1.. 2 Copyright (C) Internet Systems Consortium, Inc. ("ISC") 3 4 This Source Code Form is subject to the terms of the Mozilla Public 5 License, v. 2.0. If a copy of the MPL was not distributed with this 6 file, You can obtain one at http://mozilla.org/MPL/2.0/. 7 8 See the COPYRIGHT file distributed with this work for additional 9 information regarding copyright ownership. 10 11.. 12 Copyright (C) Internet Systems Consortium, Inc. ("ISC") 13 14 This Source Code Form is subject to the terms of the Mozilla Public 15 License, v. 2.0. If a copy of the MPL was not distributed with this 16 file, You can obtain one at http://mozilla.org/MPL/2.0/. 17 18 See the COPYRIGHT file distributed with this work for additional 19 information regarding copyright ownership. 20 21 22.. highlight: console 23 24.. _man_rndc: 25 26rndc - name server control utility 27---------------------------------- 28 29Synopsis 30~~~~~~~~ 31 32:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** key_id] [[**-4**] | [**-6**]] {command} 33 34Description 35~~~~~~~~~~~ 36 37``rndc`` controls the operation of a name server. It supersedes the 38``ndc`` utility that was provided in old BIND releases. If ``rndc`` is 39invoked with no command line options or arguments, it prints a short 40summary of the supported commands and the available options and their 41arguments. 42 43``rndc`` communicates with the name server over a TCP connection, 44sending commands authenticated with digital signatures. In the current 45versions of ``rndc`` and ``named``, the only supported authentication 46algorithms are HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, 47HMAC-SHA256 (default), HMAC-SHA384 and HMAC-SHA512. They use a shared 48secret on each end of the connection. This provides TSIG-style 49authentication for the command request and the name server's response. 50All commands sent over the channel must be signed by a key_id known to 51the server. 52 53``rndc`` reads a configuration file to determine how to contact the name 54server and decide what algorithm and key it should use. 55 56Options 57~~~~~~~ 58 59**-4** 60 Use IPv4 only. 61 62**-6** 63 Use IPv6 only. 64 65**-b** source-address 66 Use source-address as the source address for the connection to the 67 server. Multiple instances are permitted to allow setting of both the 68 IPv4 and IPv6 source addresses. 69 70**-c** config-file 71 Use config-file as the configuration file instead of the default, 72 ``/etc/rndc.conf``. 73 74**-k** key-file 75 Use key-file as the key file instead of the default, 76 ``/etc/rndc.key``. The key in ``/etc/rndc.key`` will be used to 77 authenticate commands sent to the server if the config-file does not 78 exist. 79 80**-s** server 81 server is the name or address of the server which matches a server 82 statement in the configuration file for ``rndc``. If no server is 83 supplied on the command line, the host named by the default-server 84 clause in the options statement of the ``rndc`` configuration file 85 will be used. 86 87**-p** port 88 Send commands to TCP port port instead of BIND 9's default control 89 channel port, 953. 90 91**-q** 92 Quiet mode: Message text returned by the server will not be printed 93 except when there is an error. 94 95**-r** 96 Instructs ``rndc`` to print the result code returned by ``named`` 97 after executing the requested command (e.g., ISC_R_SUCCESS, 98 ISC_R_FAILURE, etc). 99 100**-V** 101 Enable verbose logging. 102 103**-y** key_id 104 Use the key key_id from the configuration file. key_id must be known 105 by ``named`` with the same algorithm and secret string in order for 106 control message validation to succeed. If no key_id is specified, 107 ``rndc`` will first look for a key clause in the server statement of 108 the server being used, or if no server statement is present for that 109 host, then the default-key clause of the options statement. Note that 110 the configuration file contains shared secrets which are used to send 111 authenticated control commands to name servers. It should therefore 112 not have general read or write access. 113 114Commands 115~~~~~~~~ 116 117A list of commands supported by ``rndc`` can be seen by running ``rndc`` 118without arguments. 