[minix.git] / external / bsd / bind / dist / doc / arm / man.rndc.html
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.rndc"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc</span> &#8212; name server control utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657861"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
controls the operation of a name
server. It supersedes the <span><strong class="command">ndc</strong></span> utility
that was provided in old BIND releases. If
<span><strong class="command">rndc</strong></span> is invoked with no command line
options or arguments, it prints a short summary of the
supported commands and the available options and their
arguments.
</p>
<p><span><strong class="command">rndc</strong></span>
communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current
versions of
<span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
the only supported authentication algorithms are HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
(default), HMAC-SHA384 and HMAC-SHA512.
They use a shared secret on each end of the connection.
This provides TSIG-style authentication for the command
request and the name server's response. All commands sent
over the channel must be signed by a key_id known to the
server.
</p>
<p><span><strong class="command">rndc</strong></span>
reads a configuration file to
determine how to contact the name server and decide what
algorithm and key it should use.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2657911"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>source-address</code></em>
as the source address for the connection to the server.
Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>config-file</code></em>
as the configuration file instead of the default,
<code class="filename">/etc/rndc.conf</code>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd><p>
Use <em class="replaceable"><code>key-file</code></em>
as the key file instead of the default,
<code class="filename">/etc/rndc.key</code>. The key in
<code class="filename">/etc/rndc.key</code> will be used to
authenticate
commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
does not exist.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
the name or address of the server which matches a
server statement in the configuration file for
<span><strong class="command">rndc</strong></span>. If no server is supplied on the
command line, the host named by the default-server clause
in the options statement of the <span><strong class="command">rndc</strong></span>
configuration file will be used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
Send commands to TCP port
<em class="replaceable"><code>port</code></em>
instead
of BIND 9's default control channel port, 953.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Message text returned by the server
will not be printed except when there is an error.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Enable verbose logging.
</p></dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
Use the key <em class="replaceable"><code>key_id</code></em>
from the configuration file.
<em class="replaceable"><code>key_id</code></em>
must be
known by named with the same algorithm and secret string
in order for control message validation to succeed.
If no <em class="replaceable"><code>key_id</code></em>
is specified, <span><strong class="command">rndc</strong></span> will first look
for a key clause in the server statement of the server
being used, or if no server statement is present for that
host, then the default-key clause of the options statement.
Note that the configuration file contains shared secrets
which are used to send authenticated control commands
to name servers. It should therefore not have general read
or write access.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2659498"></a><h2>COMMANDS</h2>
<p>
A list of commands supported by <span><strong class="command">rndc</strong></span> can
be seen by running <span><strong class="command">rndc</strong></span> without arguments.
</p>
<p>
Currently supported commands are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
Reload configuration file and zones.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Reload the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Schedule zone maintenance for the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Retransfer the given slave zone from the master server.
</p>
<p>
If the zone is configured to use
<span><strong class="command">inline-signing</strong></span>, the signed
version of the zone is discarded; after the
retransfer of the unsigned version is complete, the
signed version will be regenerated with all new
signatures.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory (see the
<span><strong class="command">key-directory</strong></span> option in
the BIND 9 Administrator Reference Manual). If they are within
their publication period, merge them into the
zone's DNSKEY RRset. If the DNSKEY RRset
is changed, then the zone is automatically
re-signed with the new key set.
</p>
<p>
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option be set
to <code class="literal">allow</code> or
<code class="literal">maintain</code>,
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
Fetch all DNSSEC keys for the given zone
from the key directory. If they are within
their publication period, merge them into the
zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
sign</strong></span>, however, the zone is not
immediately re-signed by the new keys, but is
allowed to incrementally re-sign over time.
</p>
<p>
This command requires that the
<span><strong class="command">auto-dnssec</strong></span> zone option
be set to <code class="literal">maintain</code>,
and also requires the zone to be configured to
allow dynamic DNS.
(See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Suspend updates to a dynamic zone. If no zone is
specified, then all zones are suspended. This allows
manual edits to be made to a zone normally updated by
dynamic update. It also causes changes in the
journal file to be synced into the master file.
All dynamic update attempts will be refused while
the zone is frozen.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Enable updates to a frozen dynamic zone. If no
zone is specified, then all frozen zones are
enabled. This causes the server to reload the zone
from disk, and re-enables dynamic updates after the
load has completed. After a zone is thawed,
dynamic updates will no longer be refused. If
the zone has changed and the
<span><strong class="command">ixfr-from-differences</strong></span> option is
in use, then the journal file will be updated to
reflect changes in the zone. Otherwise, if the
zone has changed, any existing journal file will be
removed.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
<dd><p>
Scan the list of available network interfaces
for changes, without performing a full
<span><strong class="command">reconfig</strong></span> or waiting for the
<span><strong class="command">interface-interval</strong></span> timer.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Sync changes in the journal file for a dynamic zone
to the master file. If the "-clean" option is
specified, the journal file is also removed. If
no zone is specified, then all zones are synced.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
Resend NOTIFY messages for the zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
Reload the configuration file and load new zones,
but do not reload existing zone files even if they
have changed.
This is faster than a full <span><strong class="command">reload</strong></span> when there
is a large number of zones because it avoids the need
to examine the
modification times of the zone files.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
Displays the current status of the given zone,
including the master file name and any include
files from which it was loaded, when it was most
recently loaded, the current serial number, the
number of nodes, whether the zone supports
dynamic updates, whether the zone is DNSSEC
signed, whether it uses automatic DNSSEC key
management or inline signing, and the scheduled
refresh or expiry times for the zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
Write server statistics to the statistics file.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p>
Enable or disable query logging. (For backward
compatibility, this command can also be used without
an argument to toggle query logging on and off.)
</p>
<p>
Query logging can also be enabled
by explicitly directing the <span><strong class="command">queries</strong></span>
<span><strong class="command">category</strong></span> to a
<span><strong class="command">channel</strong></span> in the
<span><strong class="command">logging</strong></span> section of
<code class="filename">named.conf</code> or by specifying
<span><strong class="command">querylog yes;</strong></span> in the
<span><strong class="command">options</strong></span> section of
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
Dump the server's caches (default) and/or zones to
the dump file for the specified views. If no view is
specified, all
views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
Dump the server's security roots to the secroots
file for the specified views. If no view is
specified, security roots for all
views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
has completed stopping.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
Stop the server immediately. Recent changes
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
This allows an external process to determine when <span><strong class="command">named</strong></span>
has completed halting.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
Increment the server's debugging level by one.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd><p>
Sets the server's debugging level to an explicit
value.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd><p>
Sets the server's debugging level to 0.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p>
Flushes the server's cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
Flushes the given name from the server's DNS cache
and, if applicable, from the server's nameserver address
database or bad-server cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
Flushes the given name, and all of its subdomains,
from the server's DNS cache, the address database,
and the bad server cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
Display status of the server.
Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
and the default <span><strong class="command">./IN</strong></span>
hint zone if there is not an
explicit root zone configured.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
on.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd><p>
Enable, disable, or check the current status of
DNSSEC validation.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> or
<strong class="userinput"><code>auto</code></strong> to be effective.
It defaults to enabled.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd><p>
List the names of all TSIG keys currently configured
for use by <span><strong class="command">named</strong></span> in each view. The
list includes both statically configured keys and dynamic
TKEY-negotiated keys.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p>
Delete a given TKEY-negotiated key from the server.
(This does not apply to statically configured TSIG
keys.)
</p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
<p>
Add a zone while the server is running. This
command requires the
<span><strong class="command">allow-new-zones</strong></span> option to be set
to <strong class="userinput"><code>yes</code></strong>. The
<em class="replaceable"><code>configuration</code></em> string
specified on the command line is the zone
configuration text that would ordinarily be
placed in <code class="filename">named.conf</code>.
</p>
<p>
The configuration is saved in a file called
<code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
where <em class="replaceable"><code>hash</code></em> is a
cryptographic hash generated from the name of
the view. When <span><strong class="command">named</strong></span> is
restarted, the file will be loaded into the view
configuration, so that zones that were added
can persist after a restart.
</p>
<p>
This sample <span><strong class="command">addzone</strong></span> command
would add the zone <code class="literal">example.com</code>
to the default view:
</p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
</p>
<p>
(Note the brackets and semi-colon around the zone
configuration text.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
Delete a zone while the server is running.
Only zones that were originally added via
<span><strong class="command">rndc addzone</strong></span> can be deleted
in this manner.
</p>
<p>
If the <code class="option">-clean</code> option is specified,
the zone's master file (and journal file, if any)
will be deleted along with the zone. Without the
<code class="option">-clean</code> option, zone files must
be cleaned up by hand. (If the zone is of
type "slave" or "stub", the files needing to
be cleaned up will be reported in the output
of the <span><strong class="command">rndc delzone</strong></span> command.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
List, edit, or remove the DNSSEC signing state records
for the specified zone. The status of ongoing DNSSEC
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
<span><strong class="command">sig-signing-type</strong></span>.
<span><strong class="command">rndc signing -list</strong></span> converts
these records into a human-readable form,
indicating which keys are currently signing
or have finished signing the zone, and which NSEC3
chains are being created or removed.
</p>
<p>
<span><strong class="command">rndc signing -clear</strong></span> can remove
a single key (specified in the same format that
<span><strong class="command">rndc signing -list</strong></span> uses to
display it), or all keys. In either case, only
completed keys are removed; any record indicating
that a key has not yet finished signing the zone
will be retained.
</p>
<p>
<span><strong class="command">rndc signing -nsec3param</strong></span> sets
the NSEC3 parameters for a zone. This is the
only supported mechanism for using NSEC3 with
<span><strong class="command">inline-signing</strong></span> zones.
Parameters are specified in the same format as
an NSEC3PARAM resource record: hash algorithm,
flags, iterations, and salt, in that order.
</p>
<p>
Currently, the only defined value for hash algorithm
is <code class="literal">1</code>, representing SHA-1.
The <code class="option">flags</code> may be set to
<code class="literal">0</code> or <code class="literal">1</code>,
depending on whether you wish to set the opt-out
bit in the NSEC3 chain. <code class="option">iterations</code>
defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The
<code class="option">salt</code> is a string of data expressed
in hexadecimal, a hyphen (`-') if no salt is
to be used, or the keyword <code class="literal">auto</code>,
which causes <span><strong class="command">named</strong></span> to generate a
random 64-bit salt.
</p>
<p>
So, for example, to create an NSEC3 chain using
the SHA-1 hash algorithm, no opt-out flag,
10 iterations, and a salt value of "FFFF", use:
<span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
To set the opt-out flag, 15 iterations, and no
salt, use:
<span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
</p>
<p>
<span><strong class="command">rndc signing -nsec3param none</strong></span>
removes an existing NSEC3 chain and replaces it
with NSEC.
</p>
</dd>
</dl></div>
</div>
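The four fields that <code>rndc signing -nsec3param</code> takes, parsed with the checks the text describes (algorithm 1 only, flags 0 or 1, hex salt or "-" or "auto") and then carried through to the actual NSEC3 owner-name hash of RFC 5155, so the effect of "iterations" and "salt" is visible. This is an added example, not code from the manual page or from BIND; the function names are this example's own, and the only assumption beyond the page is that the 64-bit "auto" salt is drawn from os.urandom.

```python
"""Parse rndc -nsec3param arguments and compute RFC 5155 NSEC3 owner hashes.

Added example (not BIND code). Models the "hash algorithm, flags, iterations,
salt" fields exactly as the rndc manual describes them.
"""
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Nsec3Params:
    algorithm: int          # only 1 (SHA-1) is defined
    flags: int              # 0, or 1 to set the opt-out bit in the chain
    iterations: int         # *additional* applications of the hash
    salt: Optional[bytes]   # None means "no salt" ("-" on the command line)


def parse_nsec3param(text: str) -> Nsec3Params:
    """Parse '<algorithm> <flags> <iterations> <salt>' as given to rndc."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    alg, flags, iters = (int(f) for f in fields[:3])
    salt = fields[3]
    if alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in (0, 1):
        raise ValueError("flags must be 0 or 1 (opt-out)")
    if not 0 <= iters <= 0xFFFF:
        raise ValueError("iterations is a 16-bit field")
    if salt == "-":
        salt_bytes: Optional[bytes] = None
    elif salt.lower() == "auto":
        # The manual says named generates a random 64-bit salt; assumption:
        # modelled here with 8 bytes from the OS CSPRNG.
        salt_bytes = os.urandom(8)
    else:
        salt_bytes = bytes.fromhex(salt)      # ValueError on non-hex input
        if len(salt_bytes) > 255:
            raise ValueError("salt length field is one octet")
    return Nsec3Params(alg, flags, iters, salt_bytes)


def format_params(p: Nsec3Params) -> str:
    """Render parameters back in the form the rndc command line takes."""
    salt = "-" if p.salt is None else p.salt.hex().upper()
    return f"{p.algorithm} {p.flags} {p.iterations} {salt}"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, root terminator."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, p: Nsec3Params) -> str:
    """RFC 5155 s.5: IH(salt,x,0)=H(x||salt); IH(salt,x,k)=H(IH(salt,x,k-1)||salt).

    Returns the lowercase base32hex owner label (32 characters for SHA-1).
    """
    salt = p.salt or b""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(p.iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Base32 with the "Extended Hex" alphabet (RFC 4648 s.7); 20 bytes need no padding.
    std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    ext = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).translate(bytes.maketrans(std, ext)).decode().lower()


if __name__ == "__main__":
    # The two parameter strings used as examples in the rndc manual.
    for args in ("1 0 10 FFFF", "1 1 15 -"):
        p = parse_nsec3param(args)
        print(f"{format_params(p):<14} example. -> {nsec3_hash('example.', p)}")
```

With the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations) the apex "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, which the block reproduces.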
<div class="refsect1" lang="en">
<a name="id2691952"></a><h2>LIMITATIONS</h2>
<p>
There is currently no way to provide the shared secret for a
<code class="option">key_id</code> without using the configuration file.
</p>
<p>
Several error messages could be clearer.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2692038"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2692093"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">nsupdate</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>