1RNDC(8) BIND9 RNDC(8)
2
6 rndc - name server control utility
7
9 rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
10 [-p port] [-q] [-r] [-V] [-y key_id] {command}
11
13 rndc controls the operation of a name server. It supersedes the ndc
14 utility that was provided in old BIND releases. If rndc is invoked with
15 no command line options or arguments, it prints a short summary of the
16 supported commands and the available options and their arguments.
17 rndc communicates with the name server over a TCP connection, sending
19 commands authenticated with digital signatures. In the current versions
20 of rndc and named, the only supported authentication algorithms are
21 HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
22 (default), HMAC-SHA384 and HMAC-SHA512. They use a shared secret on
23 each end of the connection. This provides TSIG-style authentication for
24 the command request and the name server's response. All commands sent
25 over the channel must be signed by a key_id known to the server.
26 rndc reads a configuration file to determine how to contact the name
28 server and decide what algorithm and key it should use.
29
31 -b source-address
32 Use source-address as the source address for the connection to the
33 server. Multiple instances are permitted to allow setting of both
34 the IPv4 and IPv6 source addresses.
35 -c config-file
37 Use config-file as the configuration file instead of the default,
38 /etc/rndc.conf.
39 -k key-file
41 Use key-file as the key file instead of the default, /etc/rndc.key.
42 The key in /etc/rndc.key will be used to authenticate commands sent
43 to the server if the config-file does not exist.
44 -s server
46 server is the name or address of the server which matches a server
47 statement in the configuration file for rndc. If no server is
48 supplied on the command line, the host named by the default-server
49 clause in the options statement of the rndc configuration file will
50 be used.
51 -p port
53 Send commands to TCP port port instead of BIND 9's default control
54 channel port, 953.
55 -q
57 Quiet mode: Message text returned by the server will not be printed
58 except when there is an error.
59 -r
61 Instructs rndc to print the result code returned by named after
62 executing the requested command (e.g., ISC_R_SUCCESS,
63 ISC_R_FAILURE, etc).
64 -V
66 Enable verbose logging.
67 -y key_id
69 Use the key key_id from the configuration file. key_id must be
70 known by named with the same algorithm and secret string in order
71 for control message validation to succeed. If no key_id is
72 specified, rndc will first look for a key clause in the server
73 statement of the server being used, or if no server statement is
74 present for that host, then the default-key clause of the options
75 statement. Note that the configuration file contains shared secrets
76 which are used to send authenticated control commands to name
77 servers. It should therefore not have general read or write access.
78
80 A list of commands supported by rndc can be seen by running rndc
81 without arguments.
82 Currently supported commands are:
84 addzone zone [class [view]] configuration
86 Add a zone while the server is running. This command requires the
87 allow-new-zones option to be set to yes. The configuration string
88 specified on the command line is the zone configuration text that
89 would ordinarily be placed in named.conf.
90 The configuration is saved in a file called name.nzf, where name is
92 the name of the view, or if it contains characters that are
93 incompatible with use as a file name, a cryptographic hash
94 generated from the name of the view. When named is restarted, the
95 file will be loaded into the view configuration, so that zones that
96 were added can persist after a restart.
97 This sample addzone command would add the zone example.com to the
99 default view:
100 $rndc addzone example.com '{ type master; file "example.com.db";
102 };'
103 (Note the brackets and semi-colon around the zone configuration
105 text.)
106 See also rndc delzone and rndc modzone.
108 delzone [-clean] zone [class [view]]
110 Delete a zone while the server is running.
111 If the -clean argument is specified, the zone's master file (and
113 journal file, if any) will be deleted along with the zone. Without
114 the -clean option, zone files must be cleaned up by hand. (If the
115 zone is of type "slave" or "stub", the files needing to be cleaned
116 up will be reported in the output of the rndc delzone command.)
117 If the zone was originally added via rndc addzone, then it will be
119 removed permanently. However, if it was originally configured in
120 named.conf, then that original configuration is still in place;
121 when the server is restarted or reconfigured, the zone will come
122 back. To remove it permanently, it must also be removed from
123 named.conf
124 See also rndc addzone and rndc modzone.
126 dnstap ( -reopen | -roll [number] )
128 Close and re-open DNSTAP output files. rndc dnstap -reopen allows
129 the output file to be renamed externally, so that named can
130 truncate and re-open it. rndc dnstap -roll causes the output file
131 to be rolled automatically, similar to log files; the most recent
132 output file has ".0" appended to its name; the previous most recent
133 output file is moved to ".1", and so on. If number is specified,
134 then the number of backup log files is limited to that number.
