <optional>-p</optional></userinput></term>
490         <listitem>
491           <para>
492             Stop the server immediately.  Recent changes
493             made through dynamic update or IXFR are not saved to
494             the master files, but will be rolled forward from the
495             journal files when the server is restarted.
496             If <option>-p</option> is specified <command>named</command>'s process id is returned.
497             This allows an external process to determine when <command>named</command>
498             had completed halting.
499           </para>
500         </listitem>
501       </varlistentry>
503       <varlistentry>
504         <term><userinput>trace</userinput></term>
505         <listitem>
506           <para>
507             Increment the servers debugging level by one.
508           </para>
509         </listitem>
510       </varlistentry>
512       <varlistentry>
513         <term><userinput>trace <replaceable>level</replaceable></userinput></term>
514         <listitem>
515           <para>
516             Sets the server's debugging level to an explicit
517             value.
518           </para>
519         </listitem>
520       </varlistentry>
522       <varlistentry>
523         <term><userinput>notrace</userinput></term>
524         <listitem>
525           <para>
526             Sets the server's debugging level to 0.
527           </para>
528         </listitem>
529       </varlistentry>
531       <varlistentry>
532         <term><userinput>flush</userinput></term>
533         <listitem>
534           <para>
535             Flushes the server's cache.
536           </para>
537         </listitem>
538       </varlistentry>
540       <varlistentry>
541         <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
542         <listitem>
543           <para>
544             Flushes the given name from the server's DNS cache
545             and, if applicable, from the server's nameserver address
546             database or bad-server cache.
547           </para>
548         </listitem>
549       </varlistentry>
551       <varlistentry>
552         <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
553         <listitem>
554           <para>
555             Flushes the given name, and all of its subdomains,
556             from the server's DNS cache, the address database,
557             and the bad server cache.
558           </para>
559         </listitem>
560       </varlistentry>
562       <varlistentry>
563         <term><userinput>status</userinput></term>
564         <listitem>
565           <para>
566             Display status of the server.
567             Note that the number of zones includes the internal <command>bind/CH</command> zone
568             and the default <command>./IN</command>
569             hint zone if there is not an
570             explicit root zone configured.
571           </para>
572         </listitem>
573       </varlistentry>
575       <varlistentry>
576         <term><userinput>recursing</userinput></term>
577         <listitem>
578           <para>
579             Dump the list of queries <command>named</command> is currently recursing
580             on.
581           </para>
582         </listitem>
583       </varlistentry>
585       <varlistentry>
586         <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
587         <listitem>
588           <para>
589             Enable, disable, or check the current status of
590             DNSSEC validation.
591             Note <command>dnssec-enable</command> also needs to be
592             set to <userinput>yes</userinput> or
593             <userinput>auto</userinput> to be effective.
594             It defaults to enabled.
595           </para>
596         </listitem>
597       </varlistentry>
599       <varlistentry>
600         <term><userinput>tsig-list</userinput></term>
601         <listitem>
602           <para>
603             List the names of all TSIG keys currently configured
604             for use by <command>named</command> in each view.  The
605             list both statically configured keys and dynamic
606             TKEY-negotiated keys.
607           </para>
608         </listitem>
609       </varlistentry>
611       <varlistentry>
612         <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
613         <listitem>
614           <para>
615             Delete a given TKEY-negotiated key from the server.
616             (This does not apply to statically configured TSIG
617             keys.)
618           </para>
619         </listitem>
620       </varlistentry>
622       <varlistentry>
623         <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
624         <listitem>
625           <para>
626             Add a zone while the server is running.  This
627             command requires the
628             <command>allow-new-zones</command> option to be set
629             to <userinput>yes</userinput>.  The
630             <replaceable>configuration</replaceable> string
631             specified on the command line is the zone
632             configuration text that would ordinarily be
633             placed in <filename>named.conf</filename>.
634           </para>
635           <para>
636             The configuration is saved in a file called
637            <filename><replaceable>hash</replaceable>.nzf</filename>,
638             where <replaceable>hash</replaceable> is a
639             cryptographic hash generated from the name of
640             the view.  When <command>named</command> is
641             restarted, the file will be loaded into the view
642             configuration, so that zones that were added
643             can persist after a restart.
