<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.nsupdate.html" title="nsupdate">
<link rel="next" href="man.rndc.conf.html" title="rndc.conf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.nsupdate.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.rndc.conf.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a
name="man.rndc"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc</span> — name server control utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2657861"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span> controls the operation of a name server. It supersedes the <span><strong class="command">ndc</strong></span> utility that was provided in old BIND releases. If <span><strong class="command">rndc</strong></span> is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
</p>
<p><span><strong class="command">rndc</strong></span> communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>, the only supported authentication algorithms are HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default), HMAC-SHA384 and HMAC-SHA512. They use a shared secret on each end of the connection.
 This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
</p>
<p><span><strong class="command">rndc</strong></span> reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2657911"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p> Use <em class="replaceable"><code>source-address</code></em> as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p> Use <em class="replaceable"><code>config-file</code></em> as the configuration file instead of the default, <code class="filename">/etc/rndc.conf</code>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd><p> Use <em class="replaceable"><code>key-file</code></em> as the key file instead of the default, <code class="filename">/etc/rndc.key</code>. The key in <code class="filename">/etc/rndc.key</code> will be used to authenticate commands sent to the server if the <em class="replaceable"><code>config-file</code></em> does not exist.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is the name or address of the server which matches a server statement in the configuration file for <span><strong class="command">rndc</strong></span>.
 If no server is supplied on the command line, the host named by the default-server clause in the options statement of the <span><strong class="command">rndc</strong></span> configuration file will be used.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p> Send commands to TCP port <em class="replaceable"><code>port</code></em> instead of BIND 9's default control channel port, 953.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p> Quiet mode: message text returned by the server will not be printed except when there is an error.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p> Enable verbose logging.
</p></dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p> Use the key <em class="replaceable"><code>key_id</code></em> from the configuration file. <em class="replaceable"><code>key_id</code></em> must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no <em class="replaceable"><code>key_id</code></em> is specified, <span><strong class="command">rndc</strong></span> will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2659498"></a><h2>COMMANDS</h2>
<p> A list of commands supported by <span><strong class="command">rndc</strong></span> can be seen by running <span><strong class="command">rndc</strong></span> without arguments.
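Before the command list, an added example (not part of this manual page and not ISC's code) that shows the pieces described under DESCRIPTION and the -y option working together: one key clause shared between rndc.conf and the controls statement in named.conf, both files created without group or world access so the shared secret is never exposed, and an HMAC-SHA256 check that accepts a command only when it was produced with the same secret and has not been altered. The key name rndc-key, the file names and the command strings are constructed for the example, and the message layout used by sign() is a deliberate simplification for illustration, not the real control-channel protocol.

```python
"""Shared-secret HMAC authentication as used on the rndc control channel,
with the rndc.conf / named.conf fragments that carry the key.
Added example: not BIND's own code; the message format in sign() is a
simplification, not the actual control-channel protocol."""
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

ALGORITHM = "hmac-sha256"   # named's default algorithm, per the manual page
DIGEST = hashlib.sha256


def generate_secret(nbytes=32):
    """Random shared secret, base64-encoded the way rndc.conf expects it."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def rndc_conf(key_name, secret, server="127.0.0.1", port=953):
    """rndc.conf text: the key clause plus the defaults rndc falls back to
    when neither -s nor -y is given on the command line."""
    return (
        f'key "{key_name}" {{\n'
        f'    algorithm {ALGORITHM};\n'
        f'    secret "{secret}";\n'
        f'}};\n'
        f'options {{\n'
        f'    default-key "{key_name}";\n'
        f'    default-server {server};\n'
        f'    default-port {port};\n'
        f'}};\n'
    )


def named_controls(key_name, secret, listen="127.0.0.1", port=953):
    """Matching named.conf fragment: the same key, and a controls statement
    that only accepts commands signed with it, from the listed address."""
    return (
        f'key "{key_name}" {{\n'
        f'    algorithm {ALGORITHM};\n'
        f'    secret "{secret}";\n'
        f'}};\n'
        f'controls {{\n'
        f'    inet {listen} port {port} allow {{ {listen}; }} keys {{ "{key_name}"; }};\n'
        f'}};\n'
    )


def write_private(path, text):
    """Create the file with mode 0600 from the start, so the secret is never
    briefly readable by other users (as the -y option warns against)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def is_private(path):
    """True when no group or other permission bits are set on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def sign(secret, command):
    """HMAC tag over a command, keyed with the decoded shared secret."""
    key = base64.b64decode(secret)
    return hmac.new(key, command.encode("utf-8"), DIGEST).hexdigest()


def verify(secret, command, tag):
    """Constant-time comparison: fails for a different key or a changed command."""
    return hmac.compare_digest(sign(secret, command), tag)


def demo():
    """End to end: make a key, write both files privately, sign a command,
    and show which verification attempts succeed."""
    secret = generate_secret()
    other = generate_secret()            # a second key the server does not know
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "rndc.conf")
        ctrl = os.path.join(d, "controls.conf")
        write_private(conf, rndc_conf("rndc-key", secret))
        write_private(ctrl, named_controls("rndc-key", secret))
        private = is_private(conf) and is_private(ctrl)
    tag = sign(secret, "reload example.com")   # constructed command
    return {
        "files_private": private,
        "good_key": verify(secret, "reload example.com", tag),
        "wrong_key": verify(other, "reload example.com", tag),
        "tampered": verify(secret, "reload example.org", tag),
    }


if __name__ == "__main__":
    print(demo())
```

The same key clause must appear in both files with identical algorithm and secret, which is exactly the condition the -y option states for validation to succeed; in practice rndc-confgen(8) generates both fragments for you, and the point of write_private() is that the files holding them should start life at mode 0600 rather than be tightened afterwards.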
</p>
<p> Currently supported commands are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p> Reload configuration file and zones.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p> Reload the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p> Schedule zone maintenance for the given zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p> Retransfer the given slave zone from the master server.
</p>
<p> If the zone is configured to use <span><strong class="command">inline-signing</strong></span>, the signed version of the zone is discarded; after the retransfer of the unsigned version is complete, the signed version will be regenerated with all new signatures.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p> Fetch all DNSSEC keys for the given zone from the key directory (see the <span><strong class="command">key-directory</strong></span> option in the BIND 9 Administrator Reference Manual). If they are within their publication period, merge them into the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re-signed with the new key set.
</p>
<p> This command requires that the <span><strong class="command">auto-dnssec</strong></span> zone option be set to <code class="literal">allow</code> or <code class="literal">maintain</code>, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p> Fetch all DNSSEC keys for the given zone from the key directory. If they are within their publication period, merge them into the zone's DNSKEY RRset. Unlike <span><strong class="command">rndc sign</strong></span>, however, the zone is not immediately re-signed by the new keys, but is allowed to incrementally re-sign over time.
</p>
<p> This command requires that the <span><strong class="command">auto-dnssec</strong></span> zone option be set to <code class="literal">maintain</code>, and also requires the zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in the Administrator Reference Manual for more details.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p> Suspend updates to a dynamic zone. If no zone is specified, then all zones are suspended. This allows manual edits to be made to a zone normally updated by dynamic update. It also causes changes in the journal file to be synced into the master file. All dynamic update attempts will be refused while the zone is frozen.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p> Enable updates to a frozen dynamic zone. If no zone is specified, then all frozen zones are enabled. This causes the server to reload the zone from disk, and re-enables dynamic updates after the load has completed. After a zone is thawed, dynamic updates will no longer be refused. If the zone has changed and the <span><strong class="command">ixfr-from-differences</strong></span> option is in use, then the journal file will be updated to reflect changes in the zone.
 Otherwise, if the zone has changed, any existing journal file will be removed.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
<dd><p> Scan the list of available network interfaces for changes, without performing a full <span><strong class="command">reconfig</strong></span> or waiting for the <span><strong class="command">interface-interval</strong></span> timer.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p> Sync changes in the journal file for a dynamic zone to the master file. If the "-clean" option is specified, the journal file is also removed. If no zone is specified, then all zones are synced.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p> Resend NOTIFY messages for the zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p> Reload the configuration file and load new zones, but do not reload existing zone files even if they have changed. This is faster than a full <span><strong class="command">reload</strong></span> when there is a large number of zones because it avoids the need to examine the modification times of the zone files.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p> Displays the current status of the given zone, including the master file name and any include files from which it was loaded, when it was most recently loaded, the current serial number, the number of nodes, whether the zone supports dynamic updates, whether the zone is DNSSEC signed, whether it uses automatic DNSSEC key management or inline signing, and the scheduled refresh or expiry times for the zone.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p> Write server statistics to the statistics file.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p> Enable or disable query logging. (For backward compatibility, this command can also be used without an argument to toggle query logging on and off.)
</p>
<p> Query logging can also be enabled by explicitly directing the <span><strong class="command">queries</strong></span> <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the <span><strong class="command">logging</strong></span> section of <code class="filename">named.conf</code> or by specifying <span><strong class="command">querylog yes;</strong></span> in the <span><strong class="command">options</strong></span> section of <code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p> Dump the server's caches (default) and/or zones to the dump file for the specified views. If no view is specified, all views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p> Dump the server's security roots to the secroots file for the specified views. If no view is specified, security roots for all views are dumped.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p> Stop the server, making sure any recent changes made through dynamic update or IXFR are first saved to the master files of the updated zones. If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned. This allows an external process to determine when <span><strong class="command">named</strong></span> has completed stopping.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p> Stop the server immediately. Recent changes made through dynamic update or IXFR are not saved to the master files, but will be rolled forward from the journal files when the server is restarted. If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned. This allows an external process to determine when <span><strong class="command">named</strong></span> has completed halting.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p> Increment the server's debugging level by one.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd><p> Sets the server's debugging level to an explicit value.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd><p> Sets the server's debugging level to 0.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p> Flushes the server's cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p> Flushes the given name from the server's DNS cache and, if applicable, from the server's nameserver address database or bad-server cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p> Flushes the given name, and all of its subdomains, from the server's DNS cache, the address database, and the bad server cache.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p> Display status of the server. Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone and the default <span><strong class="command">./IN</strong></span> hint zone if there is not an explicit root zone configured.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p> Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing on.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd><p> Enable, disable, or check the current status of DNSSEC validation. Note <span><strong class="command">dnssec-enable</strong></span> also needs to be set to <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>auto</code></strong> to be effective. It defaults to enabled.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd><p> List the names of all TSIG keys currently configured for use by <span><strong class="command">named</strong></span> in each view. The list includes both statically configured keys and dynamic TKEY-negotiated keys.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p> Delete a given TKEY-negotiated key from the server. (This does not apply to statically configured TSIG keys.)
</p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
<p> Add a zone while the server is running.
 This command requires the <span><strong class="command">allow-new-zones</strong></span> option to be set to <strong class="userinput"><code>yes</code></strong>. The <em class="replaceable"><code>configuration</code></em> string specified on the command line is the zone configuration text that would ordinarily be placed in <code class="filename">named.conf</code>.
</p>
<p> The configuration is saved in a file called <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>, where <em class="replaceable"><code>hash</code></em> is a cryptographic hash generated from the name of the view. When <span><strong class="command">named</strong></span> is restarted, the file will be loaded into the view configuration, so that zones that were added can persist after a restart.
</p>
<p> This sample <span><strong class="command">addzone</strong></span> command would add the zone <code class="literal">example.com</code> to the default view:
</p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
</p>
<p> (Note the brackets and semi-colon around the zone configuration text.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p> Delete a zone while the server is running. Only zones that were originally added via <span><strong class="command">rndc addzone</strong></span> can be deleted in this manner.
</p>
<p> If <code class="option">-clean</code> is specified, the zone's master file (and journal file, if any) will be deleted along with the zone. Without the <code class="option">-clean</code> option, zone files must be cleaned up by hand. (If the zone is of type "slave" or "stub", the files needing to be cleaned up will be reported in the output of the <span><strong class="command">rndc delzone</strong></span> command.)
</p>
</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p> List, edit, or remove the DNSSEC signing state records for the specified zone. The status of ongoing DNSSEC operations (such as signing or generating NSEC3 chains) is stored in the zone in the form of DNS resource records of type <span><strong class="command">sig-signing-type</strong></span>. <span><strong class="command">rndc signing -list</strong></span> converts these records into a human-readable form, indicating which keys are currently signing or have finished signing the zone, and which NSEC3 chains are being created or removed.
</p>
<p> <span><strong class="command">rndc signing -clear</strong></span> can remove a single key (specified in the same format that <span><strong class="command">rndc signing -list</strong></span> uses to display it), or all keys.
 In either case, only completed keys are removed; any record indicating that a key has not yet finished signing the zone will be retained.
</p>
<p> <span><strong class="command">rndc signing -nsec3param</strong></span> sets the NSEC3 parameters for a zone. This is the only supported mechanism for using NSEC3 with <span><strong class="command">inline-signing</strong></span> zones. Parameters are specified in the same format as an NSEC3PARAM resource record: hash algorithm, flags, iterations, and salt, in that order.
</p>
<p> Currently, the only defined value for hash algorithm is <code class="literal">1</code>, representing SHA-1. The <code class="option">flags</code> may be set to <code class="literal">0</code> or <code class="literal">1</code>, depending on whether you wish to set the opt-out bit in the NSEC3 chain. <code class="option">iterations</code> defines the number of additional times to apply the algorithm when generating an NSEC3 hash. The <code class="option">salt</code> is a string of data expressed in hexadecimal, a hyphen ('-') if no salt is to be used, or the keyword <code class="literal">auto</code>, which causes <span><strong class="command">named</strong></span> to generate a random 64-bit salt.
</p>
<p> So, for example, to create an NSEC3 chain using the SHA-1 hash algorithm, no opt-out flag, 10 iterations, and a salt value of "FFFF", use: <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>. To set the opt-out flag, 15 iterations, and no salt, use: <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
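As an added example (not BIND's own code and not part of this manual page), the following validates a parameter string in exactly the form described above for -nsec3param, then computes the NSEC3 owner-name hash that named derives from those parameters (the RFC 5155 construction: SHA-1 over the wire-format name and salt, re-applied `iterations` more times, base32hex-encoded). It makes the meaning of iterations and salt concrete: the same name hashes differently under the two parameter sets quoted above. rndc itself only forwards the parameters to named; the names used at the bottom are constructed.

```python
"""Parse the tuple that `rndc signing -nsec3param` takes (hash algorithm,
flags, iterations, salt) and compute the NSEC3 owner-name hash those
parameters produce, per RFC 5155.  Added example, not BIND's own code."""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32 extended-hex alphabet


def parse_nsec3param(text):
    """Validate 'hash-algorithm flags iterations salt'.
    Returns (alg, flags, iterations, salt) where salt is bytes, None for
    '-', or the string 'auto'.  Raises ValueError for anything else."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError("expected: hash-algorithm flags iterations salt")
    alg, flags, iterations, salt = parts
    if alg != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    if flags not in ("0", "1"):
        raise ValueError("flags must be 0 or 1 (the opt-out bit)")
    if not iterations.isdigit() or int(iterations) > 65535:
        raise ValueError("iterations must be an integer 0..65535")
    if salt == "-":
        salt_value = None
    elif salt == "auto":
        salt_value = "auto"
    elif len(salt) % 2 == 0 and len(salt) <= 510:   # salt length field is one octet
        salt_value = bytes.fromhex(salt)             # ValueError on non-hex input
    else:
        raise ValueError("salt must be even-length hex, '-' or 'auto'")
    return int(alg), int(flags), int(iterations), salt_value


def is_valid_nsec3param(text):
    """Boolean wrapper for checking a candidate parameter string."""
    try:
        parse_nsec3param(text)
        return True
    except ValueError:
        return False


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data):
    """Base32 with the extended-hex alphabet and no padding
    (a 20-octet SHA-1 digest becomes exactly 32 characters)."""
    n = int.from_bytes(data, "big")
    return "".join(B32HEX[(n >> shift) & 31]
                   for shift in range(len(data) * 8 - 5, -1, -5))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), then the hash is applied
    to its own output (again with the salt) `iterations` more times."""
    salt = salt or b""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def hashed_owner(name, zone, params):
    """Owner name the NSEC3 record for `name` gets under `params`
    (the same string you would pass to rndc signing -nsec3param)."""
    _alg, _flags, iterations, salt = parse_nsec3param(params)
    if salt == "auto":
        raise ValueError("'auto' salt is chosen by named; pass the salt it chose")
    return nsec3_hash(name, salt, iterations) + "." + zone.strip(".") + "."


if __name__ == "__main__":
    # The two parameter sets from the text, applied to a constructed name.
    for params in ("1 0 10 FFFF", "1 1 15 -"):
        print(params, "->", hashed_owner("www.example.com", "example.com", params))
```

To cross-check the hashing against an independent source, RFC 5155 Appendix A lists NSEC3 owner names for a sample zone with a fixed salt and iteration count; feeding the same name, salt and iterations into nsec3_hash() should reproduce them.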
</p>
<p> <span><strong class="command">rndc signing -nsec3param none</strong></span> removes an existing NSEC3 chain and replaces it with NSEC.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2691952"></a><h2>LIMITATIONS</h2>
<p> There is currently no way to provide the shared secret for a <code class="option">key_id</code> without using the configuration file.
</p>
<p> Several error messages could be clearer.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2692038"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
 <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
 <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2692093"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.nsupdate.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.rndc.conf.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">nsupdate</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<code class="filename">rndc.conf</code>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>