135 dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
137 Dump the server's caches (default) and/or zones to the dump file
138 for the specified views. If no view is specified, all views are
139 dumped. (See the dump-file option in the BIND 9 Administrator
140 Reference Manual.)
141 flush
143 Flushes the server's cache.
144 flushname name [view]
146 Flushes the given name from the view's DNS cache and, if
147 applicable, from the view's nameserver address database, bad server
148 cache and SERVFAIL cache.
149 flushtree name [view]
151 Flushes the given name, and all of its subdomains, from the view's
152 DNS cache, address database, bad server cache, and SERVFAIL cache.
153 freeze [zone [class [view]]]
155 Suspend updates to a dynamic zone. If no zone is specified, then
156 all zones are suspended. This allows manual edits to be made to a
157 zone normally updated by dynamic update. It also causes changes in
158 the journal file to be synced into the master file. All dynamic
159 update attempts will be refused while the zone is frozen.
160 See also rndc thaw.
162 halt [-p]
164 Stop the server immediately. Recent changes made through dynamic
165 update or IXFR are not saved to the master files, but will be
166 rolled forward from the journal files when the server is restarted.
167 If -p is specified named's process id is returned. This allows an
168 external process to determine when named had completed halting.
169 See also rndc stop.
171 loadkeys zone [class [view]]
173 Fetch all DNSSEC keys for the given zone from the key directory. If
174 they are within their publication period, merge them into the
175 zone's DNSKEY RRset. Unlike rndc sign, however, the zone is not
176 immediately re-signed by the new keys, but is allowed to
177 incrementally re-sign over time.
178 This command requires that the auto-dnssec zone option be set to
180 maintain, and also requires the zone to be configured to allow
181 dynamic DNS. (See "Dynamic Update Policies" in the Administrator
182 Reference Manual for more details.)
183 managed-keys (status | refresh | sync) [class [view]]
185 When run with the "status" keyword, print the current status of the
186 managed-keys database for the specified view, or for all views if
187 none is specified. When run with the "refresh" keyword, force an
188 immediate refresh of all the managed-keys in the specified view, or
189 all views. When run with the "sync" keyword, force an immediate
190 dump of the managed-keys database to disk (in the file
191 managed-keys.bind or (viewname.mkeys).
192 modzone zone [class [view]] configuration
194 Modify the configuration of a zone while the server is running.
195 This command requires the allow-new-zones option to be set to yes.
196 As with addzone, the configuration string specified on the command
197 line is the zone configuration text that would ordinarily be placed
198 in named.conf.
199 If the zone was originally added via rndc addzone, the
201 configuration changes will be recorded permanently and will still
202 be in effect after the server is restarted or reconfigured.
203 However, if it was originally configured in named.conf, then that
204 original configuration is still in place; when the server is
205 restarted or reconfigured, the zone will revert to its original
206 configuration. To make the changes permanent, it must also be
207 modified in named.conf
208 See also rndc addzone and rndc delzone.
210 notify zone [class [view]]
212 Resend NOTIFY messages for the zone.
213 notrace
215 Sets the server's debugging level to 0.
216 See also rndc trace.
218 nta [( -d | -f | -r | -l duration)] domain [view]
220 Sets a DNSSEC negative trust anchor (NTA) for domain, with a
221 lifetime of duration. The default lifetime is configured in
222 named.conf via the nta-lifetime option, and defaults to one hour.
223 The lifetime cannot exceed one week.
224 A negative trust anchor selectively disables DNSSEC validation for
226 zones that are known to be failing because of misconfiguration
227 rather than an attack. When data to be validated is at or below an
228 active NTA (and above any other configured trust anchors), named
229 will abort the DNSSEC validation process and treat the data as
230 insecure rather than bogus. This continues until the NTA's lifetime
231 is elapsed.
232 NTAs persist across restarts of the named server. The NTAs for a
234 view are saved in a file called name.nta, where name is the name of
235 the view, or if it contains characters that are incompatible with
236 use as a file name, a cryptographic hash generated from the name of
237 the view.
