1RNDC(8)                              BIND9                             RNDC(8)
2
3
4

NAME

6       rndc - name server control utility
7

SYNOPSIS

9       rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
10            [-p port] [-q] [-r] [-V] [-y key_id] {command}
11

DESCRIPTION

13       rndc controls the operation of a name server. It supersedes the ndc
14       utility that was provided in old BIND releases. If rndc is invoked with
15       no command line options or arguments, it prints a short summary of the
16       supported commands and the available options and their arguments.
17
18       rndc communicates with the name server over a TCP connection, sending
19       commands authenticated with digital signatures. In the current versions
20       of rndc and named, the only supported authentication algorithms are
21       HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
22       (default), HMAC-SHA384 and HMAC-SHA512. They use a shared secret on
23       each end of the connection. This provides TSIG-style authentication for
24       the command request and the name server's response. All commands sent
25       over the channel must be signed by a key_id known to the server.
26
27       rndc reads a configuration file to determine how to contact the name
28       server and decide what algorithm and key it should use.
29

OPTIONS

31       -b source-address
32           Use source-address as the source address for the connection to the
33           server. Multiple instances are permitted to allow setting of both
34           the IPv4 and IPv6 source addresses.
35
36       -c config-file
37           Use config-file as the configuration file instead of the default,
38           /etc/rndc.conf.
39
40       -k key-file
41           Use key-file as the key file instead of the default, /etc/rndc.key.
42           The key in /etc/rndc.key will be used to authenticate commands sent
43           to the server if the config-file does not exist.
44
45       -s server
46           server is the name or address of the server which matches a server
47           statement in the configuration file for rndc. If no server is
48           supplied on the command line, the host named by the default-server
49           clause in the options statement of the rndc configuration file will
50           be used.
51
52       -p port
53           Send commands to TCP port port instead of BIND 9's default control
54           channel port, 953.
55
56       -q
57           Quiet mode: Message text returned by the server will not be printed
58           except when there is an error.
59
60       -r
61           Instructs rndc to print the result code returned by named after
62           executing the requested command (e.g., ISC_R_SUCCESS,
63           ISC_R_FAILURE, etc).
64
65       -V
66           Enable verbose logging.
67
68       -y key_id
69           Use the key key_id from the configuration file.  key_id must be
70           known by named with the same algorithm and secret string in order
71           for control message validation to succeed. If no key_id is
72           specified, rndc will first look for a key clause in the server
73           statement of the server being used, or if no server statement is
74           present for that host, then the default-key clause of the options
75           statement. Note that the configuration file contains shared secrets
76           which are used to send authenticated control commands to name
77           servers. It should therefore not have general read or write access.
78

