1RNDC(8) BIND 9 RNDC(8)
2
6 rndc - name server control utility
7
9 rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p
10 port] [-q] [-r] [-V] [-y key_id] [[-4] | [-6]] {command}
11
13 rndc controls the operation of a name server; it supersedes the ndc
14 utility. If rndc is invoked with no command line options or arguments,
15 it prints a short summary of the supported commands and the available
16 options and their arguments.
17 rndc communicates with the name server over a TCP connection, sending
19 commands authenticated with digital signatures. In the current versions
20 of rndc and named, the only supported authentication algorithms are
21 HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (de‐
22 fault), HMAC-SHA384, and HMAC-SHA512. They use a shared secret on each
23 end of the connection, which provides TSIG-style authentication for the
24 command request and the name server's response. All commands sent over
25 the channel must be signed by a key_id known to the server.
26 rndc reads a configuration file to determine how to contact the name
28 server and decide what algorithm and key it should use.
29
31 -4 This option indicates use of IPv4 only.
32 -6 This option indicates use of IPv6 only.
34 -b source-address
36 This option indicates source-address as the source address for
37 the connection to the server. Multiple instances are permitted,
38 to allow setting of both the IPv4 and IPv6 source addresses.
39 -c config-file
41 This option indicates config-file as the configuration file in‐
42 stead of the default, /etc/rndc.conf.
43 -k key-file
45 This option indicates key-file as the key file instead of the
46 default, /etc/rndc.key. The key in /etc/rndc.key is used to au‐
47 thenticate commands sent to the server if the config-file does
48 not exist.
49 -s server
51 server is the name or address of the server which matches a
52 server statement in the configuration file for rndc. If no
53 server is supplied on the command line, the host named by the
54 default-server clause in the options statement of the rndc con‐
55 figuration file is used.
56 -p port
58 This option instructs BIND 9 to send commands to TCP port port
59 instead of its default control channel port, 953.
60 -q This option sets quiet mode, where message text returned by the
62 server is not printed unless there is an error.
63 -r This option instructs rndc to print the result code returned by
65 named after executing the requested command (e.g., ISC_R_SUC‐
66 CESS, ISC_R_FAILURE, etc.).
67 -V This option enables verbose logging.
69 -y key_id
71 This option indicates use of the key key_id from the configura‐
72 tion file. For control message validation to succeed, key_id
73 must be known by named with the same algorithm and secret
74 string. If no key_id is specified, rndc first looks for a key
75 clause in the server statement of the server being used, or if
76 no server statement is present for that host, then in the de‐
77 fault-key clause of the options statement. Note that the config‐
78 uration file contains shared secrets which are used to send au‐
79 thenticated control commands to name servers, and should there‐
80 fore not have general read or write access.
81
83 A list of commands supported by rndc can be seen by running rndc with‐
84 out arguments.
85 Currently supported commands are:
87 addzone zone [class [view]] configuration
89 This command adds a zone while the server is running. This com‐
90 mand requires the allow-new-zones option to be set to yes. The
91 configuration string specified on the command line is the zone
92 configuration text that would ordinarily be placed in
93 named.conf.
94 The configuration is saved in a file called viewname.nzf (or, if
96 named is compiled with liblmdb, an LMDB database file called
97 viewname.nzd). viewname is the name of the view, unless the view
98 name contains characters that are incompatible with use as a
99 file name, in which case a cryptographic hash of the view name
100 is used instead. When named is restarted, the file is loaded
101 into the view configuration so that zones that were added can
102 persist after a restart.
103 This sample addzone command adds the zone example.com to the de‐
105 fault view:
106 rndc addzone example.com '{ type master; file "example.com.db";
108 };'
109 (Note the brackets around and semi-colon after the zone configu‐
111 ration text.)
112 See also rndc delzone and rndc modzone.
114 delzone [-clean] zone [class [view]]
116 This command deletes a zone while the server is running.
117 If the -clean argument is specified, the zone's master file (and
119 journal file, if any) are deleted along with the zone. Without
120 the -clean option, zone files must be deleted manually. (If the
121 zone is of type secondary or stub, the files needing to be re‐
122 moved are reported in the output of the rndc delzone command.)
123 If the zone was originally added via rndc addzone, then it is
125 removed permanently. However, if it was originally configured in
126 named.conf, then that original configuration remains in place;
127 when the server is restarted or reconfigured, the zone is recre‐
128 ated. To remove it permanently, it must also be removed from
129 named.conf.
