|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- This Source Code Form is subject to the terms of the Mozilla Public
|
|
Packit |
5ce601 |
- License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
Packit Service |
704ed8 |
- file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
Packit |
5ce601 |
-
|
|
Packit |
5ce601 |
- See the COPYRIGHT file distributed with this work for additional
|
|
Packit |
5ce601 |
- information regarding copyright ownership.
|
|
Packit |
5ce601 |
-->
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
|
|
Packit Service |
d3afd5 |
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc">
|
|
Packit |
5ce601 |
<info>
|
|
Packit |
5ce601 |
<date>2014-08-15</date>
|
|
Packit |
5ce601 |
</info>
|
|
Packit |
5ce601 |
<refentryinfo>
|
|
Packit |
5ce601 |
<corpname>ISC</corpname>
|
|
Packit |
5ce601 |
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
|
|
Packit |
5ce601 |
</refentryinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refmeta>
|
|
Packit |
5ce601 |
<refentrytitle><application>rndc</application></refentrytitle>
|
|
Packit |
5ce601 |
<manvolnum>8</manvolnum>
|
|
Packit Service |
d3afd5 |
<refmiscinfo>BIND9</refmiscinfo>
|
|
Packit |
5ce601 |
</refmeta>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refnamediv>
|
|
Packit |
5ce601 |
<refname><application>rndc</application></refname>
|
|
Packit |
5ce601 |
<refpurpose>name server control utility</refpurpose>
|
|
Packit |
5ce601 |
</refnamediv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<docinfo>
|
|
Packit |
5ce601 |
<copyright>
|
|
Packit |
5ce601 |
<year>2000</year>
|
|
Packit |
5ce601 |
<year>2001</year>
|
|
Packit |
5ce601 |
<year>2004</year>
|
|
Packit |
5ce601 |
<year>2005</year>
|
|
Packit |
5ce601 |
<year>2007</year>
|
|
Packit |
5ce601 |
<year>2013</year>
|
|
Packit |
5ce601 |
<year>2014</year>
|
|
Packit |
5ce601 |
<year>2015</year>
|
|
Packit |
5ce601 |
<year>2016</year>
|
|
Packit |
5ce601 |
<year>2017</year>
|
|
Packit |
5ce601 |
<year>2018</year>
|
|
Packit |
5ce601 |
<year>2019</year>
|
|
Packit |
5ce601 |
<year>2020</year>
|
|
Packit |
5ce601 |
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
Packit |
5ce601 |
</copyright>
|
|
Packit |
5ce601 |
</docinfo>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsynopsisdiv>
|
|
Packit |
5ce601 |
<cmdsynopsis sepchar=" ">
|
|
Packit |
5ce601 |
<command>rndc</command>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">server</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-r</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
|
|
Packit |
5ce601 |
<arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
|
|
Packit |
5ce601 |
<arg choice="req" rep="norepeat">command</arg>
|
|
Packit |
5ce601 |
</cmdsynopsis>
|
|
Packit |
5ce601 |
</refsynopsisdiv>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>DESCRIPTION</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para><command>rndc</command>
|
|
Packit |
5ce601 |
controls the operation of a name
|
|
Packit |
5ce601 |
server. It supersedes the <command>ndc</command> utility
|
|
Packit |
5ce601 |
that was provided in old BIND releases. If
|
|
Packit |
5ce601 |
<command>rndc</command> is invoked with no command line
|
|
Packit |
5ce601 |
options or arguments, it prints a short summary of the
|
|
Packit |
5ce601 |
supported commands and the available options and their
|
|
Packit |
5ce601 |
arguments.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para><command>rndc</command>
|
|
Packit |
5ce601 |
communicates with the name server over a TCP connection, sending
|
|
Packit |
5ce601 |
commands authenticated with digital signatures. In the current
|
|
Packit |
5ce601 |
versions of
|
|
Packit |
5ce601 |
<command>rndc</command> and <command>named</command>,
|
|
Packit |
5ce601 |
the only supported authentication algorithms are HMAC-MD5
|
|
Packit |
5ce601 |
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
|
|
Packit |
5ce601 |
(default), HMAC-SHA384 and HMAC-SHA512.
|
|
Packit |
5ce601 |
They use a shared secret on each end of the connection.