COMMANDS

80       A list of commands supported by rndc can be seen by running rndc
81       without arguments.
82
83       Currently supported commands are:
84
85       addzone zone [class [view]] configuration
86           Add a zone while the server is running. This command requires the
87           allow-new-zones option to be set to yes. The configuration string
88           specified on the command line is the zone configuration text that
89           would ordinarily be placed in named.conf.
90
91           The configuration is saved in a file called name.nzf, where name is
92           the name of the view, or if it contains characters that are
93           incompatible with use as a file name, a cryptographic hash
94           generated from the name of the view. When named is restarted, the
95           file will be loaded into the view configuration, so that zones that
96           were added can persist after a restart.
97
98           This sample addzone command would add the zone example.com to the
99           default view:
100
101           $rndc addzone example.com '{ type master; file "example.com.db";
102           };'
103
104           (Note the brackets and semi-colon around the zone configuration
105           text.)
106
107           See also rndc delzone and rndc modzone.
108
109       delzone [-clean] zone [class [view]]
110           Delete a zone while the server is running.
111
112           If the -clean argument is specified, the zone's master file (and
113           journal file, if any) will be deleted along with the zone. Without
114           the -clean option, zone files must be cleaned up by hand. (If the
115           zone is of type "slave" or "stub", the files needing to be cleaned
116           up will be reported in the output of the rndc delzone command.)
117
118           If the zone was originally added via rndc addzone, then it will be
119           removed permanently. However, if it was originally configured in
120           named.conf, then that original configuration is still in place;
121           when the server is restarted or reconfigured, the zone will come
122           back. To remove it permanently, it must also be removed from
123           named.conf
124
125           See also rndc addzone and rndc modzone.
126
127       dnstap ( -reopen | -roll [number] )
128           Close and re-open DNSTAP output files.  rndc dnstap -reopen allows
129           the output file to be renamed externally, so that named can
130           truncate and re-open it.  rndc dnstap -roll causes the output file
131           to be rolled automatically, similar to log files; the most recent
132           output file has ".0" appended to its name; the previous most recent
133           output file is moved to ".1", and so on. If number is specified,
134           then the number of backup log files is limited to that number.
135
136       dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
137           Dump the server's caches (default) and/or zones to the dump file
138           for the specified views. If no view is specified, all views are
139           dumped. (See the dump-file option in the BIND 9 Administrator
140           Reference Manual.)
141
142       flush
143           Flushes the server's cache.
144
145       flushname name [view]
146           Flushes the given name from the view's DNS cache and, if
147           applicable, from the view's nameserver address database, bad server
148           cache and SERVFAIL cache.
149
150       flushtree name [view]
151           Flushes the given name, and all of its subdomains, from the view's
152           DNS cache, address database, bad server cache, and SERVFAIL cache.
153
154       freeze [zone [class [view]]]
155           Suspend updates to a dynamic zone. If no zone is specified, then
156           all zones are suspended. This allows manual edits to be made to a
157           zone normally updated by dynamic update. It also causes changes in
158           the journal file to be synced into the master file. All dynamic
159           update attempts will be refused while the zone is frozen.
160
161           See also rndc thaw.
162
163       halt [-p]
164           Stop the server immediately. Recent changes made through dynamic
165           update or IXFR are not saved to the master files, but will be
166           rolled forward from the journal files when the server is restarted.
167           If -p is specified named's process id is returned. This allows an
168           external process to determine when named had completed halting.
169
170           See also rndc stop.
171
172       loadkeys zone [class [view]]
173           Fetch all DNSSEC keys for the given zone from the key directory. If
174           they are within their publication period, merge them into the
175           zone's DNSKEY RRset. Unlike rndc sign, however, the zone is not
176           immediately re-signed by the new keys, but is allowed to
177           incrementally re-sign over time.
178
179           This command requires that the auto-dnssec zone option be set to
180           maintain, and also requires the zone to be configured to allow
181           dynamic DNS. (See "Dynamic Update Policies" in the Administrator
182           Reference Manual for more details.)
183
184       managed-keys (status | refresh | sync) [class [view]]
185           When run with the "status" keyword, print the current status of the
186           managed-keys database for the specified view, or for all views if
187           none is specified. When run with the "refresh" keyword, force an
188           immediate refresh of all the managed-keys in the specified view, or
189           all views. When run with the "sync" keyword, force an immediate
190           dump of the managed-keys database to disk (in the file
191           managed-keys.bind or (viewname.mkeys).
192
193       modzone zone [class [view]] configuration
194           Modify the configuration of a zone while the server is running.
195           This command requires the allow-new-zones option to be set to yes.
196           As with addzone, the configuration string specified on the command
197           line is the zone configuration text that would ordinarily be placed
198           in named.conf.
199
200           If the zone was originally added via rndc addzone, the
201           configuration changes will be recorded permanently and will still
202           be in effect after the server is restarted or reconfigured.
203           However, if it was originally configured in named.conf, then that
