1RNDC(8) BIND9 RNDC(8)
2
6 rndc - name server control utility
7
9 rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
10 [-p port] [-q] [-r] [-V] [-y key_id] {command}
11
13 rndc controls the operation of a name server. It supersedes the ndc
14 utility that was provided in old BIND releases. If rndc is invoked with
15 no command line options or arguments, it prints a short summary of the
16 supported commands and the available options and their arguments.
17 rndc communicates with the name server over a TCP connection, sending
19 commands authenticated with digital signatures. In the current versions
20 of rndc and named, the only supported authentication algorithms are
21 HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
22 (default), HMAC-SHA384 and HMAC-SHA512. They use a shared secret on
23 each end of the connection. This provides TSIG-style authentication for
24 the command request and the name server's response. All commands sent
25 over the channel must be signed by a key_id known to the server.
26 rndc reads a configuration file to determine how to contact the name
28 server and decide what algorithm and key it should use.
29
31 -b source-address
32 Use source-address as the source address for the connection to the
33 server. Multiple instances are permitted to allow setting of both
34 the IPv4 and IPv6 source addresses.
35 -c config-file
37 Use config-file as the configuration file instead of the default,
38 /etc/rndc.conf.
39 -k key-file
41 Use key-file as the key file instead of the default, /etc/rndc.key.
42 The key in /etc/rndc.key will be used to authenticate commands sent
43 to the server if the config-file does not exist.
44 -s server
46 server is the name or address of the server which matches a server
47 statement in the configuration file for rndc. If no server is
48 supplied on the command line, the host named by the default-server
49 clause in the options statement of the rndc configuration file will
50 be used.
51 -p port
53 Send commands to TCP port port instead of BIND 9's default control
54 channel port, 953.
55 -q
57 Quiet mode: Message text returned by the server will not be printed
58 except when there is an error.
59 -r
61 Instructs rndc to print the result code returned by named after
62 executing the requested command (e.g., ISC_R_SUCCESS,
63 ISC_R_FAILURE, etc).
64 -V
66 Enable verbose logging.
67 -y key_id
69 Use the key key_id from the configuration file. key_id must be
70 known by named with the same algorithm and secret string in order
71 for control message validation to succeed. If no key_id is
72 specified, rndc will first look for a key clause in the server
73 statement of the server being used, or if no server statement is
74 present for that host, then the default-key clause of the options
75 statement. Note that the configuration file contains shared secrets
76 which are used to send authenticated control commands to name
77 servers. It should therefore not have general read or write access.
78
80 A list of commands supported by rndc can be seen by running rndc
81 without arguments.
82 Currently supported commands are:
84 addzone zone [class [view]] configuration
86 Add a zone while the server is running. This command requires the
87 allow-new-zones option to be set to yes. The configuration string
88 specified on the command line is the zone configuration text that
89 would ordinarily be placed in named.conf.
90 The configuration is saved in a file called name.nzf, where name is
92 the name of the view, or if it contains characters that are
93 incompatible with use as a file name, a cryptographic hash
94 generated from the name of the view. When named is restarted, the
95 file will be loaded into the view configuration, so that zones that
96 were added can persist after a restart.
97 This sample addzone command would add the zone example.com to the
99 default view:
100 $rndc addzone example.com '{ type master; file "example.com.db";
102 };'
103 (Note the brackets and semi-colon around the zone configuration
105 text.)
106 See also rndc delzone and rndc modzone.
108 delzone [-clean] zone [class [view]]
110 Delete a zone while the server is running.
111 If the -clean argument is specified, the zone's master file (and
113 journal file, if any) will be deleted along with the zone. Without
114 the -clean option, zone files must be cleaned up by hand. (If the
115 zone is of type "slave" or "stub", the files needing to be cleaned
116 up will be reported in the output of the rndc delzone command.)
117 If the zone was originally added via rndc addzone, then it will be
119 removed permanently. However, if it was originally configured in
120 named.conf, then that original configuration is still in place;
121 when the server is restarted or reconfigured, the zone will come
122 back. To remove it permanently, it must also be removed from
123 named.conf
124 See also rndc addzone and rndc modzone.
126 dnstap ( -reopen | -roll [number] )
128 Close and re-open DNSTAP output files. rndc dnstap -reopen allows
129 the output file to be renamed externally, so that named can
130 truncate and re-open it. rndc dnstap -roll causes the output file
131 to be rolled automatically, similar to log files; the most recent
132 output file has ".0" appended to its name; the previous most recent
133 output file is moved to ".1", and so on. If number is specified,
134 then the number of backup log files is limited to that number.
