man.rndc.html 47 KB
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.rndc.conf.html" title="rndc.conf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> </td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.rndc"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">rndc</span>
     &#8212; name server control utility
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">rndc</code> 
       [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>]
       [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>]
       [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>]
       [<code class="option">-s <em class="replaceable"><code>server</code></em></code>]
       [<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
       [<code class="option">-q</code>]
       [<code class="option">-r</code>]
       [<code class="option">-V</code>]
       [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>]
       [
	[<code class="option">-4</code>]
	 |  [<code class="option">-6</code>]
      ]
       {command}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.13.38.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>rndc</strong></span>
      controls the operation of a name
      server.  It supersedes the <span class="command"><strong>ndc</strong></span> utility
      that was provided in old BIND releases.  If
      <span class="command"><strong>rndc</strong></span> is invoked with no command line
      options or arguments, it prints a short summary of the
      supported commands and the available options and their
      arguments.
    </p>
    <p><span class="command"><strong>rndc</strong></span>
      communicates with the name server over a TCP connection, sending
      commands authenticated with a keyed hash (HMAC) computed over the
      message with a shared secret.  Although the manual speaks of
      commands being "signed", no public-key signature is involved:
      anyone who holds the secret can issue any command the server
      accepts.  In the current versions of
      <span class="command"><strong>rndc</strong></span> and <span class="command"><strong>named</strong></span>,
      the only supported authentication algorithms are HMAC-MD5
      (for compatibility with old peers only; do not choose it for new
      keys), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512.
      The same secret is configured on each end of the connection.
      This provides TSIG-style authentication for the command
      request and the name server's response; it does not encrypt
      the channel.  All commands sent
      over the channel must be signed by a key_id known to the
      server.
    </p>
    <p><span class="command"><strong>rndc</strong></span>
      reads a configuration file to
      determine how to contact the name server and decide what
      algorithm and key it should use.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.38.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
	  <p>
	    Use IPv4 only.
	  </p>
	</dd>
<dt><span class="term">-6</span></dt>
<dd>
	  <p>
	    Use IPv6 only.
	  </p>
	</dd>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd>
	  <p>
	    Use <em class="replaceable"><code>source-address</code></em>
	    as the source address for the connection to the server.
	    Multiple instances are permitted to allow setting of both
	    the IPv4 and IPv6 source addresses.
	  </p>
	</dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd>
	  <p>
	    Use <em class="replaceable"><code>config-file</code></em>
	    as the configuration file instead of the default,
	    <code class="filename">/etc/rndc.conf</code>.
	  </p>
	</dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd>
	  <p>
	    Use <em class="replaceable"><code>key-file</code></em>
	    as the key file instead of the default,
	    <code class="filename">/etc/rndc.key</code>.  The key in
	    this file is used to authenticate commands sent to the
	    server when the <em class="replaceable"><code>config-file</code></em>
	    does not exist; when the configuration file does exist,
	    its key clauses are used instead.
	  </p>
	</dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd>
	  <p><em class="replaceable"><code>server</code></em> is
	    the name or address of the server which matches a
	    server statement in the configuration file for
	    <span class="command"><strong>rndc</strong></span>.  If no server is supplied on the
	    command line, the host named by the default-server clause
	    in the options statement of the <span class="command"><strong>rndc</strong></span>
	    configuration file will be used.
	  </p>
	</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
	  <p>
	    Send commands to TCP port
	    <em class="replaceable"><code>port</code></em>
	    instead
	    of BIND 9's default control channel port, 953.
	  </p>
	</dd>
<dt><span class="term">-q</span></dt>
<dd>
	  <p>
	    Quiet mode: Message text returned by the server
	    will not be printed except when there is an error.
	  </p>
	</dd>
<dt><span class="term">-r</span></dt>
<dd>
	  <p>
	    Instructs <span class="command"><strong>rndc</strong></span> to print the result code
	    returned by <span class="command"><strong>named</strong></span> after executing the
	    requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
	  </p>
	</dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Enable verbose logging.
	  </p>
	</dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd>
	  <p>
	    Use the key <em class="replaceable"><code>key_id</code></em>
	    from the configuration file.
	    <em class="replaceable"><code>key_id</code></em>
	    must be
	    known by <span class="command"><strong>named</strong></span> with the same algorithm and secret string
	    in order for control message validation to succeed.
	    If no <em class="replaceable"><code>key_id</code></em>
	    is specified, <span class="command"><strong>rndc</strong></span> will first look
	    for a key clause in the server statement of the server
	    being used, or if no server statement is present for that
	    host, then the default-key clause of the options statement.
	    Note that the configuration file contains shared secrets
	    which are used to send authenticated control commands
	    to name servers.  It should therefore not have general read
	    or write access.
	  </p>
	</dd>
</dl></div>
  </div>
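  <p>
    The following added example, which is not part of the BIND sources
    or of this manual, puts the DESCRIPTION and the
    <code class="option">-c</code>/<code class="option">-k</code>/<code class="option">-y</code>
    notes together: it generates a 256-bit shared secret, writes the key
    clause that <span class="command"><strong>rndc</strong></span> and
    <span class="command"><strong>named</strong></span> must share, an
    <code class="filename">rndc.conf</code> that selects that key and
    server, and a <code class="filename">named.conf</code>
    <span class="command"><strong>controls</strong></span> statement that
    listens on loopback only and accepts only that key.  The helper names
    (<code>gen_rndc_secret</code>, <code>write_rndc_files</code>,
    <code>file_mode</code>), the output file names and the directory
    argument are this script's own choices; it assumes
    <code class="filename">/dev/urandom</code> and base64(1) are available.
  </p>

```shell
#!/bin/sh
# Added example (not BIND code): generate an rndc key and write the
# matching rndc.conf / named.conf fragments with the file permissions
# the man page asks for.  Helper names below are this script's own.
set -eu

# Generate a random 256-bit secret, base64-encoded, which is the form a
# key clause's "secret" expects.  Assumes /dev/urandom and base64(1).
gen_rndc_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_files DIR SECRET [KEYNAME] [ALGORITHM]
# Writes DIR/rndc.key, DIR/rndc.conf and DIR/named-controls.conf.
# Everything is created under umask 077: rndc.key and rndc.conf carry
# the shared secret, and whoever can read it can drive the server.
write_rndc_files() {
    dir=$1; secret=$2; keyname=${3:-rndc-key}; algo=${4:-hmac-sha256}
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077
    # Key clause shared by both sides: same name, algorithm and secret.
    # hmac-sha256 is the default algorithm; hmac-md5 is compatibility only.
    cat > "$dir/rndc.key" <<EOF
key "$keyname" {
    algorithm $algo;
    secret "$secret";
};
EOF
    # rndc side: which server to contact and which key to sign with.
    # rndc -c "$dir/rndc.conf" uses this; with no -y, default-key applies.
    cat > "$dir/rndc.conf" <<EOF
include "$dir/rndc.key";

options {
    default-key "$keyname";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
    # named side: bind the control channel to loopback and accept only
    # this key.  Do not use "inet * allow { any; }", which exposes the
    # control port to the whole network.
    cat > "$dir/named-controls.conf" <<EOF
include "$dir/rndc.key";

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$keyname"; };
};
EOF
    umask "$old_umask"
}

# file_mode FILE: print the symbolic mode (e.g. "-rw-------") so a
# deployment script can verify the secret-bearing files are private.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (real run, as root):
#   write_rndc_files /etc "$(gen_rndc_secret)"
#   [ "$(file_mode /etc/rndc.key)" = "-rw-------" ] || echo "key file too open"
#   rndc -c /etc/rndc.conf status
```

  <p>
    After including <code class="filename">named-controls.conf</code>
    from <code class="filename">named.conf</code> and reconfiguring,
    <code>rndc -c /etc/rndc.conf status</code> should succeed, while the
    same command with a different <code class="option">-y</code> key or
    from a non-loopback source address must be rejected; checking both
    outcomes is the quickest way to confirm the
    <span class="command"><strong>allow</strong></span> and
    <span class="command"><strong>keys</strong></span> clauses actually
    took effect.
  </p>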

  <div class="refsection">
<a name="id-1.13.38.9"></a><h2>COMMANDS</h2>

    <p>
      A list of commands supported by <span class="command"><strong>rndc</strong></span> can
      be seen by running <span class="command"><strong>rndc</strong></span> without arguments.
    </p>
    <p>
      Currently supported commands are:
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
	  <p>
	    Add a zone while the server is running.  This
	    command requires the
	    <span class="command"><strong>allow-new-zones</strong></span> option to be set
	    to <strong class="userinput"><code>yes</code></strong>.  The
	    <em class="replaceable"><code>configuration</code></em> string
	    specified on the command line is the zone
	    configuration text that would ordinarily be
	    placed in <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    The configuration is saved in a file called
	    <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzf</code>
	    (or, if <span class="command"><strong>named</strong></span> is compiled with
	    liblmdb, an LMDB database file called
	    <code class="filename"><em class="replaceable"><code>viewname</code></em>.nzd</code>).
	    <em class="replaceable"><code>viewname</code></em> is the
	    name of the view, unless the view name contains characters
	    that are incompatible with use as a file name, in which case
	    a cryptographic hash of the view name is used instead.
	    When <span class="command"><strong>named</strong></span> is
	    restarted, the file will be loaded into the view
	    configuration, so that zones that were added
	    can persist after a restart.
	  </p>
	  <p>
	    This sample <span class="command"><strong>addzone</strong></span> command
	    would add the zone <code class="literal">example.com</code>
	    to the default view:
	  </p>
	  <p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
	  </p>
	  <p>
	    (Note the braces and the trailing semicolon around the zone
	    configuration text, and the single quotes that keep the shell
	    from interpreting them; the text is passed to
	    <span class="command"><strong>named</strong></span> verbatim.)
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc delzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
	  <p>
	    Delete a zone while the server is running.
	  </p>
	  <p>
	    If the <code class="option">-clean</code> argument is specified,
	    the zone's master file (and journal file, if any)
	    will be deleted along with the zone.  Without the
	    <code class="option">-clean</code> option, zone files must
	    be cleaned up by hand.  (If the zone is of
	    type "slave" or "stub", the files needing to
	    be cleaned up will be reported in the output
	    of the <span class="command"><strong>rndc delzone</strong></span> command.)
	  </p>
	  <p>
	    If the zone was originally added via
	    <span class="command"><strong>rndc addzone</strong></span>, then it will be
	    removed permanently. However, if it was originally
	    configured in <code class="filename">named.conf</code>, then
	    that original configuration is still in place; when
	    the server is restarted or reconfigured, the zone will
	    come back. To remove it permanently, it must also be
	    removed from <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc modzone</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>dnstap ( -reopen | -roll [<span class="optional"><em class="replaceable"><code>number</code></em></span>] )</code></strong></span></dt>
<dd>
	  <p>
	    Close and re-open DNSTAP output files.
	    <span class="command"><strong>rndc dnstap -reopen</strong></span> allows the output
	    file to be renamed externally, so
	    that <span class="command"><strong>named</strong></span> can truncate and re-open it.
	    <span class="command"><strong>rndc dnstap -roll</strong></span> causes the output file
	    to be rolled automatically, similar to log files; the most
	    recent output file has ".0" appended to its name; the
	    previous most recent output file is moved to ".1", and so on.
	    If <em class="replaceable"><code>number</code></em> is specified, then the
	    number of backup log files is limited to that number.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zones|-adb|-bad|-fail</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd>
	  <p>
	    Dump the server's caches (default) and/or zones to
	    the dump file for the specified views.  If no view
            is specified, all views are dumped.
	    (See the <span class="command"><strong>dump-file</strong></span> option in
	    the BIND 9 Administrator Reference Manual.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd>
	  <p>
	    Flushes the server's cache.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd>
	  <p>
	    Flushes the given name from the view's DNS cache
	    and, if applicable, from the view's nameserver address
	    database, bad server cache and SERVFAIL cache.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd>
	  <p>
	    Flushes the given name, and all of its subdomains,
	    from the view's DNS cache, address database,
	    bad server cache, and SERVFAIL cache.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Suspend updates to a dynamic zone.  If no zone is
	    specified, then all zones are suspended.  This allows
	    manual edits to be made to a zone normally updated by
	    dynamic update.  It also causes changes in the
	    journal file to be synced into the master file.
	    All dynamic update attempts will be refused while
	    the zone is frozen.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc thaw</strong></span>.
	  </p>
	</dd>
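	  <p>
	    The freeze, edit, thaw cycle described above is easy to get
	    wrong in a script: if the edit or the syntax check aborts, the
	    zone stays frozen and every dynamic update is refused until
	    someone notices.  The added example below is not BIND code;
	    the helper names <code>edit_frozen_zone</code>,
	    <code>bump_soa_serial</code>, <code>zone_serial</code> and
	    <code>append_record</code> are this script's own.  It freezes
	    one zone, backs up the master file, applies the caller's edit,
	    increments the SOA serial, runs
	    <span class="command"><strong>named-checkzone</strong></span>,
	    and thaws again whether or not the check passed, restoring the
	    backup on failure.  It assumes a single-line SOA record and
	    the real <span class="command"><strong>rndc</strong></span> and
	    <span class="command"><strong>named-checkzone</strong></span>
	    on PATH unless the <code>RNDC</code> and <code>CHECKZONE</code>
	    variables point elsewhere.
	  </p>

```shell
#!/bin/sh
# Added example (not BIND code): edit a dynamic zone's master file by
# hand between "rndc freeze" and "rndc thaw", guaranteeing the thaw runs
# even when the edit or the check fails.  Helper names are this script's
# own.  RNDC / CHECKZONE default to the real tools on PATH.
set -eu

: "${RNDC:=rndc}"
: "${CHECKZONE:=named-checkzone}"

# zone_serial FILE: print the serial of the first SOA record.  Assumes
# the whole SOA RR is on one line (serial is the third field after SOA).
zone_serial() {
    awk '/[ \t]SOA[ \t]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA") { print $(i + 3); exit }
        }' "$1"
}

# bump_soa_serial FILE: increment that serial in place so secondaries
# notice the manual change when NOTIFY/IXFR happens after the thaw.
bump_soa_serial() {
    awk '/[ \t]SOA[ \t]/ && !done {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA") { $(i + 3) = $(i + 3) + 1; done = 1; break }
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# append_record RECORD FILE: the sample edit, appending one RR line.
append_record() {
    printf '%s\n' "$1" >> "$2"
}

# edit_frozen_zone ZONE FILE EDIT-CMD [ARGS...]
# EDIT-CMD is invoked with FILE appended as its last argument.
edit_frozen_zone() {
    zone=$1; file=$2; shift 2
    # Freeze only this zone: "rndc freeze" with no argument freezes
    # every zone.  Freezing also syncs the journal into the master file,
    # so the file we are about to edit is current.
    "$RNDC" freeze "$zone" || return 1
    cp -p "$file" "$file.bak"
    rc=0
    { "$@" "$file" && bump_soa_serial "$file" &&
      "$CHECKZONE" -q "$zone" "$file"; } || rc=$?
    if [ "$rc" -ne 0 ]; then
        # Roll back so the thaw reloads the last known-good file.
        mv "$file.bak" "$file"
    else
        rm -f "$file.bak"
    fi
    # Always thaw: while frozen, all dynamic updates are refused.
    "$RNDC" thaw "$zone" || rc=$?
    return "$rc"
}

# Usage (real run, as the user that owns the zone file):
#   edit_frozen_zone example.com /var/named/example.com.db \
#       append_record "www 300 IN A 192.0.2.10"
```

	  <p>
	    Rolling back before the thaw matters because thawing makes
	    <span class="command"><strong>named</strong></span> reload the
	    zone from the master file, so a file that
	    <span class="command"><strong>named-checkzone</strong></span>
	    rejected must never be left in place.  The window between
	    freeze and thaw should be kept short for the same reason the
	    manual gives: every dynamic update arriving in that window is
	    refused, not queued.
	  </p>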
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Stop the server immediately.  Recent changes
	    made through dynamic update or IXFR are not saved to
	    the master files, but will be rolled forward from the
	    journal files when the server is restarted.
	    If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
	    has completed halting.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc stop</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Fetch all DNSSEC keys for the given zone
	    from the key directory.  If they are within
	    their publication period, merge them into the
	    zone's DNSKEY RRset.  Unlike <span class="command"><strong>rndc
	    sign</strong></span>, however, the zone is not
	    immediately re-signed by the new keys, but is
	    allowed to incrementally re-sign over time.
	  </p>
	  <p>
	    This command requires that the
	    <span class="command"><strong>auto-dnssec</strong></span> zone option
	    be set to <code class="literal">maintain</code>,
	    and also requires the zone to be configured to
	    allow dynamic DNS.
	    (See "Dynamic Update Policies" in the Administrator
	    Reference Manual for more details.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>managed-keys <em class="replaceable"><code>(status | refresh | sync | destroy)</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
            Inspect and control the "managed-keys" database which
            handles RFC 5011 DNSSEC trust anchor maintenance. If a view
            is specified, these commands are applied to that view;
            otherwise they are applied to all views.
          </p>
          <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
              <p>
                When run with the <code class="literal">status</code> keyword, prints
                the current status of the managed-keys database.
              </p>
            </li>
<li class="listitem">
              <p>
                When run with the <code class="literal">refresh</code> keyword,
                forces an immediate refresh query to be sent for all
                the managed keys, updating the managed-keys database
                if any new keys are found, without waiting the normal
                refresh interval.
              </p>
            </li>
<li class="listitem">
              <p>
                When run with the <code class="literal">sync</code> keyword, forces an
                immediate dump of the managed-keys database to disk
                (in the file <code class="filename">managed-keys.bind</code> or
                <code class="filename"><em class="replaceable"><code>viewname</code></em>.mkeys</code>).
                This synchronizes the database with its journal file, so
                that the database's current contents can be inspected
                visually.
              </p>
            </li>
<li class="listitem">
              <p>
                When run with the <code class="literal">destroy</code> keyword, the
                managed-keys database is shut down and deleted, and all key
                maintenance is terminated.  This command should be used only
                with extreme caution.
              </p>
              <p>
                Existing keys that are already trusted are not deleted
                from memory; DNSSEC validation can continue after this
                command is used. However, key maintenance operations will
                cease until <span class="command"><strong>named</strong></span> is restarted or
                reconfigured, and all existing key maintenance state
                will be deleted.
              </p>
              <p>
                Running <span class="command"><strong>rndc reconfig</strong></span> or restarting
                <span class="command"><strong>named</strong></span> immediately after this command
                will cause key maintenance to be reinitialized from scratch,
                just as if the server were being started for the first time.
                This is primarily intended for testing, but it may also be
                used, for example, to jumpstart the acquisition of new keys
                in the event of a trust anchor rollover, or as a
                brute-force repair for key maintenance problems.
              </p>
            </li>
</ul></div>
	</dd>
<dt><span class="term"><strong class="userinput"><code>modzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
	  <p>
	    Modify the configuration of a zone while the server
	    is running.  This command requires the
	    <span class="command"><strong>allow-new-zones</strong></span> option to be
	    set to <strong class="userinput"><code>yes</code></strong>.  As with
	    <span class="command"><strong>addzone</strong></span>, the
	    <em class="replaceable"><code>configuration</code></em> string
	    specified on the command line is the zone
	    configuration text that would ordinarily be
	    placed in <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    If the zone was originally added via
	    <span class="command"><strong>rndc addzone</strong></span>, the configuration
	    changes will be recorded permanently and will still be
	    in effect after the server is restarted or reconfigured.
	    However, if it was originally configured in
	    <code class="filename">named.conf</code>, then that original
	    configuration is still in place; when the server is
	    restarted or reconfigured, the zone will revert to
	    its original configuration.  To make the changes
	    permanent, it must also be modified in
	    <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc addzone</strong></span> and <span class="command"><strong>rndc delzone</strong></span>.
	  </p>
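	  <p>
	    The following shell script is an added example; it is not code
	    from BIND or from this manual page.  It walks a zone through
	    <span class="command"><strong>rndc addzone</strong></span>,
	    <span class="command"><strong>rndc showzone</strong></span>,
	    <span class="command"><strong>rndc modzone</strong></span> and
	    <span class="command"><strong>rndc delzone</strong></span>, using
	    <span class="command"><strong>modzone</strong></span> to restrict dynamic
	    updates of the running zone to a single TSIG key.  The zone name
	    <code class="literal">example.com</code>, the view
	    <code class="literal">internal</code>, the zone file name and the key
	    name <code class="literal">update-key</code> are assumed placeholders,
	    as is <span class="command"><strong>allow-new-zones yes;</strong></span>
	    in <code class="filename">named.conf</code>.  Since the
	    <em class="replaceable"><code>configuration</code></em> argument is the
	    whole zone body that would appear in
	    <code class="filename">named.conf</code>, the unchanged
	    <span class="command"><strong>type</strong></span> and
	    <span class="command"><strong>file</strong></span> statements are repeated
	    alongside the new <span class="command"><strong>allow-update</strong></span>
	    clause, and the body is passed as one shell word.
	  </p>

```shell
#!/bin/sh
# Added example, not part of BIND or the rndc manual page.
# Creates a zone at run time, restricts its dynamic updates to a single
# TSIG key with modzone, and removes it again. Zone, view, file and key
# names are placeholders; "allow-new-zones yes;" must be set in named.conf.
#
# RNDC may carry connection options, e.g. RNDC="rndc -k /etc/rndc.key".
# With RNDC_DRY_RUN=1 every command line is printed one argument per line
# instead of being sent to named, which makes the argument boundaries
# (in particular the single configuration argument) visible.
RNDC="${RNDC:-rndc}"

rndc_run() {
    if [ -n "${RNDC_DRY_RUN:-}" ]; then
        printf '%s\n' "$RNDC" "$@"
    else
        $RNDC "$@"
    fi
}

# zone_body FILE [KEY]
# Prints the complete zone body that would appear in named.conf. modzone
# replaces the whole configuration, so type and file are repeated on every
# change. Without a key, the zone refuses all dynamic updates.
zone_body() {
    if [ -n "${2:-}" ]; then
        printf '{ type master; file "%s"; allow-update { key "%s"; }; };' "$1" "$2"
    else
        printf '{ type master; file "%s"; allow-update { none; }; };' "$1"
    fi
}

# zone_cmd COMMAND ZONE VIEW [CONFIGURATION]
# rndc's argument order is: command zone [class [view]] [configuration].
# A view can only follow a class, so class IN is inserted whenever a
# view is named.
zone_cmd() {
    cmd=$1 zone=$2 view=$3
    shift 3
    if [ -n "$view" ]; then
        rndc_run "$cmd" "$zone" IN "$view" "$@"
    else
        rndc_run "$cmd" "$zone" "$@"
    fi
}

# Full life cycle. Because the zone is created with addzone, the modzone
# change is recorded permanently and survives a restart or reconfig.
runtime_zone_demo() {
    zone=example.com view=internal file=example.com.db
    zone_cmd addzone  "$zone" "$view" "$(zone_body "$file")"            || return 1
    zone_cmd showzone "$zone" "$view"                                   || return 1
    zone_cmd modzone  "$zone" "$view" "$(zone_body "$file" update-key)" || return 1
    zone_cmd showzone "$zone" "$view"                                   || return 1
    zone_cmd delzone  "$zone" "$view"
}

# Run the demo only when asked, so the file can also be sourced.
if [ -n "${RNDC_DEMO:-}" ]; then
    runtime_zone_demo
fi
```

	  <p>
	    Run it as <span class="command"><strong>RNDC_DEMO=1 sh zone-lifecycle.sh</strong></span>
	    to talk to the local server; add
	    <span class="command"><strong>RNDC_DRY_RUN=1</strong></span> to print each
	    command line instead, one argument per line, which shows that the
	    configuration text reaches <span class="command"><strong>rndc</strong></span>
	    as a single argument.  Because the zone was created with
	    <span class="command"><strong>addzone</strong></span>, the
	    <span class="command"><strong>modzone</strong></span> change would survive a
	    restart; for a zone defined in <code class="filename">named.conf</code>
	    the same edit has to be made there as well.
	  </p>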
	</dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Resend NOTIFY messages for the zone.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd>
	  <p>
	    Sets the server's debugging level to 0.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc trace</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>nta
	    [<span class="optional">( -class <em class="replaceable"><code>class</code></em> | -dump | -force | -remove | -lifetime <em class="replaceable"><code>duration</code></em>)</span>]
	<em class="replaceable"><code>domain</code></em>
	[<span class="optional"><em class="replaceable"><code>view</code></em></span>]
	</code></strong></span></dt>
<dd>
	  <p>
	    Sets a DNSSEC negative trust anchor (NTA)
	    for <code class="option">domain</code>, with a lifetime of
	    <code class="option">duration</code>.  The default lifetime is
	    configured in <code class="filename">named.conf</code> via the
	    <code class="option">nta-lifetime</code> option, and defaults to
	    one hour.  The lifetime cannot exceed one week.
	  </p>
	  <p>
	    A negative trust anchor selectively disables
	    DNSSEC validation for zones that are known to be
	    failing because of misconfiguration rather than
	    an attack.  When data to be validated is
	    at or below an active NTA (and above any other
	    configured trust anchors), <span class="command"><strong>named</strong></span> will
	    abort the DNSSEC validation process and treat the data as
	    insecure rather than bogus.  This continues until the
	    NTA's lifetime has elapsed.
	  </p>
	  <p>
	    NTAs persist across restarts of the <span class="command"><strong>named</strong></span> server.
	    The NTAs for a view are saved in a file called
	    <code class="filename"><em class="replaceable"><code>name</code></em>.nta</code>,
	    where <em class="replaceable"><code>name</code></em> is the
	    name of the view, or if it contains characters
	    that are incompatible with use as a file name, a
	    cryptographic hash generated from the name
	    of the view.
	  </p>
	  <p>
	    An existing NTA can be removed by using the
	    <code class="option">-remove</code> option.
	  </p>
	  <p>
	    An NTA's lifetime can be specified with the
	    <code class="option">-lifetime</code> option.  TTL-style
	    suffixes can be used to specify the lifetime in
	    seconds, minutes, or hours.  If the specified NTA
	    already exists, its lifetime will be updated to the
	    new value.  Setting <code class="option">-lifetime</code> to zero
	    is equivalent to <code class="option">-remove</code>.
	  </p>
	  <p>
	    If the <code class="option">-dump</code> option is used, any other arguments
	    are ignored, and a list of existing NTAs is printed
	    (note that this may include NTAs that are expired but
	    have not yet been cleaned up).
	  </p>
	  <p>
	    Normally, <span class="command"><strong>named</strong></span> will periodically
	    test to see whether data below an NTA can now be
	    validated (see the <code class="option">nta-recheck</code> option
	    in the Administrator Reference Manual for details).
	    If data can be validated, then the NTA is regarded as
	    no longer necessary, and will be allowed to expire
	    early.  The <code class="option">-force</code> option overrides this
	    behavior and forces an NTA to persist for its entire
	    lifetime, regardless of whether data could be
	    validated if the NTA were not present.
	  </p>
	  <p>
	    The view class can be specified with <code class="option">-class</code>.
	    The default is class <strong class="userinput"><code>IN</code></strong>, which is
	    the only class for which DNSSEC is currently supported.
	  </p>
	  <p>
	    All of these options can be shortened, i.e., to
	    <code class="option">-l</code>, <code class="option">-r</code>, <code class="option">-d</code>,
	    <code class="option">-f</code>, and <code class="option">-c</code>.
	  </p>
	  <p>
	    Unrecognized options are treated as errors. To reference
	    a domain or view name that begins with a hyphen,
	    use a double-hyphen on the command line to indicate the
	    end of options.
	  </p>
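	  <p>
	    The shell functions below are an added example, not code from
	    BIND or from this manual page.  They wrap
	    <span class="command"><strong>rndc nta</strong></span> for use from a script:
	    the lifetime is converted to seconds and rejected if it would
	    exceed the one-week maximum, a lifetime of zero becomes
	    <code class="option">-remove</code>, <code class="option">-force</code> is only
	    added on explicit request (it switches off the periodic recheck
	    that lets an NTA expire early once the zone validates again),
	    and the double hyphen is always placed before the domain so that
	    a name beginning with a hyphen cannot be parsed as an option.
	    The domain and view names used in the comments and the
	    <code class="literal">RNDC</code> variable are assumptions.
	  </p>

```shell
#!/bin/sh
# Added example, not part of BIND or the rndc manual page.
# Wraps rndc nta so that a script can add, remove and list negative trust
# anchors safely. Domain and view names are placeholders.
#
# RNDC may carry connection options, e.g. RNDC="rndc -k /etc/rndc.key".
# With RNDC_DRY_RUN=1 every command line is printed one argument per line
# instead of being sent to named.
RNDC="${RNDC:-rndc}"

rndc_run() {
    if [ -n "${RNDC_DRY_RUN:-}" ]; then
        printf '%s\n' "$RNDC" "$@"
    else
        $RNDC "$@"
    fi
}

MAX_NTA_SECONDS=604800   # one week, the longest lifetime named accepts

# nta_lifetime_seconds LIFETIME
# Converts a TTL-style lifetime (plain seconds, or with an s, m or h
# suffix) to seconds; fails on anything else.
nta_lifetime_seconds() {
    case $1 in
        ""|*[!0-9smhSMH]*) return 1 ;;
    esac
    num=${1%[smhSMH]}
    suffix=${1#"$num"}
    case $num in
        ""|*[!0-9]*) return 1 ;;
    esac
    case $suffix in
        ""|s|S) mult=1 ;;
        m|M)    mult=60 ;;
        h|H)    mult=3600 ;;
    esac
    echo $((num * mult))
}

# nta_remove DOMAIN [VIEW]
# "--" ends option parsing, so a domain that begins with a hyphen cannot
# be mistaken for an option.
nta_remove() {
    rndc_run nta -remove -- "$1" ${2:+"$2"}
}

# Lists existing NTAs; expired but not yet cleaned-up ones may appear.
nta_dump() {
    rndc_run nta -dump
}

# nta_set DOMAIN VIEW LIFETIME [force]
# Always passes an explicit lifetime so the script does not silently
# depend on nta-lifetime in named.conf. Rejects lifetimes over one week,
# treats 0 as removal, and adds -force only on request, because -force
# disables the periodic recheck that lets an NTA expire early once the
# zone validates again.
nta_set() {
    domain=$1 view=$2 lifetime=$3 force=${4:-}
    secs=$(nta_lifetime_seconds "$lifetime") || {
        echo "nta_set: bad lifetime '$lifetime'" >&2; return 2; }
    if [ "$secs" -gt "$MAX_NTA_SECONDS" ]; then
        echo "nta_set: lifetime $lifetime exceeds one week" >&2; return 2
    fi
    if [ "$secs" -eq 0 ]; then
        nta_remove "$domain" "$view"
        return
    fi
    set -- -lifetime "$lifetime"
    if [ -n "$force" ]; then
        set -- -force "$@"
    fi
    rndc_run nta "$@" -- "$domain" ${view:+"$view"}
}
```

	  <p>
	    For example, <span class="command"><strong>nta_set badzone.example internal 1h</strong></span>
	    sends <span class="command"><strong>rndc nta -lifetime 1h -- badzone.example internal</strong></span>;
	    with <span class="command"><strong>RNDC_DRY_RUN=1</strong></span> set, the
	    command line is printed instead of executed.  An explicit lifetime
	    is always passed so that a script does not silently depend on the
	    <code class="option">nta-lifetime</code> default.
	  </p>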
	</dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional"> on | off </span>] </span></dt>
<dd>
	  <p>
	    Enable or disable query logging.  (For backward
	    compatibility, this command can also be used without
	    an argument to toggle query logging on and off.)
	  </p>
	  <p>
	    Query logging can also be enabled
	    by explicitly directing the <span class="command"><strong>queries</strong></span>
	    <span class="command"><strong>category</strong></span> to a
	    <span class="command"><strong>channel</strong></span> in the
	    <span class="command"><strong>logging</strong></span> section of
	    <code class="filename">named.conf</code> or by specifying
	    <span class="command"><strong>querylog yes;</strong></span> in the
	    <span class="command"><strong>options</strong></span> section of
	    <code class="filename">named.conf</code>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd>
	  <p>
	    Reload the configuration file and load new zones,
	    but do not reload existing zone files even if they
	    have changed.
	    This is faster than a full <span class="command"><strong>reload</strong></span> when there
	    is a large number of zones because it avoids the need
	    to examine the modification times of the zone files.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd>
	  <p>
	    Dump the list of queries <span class="command"><strong>named</strong></span> is currently
	    recursing on, and the list of domains to which iterative
	    queries are currently being sent.  (The second list includes
	    the number of fetches currently active for the given domain,
	    and how many have been passed or dropped because of the
	    <code class="option">fetches-per-zone</code> option.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Schedule zone maintenance for the given zone.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd>
	  <p>
	    Reload the configuration file and all zones.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Reload the given zone.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Retransfer the given slave zone from the master server.
	  </p>
	  <p>
	    If the zone is configured to use
	    <span class="command"><strong>inline-signing</strong></span>, the signed
	    version of the zone is discarded; after the
	    retransfer of the unsigned version is complete, the
	    signed version will be regenerated with all new
	    signatures.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
<dd>
	  <p>
	     Scan the list of available network interfaces
	     for changes, without performing a full
	     <span class="command"><strong>reconfig</strong></span> or waiting for the
	     <span class="command"><strong>interface-interval</strong></span> timer.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional">-</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd>
	  <p>
	    Dump the security roots (i.e., trust anchors
	    configured via <span class="command"><strong>trusted-keys</strong></span>,
	    <span class="command"><strong>managed-keys</strong></span>, or
	    <span class="command"><strong>dnssec-validation auto</strong></span>) and negative trust
	    anchors for the specified views.  If no view is specified, all
	    views are dumped.  Security roots will indicate whether
	    they are configured as trusted keys, managed keys, or
	    initializing managed keys (managed keys that have not yet
	    been updated by a successful key refresh query).
	  </p>
	  <p>
	    If the first argument is "-", then the output is
	    returned via the <span class="command"><strong>rndc</strong></span> response channel
	    and printed to the standard output.
	    Otherwise, it is written to the secroots dump file, which
	    defaults to <code class="filename">named.secroots</code>, but can be
	    overridden via the <code class="option">secroots-file</code> option in
	    <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc managed-keys</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>serve-stale ( on | off | reset | status ) [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Enable, disable, reset, or report the current status
            of the serving of stale answers as configured in
            <code class="filename">named.conf</code>.
	  </p>
	  <p>
            If serving of stale answers is disabled by
            <span class="command"><strong>rndc serve-stale off</strong></span>, then it
	    will remain disabled even if <span class="command"><strong>named</strong></span>
            is reloaded or reconfigured.
            <span class="command"><strong>rndc serve-stale reset</strong></span> restores
            the setting as configured in <code class="filename">named.conf</code>.
	  </p>
	  <p>
	    <span class="command"><strong>rndc serve-stale status</strong></span> will report
            whether serving of stale answers is currently enabled,
            disabled by the configuration, or disabled by
            <span class="command"><strong>rndc</strong></span>.  It will also report the
	    values of <span class="command"><strong>stale-answer-ttl</strong></span> and
	    <span class="command"><strong>max-stale-ttl</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>showzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
	  <p>
	    Print the configuration of a running zone.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc zonestatus</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Fetch all DNSSEC keys for the given zone
	    from the key directory (see the
	    <span class="command"><strong>key-directory</strong></span> option in
	    the BIND 9 Administrator Reference Manual).  If they are within
	    their publication period, merge them into the
	    zone's DNSKEY RRset.  If the DNSKEY RRset
	    is changed, then the zone is automatically
	    re-signed with the new key set.
	  </p>
	  <p>
	    This command requires that the
	    <span class="command"><strong>auto-dnssec</strong></span> zone option be set
	    to <code class="literal">allow</code> or
	    <code class="literal">maintain</code>,
	    and also requires the zone to be configured to
	    allow dynamic DNS.
	    (See "Dynamic Update Policies" in the Administrator
	    Reference Manual for more details.)
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc loadkeys</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) | -serial <em class="replaceable"><code>value</code></em> ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
	  <p>
	    List, edit, or remove the DNSSEC signing state records
	    for the specified zone.  The status of ongoing DNSSEC
	    operations (such as signing or generating
	    NSEC3 chains) is stored in the zone in the form
	    of DNS resource records of type
	    <span class="command"><strong>sig-signing-type</strong></span>.
	    <span class="command"><strong>rndc signing -list</strong></span> converts
	    these records into a human-readable form,
	    indicating which keys are currently signing
	    or have finished signing the zone, and which NSEC3
	    chains are being created or removed.
	  </p>
	  <p>
	    <span class="command"><strong>rndc signing -clear</strong></span> can remove
	    a single key (specified in the same format that
	    <span class="command"><strong>rndc signing -list</strong></span> uses to
	    display it), or all keys.  In either case, only
	    completed keys are removed; any record indicating
	    that a key has not yet finished signing the zone
	    will be retained.
	  </p>
	  <p>
	    <span class="command"><strong>rndc signing -nsec3param</strong></span> sets
	    the NSEC3 parameters for a zone.  This is the
	    only supported mechanism for using NSEC3 with
	    <span class="command"><strong>inline-signing</strong></span> zones.
	    Parameters are specified in the same format as
	    an NSEC3PARAM resource record: hash algorithm,
	    flags, iterations, and salt, in that order.
	  </p>
	  <p>
	    Currently, the only defined value for hash algorithm
	    is <code class="literal">1</code>, representing SHA-1.
	    The <code class="option">flags</code> may be set to
	    <code class="literal">0</code> or <code class="literal">1</code>,
	    depending on whether you wish to set the opt-out
	    bit in the NSEC3 chain.  <code class="option">iterations</code>
	    defines the number of additional times to apply
	    the algorithm when generating an NSEC3 hash.  The
	    <code class="option">salt</code> is a string of data expressed
	    in hexadecimal, a hyphen (`-') if no salt is
	    to be used, or the keyword <code class="literal">auto</code>,
	    which causes <span class="command"><strong>named</strong></span> to generate a
	    random 64-bit salt.
	  </p>
	  <p>
	    So, for example, to create an NSEC3 chain using
	    the SHA-1 hash algorithm, no opt-out flag,
	    10 iterations, and a salt value of "FFFF", use:
	    <span class="command"><strong>rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
	    To set the opt-out flag, 15 iterations, and no
	    salt, use:
	    <span class="command"><strong>rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
	  </p>
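	  <p>
	    The following is an added example, not code from BIND or from this
	    manual page: a guarded front end to
	    <span class="command"><strong>rndc signing -nsec3param</strong></span> that
	    checks the four parameters, in NSEC3PARAM order, before sending
	    them.  It refuses values this page describes as undefined or
	    unsupported (a hash algorithm other than 1, flags other than 0
	    or 1, a non-numeric iteration count, or a salt that is neither a
	    hyphen, <code class="literal">auto</code>, nor a whole number of bytes
	    in hexadecimal, i.e. an even number of hex digits).  It also
	    prints a note when iterations or a salt are requested, because
	    RFC 9276 (2022) recommends zero iterations and no salt: additional
	    iterations mainly raise the cost for validating resolvers while
	    doing little against offline dictionary attacks on the hashed
	    names.  The zone name and the <code class="literal">RNDC</code>
	    variable are assumptions.
	  </p>

```shell
#!/bin/sh
# Added example, not part of BIND or the rndc manual page.
# Validates NSEC3 parameters before handing them to rndc signing -nsec3param.
# The zone name is a placeholder.
#
# RNDC may carry connection options, e.g. RNDC="rndc -k /etc/rndc.key".
# With RNDC_DRY_RUN=1 the command line is printed one argument per line
# instead of being sent to named.
RNDC="${RNDC:-rndc}"

rndc_run() {
    if [ -n "${RNDC_DRY_RUN:-}" ]; then
        printf '%s\n' "$RNDC" "$@"
    else
        $RNDC "$@"
    fi
}

# nsec3_check HASH FLAGS ITERATIONS SALT
# Same order as an NSEC3PARAM record. Returns 1, with a message on
# stderr, for values the manual page says are not defined or accepted.
nsec3_check() {
    alg=$1 flags=$2 iter=$3 salt=$4
    [ "$alg" = 1 ] || { echo "hash algorithm must be 1 (SHA-1)" >&2; return 1; }
    case $flags in
        0|1) ;;
        *) echo "flags must be 0 or 1 (opt-out)" >&2; return 1 ;;
    esac
    case $iter in
        ""|*[!0-9]*) echo "iterations must be a non-negative integer" >&2; return 1 ;;
    esac
    case $salt in
        -|auto) ;;
        "") echo "salt must be hex, '-' for none, or 'auto'" >&2; return 1 ;;
        *[!0-9A-Fa-f]*) echo "salt must be hex, '-' for none, or 'auto'" >&2; return 1 ;;
        *) if [ $(( ${#salt} % 2 )) -ne 0 ]; then
               echo "salt must have an even number of hex digits" >&2; return 1
           fi ;;
    esac
    # RFC 9276 (2022) recommends 0 iterations and no salt: extra iterations
    # mostly raise the cost for validating resolvers, not for an attacker.
    if [ "$iter" -gt 0 ] || [ "$salt" != "-" ]; then
        echo "note: RFC 9276 recommends iterations 0 and no salt" >&2
    fi
    return 0
}

# nsec3_set ZONE HASH FLAGS ITERATIONS SALT
# Creates (or re-parameterises) the zone's NSEC3 chain.
nsec3_set() {
    zone=$1
    shift
    nsec3_check "$@" || return 1
    rndc_run signing -nsec3param "$@" "$zone"
}

# nsec3_clear ZONE: remove the NSEC3 chain and go back to NSEC.
nsec3_clear() {
    rndc_run signing -nsec3param none "$1"
}
```

	  <p>
	    <span class="command"><strong>nsec3_set example.com 1 0 10 FFFF</strong></span>
	    issues the first command line shown above, and
	    <span class="command"><strong>nsec3_clear example.com</strong></span> returns
	    the zone to NSEC.  With <span class="command"><strong>RNDC_DRY_RUN=1</strong></span>
	    set, the command line is printed rather than executed.
	  </p>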
	  <p>
	    <span class="command"><strong>rndc signing -nsec3param none</strong></span>
	    removes an existing NSEC3 chain and replaces it
	    with NSEC.
	  </p>
	  <p>
	    <span class="command"><strong>rndc signing -serial <em class="replaceable"><code>value</code></em></strong></span> sets
	    the serial number of the zone to <em class="replaceable"><code>value</code></em>.  If the value
	    would cause the serial number to go backwards, it is
	    rejected.  The primary use is to set the serial on
	    inline-signed zones.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd>
	  <p>
	    Write server statistics to the statistics file.
	    (See the <span class="command"><strong>statistics-file</strong></span> option in
	    the BIND 9 Administrator Reference Manual.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd>
	  <p>
	    Display status of the server.
	    Note that the number of zones includes the internal <span class="command"><strong>bind/CH</strong></span> zone
	    and the default <span class="command"><strong>./IN</strong></span>
	    hint zone if there is not an
	    explicit root zone configured.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Stop the server, making sure any recent changes
	    made through dynamic update or IXFR are first saved to
	    the master files of the updated zones.
	    If <code class="option">-p</code> is specified, <span class="command"><strong>named</strong></span>'s process id is returned.
	    This allows an external process to determine when <span class="command"><strong>named</strong></span>
	    has completed stopping.
	  </p>
	  <p>See also <span class="command"><strong>rndc halt</strong></span>.</p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Sync changes in the journal file for a dynamic zone
	    to the master file.  If the "-clean" option is
	    specified, the journal file is also removed.  If
	    no zone is specified, then all zones are synced.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>tcp-timeouts [<span class="optional"><em class="replaceable"><code>initial</code></em> <em class="replaceable"><code>idle</code></em> <em class="replaceable"><code>keepalive</code></em> <em class="replaceable"><code>advertised</code></em></span>]</code></strong></span></dt>
<dd>
	  <p>
	    When called without arguments, display the current
	    values of the <span class="command"><strong>tcp-initial-timeout</strong></span>,
	    <span class="command"><strong>tcp-idle-timeout</strong></span>,
	    <span class="command"><strong>tcp-keepalive-timeout</strong></span> and
	    <span class="command"><strong>tcp-advertised-timeout</strong></span> options.
	    When called with arguments, update these values. This
	    allows an administrator to make rapid adjustments when
	    under a denial of service attack.  See the descriptions of
	    these options in the BIND 9 Administrator Reference Manual
	    for details of their use.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Enable updates to a frozen dynamic zone.  If no
	    zone is specified, then all frozen zones are
	    enabled.  This causes the server to reload the zone
	    from disk, and re-enables dynamic updates after the
	    load has completed.  After a zone is thawed,
	    dynamic updates will no longer be refused.  If
	    the zone has changed and the
	    <span class="command"><strong>ixfr-from-differences</strong></span> option is
	    in use, then the journal file will be updated to
	    reflect changes in the zone.  Otherwise, if the
	    zone has changed, any existing journal file will be
	    removed.
	  </p>
	  <p>See also <span class="command"><strong>rndc freeze</strong></span>.</p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd>
	  <p>
	    Increment the server's debugging level by one.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd>
	  <p>
	    Sets the server's debugging level to an explicit
	    value.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc notrace</strong></span>.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd>
	  <p>
	    Delete a given TKEY-negotiated key from the server.
	    (This does not apply to statically configured TSIG
	    keys.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd>
	  <p>
	    List the names of all TSIG keys currently configured
	    for use by <span class="command"><strong>named</strong></span> in each view.  The
	    list includes both statically configured keys and dynamic
	    TKEY-negotiated keys.
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | status ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd>
	  <p>
	    Enable, disable, or check the current status of
	    DNSSEC validation.  By default, validation is enabled.
	    (Note that <span class="command"><strong>dnssec-enable</strong></span> must also be
	    <strong class="userinput"><code>yes</code></strong> (the default value) for signatures
	    to be returned along with validated data. If validation is
	    enabled while <span class="command"><strong>dnssec-enable</strong></span> is set to
	    <strong class="userinput"><code>no</code></strong>, the server will validate internally,
	    but will not supply clients with the necessary records to allow
	    validity to be confirmed.)
	  </p>
	</dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
	  <p>
	    Displays the current status of the given zone,
	    including the master file name and any include
	    files from which it was loaded, when it was most
	    recently loaded, the current serial number, the
	    number of nodes, whether the zone supports
	    dynamic updates, whether the zone is DNSSEC
	    signed, whether it uses automatic DNSSEC key
	    management or inline signing, and the scheduled
	    refresh or expiry times for the zone.
	  </p>
	  <p>
	    See also <span class="command"><strong>rndc showzone</strong></span>.
	  </p>
	</dd>
</dl></div>

    <p>
      <span class="command"><strong>rndc</strong></span> commands that specify zone names,
      such as <span class="command"><strong>reload</strong></span>, <span class="command"><strong>retransfer</strong></span>
      or <span class="command"><strong>zonestatus</strong></span>, can be ambiguous when applied
      to zones of type <code class="option">redirect</code>. Redirect zones are
      always called ".", and can be confused with zones of type
      <code class="option">hint</code> or with slaved copies of the root zone.
      To specify a redirect zone, use the special zone name
      <strong class="userinput"><code>-redirect</code></strong>, without a trailing period.
      (With a trailing period, this would specify a zone called
      "-redirect".)
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.38.10"></a><h2>LIMITATIONS</h2>

    <p>
      There is currently no way to provide the shared secret for a
      <code class="option">key_id</code> without using the configuration file.
    </p>
    <p>
      Several error messages could be clearer.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.38.11"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
	<span class="refentrytitle">rndc.conf</span>(5)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">rndc-confgen</span>(8)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">named</span>(8)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">named.conf</span>(5)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">ndc</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.rndc.conf.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
<td width="40%" align="right"> </td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<code class="filename">rndc.conf</code> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> </td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>