204           original configuration is still in place; when the server is
205           restarted or reconfigured, the zone will revert to its original
206           configuration. To make the changes permanent, it must also be
207           modified in named.conf
208
209           See also rndc addzone and rndc delzone.
210
211       notify zone [class [view]]
212           Resend NOTIFY messages for the zone.
213
214       notrace
215           Sets the server's debugging level to 0.
216
217           See also rndc trace.
218
219       nta [( -d | -f | -r | -l duration)] domain [view]
220           Sets a DNSSEC negative trust anchor (NTA) for domain, with a
221           lifetime of duration. The default lifetime is configured in
222           named.conf via the nta-lifetime option, and defaults to one hour.
223           The lifetime cannot exceed one week.
224
225           A negative trust anchor selectively disables DNSSEC validation for
226           zones that are known to be failing because of misconfiguration
227           rather than an attack. When data to be validated is at or below an
228           active NTA (and above any other configured trust anchors), named
229           will abort the DNSSEC validation process and treat the data as
230           insecure rather than bogus. This continues until the NTA's lifetime
231           is elapsed.
232
233           NTAs persist across restarts of the named server. The NTAs for a
234           view are saved in a file called name.nta, where name is the name of
235           the view, or if it contains characters that are incompatible with
236           use as a file name, a cryptographic hash generated from the name of
237           the view.
238
239           An existing NTA can be removed by using the -remove option.
240
241           An NTA's lifetime can be specified with the -lifetime option.
242           TTL-style suffixes can be used to specify the lifetime in seconds,
243           minutes, or hours. If the specified NTA already exists, its
244           lifetime will be updated to the new value. Setting lifetime to zero
245           is equivalent to -remove.
246
247           If -dump is used, any other arguments are ignored, and a list of
248           existing NTAs is printed (note that this may include NTAs that are
249           expired but have not yet been cleaned up).
250
251           Normally, named will periodically test to see whether data below an
252           NTA can now be validated (see the nta-recheck option in the
253           Administrator Reference Manual for details). If data can be
254           validated, then the NTA is regarded as no longer necessary, and
255           will be allowed to expire early. The -force overrides this behavior
256           and forces an NTA to persist for its entire lifetime, regardless of
257           whether data could be validated if the NTA were not present.
258
259           All of these options can be shortened, i.e., to -l, -r, -d, and -f.
260
261       querylog [ on | off ]
262           Enable or disable query logging. (For backward compatibility, this
263           command can also be used without an argument to toggle query
264           logging on and off.)
265
266           Query logging can also be enabled by explicitly directing the
267           queriescategory to a channel in the logging section of named.conf
268           or by specifying querylog yes; in the options section of
269           named.conf.
270
271       reconfig
272           Reload the configuration file and load new zones, but do not reload
273           existing zone files even if they have changed. This is faster than
274           a full reload when there is a large number of zones because it
275           avoids the need to examine the modification times of the zones
276           files.
277
278       recursing
279           Dump the list of queries named is currently recursing on, and the
280           list of domains to which iterative queries are currently being
281           sent. (The second list includes the number of fetches currently
282           active for the given domain, and how many have been passed or
283           dropped because of the fetches-per-zone option.)
284
285       refresh zone [class [view]]
286           Schedule zone maintenance for the given zone.
287
288       reload
289           Reload configuration file and zones.
290
291       reload zone [class [view]]
292           Reload the given zone.
293
294       retransfer zone [class [view]]
295           Retransfer the given slave zone from the master server.
296
297           If the zone is configured to use inline-signing, the signed version
298           of the zone is discarded; after the retransfer of the unsigned
299           version is complete, the signed version will be regenerated with
300           all new signatures.
301
302       scan
303           Scan the list of available network interfaces for changes, without
304           performing a full reconfig or waiting for the interface-interval
305           timer.
306
307       secroots [-] [view ...]
308           Dump the server's security roots and negative trust anchors for the
309           specified views. If no view is specified, all views are dumped.
310
311           If the first argument is "-", then the output is returned via the
312           rndc response channel and printed to the standard output.
313           Otherwise, it is written to the secroots dump file, which defaults
314           to named.secroots, but can be overridden via the secroots-file
315           option in named.conf.
316
317           See also rndc managed-keys.
318
319       showzone zone [class [view]]
320           Print the configuration of a running zone.
321
322           See also rndc zonestatus.
323
324       sign zone [class [view]]
325           Fetch all DNSSEC keys for the given zone from the key directory
326           (see the key-directory option in the BIND 9 Administrator Reference
327           Manual). If they are within their publication period, merge them
328           into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then
329           the zone is automatically re-signed with the new key set.
330
331           This command requires that the auto-dnssec zone option be set to
332           allow or maintain, and also requires the zone to be configured to
333           allow dynamic DNS. (See "Dynamic Update Policies" in the
334           Administrator Reference Manual for more details.)
335
336           See also rndc loadkeys.
