589 lines
26 KiB
Plaintext
589 lines
26 KiB
Plaintext
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH "RNDC" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
|
|
.SH NAME
|
|
rndc \- name server control utility
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.sp
|
|
\fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP key_id] [[\fB\-4\fP] | [\fB\-6\fP]] {command}
|
|
.SH DESCRIPTION
|
|
.sp
|
|
\fBrndc\fP controls the operation of a name server. It supersedes the
|
|
\fBndc\fP utility that was provided in old BIND releases. If \fBrndc\fP is
|
|
invoked with no command line options or arguments, it prints a short
|
|
summary of the supported commands and the available options and their
|
|
arguments.
|
|
.sp
|
|
\fBrndc\fP communicates with the name server over a TCP connection,
|
|
sending commands authenticated with digital signatures. In the current
|
|
versions of \fBrndc\fP and \fBnamed\fP, the only supported authentication
|
|
algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224,
|
|
HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512. They use a shared
|
|
secret on each end of the connection. This provides TSIG\-style
|
|
authentication for the command request and the name server\(aqs response.
|
|
All commands sent over the channel must be signed by a key_id known to
|
|
the server.
|
|
.sp
|
|
\fBrndc\fP reads a configuration file to determine how to contact the name
|
|
server and decide what algorithm and key it should use.
|
|
.SH OPTIONS
|
|
.INDENT 0.0
|
|
.TP
|
|
\fB\-4\fP
|
|
Use IPv4 only.
|
|
.TP
|
|
\fB\-6\fP
|
|
Use IPv6 only.
|
|
.TP
|
|
\fB\-b\fP source\-address
|
|
Use source\-address as the source address for the connection to the
|
|
server. Multiple instances are permitted to allow setting of both the
|
|
IPv4 and IPv6 source addresses.
|
|
.TP
|
|
\fB\-c\fP config\-file
|
|
Use config\-file as the configuration file instead of the default,
|
|
\fB/etc/rndc.conf\fP\&.
|
|
.TP
|
|
\fB\-k\fP key\-file
|
|
Use key\-file as the key file instead of the default,
|
|
\fB/etc/rndc.key\fP\&. The key in \fB/etc/rndc.key\fP will be used to
|
|
authenticate commands sent to the server if the config\-file does not
|
|
exist.
|
|
.TP
|
|
\fB\-s\fP server
|
|
server is the name or address of the server which matches a server
|
|
statement in the configuration file for \fBrndc\fP\&. If no server is
|
|
supplied on the command line, the host named by the default\-server
|
|
clause in the options statement of the \fBrndc\fP configuration file
|
|
will be used.
|
|
.TP
|
|
\fB\-p\fP port
|
|
Send commands to TCP port port instead of BIND 9\(aqs default control
|
|
channel port, 953.
|
|
.TP
|
|
\fB\-q\fP
|
|
Quiet mode: Message text returned by the server will not be printed
|
|
except when there is an error.
|
|
.TP
|
|
\fB\-r\fP
|
|
Instructs \fBrndc\fP to print the result code returned by \fBnamed\fP
|
|
after executing the requested command (e.g., ISC_R_SUCCESS,
|
|
ISC_R_FAILURE, etc).
|
|
.TP
|
|
\fB\-V\fP
|
|
Enable verbose logging.
|
|
.TP
|
|
\fB\-y\fP key_id
|
|
Use the key key_id from the configuration file. key_id must be known
|
|
by \fBnamed\fP with the same algorithm and secret string in order for
|
|
control message validation to succeed. If no key_id is specified,
|
|
\fBrndc\fP will first look for a key clause in the server statement of
|
|
the server being used, or if no server statement is present for that
|
|
host, then the default\-key clause of the options statement. Note that
|
|
the configuration file contains shared secrets which are used to send
|
|
authenticated control commands to name servers. It should therefore
|
|
not have general read or write access.
|
|
.UNINDENT
|
|
.SH COMMANDS
|
|
.sp
|
|
A list of commands supported by \fBrndc\fP can be seen by running \fBrndc\fP
|
|
without arguments.
|
|
.sp
|
|
Currently supported commands are:
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \fBaddzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
|
|
Add a zone while the server is running. This command requires the
|
|
\fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The configuration
|
|
string specified on the command line is the zone configuration text
|
|
that would ordinarily be placed in \fBnamed.conf(5)\fP\&.