119 120Currently supported commands are: 121 122``addzone`` *zone* [*class* [*view*]] *configuration* 123 Add a zone while the server is running. This command requires the 124 ``allow-new-zones`` option to be set to ``yes``. The configuration 125 string specified on the command line is the zone configuration text 126 that would ordinarily be placed in :manpage:`named.conf(5)`. 127 128 The configuration is saved in a file called ``viewname.nzf`` (or, if 129 :manpage:`named(8)` is compiled with liblmdb, an LMDB database file called 130 ``viewname.nzd``). viewname is the name of the view, unless the view 131 name contains characters that are incompatible with use as a file 132 name, in which case a cryptographic hash of the view name is used 133 instead. When :manpage:`named(8)` is restarted, the file will be loaded into 134 the view configuration, so that zones that were added can persist 135 after a restart. 136 137 This sample ``addzone`` command would add the zone ``example.com`` to 138 the default view: 139 140 ``$``\ ``rndc addzone example.com '{ type master; file "example.com.db"; };'`` 141 142 (Note the brackets and semi-colon around the zone configuration 143 text.) 144 145 See also ``rndc delzone`` and ``rndc modzone``. 146 147``delzone`` [**-clean**] *zone* [*class* [*view*]] 148 Delete a zone while the server is running. 149 150 If the ``-clean`` argument is specified, the zone's master file (and 151 journal file, if any) will be deleted along with the zone. Without 152 the ``-clean`` option, zone files must be cleaned up by hand. (If the 153 zone is of type "slave" or "stub", the files needing to be cleaned up 154 will be reported in the output of the ``rndc delzone`` command.) 155 156 If the zone was originally added via ``rndc addzone``, then it will 157 be removed permanently. However, if it was originally configured in 158 ``named.conf``, then that original configuration is still in place; 159 when the server is restarted or reconfigured, the zone will come 160 back. To remove it permanently, it must also be removed from 161 ``named.conf`` 162 163 See also ``rndc addzone`` and ``rndc modzone``. 164 165``dnssec`` [**-status** *zone* [*class* [*view*]] 166 Show the DNSSEC signing state for the specified zone. Requires the 167 zone to have a "dnssec-policy". 168 169``dnstap`` ( **-reopen** | **-roll** [*number*] ) 170 Close and re-open DNSTAP output files. ``rndc dnstap -reopen`` allows 171 the output file to be renamed externally, so that :manpage:`named(8)` can 172 truncate and re-open it. ``rndc dnstap -roll`` causes the output file 173 to be rolled automatically, similar to log files; the most recent 174 output file has ".0" appended to its name; the previous most recent 175 output file is moved to ".1", and so on. If number is specified, then 176 the number of backup log files is limited to that number. 177 178``dumpdb`` [**-all** | **-cache** | **-zones** | **-adb** | **-bad** | **-fail**] [*view ...*] 179 Dump the server's caches (default) and/or zones to the dump file for 180 the specified views. If no view is specified, all views are dumped. 181 (See the ``dump-file`` option in the BIND 9 Administrator Reference 182 Manual.) 183 184``flush`` 185 Flushes the server's cache. 186 187``flushname`` *name* [*view*] 188 Flushes the given name from the view's DNS cache and, if applicable, 189 from the view's nameserver address database, bad server cache and 190 SERVFAIL cache. 191 192``flushtree`` *name* [*view*] 193 Flushes the given name, and all of its subdomains, from the view's 194 DNS cache, address database, bad server cache, and SERVFAIL cache. 195 196``freeze`` [*zone* [*class* [*view*]]] 197 Suspend updates to a dynamic zone. If no zone is specified, then all 198 zones are suspended. This allows manual edits to be made to a zone 199 normally updated by dynamic update. It also causes changes in the 200 journal file to be synced into the master file. All dynamic update 201 attempts will be refused while the zone is frozen. 202 203 See also ``rndc thaw``. 204 205``halt`` [**-p**] 206 Stop the server immediately. Recent changes made through dynamic 207 update or IXFR are not saved to the master files, but will be rolled 208 forward from the journal files when the server is restarted. If 209 ``-p`` is specified :manpage:`named(8)`'s process id is returned. This allows 210 an external process to determine when :manpage:`named(8)` had completed 211 halting. 212 213 See also ``rndc stop``. 