238 An existing NTA can be removed by using the -remove option.
240 An NTA's lifetime can be specified with the -lifetime option.
242 TTL-style suffixes can be used to specify the lifetime in seconds,
243 minutes, or hours. If the specified NTA already exists, its
244 lifetime will be updated to the new value. Setting lifetime to zero
245 is equivalent to -remove.
246 If -dump is used, any other arguments are ignored, and a list of
248 existing NTAs is printed (note that this may include NTAs that are
249 expired but have not yet been cleaned up).
250 Normally, named will periodically test to see whether data below an
252 NTA can now be validated (see the nta-recheck option in the
253 Administrator Reference Manual for details). If data can be
254 validated, then the NTA is regarded as no longer necessary, and
255 will be allowed to expire early. The -force overrides this behavior
256 and forces an NTA to persist for its entire lifetime, regardless of
257 whether data could be validated if the NTA were not present.
258 All of these options can be shortened, i.e., to -l, -r, -d, and -f.
260 querylog [ on | off ]
262 Enable or disable query logging. (For backward compatibility, this
263 command can also be used without an argument to toggle query
264 logging on and off.)
265 Query logging can also be enabled by explicitly directing the
267 queriescategory to a channel in the logging section of named.conf
268 or by specifying querylog yes; in the options section of
269 named.conf.
270 reconfig
272 Reload the configuration file and load new zones, but do not reload
273 existing zone files even if they have changed. This is faster than
274 a full reload when there is a large number of zones because it
275 avoids the need to examine the modification times of the zones
276 files.
277 recursing
279 Dump the list of queries named is currently recursing on, and the
280 list of domains to which iterative queries are currently being
281 sent. (The second list includes the number of fetches currently
282 active for the given domain, and how many have been passed or
283 dropped because of the fetches-per-zone option.)
284 refresh zone [class [view]]
286 Schedule zone maintenance for the given zone.
287 reload
289 Reload configuration file and zones.
290 reload zone [class [view]]
292 Reload the given zone.
293 retransfer zone [class [view]]
295 Retransfer the given slave zone from the master server.
296 If the zone is configured to use inline-signing, the signed version
298 of the zone is discarded; after the retransfer of the unsigned
299 version is complete, the signed version will be regenerated with
300 all new signatures.
301 scan
303 Scan the list of available network interfaces for changes, without
304 performing a full reconfig or waiting for the interface-interval
305 timer.
306 secroots [-] [view ...]
308 Dump the server's security roots and negative trust anchors for the
309 specified views. If no view is specified, all views are dumped.
310 If the first argument is "-", then the output is returned via the
312 rndc response channel and printed to the standard output.
313 Otherwise, it is written to the secroots dump file, which defaults
314 to named.secroots, but can be overridden via the secroots-file
315 option in named.conf.
316 See also rndc managed-keys.
318 showzone zone [class [view]]
320 Print the configuration of a running zone.
321 See also rndc zonestatus.
323 sign zone [class [view]]
325 Fetch all DNSSEC keys for the given zone from the key directory
326 (see the key-directory option in the BIND 9 Administrator Reference
327 Manual). If they are within their publication period, merge them
328 into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then
329 the zone is automatically re-signed with the new key set.
330 This command requires that the auto-dnssec zone option be set to
332 allow or maintain, and also requires the zone to be configured to
333 allow dynamic DNS. (See "Dynamic Update Policies" in the
334 Administrator Reference Manual for more details.)
335 See also rndc loadkeys.
337 signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param (
339 parameters | none ) | -serial value ) ] zone [class [view]]
340 List, edit, or remove the DNSSEC signing state records for the
341 specified zone. The status of ongoing DNSSEC operations (such as
342 signing or generating NSEC3 chains) is stored in the zone in the
343 form of DNS resource records of type sig-signing-type. rndc
344 signing -list converts these records into a human-readable form,
345 indicating which keys are currently signing or have finished
346 signing the zone, and which NSEC3 chains are being created or
347 removed.
348 rndc signing -clear can remove a single key (specified in the same
350 format that rndc signing -list uses to display it), or all keys. In
351 either case, only completed keys are removed; any record indicating
352 that a key has not yet finished signing the zone will be retained.