|
|
Packit |
5ce601 |
This provides TSIG-style authentication for the command
|
|
Packit |
5ce601 |
request and the name server's response. All commands sent
|
|
Packit |
5ce601 |
over the channel must be signed by a key_id known to the
|
|
Packit |
5ce601 |
server.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para><command>rndc</command>
|
|
Packit |
5ce601 |
reads a configuration file to
|
|
Packit |
5ce601 |
determine how to contact the name server and decide what
|
|
Packit |
5ce601 |
algorithm and key it should use.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>OPTIONS</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<variablelist>
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-b <replaceable class="parameter">source-address</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Use <replaceable class="parameter">source-address</replaceable>
|
|
Packit |
5ce601 |
as the source address for the connection to the server.
|
|
Packit |
5ce601 |
Multiple instances are permitted to allow setting of both
|
|
Packit |
5ce601 |
the IPv4 and IPv6 source addresses.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-c <replaceable class="parameter">config-file</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Use <replaceable class="parameter">config-file</replaceable>
|
|
Packit |
5ce601 |
as the configuration file instead of the default,
|
|
Packit |
5ce601 |
<filename>/etc/rndc.conf</filename>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-k <replaceable class="parameter">key-file</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Use <replaceable class="parameter">key-file</replaceable>
|
|
Packit |
5ce601 |
as the key file instead of the default,
|
|
Packit |
5ce601 |
<filename>/etc/rndc.key</filename>. The key in
|
|
Packit |
5ce601 |
<filename>/etc/rndc.key</filename> will be used to
|
|
Packit |
5ce601 |
authenticate
|
|
Packit |
5ce601 |
commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
|
|
Packit |
5ce601 |
does not exist.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-s <replaceable class="parameter">server</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para><replaceable class="parameter">server</replaceable> is
|
|
Packit |
5ce601 |
the name or address of the server which matches a
|
|
Packit |
5ce601 |
server statement in the configuration file for
|
|
Packit |
5ce601 |
<command>rndc</command>. If no server is supplied on the
|
|
Packit |
5ce601 |
command line, the host named by the default-server clause
|
|
Packit |
5ce601 |
in the options statement of the <command>rndc</command>
|
|
Packit |
5ce601 |
configuration file will be used.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-p <replaceable class="parameter">port</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Send commands to TCP port
|
|
Packit |
5ce601 |
<replaceable class="parameter">port</replaceable>
|
|
Packit |
5ce601 |
instead
|
|
Packit |
5ce601 |
of BIND 9's default control channel port, 953.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-q</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Quiet mode: Message text returned by the server
|
|
Packit |
5ce601 |
will not be printed except when there is an error.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-r</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Instructs <command>rndc</command> to print the result code
|
|
Packit |
5ce601 |
returned by <command>named</command> after executing the
|
|
Packit |
5ce601 |
requested command (e.g., ISC_R_SUCCESS, ISC_R_FAILURE, etc).
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-V</term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Enable verbose logging.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term>-y <replaceable class="parameter">key_id</replaceable></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Use the key <replaceable class="parameter">key_id</replaceable>
|
|
Packit |
5ce601 |
from the configuration file.
|
|
Packit |
5ce601 |
<replaceable class="parameter">key_id</replaceable>
|
|
Packit |
5ce601 |
must be
|
|
Packit |
5ce601 |
known by <command>named</command> with the same algorithm and secret string
|
|
Packit |
5ce601 |
in order for control message validation to succeed.
|
|
Packit |
5ce601 |
If no <replaceable class="parameter">key_id</replaceable>
|
|
Packit |
5ce601 |
is specified, <command>rndc</command> will first look
|
|
Packit |
5ce601 |
for a key clause in the server statement of the server
|
|
Packit |
5ce601 |
being used, or if no server statement is present for that
|
|
Packit |
5ce601 |
host, then the default-key clause of the options statement.
|
|
Packit |
5ce601 |
Note that the configuration file contains shared secrets
|
|
Packit |
5ce601 |
which are used to send authenticated control commands
|
|
Packit |
5ce601 |
to name servers. It should therefore not have general read
|
|
Packit |
5ce601 |
or write access.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</variablelist>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>COMMANDS</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
A list of commands supported by <command>rndc</command> can
|
|
Packit |
5ce601 |
be seen by running <command>rndc</command> without arguments.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Currently supported commands are:
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<variablelist>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Add a zone while the server is running. This
|
|
Packit |
5ce601 |
command requires the
|
|
Packit |
5ce601 |
<command>allow-new-zones</command> option to be set
|
|
Packit |
5ce601 |
to <userinput>yes</userinput>. The
|
|
Packit |
5ce601 |
<replaceable>configuration</replaceable> string
|
|
Packit |
5ce601 |
specified on the command line is the zone
|
|
Packit |
5ce601 |
configuration text that would ordinarily be
|
|
Packit |
5ce601 |
placed in <filename>named.conf</filename>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
The configuration is saved in a file called
|
|
Packit |
5ce601 |
<filename><replaceable>name</replaceable>.nzf</filename>,
|
|
Packit |
5ce601 |
where <replaceable>name</replaceable> is the
|
|
Packit |
5ce601 |
name of the view, or if it contains characters
|
|
Packit |
5ce601 |
that are incompatible with use as a file name, a
|
|
Packit |
5ce601 |
cryptographic hash generated from the name
|
|
Packit |
5ce601 |
of the view.