214 215``loadkeys`` [*zone* [*class* [*view*]]] 216 Fetch all DNSSEC keys for the given zone from the key directory. If 217 they are within their publication period, merge them into the 218 zone's DNSKEY RRset. Unlike ``rndc sign``, however, the zone is not 219 immediately re-signed by the new keys, but is allowed to 220 incrementally re-sign over time. 221 222 This command requires that zone is configured with a ``dnssec-policy``, or 223 the ``auto-dnssec`` zone option be set to ``maintain``, and also requires the 224 zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in 225 the Administrator Reference Manual for more details.) 226 227``managed-keys`` (*status* | *refresh* | *sync* | *destroy*) [*class* [*view*]] 228 Inspect and control the "managed-keys" database which handles 229 :rfc:`5011` DNSSEC trust anchor maintenance. If a view is specified, these 230 commands are applied to that view; otherwise they are applied to all 231 views. 232 233 - When run with the ``status`` keyword, prints the current status of 234 the managed-keys database. 235 236 - When run with the ``refresh`` keyword, forces an immediate refresh 237 query to be sent for all the managed keys, updating the 238 managed-keys database if any new keys are found, without waiting 239 the normal refresh interval. 240 241 - When run with the ``sync`` keyword, forces an immediate dump of 242 the managed-keys database to disk (in the file 243 ``managed-keys.bind`` or (``viewname.mkeys``). This synchronizes 244 the database with its journal file, so that the database's current 245 contents can be inspected visually. 246 247 - When run with the ``destroy`` keyword, the managed-keys database 248 is shut down and deleted, and all key maintenance is terminated. 249 This command should be used only with extreme caution. 250 251 Existing keys that are already trusted are not deleted from 252 memory; DNSSEC validation can continue after this command is used. 253 However, key maintenance operations will cease until :manpage:`named(8)` is 254 restarted or reconfigured, and all existing key maintenance state 255 will be deleted. 256 257 Running ``rndc reconfig`` or restarting :manpage:`named(8)` immediately 258 after this command will cause key maintenance to be reinitialized 259 from scratch, just as if the server were being started for the 260 first time. This is primarily intended for testing, but it may 261 also be used, for example, to jumpstart the acquisition of new 262 keys in the event of a trust anchor rollover, or as a brute-force 263 repair for key maintenance problems. 264 265``modzone`` *zone* [*class* [*view*]] *configuration* 266 Modify the configuration of a zone while the server is running. This 267 command requires the ``allow-new-zones`` option to be set to ``yes``. 268 As with ``addzone``, the configuration string specified on the 269 command line is the zone configuration text that would ordinarily be 270 placed in ``named.conf``. 271 272 If the zone was originally added via ``rndc addzone``, the 273 configuration changes will be recorded permanently and will still be 274 in effect after the server is restarted or reconfigured. However, if 275 it was originally configured in ``named.conf``, then that original 276 configuration is still in place; when the server is restarted or 277 reconfigured, the zone will revert to its original configuration. To 278 make the changes permanent, it must also be modified in 279 ``named.conf`` 280 281 See also ``rndc addzone`` and ``rndc delzone``. 282 283``notify`` *zone* [*class* [*view*]] 284 Resend NOTIFY messages for the zone. 285 286``notrace`` 287 Sets the server's debugging level to 0. 288 289 See also ``rndc trace``. 290 291``nta`` [( **-class** *class* | **-dump** | **-force** | **-remove** | **-lifetime** *duration*)] *domain* [*view*] 292 Sets a DNSSEC negative trust anchor (NTA) for ``domain``, with a 293 lifetime of ``duration``. The default lifetime is configured in 294 ``named.conf`` via the ``nta-lifetime`` option, and defaults to one 295 hour. The lifetime cannot exceed one week. 296 297 A negative trust anchor selectively disables DNSSEC validation for 298 zones that are known to be failing because of misconfiguration rather 299 than an attack. When data to be validated is at or below an active 300 NTA (and above any other configured trust anchors), :manpage:`named(8)` will 301 abort the DNSSEC validation process and treat the data as insecure 302 rather than bogus. This continues until the NTA's lifetime is 303 elapsed. 304 305 NTAs persist across restarts of the :manpage:`named(8)` server. The NTAs for a 306 view are saved in a file called ``name.nta``, where name is the name 307 of the view, or if it contains characters that are incompatible with 308 use as a file name, a cryptographic hash generated from the name of 309 the view. 310 311 An existing NTA can be removed by using the ``-remove`` option. 312 313 An NTA's lifetime can be specified with the ``-lifetime`` option. 314 TTL-style suffixes can be used to specify the lifetime in seconds, 315 minutes, or hours. If the specified NTA already exists, its lifetime 316 will be updated to the new value. Setting ``lifetime`` to zero is 317 equivalent to ``-remove``. 318 319 If the ``-dump`` is used, any other arguments are ignored, and a list 320 of existing NTAs is printed (note that this may include NTAs that are 321 expired but have not yet been cleaned up). 322 323 Normally, :manpage:`named(8)` will periodically test to see whether data below 324 an NTA can now be validated (see the ``nta-recheck`` option in the 325 Administrator Reference Manual for details). If data can be 326 validated, then the NTA is regarded as no longer necessary, and will 327 be allowed to expire early. The ``-force`` overrides this behavior 328 and forces an NTA to persist for its entire lifetime, regardless of 329 whether data could be validated if the NTA were not present. 330 331 The view class can be specified with ``-class``. The default is class 332 ``IN``, which is the only class for which DNSSEC is currently 333 supported. 334 335 All of these options can be shortened, i.e., to ``-l``, ``-r``, 336 ``-d``, ``-f``, and ``-c``. 337 338 Unrecognized options are treated as errors. To reference a domain or 339 view name that begins with a hyphen, use a double-hyphen on the 340 command line to indicate the end of options. 341 342``querylog`` [(*on* | *off*)] 343 Enable or disable query logging. (For backward compatibility, this 344 command can also be used without an argument to toggle query logging 345 on and off.) 346 347 Query logging can also be enabled by explicitly directing the 348 ``queries`` ``category`` to a ``channel`` in the ``logging`` section 349 of ``named.conf`` or by specifying ``querylog yes;`` in the 350 ``options`` section of ``named.conf``. 351 352``reconfig`` 353 Reload the configuration file and load new zones, but do not reload 354 existing zone files even if they have changed. This is faster than a 355 full ``reload`` when there is a large number of zones because it 356 avoids the need to examine the modification times of the zones files. 357 358``recursing`` 359 Dump the list of queries :manpage:`named(8)` is currently recursing on, and the 360 list of domains to which iterative queries are currently being sent. 361 (The second list includes the number of fetches currently active for 362 the given domain, and how many have been passed or dropped because of 363 the ``fetches-per-zone`` option.) 364 365``refresh`` *zone* [*class* [*view*]] 366 Schedule zone maintenance for the given zone. 367 368``reload`` 369 Reload configuration file and zones. 370 371``reload`` *zone* [*class* [*view*]] 372 Reload the given zone. 373 374``retransfer`` *zone* [*class* [*view*]] 375 Retransfer the given slave zone from the master server. 376 377 If the zone is configured to use ``inline-signing``, the signed 378 version of the zone is discarded; after the retransfer of the 379 unsigned version is complete, the signed version will be regenerated 380 with all new signatures. 381 382``scan`` 383 Scan the list of available network interfaces for changes, without 384 performing a full ``reconfig`` or waiting for the 385 ``interface-interval`` timer. 386 387``secroots`` [**-**] [*view* ...] 388 Dump the security roots (i.e., trust anchors configured via 389 ``trust-anchors``, or the ``managed-keys`` or ``trusted-keys`` statements 390 (both deprecated), or ``dnssec-validation auto``) and negative trust anchors 391 for the specified views. If no view is specified, all views are 392 dumped. Security roots will indicate whether they are configured as trusted 393 keys, managed keys, or initializing managed keys (managed keys that have not 394 yet been updated by a successful key refresh query). 