|
|
.sp
|
|
The configuration is saved in a file called \fBviewname.nzf\fP (or, if
|
|
\fBnamed(8)\fP is compiled with liblmdb, an LMDB database file called
|
|
\fBviewname.nzd\fP). viewname is the name of the view, unless the view
|
|
name contains characters that are incompatible with use as a file
|
|
name, in which case a cryptographic hash of the view name is used
|
|
instead. When \fBnamed(8)\fP is restarted, the file will be loaded into
|
|
the view configuration, so that zones that were added can persist
|
|
after a restart.
|
|
.sp
|
|
This sample \fBaddzone\fP command would add the zone \fBexample.com\fP to
|
|
the default view:
|
|
.sp
|
|
\fB$\fP\fBrndc addzone example.com \(aq{ type master; file "example.com.db"; };\(aq\fP
|
|
.sp
|
|
(Note the brackets and semi\-colon around the zone configuration
|
|
text.)
|
|
.sp
|
|
See also \fBrndc delzone\fP and \fBrndc modzone\fP\&.
|
|
.TP
|
|
\fBdelzone\fP [\fB\-clean\fP] \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Delete a zone while the server is running.
|
|
.sp
|
|
If the \fB\-clean\fP argument is specified, the zone\(aqs master file (and
|
|
journal file, if any) will be deleted along with the zone. Without
|
|
the \fB\-clean\fP option, zone files must be cleaned up by hand. (If the
|
|
zone is of type "slave" or "stub", the files needing to be cleaned up
|
|
will be reported in the output of the \fBrndc delzone\fP command.)
|
|
.sp
|
|
If the zone was originally added via \fBrndc addzone\fP, then it will
|
|
be removed permanently. However, if it was originally configured in
|
|
\fBnamed.conf\fP, then that original configuration is still in place;
|
|
when the server is restarted or reconfigured, the zone will come
|
|
back. To remove it permanently, it must also be removed from
|
|
\fBnamed.conf\fP
|
|
.sp
|
|
See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
|
|
.TP
|
|
\fBdnssec\fP [\fB\-status\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Show the DNSSEC signing state for the specified zone. Requires the
|
|
zone to have a "dnssec\-policy".
|
|
.TP
|
|
\fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] )
|
|
Close and re\-open DNSTAP output files. \fBrndc dnstap \-reopen\fP allows
|
|
the output file to be renamed externally, so that \fBnamed(8)\fP can
|
|
truncate and re\-open it. \fBrndc dnstap \-roll\fP causes the output file
|
|
to be rolled automatically, similar to log files; the most recent
|
|
output file has ".0" appended to its name; the previous most recent
|
|
output file is moved to ".1", and so on. If number is specified, then
|
|
the number of backup log files is limited to that number.
|
|
.TP
|
|
\fBdumpdb\fP [\fB\-all\fP | \fB\-cache\fP | \fB\-zones\fP | \fB\-adb\fP | \fB\-bad\fP | \fB\-fail\fP] [\fIview ...\fP]
|
|
Dump the server\(aqs caches (default) and/or zones to the dump file for
|
|
the specified views. If no view is specified, all views are dumped.
|
|
(See the \fBdump\-file\fP option in the BIND 9 Administrator Reference
|
|
Manual.)
|
|
.TP
|
|
.B \fBflush\fP
|
|
Flushes the server\(aqs cache.
|
|
.TP
|
|
.B \fBflushname\fP \fIname\fP [\fIview\fP]
|
|
Flushes the given name from the view\(aqs DNS cache and, if applicable,
|
|
from the view\(aqs nameserver address database, bad server cache and
|
|
SERVFAIL cache.
|
|
.TP
|
|
.B \fBflushtree\fP \fIname\fP [\fIview\fP]
|
|
Flushes the given name, and all of its subdomains, from the view\(aqs
|
|
DNS cache, address database, bad server cache, and SERVFAIL cache.
|
|
.TP
|
|
.B \fBfreeze\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
|
|
Suspend updates to a dynamic zone. If no zone is specified, then all
|
|
zones are suspended. This allows manual edits to be made to a zone
|
|
normally updated by dynamic update. It also causes changes in the
|
|
journal file to be synced into the master file. All dynamic update
|
|
attempts will be refused while the zone is frozen.
|
|
.sp
|
|
See also \fBrndc thaw\fP\&.
|
|
.TP
|
|
\fBhalt\fP [\fB\-p\fP]
|
|
Stop the server immediately. Recent changes made through dynamic
|
|
update or IXFR are not saved to the master files, but will be rolled
|
|
forward from the journal files when the server is restarted. If
|
|
\fB\-p\fP is specified \fBnamed(8)\fP\(aqs process id is returned. This allows
|
|
an external process to determine when \fBnamed(8)\fP had completed
|
|
halting.
|
|
.sp
|
|
See also \fBrndc stop\fP\&.
|
|
.TP
|
|
.B \fBloadkeys\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
|
|
Fetch all DNSSEC keys for the given zone from the key directory. If
|
|
they are within their publication period, merge them into the
|
|
zone\(aqs DNSKEY RRset. Unlike \fBrndc sign\fP, however, the zone is not
|
|
immediately re\-signed by the new keys, but is allowed to
|
|
incrementally re\-sign over time.
|
|
.sp
|
|
This command requires that zone is configured with a \fBdnssec\-policy\fP, or
|
|
the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the
|
|
zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in
|
|
the Administrator Reference Manual for more details.)
|
|
.TP
|
|
.B \fBmanaged\-keys\fP (\fIstatus\fP | \fIrefresh\fP | \fIsync\fP | \fIdestroy\fP) [\fIclass\fP [\fIview\fP]]
|
|
Inspect and control the "managed\-keys" database which handles
|
|
\fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these
|
|
commands are applied to that view; otherwise they are applied to all
|
|
views.
|
|
.INDENT 7.0
|
|
.IP \(bu 2
|
|
When run with the \fBstatus\fP keyword, prints the current status of
|
|
the managed\-keys database.
|
|
.IP \(bu 2
|
|
When run with the \fBrefresh\fP keyword, forces an immediate refresh
|
|
query to be sent for all the managed keys, updating the
|
|
managed\-keys database if any new keys are found, without waiting
|
|
the normal refresh interval.
|
|
.IP \(bu 2
|
|
When run with the \fBsync\fP keyword, forces an immediate dump of
|
|
the managed\-keys database to disk (in the file
|
|
\fBmanaged\-keys.bind\fP or (\fBviewname.mkeys\fP). This synchronizes
|
|
the database with its journal file, so that the database\(aqs current
|
|
contents can be inspected visually.
|
|
.IP \(bu 2
|
|
When run with the \fBdestroy\fP keyword, the managed\-keys database
|
|
is shut down and deleted, and all key maintenance is terminated.
|
|
This command should be used only with extreme caution.
|
|
.sp
|
|
Existing keys that are already trusted are not deleted from
|
|
memory; DNSSEC validation can continue after this command is used.
|
|
However, key maintenance operations will cease until \fBnamed(8)\fP is
|
|
restarted or reconfigured, and all existing key maintenance state
|
|
will be deleted.
|
|
.sp
|
|
Running \fBrndc reconfig\fP or restarting \fBnamed(8)\fP immediately
|
|
after this command will cause key maintenance to be reinitialized
|
|
from scratch, just as if the server were being started for the
|
|
first time. This is primarily intended for testing, but it may
|
|
also be used, for example, to jumpstart the acquisition of new
|
|
keys in the event of a trust anchor rollover, or as a brute\-force
|
|
repair for key maintenance problems.
|
|
.UNINDENT
|
|
.TP
|
|
.B \fBmodzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
|
|
Modify the configuration of a zone while the server is running. This
|
|
command requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&.
|
|
As with \fBaddzone\fP, the configuration string specified on the
|
|
command line is the zone configuration text that would ordinarily be
|
|
placed in \fBnamed.conf\fP\&.
|
|
.sp
|
|
If the zone was originally added via \fBrndc addzone\fP, the
|
|
configuration changes will be recorded permanently and will still be
|
|
in effect after the server is restarted or reconfigured. However, if
|
|
it was originally configured in \fBnamed.conf\fP, then that original
|
|
configuration is still in place; when the server is restarted or
|
|
reconfigured, the zone will revert to its original configuration. To
|
|
make the changes permanent, it must also be modified in
|
|
\fBnamed.conf\fP
|
|
.sp
|
|
See also \fBrndc addzone\fP and \fBrndc delzone\fP\&.