|
|
Packit |
5ce601 |
When <command>named</command> is
|
|
Packit |
5ce601 |
restarted, the file will be loaded into the view
|
|
Packit |
5ce601 |
configuration, so that zones that were added
|
|
Packit |
5ce601 |
can persist after a restart.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
This sample <command>addzone</command> command
|
|
Packit |
5ce601 |
would add the zone <literal>example.com</literal>
|
|
Packit |
5ce601 |
to the default view:
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
(Note the brackets and semi-colon around the zone
|
|
Packit |
5ce601 |
configuration text.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc delzone</command> and <command>rndc modzone</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Delete a zone while the server is running.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the <option>-clean</option> argument is specified,
|
|
Packit |
5ce601 |
the zone's master file (and journal file, if any)
|
|
Packit |
5ce601 |
will be deleted along with the zone. Without the
|
|
Packit |
5ce601 |
<option>-clean</option> option, zone files must
|
|
Packit |
5ce601 |
be cleaned up by hand. (If the zone is of
|
|
Packit |
5ce601 |
type "slave" or "stub", the files needing to
|
|
Packit |
5ce601 |
be cleaned up will be reported in the output
|
|
Packit |
5ce601 |
of the <command>rndc delzone</command> command.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the zone was originally added via
|
|
Packit |
5ce601 |
<command>rndc addzone</command>, then it will be
|
|
Packit |
5ce601 |
removed permanently. However, if it was originally
|
|
Packit |
5ce601 |
configured in <filename>named.conf</filename>, then
|
|
Packit |
5ce601 |
that original configuration is still in place; when
|
|
Packit |
5ce601 |
the server is restarted or reconfigured, the zone will
|
|
Packit |
5ce601 |
come back. To remove it permanently, it must also be
|
|
Packit |
5ce601 |
removed from <filename>named.conf</filename>
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc addzone</command> and <command>rndc modzone</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>dnstap ( -reopen | -roll <optional><replaceable>number</replaceable></optional> )</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Close and re-open DNSTAP output files.
|
|
Packit |
5ce601 |
<command>rndc dnstap -reopen</command> allows the output
|
|
Packit |
5ce601 |
file to be renamed externally, so
|
|
Packit |
5ce601 |
that <command>named</command> can truncate and re-open it.
|
|
Packit |
5ce601 |
<command>rndc dnstap -roll</command> causes the output file
|
|
Packit |
5ce601 |
to be rolled automatically, similar to log files; the most
|
|
Packit |
5ce601 |
recent output file has ".0" appended to its name; the
|
|
Packit |
5ce601 |
previous most recent output file is moved to ".1", and so on.
|
|
Packit |
5ce601 |
If <replaceable>number</replaceable> is specified, then the
|
|
Packit |
5ce601 |
number of backup log files is limited to that number.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>dumpdb <optional>-all|-cache|-zones|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Dump the server's caches (default) and/or zones to
|
|
Packit |
5ce601 |
the dump file for the specified views. If no view
|
|
Packit |
5ce601 |
is specified, all views are dumped.
|
|
Packit |
5ce601 |
(See the <command>dump-file</command> option in
|
|
Packit |
5ce601 |
the BIND 9 Administrator Reference Manual.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>flush</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Flushes the server's cache.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Flushes the given name from the view's DNS cache
|
|
Packit |
5ce601 |
and, if applicable, from the view's nameserver address
|
|
Packit |
5ce601 |
database, bad server cache and SERVFAIL cache.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Flushes the given name, and all of its subdomains,
|
|
Packit |
5ce601 |
from the view's DNS cache, address database,
|
|
Packit |
5ce601 |
bad server cache, and SERVFAIL cache.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Suspend updates to a dynamic zone. If no zone is
|
|
Packit |
5ce601 |
specified, then all zones are suspended. This allows
|
|
Packit |
5ce601 |
manual edits to be made to a zone normally updated by
|
|
Packit |
5ce601 |
dynamic update. It also causes changes in the
|
|
Packit |
5ce601 |
journal file to be synced into the master file.