395 396 If the first argument is "-", then the output is returned via the 397 ``rndc`` response channel and printed to the standard output. 398 Otherwise, it is written to the secroots dump file, which defaults to 399 ``named.secroots``, but can be overridden via the ``secroots-file`` 400 option in ``named.conf``. 401 402 See also ``rndc managed-keys``. 403 404``serve-stale`` (**on** | **off** | **reset** | **status**) [*class* [*view*]] 405 Enable, disable, reset, or report the current status of the serving 406 of stale answers as configured in ``named.conf``. 407 408 If serving of stale answers is disabled by ``rndc-serve-stale off``, 409 then it will remain disabled even if :manpage:`named(8)` is reloaded or 410 reconfigured. ``rndc serve-stale reset`` restores the setting as 411 configured in ``named.conf``. 412 413 ``rndc serve-stale status`` will report whether serving of stale 414 answers is currently enabled, disabled by the configuration, or 415 disabled by ``rndc``. It will also report the values of 416 ``stale-answer-ttl`` and ``max-stale-ttl``. 417 418``showzone`` *zone* [*class* [*view*]] 419 Print the configuration of a running zone. 420 421 See also ``rndc zonestatus``. 422 423``sign`` *zone* [*class* [*view*]] 424 Fetch all DNSSEC keys for the given zone from the key directory (see 425 the ``key-directory`` option in the BIND 9 Administrator Reference 426 Manual). If they are within their publication period, merge them into 427 the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the 428 zone is automatically re-signed with the new key set. 429 430 This command requires that the zone is configure with a ``dnssec-policy``, or 431 that the ``auto-dnssec`` zone option be set to ``allow`` or ``maintain``, 432 and also requires the zone to be configured to allow dynamic DNS. (See 433 "Dynamic Update Policies" in the Administrator Reference Manual for more 434 details.) 435 436 See also ``rndc loadkeys``. 437 438``signing`` [(**-list** | **-clear** *keyid/algorithm* | **-clear** *all* | **-nsec3param** ( *parameters* | none ) | **-serial** *value* ) *zone* [*class* [*view*]] 439 List, edit, or remove the DNSSEC signing state records for the 440 specified zone. The status of ongoing DNSSEC operations (such as 441 signing or generating NSEC3 chains) is stored in the zone in the form 442 of DNS resource records of type ``sig-signing-type``. 443 ``rndc signing -list`` converts these records into a human-readable 444 form, indicating which keys are currently signing or have finished 445 signing the zone, and which NSEC3 chains are being created or 446 removed. 447 448 ``rndc signing -clear`` can remove a single key (specified in the 449 same format that ``rndc signing -list`` uses to display it), or all 450 keys. In either case, only completed keys are removed; any record 451 indicating that a key has not yet finished signing the zone will be 452 retained. 453 454 ``rndc signing -nsec3param`` sets the NSEC3 parameters for a zone. 455 This is the only supported mechanism for using NSEC3 with 456 ``inline-signing`` zones. Parameters are specified in the same format 457 as an NSEC3PARAM resource record: hash algorithm, flags, iterations, 458 and salt, in that order. 459 460 Currently, the only defined value for hash algorithm is ``1``, 461 representing SHA-1. The ``flags`` may be set to ``0`` or ``1``, 462 depending on whether you wish to set the opt-out bit in the NSEC3 463 chain. ``iterations`` defines the number of additional times to apply 464 the algorithm when generating an NSEC3 hash. The ``salt`` is a string 465 of data expressed in hexadecimal, a hyphen (`-') if no salt is to be 466 used, or the keyword ``auto``, which causes :manpage:`named(8)` to generate a 467 random 64-bit salt. 468 469 So, for example, to create an NSEC3 chain using the SHA-1 hash 470 algorithm, no opt-out flag, 10 iterations, and a salt value of 471 "FFFF", use: ``rndc signing -nsec3param 1 0 10 FFFF zone``. To set 472 the opt-out flag, 15 iterations, and no salt, use: 473 ``rndc signing -nsec3param 1 1 15 - zone``. 474 475 ``rndc signing -nsec3param none`` removes an existing NSEC3 chain and 476 replaces it with NSEC. 477 478 ``rndc signing -serial value`` sets the serial number of the zone to 479 value. If the value would cause the serial number to go backwards it 480 will be rejected. The primary use is to set the serial on inline 481 signed zones. 