130 See also rndc addzone and rndc modzone.
132 dnssec ( -status | -rollover -key id [-alg algorithm] [-when time] |
134 -checkds [-key id [-alg algorithm]] [-when time] ( published | with‐
135 drawn )) zone [class [view]]
136 This command allows you to interact with the "dnssec-policy" of
137 a given zone.
138 rndc dnssec -status show the DNSSEC signing state for the speci‐
140 fied zone.
141 rndc dnssec -rollover allows you to schedule key rollover for a
143 specific key (overriding the original key lifetime).
144 rndc dnssec -checkds will let named know that the DS for the
146 given key has been seen published into or withdrawn from the
147 parent. This is required in order to complete a KSK rollover.
148 If the -key id argument is specified, look for the key with the
149 given identifier, otherwise if there is only one key acting as a
150 KSK in the zone, assume the DS of that key (if there are multi‐
151 ple keys with the same tag, use -alg algorithm to select the
152 correct algorithm). The time that the DS has been published or
153 withdrawn is set to now, unless otherwise specified with the ar‐
154 gument -when time.
155 dnstap ( -reopen | -roll [number] )
157 This command closes and re-opens DNSTAP output files. rndc
158 dnstap -reopen allows the output file to be renamed externally,
159 so that named can truncate and re-open it. rndc dnstap -roll
160 causes the output file to be rolled automatically, similar to
161 log files. The most recent output file has ".0" appended to its
162 name; the previous most recent output file is moved to ".1", and
163 so on. If number is specified, then the number of backup log
164 files is limited to that number.
165 dumpdb [-all | -cache | -zones | -adb | -bad | -expired | -fail] [view
167 ...]
168 This command dumps the server's caches (default) and/or zones to
169 the dump file for the specified views. If no view is specified,
170 all views are dumped. (See the dump-file option in the BIND 9
171 Administrator Reference Manual.)
172 flush This command flushes the server's cache.
174 flushname name [view]
176 This command flushes the given name from the view's DNS cache
177 and, if applicable, from the view's nameserver address database,
178 bad server cache, and SERVFAIL cache.
179 flushtree name [view]
181 This command flushes the given name, and all of its subdomains,
182 from the view's DNS cache, address database, bad server cache,
183 and SERVFAIL cache.
184 freeze [zone [class [view]]]
186 This command suspends updates to a dynamic zone. If no zone is
187 specified, then all zones are suspended. This allows manual ed‐
188 its to be made to a zone normally updated by dynamic update, and
189 causes changes in the journal file to be synced into the master
190 file. All dynamic update attempts are refused while the zone is
191 frozen.
192 See also rndc thaw.
194 halt [-p]
196 This command stops the server immediately. Recent changes made
197 through dynamic update or IXFR are not saved to the master
198 files, but are rolled forward from the journal files when the
199 server is restarted. If -p is specified, named's process ID is
200 returned. This allows an external process to determine when
201 named has completed halting.
202 See also rndc stop.
204 loadkeys [zone [class [view]]]
206 This command fetches all DNSSEC keys for the given zone from the
207 key directory. If they are within their publication period, they
208 are merged into the zone's DNSKEY RRset. Unlike rndc sign, how‐
209 ever, the zone is not immediately re-signed by the new keys, but
210 is allowed to incrementally re-sign over time.
211 This command requires that the zone be configured with a
213 dnssec-policy, or that the auto-dnssec zone option be set to
214 maintain, and also requires the zone to be configured to allow
215 dynamic DNS. (See "Dynamic Update Policies" in the Administrator
216 Reference Manual for more details.)
217 managed-keys (status | refresh | sync | destroy) [class [view]]
219 This command inspects and controls the "managed-keys" database
220 which handles RFC 5011 DNSSEC trust anchor maintenance. If a
221 view is specified, these commands are applied to that view; oth‐
222 erwise, they are applied to all views.
223 • When run with the status keyword, this prints the current sta‐
225 tus of the managed-keys database.
226 • When run with the refresh keyword, this forces an immediate
228 refresh query to be sent for all the managed keys, updating
229 the managed-keys database if any new keys are found, without
230 waiting the normal refresh interval.
231 • When run with the sync keyword, this forces an immediate dump
233 of the managed-keys database to disk (in the file man‐
234 aged-keys.bind or (viewname.mkeys). This synchronizes the
235 database with its journal file, so that the database's current
236 contents can be inspected visually.
237 • When run with the destroy keyword, the managed-keys database
239 is shut down and deleted, and all key maintenance is termi‐
240 nated. This command should be used only with extreme caution.