644           </para>
645           <para>
646             This sample <command>addzone</command> command
647             would add the zone <literal>example.com</literal>
648             to the default view:
649           </para>
650           <para>
651 <prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
652           </para>
653           <para>
654             (Note the brackets and semi-colon around the zone
655             configuration text.)
656           </para>
657         </listitem>
658       </varlistentry>
660       <varlistentry>
661         <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
662         <listitem>
663           <para>
664             Delete a zone while the server is running.
665             Only zones that were originally added via
666             <command>rndc addzone</command> can be deleted
667             in this manner. 
668           </para>
669           <para>
670             If the <option>-clean</option> is specified,
671             the zone's master file (and journal file, if any)
672             will be deleted along with the zone.  Without the
673             <option>-clean</option> option, zone files must
674             be cleaned up by hand.  (If the zone is of
675             type "slave" or "stub", the files needing to
676             be cleaned up will be reported in the output
677             of the <command>rndc delzone</command> command.)
678           </para>
679         </listitem>
680       </varlistentry>
682       <varlistentry>
683         <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
684         <listitem>
685           <para>
686             List, edit, or remove the DNSSEC signing state records
687             for the specified zone.  The status of ongoing DNSSEC
688             operations (such as signing or generating
689             NSEC3 chains) is stored in the zone in the form
690             of DNS resource records of type
691             <command>sig-signing-type</command>. 
692             <command>rndc signing -list</command> converts
693             these records into a human-readable form,
694             indicating which keys are currently signing
695             or have finished signing the zone, and which NSEC3
696             chains are being created or removed.
697           </para>
698           <para>
699             <command>rndc signing -clear</command> can remove
700             a single key (specified in the same format that
701             <command>rndc signing -list</command> uses to
702             display it), or all keys.  In either case, only
703             completed keys are removed; any record indicating
704             that a key has not yet finished signing the zone
705             will be retained.
706           </para>
707           <para>
708             <command>rndc signing -nsec3param</command> sets
709             the NSEC3 parameters for a zone.  This is the
710             only supported mechanism for using NSEC3 with
711             <command>inline-signing</command> zones.
712             Parameters are specified in the same format as
713             an NSEC3PARAM resource record: hash algorithm,
714             flags, iterations, and salt, in that order.
715           </para>
716           <para>
717             Currently, the only defined value for hash algorithm 
718             is <literal>1</literal>, representing SHA-1.
719             The <option>flags</option> may be set to
720             <literal>0</literal> or <literal>1</literal>,
721             depending on whether you wish to set the opt-out
722             bit in the NSEC3 chain.  <option>iterations</option>
723             defines the number of additional times to apply
724             the algorithm when generating an NSEC3 hash.  The
725             <option>salt</option> is a string of data expressed
726             in hexadecimal, a hyphen (`-') if no salt is
727             to be used, or the keyword <literal>auto</literal>,
728             which causes <command>named</command> to generate a
729             random 64-bit salt.
730           </para>
731           <para>
732             So, for example, to create an NSEC3 chain using
733             the SHA-1 hash algorithm, no opt-out flag,
734             10 iterations, and a salt value of "FFFF", use:
735             <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
736             To set the opt-out flag, 15 iterations, and no
737             salt, use:
738             <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
739           </para>
740           <para>
741             <command>rndc signing -nsec3param none</command>
742             removes an existing NSEC3 chain and replaces it
743             with NSEC.
744           </para>
745         </listitem>
746       </varlistentry>
747     </variablelist>
748   </refsect1>
750   <refsect1>
751     <title>LIMITATIONS</title>
752     <para>
753       There is currently no way to provide the shared secret for a
754       <option>key_id</option> without using the configuration file.
755     </para>
756     <para>
757       Several error messages could be clearer.
758     </para>
759   </refsect1>
761   <refsect1>
762     <title>SEE ALSO</title>
763     <para><citerefentry>
764         <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
765       </citerefentry>,
766       <citerefentry>
767         <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
768       </citerefentry>,
769       <citerefentry>
770         <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
771       </citerefentry>,
772       <citerefentry>
773         <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
774       </citerefentry>,
775       <citerefentry>
776         <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
777       </citerefentry>,
778       <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
779     </para>
780   </refsect1>
782   <refsect1>
783     <title>AUTHOR</title>
784     <para><corpauthor>Internet Systems Consortium</corpauthor>
785     </para>
786   </refsect1>
788 </refentry><!--
789  - Local variables:
790  - mode: sgml
791  - End: