RNDC(8)                                                  BIND9                                                  RNDC(8)

NAME
rndc - name server control utility

SYNOPSIS
rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
[-p port] [-V] [-y key_id] {command}

DESCRIPTION
rndc controls the operation of a name server. It supersedes the ndc
utility that was provided in old BIND releases. If rndc is invoked with
no command line options or arguments, it prints a short summary of the
supported commands and the available options and their arguments.

rndc communicates with the name server over a TCP connection, sending
commands authenticated with digital signatures. In the current versions
of rndc and named, the only supported authentication algorithm is
HMAC-MD5, which uses a shared secret on each end of the connection.
This provides TSIG-style authentication for the command request and the
name server's response. All commands sent over the channel must be
signed by a key_id known to the server.

rndc reads a configuration file to determine how to contact the name
server and decide what algorithm and key it should use.

OPTIONS
-b source-address
Use source-address as the source address for the connection to the
server. Multiple instances are permitted to allow setting of both
the IPv4 and IPv6 source addresses.

-c config-file
Use config-file as the configuration file instead of the default,
/etc/rndc.conf.

-k key-file
Use key-file as the key file instead of the default, /etc/rndc.key.
The key in /etc/rndc.key will be used to authenticate commands sent
to the server if the config-file does not exist.

-s server
server is the name or address of the server which matches a server
statement in the configuration file for rndc. If no server is
supplied on the command line, the host named by the default-server
clause in the options statement of the rndc configuration file will
be used.

-p port
Send commands to TCP port port instead of BIND 9's default control
channel port, 953.

-V
Enable verbose logging.

-y key_id
Use the key key_id from the configuration file. key_id must be
known by named with the same algorithm and secret string in order
for control message validation to succeed. If no key_id is
specified, rndc will first look for a key clause in the server
statement of the server being used, or if no server statement is
present for that host, then the default-key clause of the options
statement. Note that the configuration file contains shared secrets
which are used to send authenticated control commands to name
servers. It should therefore not have general read or write access.

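The two requirements above (the key_id must exist on both sides with the same algorithm and secret, and the file holding the secret must not be generally readable) are easy to get wrong by hand. The following Python script is an added example, not part of BIND or of this manual page: it generates a shared secret, renders the matching key statement for rndc.conf and for named.conf (together with a controls statement, whose syntax is taken from named.conf(5)), writes rndc.conf with owner-only permissions from the moment it is created, and then checks that both files agree on the key. The key name "rndc-key", the 16-byte secret size, and the 127.0.0.1 port 953 control channel are assumptions for illustration.

```python
"""Build a matched rndc.conf / named.conf key pair and check both sides agree.

Added example, not part of BIND.  Key name, secret size and the
127.0.0.1:953 control channel are assumptions for illustration.
"""
import base64
import os
import re
import secrets
import stat
import tempfile

# Matches:  key "name" { algorithm hmac-md5; secret "base64"; };
# Quotes around the name are optional, as in named.conf.  Good enough for
# the snippets built below; it is not a full named.conf parser.
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.S,
)


def make_secret(nbytes=16):
    """Random HMAC-MD5 shared secret, base64-encoded as the secret clause expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def rndc_conf(key_id, secret, server="127.0.0.1", port=953):
    """Client side: the key, plus the default-key/default-server options rndc uses."""
    return (
        f'key "{key_id}" {{\n'
        f'    algorithm hmac-md5;\n'
        f'    secret "{secret}";\n'
        f'}};\n\n'
        f'options {{\n'
        f'    default-key "{key_id}";\n'
        f'    default-server {server};\n'
        f'    default-port {port};\n'
        f'}};\n'
    )


def named_controls(key_id, secret, listen="127.0.0.1", port=953):
    """Server side: the same key, and a controls statement (named.conf(5)) that
    accepts commands signed with it only from the listen address."""
    return (
        f'key "{key_id}" {{\n'
        f'    algorithm hmac-md5;\n'
        f'    secret "{secret}";\n'
        f'}};\n\n'
        f'controls {{\n'
        f'    inet {listen} port {port} allow {{ {listen}; }} keys {{ "{key_id}"; }};\n'
        f'}};\n'
    )


def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key statement in text."""
    return {name: (alg.lower(), sec) for name, alg, sec in KEY_RE.findall(text)}


def keys_match(rndc_text, named_text, key_id):
    """True only if key_id exists on both sides with identical algorithm and
    secret, which is what control message validation requires."""
    client = parse_keys(rndc_text)
    server = parse_keys(named_text)
    return key_id in client and client[key_id] == server.get(key_id)


def write_private(path, text):
    """Create the file with mode 0600 from the start, so the secret is never
    readable by other users even briefly.  Returns the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path):
    """True if neither group nor other has any access bit on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo(key_id="rndc-key"):
    """Generate both sides into a temp dir; returns (keys_match, mode, private)."""
    secret = make_secret()
    client = rndc_conf(key_id, secret)
    server = named_controls(key_id, secret)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rndc.conf")
        mode = write_private(path, client)
        private = is_private(path)
    return keys_match(client, server, key_id), mode, private


if __name__ == "__main__":
    print(demo())
```

The same keys_match check can be pointed at an existing /etc/rndc.conf and named.conf to confirm that a "permission denied"-style failure is not simply a secret that was rotated on one side only; is_private is the check to run on /etc/rndc.conf and /etc/rndc.key.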
COMMANDS
A list of commands supported by rndc can be seen by running rndc
without arguments.

Currently supported commands are:

reload
Reload configuration file and zones.

reload zone [class [view]]
Reload the given zone.

refresh zone [class [view]]
Schedule zone maintenance for the given zone.

retransfer zone [class [view]]
Retransfer the given zone from the master.

sign zone [class [view]]
Fetch all DNSSEC keys for the given zone from the key directory
(see the key-directory option in the BIND 9 Administrator Reference
Manual). If they are within their publication period, merge them
into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then
the zone is automatically re-signed with the new key set.

This command requires that the auto-dnssec zone option be set to
allow or maintain, and also requires the zone to be configured to
allow dynamic DNS. (See "Dynamic Update Policies" in the
Administrator Reference Manual for more details.)

loadkeys zone [class [view]]
Fetch all DNSSEC keys for the given zone from the key directory. If
they are within their publication period, merge them into the
zone's DNSKEY RRset. Unlike rndc sign, however, the zone is not
immediately re-signed by the new keys, but is allowed to
incrementally re-sign over time.

This command requires that the auto-dnssec zone option be set to
maintain, and also requires the zone to be configured to allow
dynamic DNS. (See "Dynamic Update Policies" in the Administrator
Reference Manual for more details.)

freeze [zone [class [view]]]
Suspend updates to a dynamic zone. If no zone is specified, then
all zones are suspended. This allows manual edits to be made to a
zone normally updated by dynamic update. It also causes changes in
the journal file to be synced into the master file. All dynamic
update attempts will be refused while the zone is frozen.

thaw [zone [class [view]]]
Enable updates to a frozen dynamic zone. If no zone is specified,
then all frozen zones are enabled. This causes the server to reload
the zone from disk, and re-enables dynamic updates after the load
has completed. After a zone is thawed, dynamic updates will no
longer be refused. If the zone has changed and the
ixfr-from-differences option is in use, then the journal file will
be updated to reflect changes in the zone. Otherwise, if the zone
has changed, any existing journal file will be removed.

sync [-clean] [zone [class [view]]]
Sync changes in the journal file for a dynamic zone to the master
file. If the "-clean" option is specified, the journal file is also
removed. If no zone is specified, then all zones are synced.

notify zone [class [view]]
Resend NOTIFY messages for the zone.

reconfig
Reload the configuration file and load new zones, but do not reload
existing zone files even if they have changed. This is faster than
a full reload when there is a large number of zones because it
avoids the need to examine the modification times of the zone
files.

stats
Write server statistics to the statistics file.

querylog [on|off]
Enable or disable query logging. (For backward compatibility, this
command can also be used without an argument to toggle query
logging on and off.)

Query logging can also be enabled by explicitly directing the
queries category to a channel in the logging section of named.conf
or by specifying querylog yes; in the options section of
named.conf.

dumpdb [-all|-cache|-zone] [view ...]
Dump the server's caches (default) and/or zones to the dump file
for the specified views. If no view is specified, all views are
dumped.

secroots [view ...]
Dump the server's security roots to the secroots file for the
specified views. If no view is specified, security roots for all
views are dumped.

stop [-p]
Stop the server, making sure any recent changes made through
dynamic update or IXFR are first saved to the master files of the
updated zones. If -p is specified, named's process id is returned.
This allows an external process to determine when named has
completed stopping.

halt [-p]
Stop the server immediately. Recent changes made through dynamic
update or IXFR are not saved to the master files, but will be
rolled forward from the journal files when the server is restarted.
If -p is specified, named's process id is returned. This allows an
external process to determine when named has completed halting.

trace
Increment the server's debugging level by one.

trace level
Sets the server's debugging level to an explicit value.

notrace
Sets the server's debugging level to 0.

flush
Flushes the server's cache.

flushname name [view]
Flushes the given name from the server's DNS cache and, if
applicable, from the server's nameserver address database or
bad-server cache.

flushtree name [view]
Flushes the given name, and all of its subdomains, from the
server's DNS cache. Note that this does not affect the server's
address database or bad-server cache.

status
Display status of the server. Note that the number of zones
includes the internal bind/CH zone and the default ./IN hint zone
if there is not an explicit root zone configured.

recursing
Dump the list of queries named is currently recursing on.

validation ( on | off | check ) [view ...]
Enable, disable, or check the current status of DNSSEC validation.
Note dnssec-enable also needs to be set to yes or auto to be
effective. It defaults to enabled.

tsig-list
List the names of all TSIG keys currently configured for use by
named in each view. The list includes both statically configured
keys and dynamic TKEY-negotiated keys.

tsig-delete keyname [view]
Delete a given TKEY-negotiated key from the server. (This does not
apply to statically configured TSIG keys.)

addzone zone [class [view]] configuration
Add a zone while the server is running. This command requires the
allow-new-zones option to be set to yes. The configuration string
specified on the command line is the zone configuration text that
would ordinarily be placed in named.conf.

The configuration is saved in a file called hash.nzf, where hash is
a cryptographic hash generated from the name of the view. When
named is restarted, the file will be loaded into the view
configuration, so that zones that were added can persist after a
restart.

This sample addzone command would add the zone example.com to the
default view:

$ rndc addzone example.com '{ type master; file "example.com.db"; };'

(Note the braces and semicolon around the zone configuration
text.)

delzone zone [class [view]]
Delete a zone while the server is running. Only zones that were
originally added via rndc addzone can be deleted in this manner.

signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param (
parameters | none ) ) ] zone [class [view]]
List, edit, or remove the DNSSEC signing state for the specified
zone. The status of ongoing DNSSEC operations (such as signing or
generating NSEC3 chains) is stored in the zone in the form of DNS
resource records of type sig-signing-type. rndc signing -list
converts these records into a human-readable form, indicating which
keys are currently signing or have finished signing the zone, and
which NSEC3 chains are being created or removed.

rndc signing -clear can remove a single key (specified in the same
format that rndc signing -list uses to display it), or all keys. In
either case, only completed keys are removed; any record indicating
that a key has not yet finished signing the zone will be retained.

rndc signing -nsec3param sets the NSEC3 parameters for a zone. This
is the only supported mechanism for using NSEC3 with inline-signing
zones. Parameters are specified in the same format as an NSEC3PARAM
resource record: hash algorithm, flags, iterations, and salt, in
that order.

Currently, the only defined value for hash algorithm is 1,
representing SHA-1. The flags may be set to 0 or 1, depending on
whether you wish to set the opt-out bit in the NSEC3 chain.
iterations defines the number of additional times to apply the
algorithm when generating an NSEC3 hash. The salt is a string of
data expressed in hexadecimal, or a hyphen (`-') if no salt is to
be used.

So, for example, to create an NSEC3 chain using the SHA-1 hash
algorithm, no opt-out flag, 10 iterations, and a salt value of
"FFFF", use: rndc signing -nsec3param 1 0 10 FFFF zone. To set the
opt-out flag, 15 iterations, and no salt, use: rndc signing
-nsec3param 1 1 15 - zone.

rndc signing -nsec3param none removes an existing NSEC3 chain and
replaces it with NSEC.

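To make concrete what the four -nsec3param values do to a zone, the following Python script is an added example, not part of BIND or of this manual page. It validates a parameter set exactly as it would be typed after -nsec3param (algorithm must be 1, flags 0 or 1, salt in hexadecimal or "-"), then computes the NSEC3 hashed owner name for a few names using the iterated SHA-1 construction from RFC 5155: SHA-1 over the canonical wire-format name followed by the salt, then "iterations" further rounds of SHA-1 over the previous digest followed by the salt, base32hex-encoded. The zone example.com and the owner names under it are constructed for illustration; the two parameter sets exercised are the ones given above.

```python
"""NSEC3 hashing (RFC 5155) driven by the four values rndc signing -nsec3param
takes: hash algorithm, flags, iterations, salt.

Added example, not part of BIND; zone and owner names are constructed.
"""
import base64
import hashlib

# base32 (A-Z2-7) -> base32hex (0-9A-V), the alphabet NSEC3 owner names use
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def parse_nsec3param(alg, flags, iterations, salt):
    """Validate 'alg flags iterations salt' as typed on the rndc command line.
    Returns (alg, flags, iterations, salt_bytes); salt '-' means no salt."""
    alg, flags, iterations = int(alg), int(flags), int(iterations)
    if alg != 1:
        raise ValueError("hash algorithm must be 1 (SHA-1); nothing else is defined")
    if flags not in (0, 1):
        raise ValueError("flags must be 0 or 1 (the opt-out bit)")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations is a 16-bit field")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    if len(salt_bytes) > 255:
        raise ValueError("salt is at most 255 bytes")
    return alg, flags, iterations, salt_bytes


def wire_name(name):
    """Canonical wire form: lowercase labels, each length-prefixed, then the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def b32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), lowercase, unpadded."""
    return base64.b32encode(data).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=").lower()


def nsec3_hash(name, iterations, salt):
    """IH(salt, x, k): SHA-1(x || salt), then 'iterations' more rounds of
    SHA-1(previous digest || salt).  Each extra iteration costs every
    validator one more hash per name, which is why small counts are preferred."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def nsec3_owner(name, zone, iterations, salt):
    """Owner name of the NSEC3 record that covers 'name' in 'zone'."""
    return f"{nsec3_hash(name, iterations, salt)}.{zone.rstrip('.')}."


def hash_zone_names(names, zone, params):
    """Apply one parameter set (as given to rndc) to several names.  Returns a
    dict name -> NSEC3 owner, so the effect of iterations and salt is visible."""
    _alg, _flags, iterations, salt = parse_nsec3param(*params)
    return {n: nsec3_owner(n, zone, iterations, salt) for n in names}


if __name__ == "__main__":
    names = ["example.com", "www.example.com", "mail.example.com"]  # constructed
    # the two parameter sets shown in the rndc signing -nsec3param description
    for params in (("1", "0", "10", "FFFF"), ("1", "1", "15", "-")):
        print(params, hash_zone_names(names, "example.com", params))
```

Running the script shows that changing either the salt or the iteration count yields a completely different set of hashed owner names, which is why the zone's NSEC3 chain has to be rebuilt whenever -nsec3param is changed; the flags value does not enter the hash at all, it only marks whether unsigned delegations may be opted out of the chain.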
LIMITATIONS
There is currently no way to provide the shared secret for a key_id
without using the configuration file.

Several error messages could be clearer.

SEE ALSO
rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9
Administrator Reference Manual.

AUTHOR
Internet Systems Consortium

COPYRIGHT
Copyright © 2004, 2005, 2007, 2013 Internet Systems Consortium, Inc.
("ISC")
Copyright © 2000, 2001 Internet Software Consortium.

BIND9                                                June 7, 2013                                                RNDC(8)