241 Existing keys that are already trusted are not deleted from
243 memory; DNSSEC validation can continue after this command is
244 used. However, key maintenance operations cease until named
245 is restarted or reconfigured, and all existing key maintenance
246 states are deleted.
247 Running rndc reconfig or restarting named immediately after
249 this command causes key maintenance to be reinitialized from
250 scratch, just as if the server were being started for the
251 first time. This is primarily intended for testing, but it may
252 also be used, for example, to jumpstart the acquisition of new
253 keys in the event of a trust anchor rollover, or as a
254 brute-force repair for key maintenance problems.
255 modzone zone [class [view]] configuration
257 This command modifies the configuration of a zone while the
258 server is running. This command requires the allow-new-zones op‐
259 tion to be set to yes. As with addzone, the configuration
260 string specified on the command line is the zone configuration
261 text that would ordinarily be placed in named.conf.
262 If the zone was originally added via rndc addzone, the configu‐
264 ration changes are recorded permanently and are still in effect
265 after the server is restarted or reconfigured. However, if it
266 was originally configured in named.conf, then that original con‐
267 figuration remains in place; when the server is restarted or re‐
268 configured, the zone reverts to its original configuration. To
269 make the changes permanent, it must also be modified in
270 named.conf.
271 See also rndc addzone and rndc delzone.
273 notify zone [class [view]]
275 This command resends NOTIFY messages for the zone.
276 notrace
278 This command sets the server's debugging level to 0.
279 See also rndc trace.
281 nta [( -class class | -dump | -force | -remove | -lifetime duration)]
283 domain [view]
284 This command sets a DNSSEC negative trust anchor (NTA) for do‐
285 main, with a lifetime of duration. The default lifetime is con‐
286 figured in named.conf via the nta-lifetime option, and defaults
287 to one hour. The lifetime cannot exceed one week.
288 A negative trust anchor selectively disables DNSSEC validation
290 for zones that are known to be failing because of misconfigura‐
291 tion rather than an attack. When data to be validated is at or
292 below an active NTA (and above any other configured trust an‐
293 chors), named aborts the DNSSEC validation process and treats
294 the data as insecure rather than bogus. This continues until the
295 NTA's lifetime has elapsed.
296 NTAs persist across restarts of the named server. The NTAs for a
298 view are saved in a file called name.nta, where name is the name
299 of the view; if it contains characters that are incompatible
300 with use as a file name, a cryptographic hash is generated from
301 the name of the view.
302 An existing NTA can be removed by using the -remove option.
304 An NTA's lifetime can be specified with the -lifetime option.
306 TTL-style suffixes can be used to specify the lifetime in sec‐
307 onds, minutes, or hours. If the specified NTA already exists,
308 its lifetime is updated to the new value. Setting lifetime to
309 zero is equivalent to -remove.
310 If -dump is used, any other arguments are ignored and a list of
312 existing NTAs is printed. Note that this may include NTAs that
313 are expired but have not yet been cleaned up.
314 Normally, named periodically tests to see whether data below an
316 NTA can now be validated (see the nta-recheck option in the Ad‐
317 ministrator Reference Manual for details). If data can be vali‐
318 dated, then the NTA is regarded as no longer necessary and is
319 allowed to expire early. The -force parameter overrides this be‐
320 havior and forces an NTA to persist for its entire lifetime, re‐
321 gardless of whether data could be validated if the NTA were not
322 present.
323 The view class can be specified with -class. The default is
325 class IN, which is the only class for which DNSSEC is currently
326 supported.
327 All of these options can be shortened, i.e., to -l, -r, -d, -f,
329 and -c.
330 Unrecognized options are treated as errors. To refer to a domain
332 or view name that begins with a hyphen, use a double-hyphen (--)
333 on the command line to indicate the end of options.
334 querylog [(on | off)]
336 This command enables or disables query logging. For backward
337 compatibility, this command can also be used without an argument
338 to toggle query logging on and off.
339 Query logging can also be enabled by explicitly directing the
341 queries category to a channel in the logging section of
342 named.conf, or by specifying querylog yes; in the options sec‐
343 tion of named.conf.
344 reconfig
346 This command reloads the configuration file and loads new zones,
347 but does not reload existing zone files even if they have
348 changed. This is faster than a full reload when there is a large
349 number of zones, because it avoids the need to examine the modi‐
350 fication times of the zone files.
351 recursing
353 This command dumps the list of queries named is currently re‐
354 cursing on, and the list of domains to which iterative queries
355 are currently being sent. The second list includes the number
356 of fetches currently active for the given domain, and how many
357 have been passed or dropped because of the fetches-per-zone op‐
358 tion.