135 dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
137 Dump the server's caches (default) and/or zones to the dump file
138 for the specified views. If no view is specified, all views are
139 dumped. (See the dump-file option in the BIND 9 Administrator
140 Reference Manual.)
141 flush
143 Flushes the server's cache.
144 flushname name [view]
146 Flushes the given name from the view's DNS cache and, if
147 applicable, from the view's nameserver address database, bad server
148 cache and SERVFAIL cache.
149 flushtree name [view]
151 Flushes the given name, and all of its subdomains, from the view's
152 DNS cache, address database, bad server cache, and SERVFAIL cache.
153 freeze [zone [class [view]]]
155 Suspend updates to a dynamic zone. If no zone is specified, then
156 all zones are suspended. This allows manual edits to be made to a
157 zone normally updated by dynamic update. It also causes changes in
158 the journal file to be synced into the master file. All dynamic
159 update attempts will be refused while the zone is frozen.
160 See also rndc thaw.
162 halt [-p]
164 Stop the server immediately. Recent changes made through dynamic
165 update or IXFR are not saved to the master files, but will be
166 rolled forward from the journal files when the server is restarted.
167 If -p is specified named's process id is returned. This allows an
168 external process to determine when named had completed halting.
169 See also rndc stop.
171 loadkeys zone [class [view]]
173 Fetch all DNSSEC keys for the given zone from the key directory. If
174 they are within their publication period, merge them into the
175 zone's DNSKEY RRset. Unlike rndc sign, however, the zone is not
176 immediately re-signed by the new keys, but is allowed to
177 incrementally re-sign over time.
178 This command requires that the auto-dnssec zone option be set to
180 maintain, and also requires the zone to be configured to allow
181 dynamic DNS. (See "Dynamic Update Policies" in the Administrator
182 Reference Manual for more details.)
183 managed-keys (status | refresh | sync) [class [view]]
185 When run with the "status" keyword, print the current status of the
186 managed-keys database for the specified view, or for all views if
187 none is specified. When run with the "refresh" keyword, force an
188 immediate refresh of all the managed-keys in the specified view, or
189 all views. When run with the "sync" keyword, force an immediate
190 dump of the managed-keys database to disk (in the file
191 managed-keys.bind or (viewname.mkeys).
192 modzone zone [class [view]] configuration
194 Modify the configuration of a zone while the server is running.
195 This command requires the allow-new-zones option to be set to yes.
196 As with addzone, the configuration string specified on the command
197 line is the zone configuration text that would ordinarily be placed
198 in named.conf.
199 If the zone was originally added via rndc addzone, the
201 configuration changes will be recorded permanently and will still
202 be in effect after the server is restarted or reconfigured.
203 However, if it was originally configured in named.conf, then that
204 original configuration is still in place; when the server is
205 restarted or reconfigured, the zone will revert to its original
206 configuration. To make the changes permanent, it must also be
207 modified in named.conf
208 See also rndc addzone and rndc delzone.
210 notify zone [class [view]]
212 Resend NOTIFY messages for the zone.
213 notrace
215 Sets the server's debugging level to 0.
216 See also rndc trace.
218 nta [( -class class | -dump | -force | -remove | -lifetime duration)]
220 domain [view]
221 Sets a DNSSEC negative trust anchor (NTA) for domain, with a
222 lifetime of duration. The default lifetime is configured in
223 named.conf via the nta-lifetime option, and defaults to one hour.
224 The lifetime cannot exceed one week.
225 A negative trust anchor selectively disables DNSSEC validation for
227 zones that are known to be failing because of misconfiguration
228 rather than an attack. When data to be validated is at or below an
229 active NTA (and above any other configured trust anchors), named
230 will abort the DNSSEC validation process and treat the data as
231 insecure rather than bogus. This continues until the NTA's lifetime
232 is elapsed.
233 NTAs persist across restarts of the named server. The NTAs for a
235 view are saved in a file called name.nta, where name is the name of
236 the view, or if it contains characters that are incompatible with
237 use as a file name, a cryptographic hash generated from the name of
238 the view.