|
|
Packit |
5ce601 |
All dynamic update attempts will be refused while
|
|
Packit |
5ce601 |
the zone is frozen.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc thaw</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>halt <optional>-p</optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Stop the server immediately. Recent changes
|
|
Packit |
5ce601 |
made through dynamic update or IXFR are not saved to
|
|
Packit |
5ce601 |
the master files, but will be rolled forward from the
|
|
Packit |
5ce601 |
journal files when the server is restarted.
|
|
Packit |
5ce601 |
If <option>-p</option> is specified <command>named</command>'s process id is returned.
|
|
Packit |
5ce601 |
This allows an external process to determine when <command>named</command>
|
|
Packit |
5ce601 |
had completed halting.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc stop</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Fetch all DNSSEC keys for the given zone
|
|
Packit |
5ce601 |
from the key directory. If they are within
|
|
Packit |
5ce601 |
their publication period, merge them into the
|
|
Packit |
5ce601 |
zone's DNSKEY RRset. Unlike <command>rndc
|
|
Packit |
5ce601 |
sign</command>, however, the zone is not
|
|
Packit |
5ce601 |
immediately re-signed by the new keys, but is
|
|
Packit |
5ce601 |
allowed to incrementally re-sign over time.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
This command requires that the
|
|
Packit |
5ce601 |
<command>auto-dnssec</command> zone option
|
|
Packit |
5ce601 |
be set to <literal>maintain</literal>,
|
|
Packit |
5ce601 |
and also requires the zone to be configured to
|
|
Packit |
5ce601 |
allow dynamic DNS.
|
|
Packit |
5ce601 |
(See "Dynamic Update Policies" in the Administrator
|
|
Packit |
5ce601 |
Reference Manual for more details.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>managed-keys <replaceable>(status | refresh | sync)</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
When run with the "status" keyword, print the current
|
|
Packit |
5ce601 |
status of the managed-keys database for the specified
|
|
Packit |
5ce601 |
view, or for all views if none is specified. When run
|
|
Packit |
5ce601 |
with the "refresh" keyword, force an immediate refresh
|
|
Packit |
5ce601 |
of all the managed-keys in the specified view, or all
|
|
Packit |
5ce601 |
views. When run with the "sync" keyword, force an
|
|
Packit |
5ce601 |
immediate dump of the managed-keys database to disk (in
|
|
Packit |
5ce601 |
the file <filename>managed-keys.bind</filename> or
|
|
Packit |
5ce601 |
(<filename><replaceable>viewname</replaceable>.mkeys</filename>).
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>modzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Modify the configuration of a zone while the server
|
|
Packit |
5ce601 |
is running. This command requires the
|
|
Packit |
5ce601 |
<command>allow-new-zones</command> option to be
|
|
Packit |
5ce601 |
set to <userinput>yes</userinput>. As with
|
|
Packit |
5ce601 |
<command>addzone</command>, the
|
|
Packit |
5ce601 |
<replaceable>configuration</replaceable> string
|
|
Packit |
5ce601 |
specified on the command line is the zone
|
|
Packit |
5ce601 |
configuration text that would ordinarily be
|
|
Packit |
5ce601 |
placed in <filename>named.conf</filename>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the zone was originally added via
|
|
Packit |
5ce601 |
<command>rndc addzone</command>, the configuration
|
|
Packit |
5ce601 |
changes will be recorded permanently and will still be
|
|
Packit |
5ce601 |
in effect after the server is restarted or reconfigured.