359 refresh zone [class [view]]
361 This command schedules zone maintenance for the given zone.
362 reload This command reloads the configuration file and zones.
364 reload zone [class [view]]
366 This command reloads the given zone.
367 retransfer zone [class [view]]
369 This command retransfers the given secondary zone from the pri‐
370 mary server.
371 If the zone is configured to use inline-signing, the signed ver‐
373 sion of the zone is discarded; after the retransfer of the un‐
374 signed version is complete, the signed version is regenerated
375 with new signatures.
376 scan This command scans the list of available network interfaces for
378 changes, without performing a full reconfig or waiting for the
379 interface-interval timer.
380 secroots [-] [view ...]
382 This command dumps the security roots (i.e., trust anchors con‐
383 figured via trust-anchors, or the managed-keys or trusted-keys
384 statements [both deprecated], or dnssec-validation auto) and
385 negative trust anchors for the specified views. If no view is
386 specified, all views are dumped. Security roots indicate whether
387 they are configured as trusted keys, managed keys, or initializ‐
388 ing managed keys (managed keys that have not yet been updated by
389 a successful key refresh query).
390 If the first argument is -, then the output is returned via the
392 rndc response channel and printed to the standard output. Oth‐
393 erwise, it is written to the secroots dump file, which defaults
394 to named.secroots, but can be overridden via the secroots-file
395 option in named.conf.
396 See also rndc managed-keys.
398 serve-stale (on | off | reset | status) [class [view]]
400 This command enables, disables, resets, or reports the current
401 status of the serving of stale answers as configured in
402 named.conf.
403 If serving of stale answers is disabled by rndc-serve-stale off,
405 then it remains disabled even if named is reloaded or reconfig‐
406 ured. rndc serve-stale reset restores the setting as configured
407 in named.conf.
408 rndc serve-stale status reports whether serving of stale answers
410 is currently enabled, disabled by the configuration, or disabled
411 by rndc. It also reports the values of stale-answer-ttl and
412 max-stale-ttl.
413 showzone zone [class [view]]
415 This command prints the configuration of a running zone.
416 See also rndc zonestatus.
418 sign zone [class [view]]
420 This command fetches all DNSSEC keys for the given zone from the
421 key directory (see the key-directory option in the BIND 9 Admin‐
422 istrator Reference Manual). If they are within their publication
423 period, they are merged into the zone's DNSKEY RRset. If the
424 DNSKEY RRset is changed, then the zone is automatically
425 re-signed with the new key set.
426 This command requires that the zone be configured with a
428 dnssec-policy, or that the auto-dnssec zone option be set to al‐
429 low or maintain, and also requires the zone to be configured to
430 allow dynamic DNS. (See "Dynamic Update Policies" in the BIND 9
431 Administrator Reference Manual for more details.)
432 See also rndc loadkeys.
434 signing [(-list | -clear keyid/algorithm | -clear all | -nsec3param (
436 parameters | none ) | -serial value ) zone [class [view]]
437 This command lists, edits, or removes the DNSSEC signing-state
438 records for the specified zone. The status of ongoing DNSSEC op‐
439 erations, such as signing or generating NSEC3 chains, is stored
440 in the zone in the form of DNS resource records of type
441 sig-signing-type. rndc signing -list converts these records
442 into a human-readable form, indicating which keys are currently
443 signing or have finished signing the zone, and which NSEC3
444 chains are being created or removed.
445 rndc signing -clear can remove a single key (specified in the
447 same format that rndc signing -list uses to display it), or all
448 keys. In either case, only completed keys are removed; any
449 record indicating that a key has not yet finished signing the
450 zone is retained.
451 rndc signing -nsec3param sets the NSEC3 parameters for a zone.
453 This is the only supported mechanism for using NSEC3 with in‐
454 line-signing zones. Parameters are specified in the same format
455 as an NSEC3PARAM resource record: hash algorithm, flags, itera‐
456 tions, and salt, in that order.
457 Currently, the only defined value for hash algorithm is 1, rep‐
459 resenting SHA-1. The flags may be set to 0 or 1, depending on
460 whether the opt-out bit in the NSEC3 chain should be set. itera‐
461 tions defines the number of additional times to apply the algo‐
462 rithm when generating an NSEC3 hash. The salt is a string of
463 data expressed in hexadecimal, a hyphen (-') if no salt is to be
464 used, or the keyword ``auto`, which causes named to generate a
465 random 64-bit salt.