353 rndc signing -nsec3param sets the NSEC3 parameters for a zone. This
355 is the only supported mechanism for using NSEC3 with inline-signing
356 zones. Parameters are specified in the same format as an NSEC3PARAM
357 resource record: hash algorithm, flags, iterations, and salt, in
358 that order.
359 Currently, the only defined value for hash algorithm is 1,
361 representing SHA-1. The flags may be set to 0 or 1, depending on
362 whether you wish to set the opt-out bit in the NSEC3 chain.
363 iterations defines the number of additional times to apply the
364 algorithm when generating an NSEC3 hash. The salt is a string of
365 data expressed in hexadecimal, a hyphen (`-') if no salt is to be
366 used, or the keyword auto, which causes named to generate a random
367 64-bit salt.
368 So, for example, to create an NSEC3 chain using the SHA-1 hash
370 algorithm, no opt-out flag, 10 iterations, and a salt value of
371 "FFFF", use: rndc signing -nsec3param 1 0 10 FFFF zone. To set the
372 opt-out flag, 15 iterations, and no salt, use: rndc signing
373 -nsec3param 1 1 15 - zone.
374 rndc signing -nsec3param none removes an existing NSEC3 chain and
376 replaces it with NSEC.
377 rndc signing -serial value sets the serial number of the zone to
379 value. If the value would cause the serial number to go backwards
380 it will be rejected. The primary use is to set the serial on inline
381 signed zones.
382 stats
384 Write server statistics to the statistics file. (See the
385 statistics-file option in the BIND 9 Administrator Reference
386 Manual.)
387 status
389 Display status of the server. Note that the number of zones
390 includes the internal bind/CH zone and the default ./IN hint zone
391 if there is not an explicit root zone configured.
392 stop [-p]
394 Stop the server, making sure any recent changes made through
395 dynamic update or IXFR are first saved to the master files of the
396 updated zones. If -p is specified named's process id is returned.
397 This allows an external process to determine when named had
398 completed stopping.
399 See also rndc halt.
401 sync [-clean] [zone [class [view]]]
403 Sync changes in the journal file for a dynamic zone to the master
404 file. If the "-clean" option is specified, the journal file is also
405 removed. If no zone is specified, then all zones are synced.
406 thaw [zone [class [view]]]
408 Enable updates to a frozen dynamic zone. If no zone is specified,
409 then all frozen zones are enabled. This causes the server to reload
410 the zone from disk, and re-enables dynamic updates after the load
411 has completed. After a zone is thawed, dynamic updates will no
412 longer be refused. If the zone has changed and the
413 ixfr-from-differences option is in use, then the journal file will
414 be updated to reflect changes in the zone. Otherwise, if the zone
415 has changed, any existing journal file will be removed.
416 See also rndc freeze.
418 trace
420 Increment the servers debugging level by one.
421 trace level
423 Sets the server's debugging level to an explicit value.
424 See also rndc notrace.
426 tsig-delete keyname [view]
428 Delete a given TKEY-negotiated key from the server. (This does not
429 apply to statically configured TSIG keys.)
430 tsig-list
432 List the names of all TSIG keys currently configured for use by
433 named in each view. The list both statically configured keys and
434 dynamic TKEY-negotiated keys.
435 validation ( on | off | status ) [view ...]
437 Enable, disable, or check the current status of DNSSEC validation.
438 Note dnssec-enable also needs to be set to yes or auto to be
439 effective. It defaults to enabled.
440 zonestatus zone [class [view]]
442 Displays the current status of the given zone, including the master
443 file name and any include files from which it was loaded, when it
444 was most recently loaded, the current serial number, the number of
445 nodes, whether the zone supports dynamic updates, whether the zone
446 is DNSSEC signed, whether it uses automatic DNSSEC key management
447 or inline signing, and the scheduled refresh or expiry times for
448 the zone.
449 See also rndc showzone.
451
453 There is currently no way to provide the shared secret for a key_id
454 without using the configuration file.
455 Several error messages could be clearer.
457
459 rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9
460 Administrator Reference Manual.
461
463 Internet Systems Consortium, Inc.
464
466 Copyright © 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems
467 Consortium, Inc. ("ISC")
468ISC 2014-08-15 RNDC(8)