|
|
Packit |
5ce601 |
However, if it was originally configured in
|
|
Packit |
5ce601 |
<filename>named.conf</filename>, then that original
|
|
Packit |
5ce601 |
configuration is still in place; when the server is
|
|
Packit |
5ce601 |
restarted or reconfigured, the zone will revert to
|
|
Packit |
5ce601 |
its original configuration. To make the changes
|
|
Packit |
5ce601 |
permanent, it must also be modified in
|
|
Packit |
5ce601 |
<filename>named.conf</filename>
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc addzone</command> and <command>rndc delzone</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Resend NOTIFY messages for the zone.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>notrace</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Sets the server's debugging level to 0.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc trace</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>nta
|
|
Packit |
5ce601 |
<optional>( -class <replaceable>class</replaceable> | -dump | -force | -remove | -lifetime <replaceable>duration</replaceable>)</optional>
|
|
Packit |
5ce601 |
<replaceable>domain</replaceable>
|
|
Packit |
5ce601 |
<optional><replaceable>view</replaceable></optional>
|
|
Packit |
5ce601 |
</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Sets a DNSSEC negative trust anchor (NTA)
|
|
Packit |
5ce601 |
for <option>domain</option>, with a lifetime of
|
|
Packit |
5ce601 |
<option>duration</option>. The default lifetime is
|
|
Packit |
5ce601 |
configured in <filename>named.conf</filename> via the
|
|
Packit |
5ce601 |
<option>nta-lifetime</option> option, and defaults to
|
|
Packit |
5ce601 |
one hour. The lifetime cannot exceed one week.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
A negative trust anchor selectively disables
|
|
Packit |
5ce601 |
DNSSEC validation for zones that are known to be
|
|
Packit |
5ce601 |
failing because of misconfiguration rather than
|
|
Packit |
5ce601 |
an attack. When data to be validated is
|
|
Packit |
5ce601 |
at or below an active NTA (and above any other
|
|
Packit |
5ce601 |
configured trust anchors), <command>named</command> will
|
|
Packit |
5ce601 |
abort the DNSSEC validation process and treat the data as
|
|
Packit |
5ce601 |
insecure rather than bogus. This continues until the
|
|
Packit |
5ce601 |
NTA's lifetime is elapsed.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
NTAs persist across restarts of the <command>named</command> server.
|
|
Packit |
5ce601 |
The NTAs for a view are saved in a file called
|
|
Packit |
5ce601 |
<filename><replaceable>name</replaceable>.nta</filename>,
|
|
Packit |
5ce601 |
where <replaceable>name</replaceable> is the
|
|
Packit |
5ce601 |
name of the view, or if it contains characters
|
|
Packit |
5ce601 |
that are incompatible with use as a file name, a
|
|
Packit |
5ce601 |
cryptographic hash generated from the name
|
|
Packit |
5ce601 |
of the view.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
An existing NTA can be removed by using the
|
|
Packit |
5ce601 |
<option>-remove</option> option.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
An NTA's lifetime can be specified with the
|
|
Packit |
5ce601 |
<option>-lifetime</option> option. TTL-style
|
|
Packit |
5ce601 |
suffixes can be used to specify the lifetime in
|
|
Packit |
5ce601 |
seconds, minutes, or hours. If the specified NTA
|
|
Packit |
5ce601 |
already exists, its lifetime will be updated to the
|
|
Packit |
5ce601 |
new value. Setting <option>lifetime</option> to zero
|
|
Packit |
5ce601 |
is equivalent to <option>-remove</option>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the <option>-dump</option> is used, any other arguments
|
|
Packit |
5ce601 |
are ignored, and a list of existing NTAs is printed
|
|
Packit |
5ce601 |
(note that this may include NTAs that are expired but
|
|
Packit |
5ce601 |
have not yet been cleaned up).
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Normally, <command>named</command> will periodically
|
|
Packit |
5ce601 |
test to see whether data below an NTA can now be
|
|
Packit |
5ce601 |
validated (see the <option>nta-recheck</option> option
|
|
Packit |
5ce601 |
in the Administrator Reference Manual for details).
|
|
Packit |
5ce601 |
If data can be validated, then the NTA is regarded as
|
|
Packit |
5ce601 |
no longer necessary, and will be allowed to expire
|
|
Packit |
5ce601 |
early. The <option>-force</option> overrides this
|
|
Packit |
5ce601 |
behavior and forces an NTA to persist for its entire
|
|
Packit |
5ce601 |
lifetime, regardless of whether data could be
|
|
Packit |
5ce601 |
validated if the NTA were not present.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
The view class can be specified with <option>-class</option>.