337
338       signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param (
339       parameters | none ) | -serial value ) ] zone [class [view]]
340           List, edit, or remove the DNSSEC signing state records for the
341           specified zone. The status of ongoing DNSSEC operations (such as
342           signing or generating NSEC3 chains) is stored in the zone in the
343           form of DNS resource records of type sig-signing-type.  rndc
344           signing -list converts these records into a human-readable form,
345           indicating which keys are currently signing or have finished
346           signing the zone, and which NSEC3 chains are being created or
347           removed.
348
349           rndc signing -clear can remove a single key (specified in the same
350           format that rndc signing -list uses to display it), or all keys. In
351           either case, only completed keys are removed; any record indicating
352           that a key has not yet finished signing the zone will be retained.
353
354           rndc signing -nsec3param sets the NSEC3 parameters for a zone. This
355           is the only supported mechanism for using NSEC3 with inline-signing
356           zones. Parameters are specified in the same format as an NSEC3PARAM
357           resource record: hash algorithm, flags, iterations, and salt, in
358           that order.
359
360           Currently, the only defined value for hash algorithm is 1,
361           representing SHA-1. The flags may be set to 0 or 1, depending on
362           whether you wish to set the opt-out bit in the NSEC3 chain.
363           iterations defines the number of additional times to apply the
364           algorithm when generating an NSEC3 hash. The salt is a string of
365           data expressed in hexadecimal, a hyphen (`-') if no salt is to be
366           used, or the keyword auto, which causes named to generate a random
367           64-bit salt.
368
369           So, for example, to create an NSEC3 chain using the SHA-1 hash
370           algorithm, no opt-out flag, 10 iterations, and a salt value of
371           "FFFF", use: rndc signing -nsec3param 1 0 10 FFFF zone. To set the
372           opt-out flag, 15 iterations, and no salt, use: rndc signing
373           -nsec3param 1 1 15 - zone.
374
375           rndc signing -nsec3param none removes an existing NSEC3 chain and
376           replaces it with NSEC.
377
378           rndc signing -serial value sets the serial number of the zone to
379           value. If the value would cause the serial number to go backwards
380           it will be rejected. The primary use is to set the serial on inline
381           signed zones.
382
383       stats
384           Write server statistics to the statistics file. (See the
385           statistics-file option in the BIND 9 Administrator Reference
386           Manual.)
387
388       status
389           Display status of the server. Note that the number of zones
390           includes the internal bind/CH zone and the default ./IN hint zone
391           if there is not an explicit root zone configured.
392
393       stop [-p]
394           Stop the server, making sure any recent changes made through
395           dynamic update or IXFR are first saved to the master files of the
396           updated zones. If -p is specified named's process id is returned.
397           This allows an external process to determine when named had
398           completed stopping.
399
400           See also rndc halt.
401
402       sync [-clean] [zone [class [view]]]
403           Sync changes in the journal file for a dynamic zone to the master
404           file. If the "-clean" option is specified, the journal file is also
405           removed. If no zone is specified, then all zones are synced.
406
407       thaw [zone [class [view]]]
408           Enable updates to a frozen dynamic zone. If no zone is specified,
409           then all frozen zones are enabled. This causes the server to reload
410           the zone from disk, and re-enables dynamic updates after the load
411           has completed. After a zone is thawed, dynamic updates will no
412           longer be refused. If the zone has changed and the
413           ixfr-from-differences option is in use, then the journal file will
414           be updated to reflect changes in the zone. Otherwise, if the zone
415           has changed, any existing journal file will be removed.
416
417           See also rndc freeze.
418
419       trace
420           Increment the servers debugging level by one.
421
422       trace level
423           Sets the server's debugging level to an explicit value.
424
425           See also rndc notrace.
426
427       tsig-delete keyname [view]
428           Delete a given TKEY-negotiated key from the server. (This does not
429           apply to statically configured TSIG keys.)
430
431       tsig-list
432           List the names of all TSIG keys currently configured for use by
433           named in each view. The list both statically configured keys and
434           dynamic TKEY-negotiated keys.
435
436       validation ( on | off | status ) [view ...]
437           Enable, disable, or check the current status of DNSSEC validation.
438           Note dnssec-enable also needs to be set to yes or auto to be
439           effective. It defaults to enabled.
440
441       zonestatus zone [class [view]]
442           Displays the current status of the given zone, including the master
443           file name and any include files from which it was loaded, when it
444           was most recently loaded, the current serial number, the number of
445           nodes, whether the zone supports dynamic updates, whether the zone
446           is DNSSEC signed, whether it uses automatic DNSSEC key management
447           or inline signing, and the scheduled refresh or expiry times for
448           the zone.
449
450           See also rndc showzone.
451

LIMITATIONS

453       There is currently no way to provide the shared secret for a key_id
454       without using the configuration file.
455
456       Several error messages could be clearer.
457

SEE ALSO

459       rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9
460       Administrator Reference Manual.
461

AUTHOR

463       Internet Systems Consortium, Inc.
464
466       Copyright © 2000, 2001, 2004, 2005, 2007, 2013-2018 Internet Systems
467       Consortium, Inc. ("ISC")
468
469
470
471ISC                               2014-08-15                           RNDC(8)
Impressum