466 So, for example, to create an NSEC3 chain using the SHA-1 hash
468 algorithm, no opt-out flag, 10 iterations, and a salt value of
469 "FFFF", use: rndc signing -nsec3param 1 0 10 FFFF zone. To set
470 the opt-out flag, 15 iterations, and no salt, use: rndc signing
471 -nsec3param 1 1 15 - zone.
472 rndc signing -nsec3param none removes an existing NSEC3 chain
474 and replaces it with NSEC.
475 rndc signing -serial value sets the serial number of the zone to
477 value. If the value would cause the serial number to go back‐
478 wards, it is rejected. The primary use of this parameter is to
479 set the serial number on inline signed zones.
480 stats This command writes server statistics to the statistics file.
482 (See the statistics-file option in the BIND 9 Administrator Ref‐
483 erence Manual.)
484 status This command displays the status of the server. Note that the
486 number of zones includes the internal bind/CH zone and the de‐
487 fault ./IN hint zone, if there is no explicit root zone config‐
488 ured.
489 stop -p
491 This command stops the server, making sure any recent changes
492 made through dynamic update or IXFR are first saved to the mas‐
493 ter files of the updated zones. If -p is specified, named(8)`'s
494 process ID is returned. This allows an external process to de‐
495 termine when ``named has completed stopping.
496 See also rndc halt.
498 sync -clean [zone [class [view]]]
500 This command syncs changes in the journal file for a dynamic
501 zone to the master file. If the "-clean" option is specified,
502 the journal file is also removed. If no zone is specified, then
503 all zones are synced.
504 tcp-timeouts [initial idle keepalive advertised]
506 When called without arguments, this command displays the current
507 values of the tcp-initial-timeout, tcp-idle-timeout,
508 tcp-keepalive-timeout, and tcp-advertised-timeout options. When
509 called with arguments, these values are updated. This allows an
510 administrator to make rapid adjustments when under a de‐
511 nial-of-service (DoS) attack. See the descriptions of these op‐
512 tions in the BIND 9 Administrator Reference Manual for details
513 of their use.
514 thaw [zone [class [view]]]
516 This command enables updates to a frozen dynamic zone. If no
517 zone is specified, then all frozen zones are enabled. This
518 causes the server to reload the zone from disk, and re-enables
519 dynamic updates after the load has completed. After a zone is
520 thawed, dynamic updates are no longer refused. If the zone has
521 changed and the ixfr-from-differences option is in use, the
522 journal file is updated to reflect changes in the zone. Other‐
523 wise, if the zone has changed, any existing journal file is re‐
524 moved.
525 See also rndc freeze.
527 trace This command increments the server's debugging level by one.
529 trace level
531 This command sets the server's debugging level to an explicit
532 value.
533 See also rndc notrace.
535 tsig-delete keyname [view]
537 This command deletes a given TKEY-negotiated key from the
538 server. This does not apply to statically configured TSIG keys.
539 tsig-list
541 This command lists the names of all TSIG keys currently config‐
542 ured for use by named in each view. The list includes both stat‐
543 ically configured keys and dynamic TKEY-negotiated keys.
544 validation (on | off | status) [view ...]``
546 This command enables, disables, or checks the current status of
547 DNSSEC validation. By default, validation is enabled.
548 The cache is flushed when validation is turned on or off to
550 avoid using data that might differ between states.
551 zonestatus zone [class [view]]
553 This command displays the current status of the given zone, in‐
554 cluding the master file name and any include files from which it
555 was loaded, when it was most recently loaded, the current serial
556 number, the number of nodes, whether the zone supports dynamic
557 updates, whether the zone is DNSSEC signed, whether it uses au‐
558 tomatic DNSSEC key management or inline signing, and the sched‐
559 uled refresh or expiry times for the zone.
560 See also rndc showzone.
562 rndc commands that specify zone names, such as reload, retransfer, or
564 zonestatus, can be ambiguous when applied to zones of type redirect.
565 Redirect zones are always called ., and can be confused with zones of
566 type hint or with secondary copies of the root zone. To specify a redi‐
567 rect zone, use the special zone name -redirect, without a trailing pe‐
568 riod. (With a trailing period, this would specify a zone called "-redi‐
569 rect".)
570
572 There is currently no way to provide the shared secret for a key_id
573 without using the configuration file.
574 Several error messages could be clearer.
576
578 rndc.conf(5), rndc-confgen(8), named(8), named.conf(5), ndc(8), BIND 9
579 Administrator Reference Manual.
580
582 Internet Systems Consortium
583
585 2021, Internet Systems Consortium
5869.16.16-RH RNDC(8)