|
|
Packit |
5ce601 |
The default is class <userinput>IN</userinput>, which is
|
|
Packit |
5ce601 |
the only class for which DNSSEC is currently supported.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
All of these options can be shortened, i.e., to
|
|
Packit |
5ce601 |
<option>-l</option>, <option>-r</option>, <option>-d</option>,
|
|
Packit |
5ce601 |
<option>-f</option>, and <option>-c</option>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>querylog</userinput> <optional> on | off </optional> </term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Enable or disable query logging. (For backward
|
|
Packit |
5ce601 |
compatibility, this command can also be used without
|
|
Packit |
5ce601 |
an argument to toggle query logging on and off.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Query logging can also be enabled
|
|
Packit |
5ce601 |
by explicitly directing the <command>queries</command>
|
|
Packit |
5ce601 |
<command>category</command> to a
|
|
Packit |
5ce601 |
<command>channel</command> in the
|
|
Packit |
5ce601 |
<command>logging</command> section of
|
|
Packit |
5ce601 |
<filename>named.conf</filename> or by specifying
|
|
Packit |
5ce601 |
<command>querylog yes;</command> in the
|
|
Packit |
5ce601 |
<command>options</command> section of
|
|
Packit |
5ce601 |
<filename>named.conf</filename>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>reconfig</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Reload the configuration file and load new zones,
|
|
Packit |
5ce601 |
but do not reload existing zone files even if they
|
|
Packit |
5ce601 |
have changed.
|
|
Packit |
5ce601 |
This is faster than a full <command>reload</command> when there
|
|
Packit |
5ce601 |
is a large number of zones because it avoids the need
|
|
Packit |
5ce601 |
to examine the
|
|
Packit |
5ce601 |
modification times of the zones files.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>recursing</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Dump the list of queries <command>named</command> is currently
|
|
Packit |
5ce601 |
recursing on, and the list of domains to which iterative
|
|
Packit |
5ce601 |
queries are currently being sent. (The second list includes
|
|
Packit |
5ce601 |
the number of fetches currently active for the given domain,
|
|
Packit |
5ce601 |
and how many have been passed or dropped because of the
|
|
Packit |
5ce601 |
<option>fetches-per-zone</option> option.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Schedule zone maintenance for the given zone.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>reload</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Reload configuration file and zones.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Reload the given zone.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Retransfer the given slave zone from the master server.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the zone is configured to use
|
|
Packit |
5ce601 |
<command>inline-signing</command>, the signed
|
|
Packit |
5ce601 |
version of the zone is discarded; after the
|
|
Packit |
5ce601 |
retransfer of the unsigned version is complete, the
|
|
Packit |
5ce601 |
signed version will be regenerated with all new
|
|
Packit |
5ce601 |
signatures.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>scan</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Scan the list of available network interfaces
|
|
Packit |
5ce601 |
for changes, without performing a full
|
|
Packit |
5ce601 |
<command>reconfig</command> or waiting for the
|
|
Packit |
5ce601 |
<command>interface-interval</command> timer.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>secroots <optional>-</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Dump the server's security roots and negative trust anchors
|
|
Packit |
5ce601 |
for the specified views. If no view is specified, all views
|
|
Packit |
5ce601 |
are dumped.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
If the first argument is "-", then the output is
|
|
Packit |
5ce601 |
returned via the <command>rndc</command> response channel
|
|
Packit |
5ce601 |
and printed to the standard output.
|
|
Packit |
5ce601 |
Otherwise, it is written to the secroots dump file, which
|
|
Packit |
5ce601 |
defaults to <filename>named.secroots</filename>, but can be
|
|
Packit |
5ce601 |
overridden via the <option>secroots-file</option> option in
|
|
Packit |
5ce601 |
<filename>named.conf</filename>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc managed-keys</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>showzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Print the configuration of a running zone.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc zonestatus</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Fetch all DNSSEC keys for the given zone
|
|
Packit |
5ce601 |
from the key directory (see the
|
|
Packit |
5ce601 |
<command>key-directory</command> option in
|
|
Packit |
5ce601 |
the BIND 9 Administrator Reference Manual). If they are within
|
|
Packit |
5ce601 |
their publication period, merge them into the
|
|
Packit |
5ce601 |
zone's DNSKEY RRset. If the DNSKEY RRset
|
|
Packit |
5ce601 |
is changed, then the zone is automatically
|
|
Packit |
5ce601 |
re-signed with the new key set.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
This command requires that the
|
|
Packit |
5ce601 |
<command>auto-dnssec</command> zone option be set
|
|
Packit |
5ce601 |
to <literal>allow</literal> or
|
|
Packit |
5ce601 |
<literal>maintain</literal>,
|
|
Packit |
5ce601 |
and also requires the zone to be configured to
|
|
Packit |
5ce601 |
allow dynamic DNS.
|
|
Packit |
5ce601 |
(See "Dynamic Update Policies" in the Administrator
|
|
Packit |
5ce601 |
Reference Manual for more details.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc loadkeys</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) | -serial <replaceable>value</replaceable> ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
List, edit, or remove the DNSSEC signing state records
|
|
Packit |
5ce601 |
for the specified zone. The status of ongoing DNSSEC
|
|
Packit |
5ce601 |
operations (such as signing or generating
|
|
Packit |
5ce601 |
NSEC3 chains) is stored in the zone in the form
|
|
Packit |
5ce601 |
of DNS resource records of type
|
|
Packit |
5ce601 |
<command>sig-signing-type</command>.
|
|
Packit |
5ce601 |
<command>rndc signing -list</command> converts
|
|
Packit |
5ce601 |
these records into a human-readable form,
|
|
Packit |
5ce601 |
indicating which keys are currently signing
|
|
Packit |
5ce601 |
or have finished signing the zone, and which NSEC3
|
|
Packit |
5ce601 |
chains are being created or removed.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<command>rndc signing -clear</command> can remove
|
|
Packit |
5ce601 |
a single key (specified in the same format that
|
|
Packit |
5ce601 |
<command>rndc signing -list</command> uses to
|
|
Packit |
5ce601 |
display it), or all keys. In either case, only
|
|
Packit |
5ce601 |
completed keys are removed; any record indicating
|
|
Packit |
5ce601 |
that a key has not yet finished signing the zone
|
|
Packit |
5ce601 |
will be retained.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<command>rndc signing -nsec3param</command> sets
|
|
Packit |
5ce601 |
the NSEC3 parameters for a zone. This is the
|
|
Packit |
5ce601 |
only supported mechanism for using NSEC3 with
|
|
Packit |
5ce601 |
<command>inline-signing</command> zones.
|
|
Packit |
5ce601 |
Parameters are specified in the same format as
|
|
Packit |
5ce601 |
an NSEC3PARAM resource record: hash algorithm,
|
|
Packit |
5ce601 |
flags, iterations, and salt, in that order.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Currently, the only defined value for hash algorithm
|
|
Packit |
5ce601 |
is <literal>1</literal>, representing SHA-1.
|
|
Packit |
5ce601 |
The <option>flags</option> may be set to
|
|
Packit |
5ce601 |
<literal>0</literal> or <literal>1</literal>,
|
|
Packit |
5ce601 |
depending on whether you wish to set the opt-out
|
|
Packit |
5ce601 |
bit in the NSEC3 chain. <option>iterations</option>
|
|
Packit |
5ce601 |
defines the number of additional times to apply
|
|
Packit |
5ce601 |
the algorithm when generating an NSEC3 hash. The
|
|
Packit |
5ce601 |
<option>salt</option> is a string of data expressed
|
|
Packit |
5ce601 |
in hexadecimal, a hyphen (`-') if no salt is
|
|
Packit |
5ce601 |
to be used, or the keyword <literal>auto</literal>,
|
|
Packit |
5ce601 |
which causes <command>named</command> to generate a
|
|
Packit |
5ce601 |
random 64-bit salt.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
So, for example, to create an NSEC3 chain using
|
|
Packit |
5ce601 |
the SHA-1 hash algorithm, no opt-out flag,
|
|
Packit |
5ce601 |
10 iterations, and a salt value of "FFFF", use:
|
|
Packit |
5ce601 |
<command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
|
|
Packit |
5ce601 |
To set the opt-out flag, 15 iterations, and no
|
|
Packit |
5ce601 |
salt, use:
|
|
Packit |
5ce601 |
<command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<command>rndc signing -nsec3param none</command>
|
|
Packit |
5ce601 |
removes an existing NSEC3 chain and replaces it
|
|
Packit |
5ce601 |
with NSEC.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
<command>rndc signing -serial value</command> sets
|
|
Packit |
5ce601 |
the serial number of the zone to value. If the value
|
|
Packit |
5ce601 |
would cause the serial number to go backwards it will
|
|
Packit |
5ce601 |
be rejected. The primary use is to set the serial on
|
|
Packit |
5ce601 |
inline signed zones.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>stats</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Write server statistics to the statistics file.
|
|
Packit |
5ce601 |
(See the <command>statistics-file</command> option in
|
|
Packit |
5ce601 |
the BIND 9 Administrator Reference Manual.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>status</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Display status of the server.
|
|
Packit |
5ce601 |
Note that the number of zones includes the internal <command>bind/CH</command> zone
|
|
Packit |
5ce601 |
and the default <command>./IN</command>
|
|
Packit |
5ce601 |
hint zone if there is not an
|
|
Packit |
5ce601 |
explicit root zone configured.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>stop <optional>-p</optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Stop the server, making sure any recent changes
|
|
Packit |
5ce601 |
made through dynamic update or IXFR are first saved to
|
|
Packit |
5ce601 |
the master files of the updated zones.