|
|
.TP
|
|
.B \fBnotify\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Resend NOTIFY messages for the zone.
|
|
.TP
|
|
.B \fBnotrace\fP
|
|
Sets the server\(aqs debugging level to 0.
|
|
.sp
|
|
See also \fBrndc trace\fP\&.
|
|
.TP
|
|
\fBnta\fP [( \fB\-class\fP \fIclass\fP | \fB\-dump\fP | \fB\-force\fP | \fB\-remove\fP | \fB\-lifetime\fP \fIduration\fP)] \fIdomain\fP [\fIview\fP]
|
|
Sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a
|
|
lifetime of \fBduration\fP\&. The default lifetime is configured in
|
|
\fBnamed.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
|
|
hour. The lifetime cannot exceed one week.
|
|
.sp
|
|
A negative trust anchor selectively disables DNSSEC validation for
|
|
zones that are known to be failing because of misconfiguration rather
|
|
than an attack. When data to be validated is at or below an active
|
|
NTA (and above any other configured trust anchors), \fBnamed(8)\fP will
|
|
abort the DNSSEC validation process and treat the data as insecure
|
|
rather than bogus. This continues until the NTA\(aqs lifetime is
|
|
elapsed.
|
|
.sp
|
|
NTAs persist across restarts of the \fBnamed(8)\fP server. The NTAs for a
|
|
view are saved in a file called \fBname.nta\fP, where name is the name
|
|
of the view, or if it contains characters that are incompatible with
|
|
use as a file name, a cryptographic hash generated from the name of
|
|
the view.
|
|
.sp
|
|
An existing NTA can be removed by using the \fB\-remove\fP option.
|
|
.sp
|
|
An NTA\(aqs lifetime can be specified with the \fB\-lifetime\fP option.
|
|
TTL\-style suffixes can be used to specify the lifetime in seconds,
|
|
minutes, or hours. If the specified NTA already exists, its lifetime
|
|
will be updated to the new value. Setting \fBlifetime\fP to zero is
|
|
equivalent to \fB\-remove\fP\&.
|
|
.sp
|
|
If the \fB\-dump\fP is used, any other arguments are ignored, and a list
|
|
of existing NTAs is printed (note that this may include NTAs that are
|
|
expired but have not yet been cleaned up).
|
|
.sp
|
|
Normally, \fBnamed(8)\fP will periodically test to see whether data below
|
|
an NTA can now be validated (see the \fBnta\-recheck\fP option in the
|
|
Administrator Reference Manual for details). If data can be
|
|
validated, then the NTA is regarded as no longer necessary, and will
|
|
be allowed to expire early. The \fB\-force\fP overrides this behavior
|
|
and forces an NTA to persist for its entire lifetime, regardless of
|
|
whether data could be validated if the NTA were not present.
|
|
.sp
|
|
The view class can be specified with \fB\-class\fP\&. The default is class
|
|
\fBIN\fP, which is the only class for which DNSSEC is currently
|
|
supported.
|
|
.sp
|
|
All of these options can be shortened, i.e., to \fB\-l\fP, \fB\-r\fP,
|
|
\fB\-d\fP, \fB\-f\fP, and \fB\-c\fP\&.
|
|
.sp
|
|
Unrecognized options are treated as errors. To reference a domain or
|
|
view name that begins with a hyphen, use a double\-hyphen on the
|
|
command line to indicate the end of options.
|
|
.TP
|
|
.B \fBquerylog\fP [(\fIon\fP | \fIoff\fP)]
|
|
Enable or disable query logging. (For backward compatibility, this
|
|
command can also be used without an argument to toggle query logging
|
|
on and off.)
|
|
.sp
|
|
Query logging can also be enabled by explicitly directing the
|
|
\fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section
|
|
of \fBnamed.conf\fP or by specifying \fBquerylog yes;\fP in the
|
|
\fBoptions\fP section of \fBnamed.conf\fP\&.
|
|
.TP
|
|
.B \fBreconfig\fP
|
|
Reload the configuration file and load new zones, but do not reload
|
|
existing zone files even if they have changed. This is faster than a
|
|
full \fBreload\fP when there is a large number of zones because it
|
|
avoids the need to examine the modification times of the zones files.
|
|
.TP
|
|
.B \fBrecursing\fP
|
|
Dump the list of queries \fBnamed(8)\fP is currently recursing on, and the
|
|
list of domains to which iterative queries are currently being sent.
|
|
(The second list includes the number of fetches currently active for
|
|
the given domain, and how many have been passed or dropped because of
|
|
the \fBfetches\-per\-zone\fP option.)
|
|
.TP
|
|
.B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Schedule zone maintenance for the given zone.
|
|
.TP
|
|
.B \fBreload\fP
|
|
Reload configuration file and zones.
|
|
.TP
|
|
.B \fBreload\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Reload the given zone.
|
|
.TP
|
|
.B \fBretransfer\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Retransfer the given slave zone from the master server.
|
|
.sp
|
|
If the zone is configured to use \fBinline\-signing\fP, the signed
|
|
version of the zone is discarded; after the retransfer of the
|
|
unsigned version is complete, the signed version will be regenerated
|
|
with all new signatures.
|
|
.TP
|
|
.B \fBscan\fP
|
|
Scan the list of available network interfaces for changes, without
|
|
performing a full \fBreconfig\fP or waiting for the
|
|
\fBinterface\-interval\fP timer.
|
|
.TP
|
|
\fBsecroots\fP [\fB\-\fP] [\fIview\fP ...]
|
|
Dump the security roots (i.e., trust anchors configured via
|
|
\fBtrust\-anchors\fP, or the \fBmanaged\-keys\fP or \fBtrusted\-keys\fP statements
|
|
(both deprecated), or \fBdnssec\-validation auto\fP) and negative trust anchors
|
|
for the specified views. If no view is specified, all views are
|
|
dumped. Security roots will indicate whether they are configured as trusted
|
|
keys, managed keys, or initializing managed keys (managed keys that have not
|
|
yet been updated by a successful key refresh query).
|
|
.sp
|
|
If the first argument is "\-", then the output is returned via the
|
|
\fBrndc\fP response channel and printed to the standard output.
|
|
Otherwise, it is written to the secroots dump file, which defaults to
|
|
\fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP
|
|
option in \fBnamed.conf\fP\&.
|
|
.sp
|
|
See also \fBrndc managed\-keys\fP\&.
|
|
.TP
|
|
\fBserve\-stale\fP (\fBon\fP | \fBoff\fP | \fBreset\fP | \fBstatus\fP) [\fIclass\fP [\fIview\fP]]
|
|
Enable, disable, reset, or report the current status of the serving
|
|
of stale answers as configured in \fBnamed.conf\fP\&.
|
|
.sp
|
|
If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP,
|
|
then it will remain disabled even if \fBnamed(8)\fP is reloaded or
|
|
reconfigured. \fBrndc serve\-stale reset\fP restores the setting as
|
|
configured in \fBnamed.conf\fP\&.
|
|
.sp
|
|
\fBrndc serve\-stale status\fP will report whether serving of stale
|
|
answers is currently enabled, disabled by the configuration, or
|
|
disabled by \fBrndc\fP\&. It will also report the values of
|
|
\fBstale\-answer\-ttl\fP and \fBmax\-stale\-ttl\fP\&.
|
|
.TP
|
|
.B \fBshowzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Print the configuration of a running zone.
|
|
.sp
|
|
See also \fBrndc zonestatus\fP\&.
|
|
.TP
|
|
.B \fBsign\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Fetch all DNSSEC keys for the given zone from the key directory (see
|
|
the \fBkey\-directory\fP option in the BIND 9 Administrator Reference
|
|
Manual). If they are within their publication period, merge them into
|
|
the zone\(aqs DNSKEY RRset. If the DNSKEY RRset is changed, then the
|
|
zone is automatically re\-signed with the new key set.
|
|
.sp
|
|
This command requires that the zone is configure with a \fBdnssec\-policy\fP, or
|
|
that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP,
|
|
and also requires the zone to be configured to allow dynamic DNS. (See
|
|
"Dynamic Update Policies" in the Administrator Reference Manual for more
|
|
details.)
|
|
.sp
|
|
See also \fBrndc loadkeys\fP\&.
|
|
.TP
|
|
\fBsigning\fP [(\fB\-list\fP | \fB\-clear\fP \fIkeyid/algorithm\fP | \fB\-clear\fP \fIall\fP | \fB\-nsec3param\fP ( \fIparameters\fP | none ) | \fB\-serial\fP \fIvalue\fP ) \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
List, edit, or remove the DNSSEC signing state records for the
|
|
specified zone. The status of ongoing DNSSEC operations (such as
|
|
signing or generating NSEC3 chains) is stored in the zone in the form
|
|
of DNS resource records of type \fBsig\-signing\-type\fP\&.
|
|
\fBrndc signing \-list\fP converts these records into a human\-readable
|
|
form, indicating which keys are currently signing or have finished
|
|
signing the zone, and which NSEC3 chains are being created or
|
|
removed.
|
|
.sp
|
|
\fBrndc signing \-clear\fP can remove a single key (specified in the
|
|
same format that \fBrndc signing \-list\fP uses to display it), or all
|
|
keys. In either case, only completed keys are removed; any record
|
|
indicating that a key has not yet finished signing the zone will be
|
|
retained.
|
|
.sp
|
|
\fBrndc signing \-nsec3param\fP sets the NSEC3 parameters for a zone.
|
|
This is the only supported mechanism for using NSEC3 with
|
|
\fBinline\-signing\fP zones. Parameters are specified in the same format
|
|
as an NSEC3PARAM resource record: hash algorithm, flags, iterations,
|
|
and salt, in that order.
|
|
.sp
|
|
Currently, the only defined value for hash algorithm is \fB1\fP,
|
|
representing SHA\-1. The \fBflags\fP may be set to \fB0\fP or \fB1\fP,
|
|
depending on whether you wish to set the opt\-out bit in the NSEC3
|
|
chain. \fBiterations\fP defines the number of additional times to apply
|
|
the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string
|
|
of data expressed in hexadecimal, a hyphen (\fI\-\(aq) if no salt is to be
|
|
used, or the keyword \(ga\(gaauto\(ga\fP, which causes \fBnamed(8)\fP to generate a
|
|
random 64\-bit salt.
|
|
.sp
|
|
So, for example, to create an NSEC3 chain using the SHA\-1 hash
|
|
algorithm, no opt\-out flag, 10 iterations, and a salt value of
|
|
"FFFF", use: \fBrndc signing \-nsec3param 1 0 10 FFFF zone\fP\&. To set
|
|
the opt\-out flag, 15 iterations, and no salt, use:
|
|
\fBrndc signing \-nsec3param 1 1 15 \- zone\fP\&.
|
|
.sp
|
|
\fBrndc signing \-nsec3param none\fP removes an existing NSEC3 chain and
|
|
replaces it with NSEC.
|
|
.sp
|
|
\fBrndc signing \-serial value\fP sets the serial number of the zone to
|
|
value. If the value would cause the serial number to go backwards it
|
|
will be rejected. The primary use is to set the serial on inline
|
|
signed zones.
|
|
.TP
|
|
.B \fBstats\fP
|
|
Write server statistics to the statistics file. (See the
|
|
\fBstatistics\-file\fP option in the BIND 9 Administrator Reference
|
|
Manual.)
|
|
.TP
|
|
.B \fBstatus\fP
|
|
Display status of the server. Note that the number of zones includes
|
|
the internal \fBbind/CH\fP zone and the default \fB\&./IN\fP hint zone if
|
|
there is not an explicit root zone configured.
|
|
.TP
|
|
\fBstop\fP \fB\-p\fP
|
|
Stop the server, making sure any recent changes made through dynamic
|
|
update or IXFR are first saved to the master files of the updated
|
|
zones. If \fB\-p\fP is specified \fBnamed(8)\fP\(aqs process id is returned.
|
|
This allows an external process to determine when \fBnamed(8)\fP had
|
|
completed stopping.
|
|
.sp
|
|
See also \fBrndc halt\fP\&.
|
|
.TP
|
|
\fBsync\fP \fB\-clean\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
|
|
Sync changes in the journal file for a dynamic zone to the master
|
|
file. If the "\-clean" option is specified, the journal file is also
|
|
removed. If no zone is specified, then all zones are synced.