239 An existing NTA can be removed by using the -remove option.
241 An NTA's lifetime can be specified with the -lifetime option.
243 TTL-style suffixes can be used to specify the lifetime in seconds,
244 minutes, or hours. If the specified NTA already exists, its
245 lifetime will be updated to the new value. Setting lifetime to zero
246 is equivalent to -remove.
247 If the -dump is used, any other arguments are ignored, and a list
249 of existing NTAs is printed (note that this may include NTAs that
250 are expired but have not yet been cleaned up).
251 Normally, named will periodically test to see whether data below an
253 NTA can now be validated (see the nta-recheck option in the
254 Administrator Reference Manual for details). If data can be
255 validated, then the NTA is regarded as no longer necessary, and
256 will be allowed to expire early. The -force overrides this behavior
257 and forces an NTA to persist for its entire lifetime, regardless of
258 whether data could be validated if the NTA were not present.
259 The view class can be specified with -class. The default is class
261 IN, which is the only class for which DNSSEC is currently
262 supported.
263 All of these options can be shortened, i.e., to -l, -r, -d, -f, and
265 -c.
266 querylog [ on | off ]
268 Enable or disable query logging. (For backward compatibility, this
269 command can also be used without an argument to toggle query
270 logging on and off.)
271 Query logging can also be enabled by explicitly directing the
273 queries category to a channel in the logging section of named.conf
274 or by specifying querylog yes; in the options section of
275 named.conf.
276 reconfig
278 Reload the configuration file and load new zones, but do not reload
279 existing zone files even if they have changed. This is faster than
280 a full reload when there is a large number of zones because it
281 avoids the need to examine the modification times of the zones
282 files.
283 recursing
285 Dump the list of queries named is currently recursing on, and the
286 list of domains to which iterative queries are currently being
287 sent. (The second list includes the number of fetches currently
288 active for the given domain, and how many have been passed or
289 dropped because of the fetches-per-zone option.)
290 refresh zone [class [view]]
292 Schedule zone maintenance for the given zone.
293 reload
295 Reload configuration file and zones.
296 reload zone [class [view]]
298 Reload the given zone.
299 retransfer zone [class [view]]
301 Retransfer the given slave zone from the master server.
302 If the zone is configured to use inline-signing, the signed version
304 of the zone is discarded; after the retransfer of the unsigned
305 version is complete, the signed version will be regenerated with
306 all new signatures.
307 scan
309 Scan the list of available network interfaces for changes, without
310 performing a full reconfig or waiting for the interface-interval
311 timer.
312 secroots [-] [view ...]
314 Dump the server's security roots and negative trust anchors for the
315 specified views. If no view is specified, all views are dumped.
316 If the first argument is "-", then the output is returned via the
318 rndc response channel and printed to the standard output.
319 Otherwise, it is written to the secroots dump file, which defaults
320 to named.secroots, but can be overridden via the secroots-file
321 option in named.conf.
322 See also rndc managed-keys.
324 showzone zone [class [view]]
326 Print the configuration of a running zone.
327 See also rndc zonestatus.
329 sign zone [class [view]]
331 Fetch all DNSSEC keys for the given zone from the key directory
332 (see the key-directory option in the BIND 9 Administrator Reference
333 Manual). If they are within their publication period, merge them
334 into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then
335 the zone is automatically re-signed with the new key set.
336 This command requires that the auto-dnssec zone option be set to
338 allow or maintain, and also requires the zone to be configured to
339 allow dynamic DNS. (See "Dynamic Update Policies" in the
340 Administrator Reference Manual for more details.)
341 See also rndc loadkeys.
343 signing [( -list | -clear keyid/algorithm | -clear all | -nsec3param (
345 parameters | none ) | -serial value ) ] zone [class [view]]
346 List, edit, or remove the DNSSEC signing state records for the
347 specified zone. The status of ongoing DNSSEC operations (such as
348 signing or generating NSEC3 chains) is stored in the zone in the
349 form of DNS resource records of type sig-signing-type. rndc
350 signing -list converts these records into a human-readable form,
351 indicating which keys are currently signing or have finished
352 signing the zone, and which NSEC3 chains are being created or
353 removed.
354 rndc signing -clear can remove a single key (specified in the same
356 format that rndc signing -list uses to display it), or all keys. In
357 either case, only completed keys are removed; any record indicating
358 that a key has not yet finished signing the zone will be retained.