482 483``stats`` 484 Write server statistics to the statistics file. (See the 485 ``statistics-file`` option in the BIND 9 Administrator Reference 486 Manual.) 487 488``status`` 489 Display status of the server. Note that the number of zones includes 490 the internal ``bind/CH`` zone and the default ``./IN`` hint zone if 491 there is not an explicit root zone configured. 492 493``stop`` **-p** 494 Stop the server, making sure any recent changes made through dynamic 495 update or IXFR are first saved to the master files of the updated 496 zones. If ``-p`` is specified :manpage:`named(8)`'s process id is returned. 497 This allows an external process to determine when :manpage:`named(8)` had 498 completed stopping. 499 500 See also ``rndc halt``. 501 502``sync`` **-clean** [*zone* [*class* [*view*]]] 503 Sync changes in the journal file for a dynamic zone to the master 504 file. If the "-clean" option is specified, the journal file is also 505 removed. If no zone is specified, then all zones are synced. 506 507``tcp-timeouts`` [*initial* *idle* *keepalive* *advertised*] 508 When called without arguments, display the current values of the 509 ``tcp-initial-timeout``, ``tcp-idle-timeout``, 510 ``tcp-keepalive-timeout`` and ``tcp-advertised-timeout`` options. 511 When called with arguments, update these values. This allows an 512 administrator to make rapid adjustments when under a denial of 513 service attack. See the descriptions of these options in the BIND 9 514 Administrator Reference Manual for details of their use. 515 516``thaw`` [*zone* [*class* [*view*]]] 517 Enable updates to a frozen dynamic zone. If no zone is specified, 518 then all frozen zones are enabled. This causes the server to reload 519 the zone from disk, and re-enables dynamic updates after the load has 520 completed. After a zone is thawed, dynamic updates will no longer be 521 refused. If the zone has changed and the ``ixfr-from-differences`` 522 option is in use, then the journal file will be updated to reflect 523 changes in the zone. Otherwise, if the zone has changed, any existing 524 journal file will be removed. 525 526 See also ``rndc freeze``. 527 528``trace`` 529 Increment the servers debugging level by one. 530 531``trace`` *level* 532 Sets the server's debugging level to an explicit value. 533 534 See also ``rndc notrace``. 535 536``tsig-delete`` *keyname* [*view*] 537 Delete a given TKEY-negotiated key from the server. (This does not 538 apply to statically configured TSIG keys.) 539 540``tsig-list`` 541 List the names of all TSIG keys currently configured for use by 542 :manpage:`named(8)` in each view. The list both statically configured keys and 543 dynamic TKEY-negotiated keys. 544 545``validation`` (**on** | **off** | **status**) [*view* ...]`` 546 Enable, disable, or check the current status of DNSSEC validation. By 547 default, validation is enabled. 548 549 The cache is flushed when validation is turned on or off to avoid using data 550 that might differ between states. 551 552``zonestatus`` *zone* [*class* [*view*]] 553 Displays the current status of the given zone, including the master 554 file name and any include files from which it was loaded, when it was 555 most recently loaded, the current serial number, the number of nodes, 556 whether the zone supports dynamic updates, whether the zone is DNSSEC 557 signed, whether it uses automatic DNSSEC key management or inline 558 signing, and the scheduled refresh or expiry times for the zone. 559 560 See also ``rndc showzone``. 561 562``rndc`` commands that specify zone names, such as ``reload``, 563``retransfer`` or ``zonestatus``, can be ambiguous when applied to zones 564of type ``redirect``. Redirect zones are always called ".", and can be 565confused with zones of type ``hint`` or with slaved copies of the root 566zone. To specify a redirect zone, use the special zone name 567``-redirect``, without a trailing period. (With a trailing period, this 568would specify a zone called "-redirect".) 569 570Limitations 571~~~~~~~~~~~ 572 573There is currently no way to provide the shared secret for a ``key_id`` 574without using the configuration file. 575 576Several error messages could be clearer. 577 578See Also 579~~~~~~~~ 580 581:manpage:`rndc.conf(5)`, :manpage:`rndc-confgen(8)`, 582:manpage:`named(8)`, :manpage:`named.conf(5)`, :manpage:`ndc(8)`, BIND 9 Administrator 583Reference Manual. 584