|
|
.TP
|
|
.B \fBtcp\-timeouts\fP [\fIinitial\fP \fIidle\fP \fIkeepalive\fP \fIadvertised\fP]
|
|
When called without arguments, display the current values of the
|
|
\fBtcp\-initial\-timeout\fP, \fBtcp\-idle\-timeout\fP,
|
|
\fBtcp\-keepalive\-timeout\fP and \fBtcp\-advertised\-timeout\fP options.
|
|
When called with arguments, update these values. This allows an
|
|
administrator to make rapid adjustments when under a denial of
|
|
service attack. See the descriptions of these options in the BIND 9
|
|
Administrator Reference Manual for details of their use.
|
|
.TP
|
|
.B \fBthaw\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
|
|
Enable updates to a frozen dynamic zone. If no zone is specified,
|
|
then all frozen zones are enabled. This causes the server to reload
|
|
the zone from disk, and re\-enables dynamic updates after the load has
|
|
completed. After a zone is thawed, dynamic updates will no longer be
|
|
refused. If the zone has changed and the \fBixfr\-from\-differences\fP
|
|
option is in use, then the journal file will be updated to reflect
|
|
changes in the zone. Otherwise, if the zone has changed, any existing
|
|
journal file will be removed.
|
|
.sp
|
|
See also \fBrndc freeze\fP\&.
|
|
.TP
|
|
.B \fBtrace\fP
|
|
Increment the servers debugging level by one.
|
|
.TP
|
|
.B \fBtrace\fP \fIlevel\fP
|
|
Sets the server\(aqs debugging level to an explicit value.
|
|
.sp
|
|
See also \fBrndc notrace\fP\&.
|
|
.TP
|
|
.B \fBtsig\-delete\fP \fIkeyname\fP [\fIview\fP]
|
|
Delete a given TKEY\-negotiated key from the server. (This does not
|
|
apply to statically configured TSIG keys.)
|
|
.TP
|
|
.B \fBtsig\-list\fP
|
|
List the names of all TSIG keys currently configured for use by
|
|
\fBnamed(8)\fP in each view. The list both statically configured keys and
|
|
dynamic TKEY\-negotiated keys.
|
|
.TP
|
|
\fBvalidation\fP (\fBon\fP | \fBoff\fP | \fBstatus\fP) [\fIview\fP ...]\(ga\(ga
|
|
Enable, disable, or check the current status of DNSSEC validation. By
|
|
default, validation is enabled.
|
|
.sp
|
|
The cache is flushed when validation is turned on or off to avoid using data
|
|
that might differ between states.
|
|
.TP
|
|
.B \fBzonestatus\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
|
|
Displays the current status of the given zone, including the master
|
|
file name and any include files from which it was loaded, when it was
|
|
most recently loaded, the current serial number, the number of nodes,
|
|
whether the zone supports dynamic updates, whether the zone is DNSSEC
|
|
signed, whether it uses automatic DNSSEC key management or inline
|
|
signing, and the scheduled refresh or expiry times for the zone.
|
|
.sp
|
|
See also \fBrndc showzone\fP\&.
|
|
.UNINDENT
|
|
.sp
|
|
\fBrndc\fP commands that specify zone names, such as \fBreload\fP,
|
|
\fBretransfer\fP or \fBzonestatus\fP, can be ambiguous when applied to zones
|
|
of type \fBredirect\fP\&. Redirect zones are always called ".", and can be
|
|
confused with zones of type \fBhint\fP or with slaved copies of the root
|
|
zone. To specify a redirect zone, use the special zone name
|
|
\fB\-redirect\fP, without a trailing period. (With a trailing period, this
|
|
would specify a zone called "\-redirect".)
|
|
.SH LIMITATIONS
|
|
.sp
|
|
There is currently no way to provide the shared secret for a \fBkey_id\fP
|
|
without using the configuration file.
|
|
.sp
|
|
Several error messages could be clearer.
|
|
.SH SEE ALSO
|
|
.sp
|
|
\fBrndc.conf(5)\fP, \fBrndc\-confgen(8)\fP,
|
|
\fBnamed(8)\fP, \fBnamed.conf(5)\fP, \fBndc(8)\fP, BIND 9 Administrator
|
|
Reference Manual.
|
|
.SH AUTHOR
|
|
Internet Systems Consortium
|
|
.SH COPYRIGHT
|
|
2020, Internet Systems Consortium
|
|
.\" Generated by docutils manpage writer.
|
|
.
|