359 rndc signing -nsec3param sets the NSEC3 parameters for a zone. This
361 is the only supported mechanism for using NSEC3 with inline-signing
362 zones. Parameters are specified in the same format as an NSEC3PARAM
363 resource record: hash algorithm, flags, iterations, and salt, in
364 that order.
365 Currently, the only defined value for hash algorithm is 1,
367 representing SHA-1. The flags may be set to 0 or 1, depending on
368 whether you wish to set the opt-out bit in the NSEC3 chain.
369 iterations defines the number of additional times to apply the
370 algorithm when generating an NSEC3 hash. The salt is a string of
371 data expressed in hexadecimal, a hyphen (`-') if no salt is to be
372 used, or the keyword auto, which causes named to generate a random
373 64-bit salt.
374 So, for example, to create an NSEC3 chain using the SHA-1 hash
376 algorithm, no opt-out flag, 10 iterations, and a salt value of
377 "FFFF", use: rndc signing -nsec3param 1 0 10 FFFF zone. To set the
378 opt-out flag, 15 iterations, and no salt, use: rndc signing
379 -nsec3param 1 1 15 - zone.
380 rndc signing -nsec3param none removes an existing NSEC3 chain and
382 replaces it with NSEC.
383 rndc signing -serial value sets the serial number of the zone to
385 value. If the value would cause the serial number to go backwards
386 it will be rejected. The primary use is to set the serial on inline
387 signed zones.
388 stats
390 Write server statistics to the statistics file. (See the
391 statistics-file option in the BIND 9 Administrator Reference
392 Manual.)
393 status
395 Display status of the server. Note that the number of zones
396 includes the internal bind/CH zone and the default ./IN hint zone
397 if there is not an explicit root zone configured.
398 stop [-p]
400 Stop the server, making sure any recent changes made through
401 dynamic update or IXFR are first saved to the master files of the
402 updated zones. If -p is specified named's process id is returned.
403 This allows an external process to determine when named had
404 completed stopping.
405 See also rndc halt.
407 sync [-clean] [zone [class [view]]]
409 Sync changes in the journal file for a dynamic zone to the master
410 file. If the "-clean" option is specified, the journal file is also
411 removed. If no zone is specified, then all zones are synced.
412 thaw [zone [class [view]]]
414 Enable updates to a frozen dynamic zone. If no zone is specified,
415 then all frozen zones are enabled. This causes the server to reload
416 the zone from disk, and re-enables dynamic updates after the load
417 has completed. After a zone is thawed, dynamic updates will no
418 longer be refused. If the zone has changed and the
419 ixfr-from-differences option is in use, then the journal file will
420 be updated to reflect changes in the zone. Otherwise, if the zone
421 has changed, any existing journal file will be removed.
422 See also rndc freeze.
424 trace
426 Increment the servers debugging level by one.
427 trace level
429 Sets the server's debugging level to an explicit value.
430 See also rndc notrace.
432 tsig-delete keyname [view]
434 Delete a given TKEY-negotiated key from the server. (This does not
435 apply to statically configured TSIG keys.)
436 tsig-list
438 List the names of all TSIG keys currently configured for use by
439 named in each view. The list includes both statically configured
440 keys and dynamic TKEY-negotiated keys.
441 validation ( on | off | status ) [view ...]
443 Enable, disable, or check the current status of DNSSEC validation.
444 Note dnssec-enable also needs to be set to yes or auto to be
445 effective. It defaults to enabled.
446 zonestatus zone [class [view]]
448 Displays the current status of the given zone, including the master
449 file name and any include files from which it was loaded, when it
450 was most recently loaded, the current serial number, the number of
451 nodes, whether the zone supports dynamic updates, whether the zone
452 is DNSSEC signed, whether it uses automatic DNSSEC key management
453 or inline signing, and the scheduled refresh or expiry times for
454 the zone.
455 See also rndc showzone.
457
459 There is currently no way to provide the shared secret for a key_id
460 without using the configuration file.
461 Several error messages could be clearer.
463
465 rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9
466 Administrator Reference Manual.
467
469 Internet Systems Consortium, Inc.
470
472 Copyright © 2000, 2001, 2004, 2005, 2007, 2013-2021 Internet Systems
473 Consortium, Inc. ("ISC")
474ISC 2014-08-15 RNDC(8)