|
|
Packit |
5ce601 |
If <option>-p</option> is specified <command>named</command>'s process id is returned.
|
|
Packit |
5ce601 |
This allows an external process to determine when <command>named</command>
|
|
Packit |
5ce601 |
had completed stopping.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>See also <command>rndc halt</command>.</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Sync changes in the journal file for a dynamic zone
|
|
Packit |
5ce601 |
to the master file. If the "-clean" option is
|
|
Packit |
5ce601 |
specified, the journal file is also removed. If
|
|
Packit |
5ce601 |
no zone is specified, then all zones are synced.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Enable updates to a frozen dynamic zone. If no
|
|
Packit |
5ce601 |
zone is specified, then all frozen zones are
|
|
Packit |
5ce601 |
enabled. This causes the server to reload the zone
|
|
Packit |
5ce601 |
from disk, and re-enables dynamic updates after the
|
|
Packit |
5ce601 |
load has completed. After a zone is thawed,
|
|
Packit |
5ce601 |
dynamic updates will no longer be refused. If
|
|
Packit |
5ce601 |
the zone has changed and the
|
|
Packit |
5ce601 |
<command>ixfr-from-differences</command> option is
|
|
Packit |
5ce601 |
in use, then the journal file will be updated to
|
|
Packit |
5ce601 |
reflect changes in the zone. Otherwise, if the
|
|
Packit |
5ce601 |
zone has changed, any existing journal file will be
|
|
Packit |
5ce601 |
removed.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>See also <command>rndc freeze</command>.</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>trace</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Increment the servers debugging level by one.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>trace <replaceable>level</replaceable></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Sets the server's debugging level to an explicit
|
|
Packit |
5ce601 |
value.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc notrace</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Delete a given TKEY-negotiated key from the server.
|
|
Packit |
5ce601 |
(This does not apply to statically configured TSIG
|
|
Packit |
5ce601 |
keys.)
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>tsig-list</userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
List the names of all TSIG keys currently configured
|
|
Packit |
5ce601 |
for use by <command>named</command> in each view. The
|
|
Packit |
5ce601 |
list includes both statically configured keys and dynamic
|
|
Packit |
5ce601 |
TKEY-negotiated keys.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>validation ( on | off | status ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Enable, disable, or check the current status of
|
|
Packit |
5ce601 |
DNSSEC validation.
|
|
Packit |
5ce601 |
Note <command>dnssec-enable</command> also needs to be
|
|
Packit |
5ce601 |
set to <userinput>yes</userinput> or
|
|
Packit |
5ce601 |
<userinput>auto</userinput> to be effective.
|
|
Packit |
5ce601 |
It defaults to enabled.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<varlistentry>
|
|
Packit |
5ce601 |
<term><userinput>zonestatus <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
|
|
Packit |
5ce601 |
<listitem>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Displays the current status of the given zone,
|
|
Packit |
5ce601 |
including the master file name and any include
|
|
Packit |
5ce601 |
files from which it was loaded, when it was most
|
|
Packit |
5ce601 |
recently loaded, the current serial number, the
|
|
Packit |
5ce601 |
number of nodes, whether the zone supports
|
|
Packit |
5ce601 |
dynamic updates, whether the zone is DNSSEC
|
|
Packit |
5ce601 |
signed, whether it uses automatic DNSSEC key
|
|
Packit |
5ce601 |
management or inline signing, and the scheduled
|
|
Packit |
5ce601 |
refresh or expiry times for the zone.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
See also <command>rndc showzone</command>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</listitem>
|
|
Packit |
5ce601 |
</varlistentry>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</variablelist>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>LIMITATIONS</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
There is currently no way to provide the shared secret for a
|
|
Packit |
5ce601 |
<option>key_id</option> without using the configuration file.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
<para>
|
|
Packit |
5ce601 |
Several error messages could be clearer.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<refsection><info><title>SEE ALSO</title></info>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
<para><citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citerefentry>
|
|
Packit |
5ce601 |
<refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
|
|
Packit |
5ce601 |
</citerefentry>,
|
|
Packit |
5ce601 |
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
|
|
Packit |
5ce601 |
</para>
|
|
Packit |
5ce601 |
</refsection>
|
|
Packit |
5ce601 |
|
|
Packit |
5ce601 |
</refentry>
|