"Fossies" - the Fresh Open Source Software Archive

Member "bind-9.17.5/doc/man/rndc.8in" (4 Sep 2020, 27703 Bytes) of package /linux/misc/dns/bind9/9.17.5/bind-9.17.5.tar.xz:



    1 .\" Man page generated from reStructuredText.
    2 .
    3 .TH "RNDC" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
    4 .SH NAME
    5 rndc \- name server control utility
    6 .
    7 .nr rst2man-indent-level 0
    8 .
    9 .de1 rstReportMargin
   10 \\$1 \\n[an-margin]
   11 level \\n[rst2man-indent-level]
   12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
   13 -
   14 \\n[rst2man-indent0]
   15 \\n[rst2man-indent1]
   16 \\n[rst2man-indent2]
   17 ..
   18 .de1 INDENT
   19 .\" .rstReportMargin pre:
   20 . RS \\$1
   21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
   22 . nr rst2man-indent-level +1
   23 .\" .rstReportMargin post:
   24 ..
   25 .de UNINDENT
   26 . RE
   27 .\" indent \\n[an-margin]
   28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
   29 .nr rst2man-indent-level -1
   30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
   31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
   32 ..
   33 .SH SYNOPSIS
   34 .sp
   35 \fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP key_id] [[\fB\-4\fP] | [\fB\-6\fP]] {command}
   36 .SH DESCRIPTION
   37 .sp
   38 \fBrndc\fP controls the operation of a name server; it supersedes the
   39 \fBndc\fP utility. If \fBrndc\fP is
   40 invoked with no command line options or arguments, it prints a short
   41 summary of the supported commands and the available options and their
   42 arguments.
   43 .sp
   44 \fBrndc\fP communicates with the name server over a TCP connection,
   45 sending commands authenticated with digital signatures. In the current
   46 versions of \fBrndc\fP and \fBnamed\fP, the only supported authentication
   47 algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224,
   48 HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared
   49 secret on each end of the connection, which provides TSIG\-style
   50 authentication for the command request and the name server\(aqs response.
   51 All commands sent over the channel must be signed by a key_id known to
   52 the server.
   53 .sp
   54 \fBrndc\fP reads a configuration file to determine how to contact the name
   55 server and decide what algorithm and key it should use.
   56 .SH OPTIONS
   57 .INDENT 0.0
   58 .TP
   59 .B \fB\-4\fP
   60 This option indicates use of IPv4 only.
   61 .TP
   62 .B \fB\-6\fP
   63 This option indicates use of IPv6 only.
   64 .TP
   65 .B \fB\-b source\-address\fP
   66 This option indicates \fBsource\-address\fP as the source address for the connection to the
   67 server. Multiple instances are permitted, to allow setting of both the
   68 IPv4 and IPv6 source addresses.
   69 .TP
   70 .B \fB\-c config\-file\fP
   71 This option indicates \fBconfig\-file\fP as the configuration file instead of the default,
   72 \fB/etc/rndc.conf\fP\&.
   73 .TP
   74 .B \fB\-k key\-file\fP
   75 This option indicates \fBkey\-file\fP as the key file instead of the default,
   76 \fB/etc/rndc.key\fP\&. The key in \fB/etc/rndc.key\fP is used to
   77 authenticate commands sent to the server if the config\-file does not
   78 exist.
   79 .TP
   80 .B \fB\-s server\fP
   81 \fBserver\fP is the name or address of the server which matches a server
   82 statement in the configuration file for \fBrndc\fP\&. If no server is
   83 supplied on the command line, the host named by the default\-server
   84 clause in the options statement of the \fBrndc\fP configuration file
   85 is used.
   86 .TP
   87 .B \fB\-p port\fP
   88 This option instructs BIND 9 to send commands to TCP port \fBport\fP instead of its default control
   89 channel port, 953.
   90 .TP
   91 .B \fB\-q\fP
   92 This option sets quiet mode, where message text returned by the server is not printed
   93 unless there is an error.
   94 .TP
   95 .B \fB\-r\fP
   96 This option instructs \fBrndc\fP to print the result code returned by \fBnamed\fP
   97 after executing the requested command (e.g., ISC_R_SUCCESS,
   98 ISC_R_FAILURE, etc.).
   99 .TP
  100 .B \fB\-V\fP
  101 This option enables verbose logging.
  102 .TP
  103 .B \fB\-y key_id\fP
  104 This option indicates use of the key \fBkey_id\fP from the configuration file. For control message validation to succeed, \fBkey_id\fP must be known
  105 by \fBnamed\fP with the same algorithm and secret string. If no \fBkey_id\fP is specified,
  106 \fBrndc\fP first looks for a key clause in the server statement of
  107 the server being used, or if no server statement is present for that
  108 host, then in the default\-key clause of the options statement. Note that
  109 the configuration file contains shared secrets which are used to send
  110 authenticated control commands to name servers, and should therefore
  111 not have general read or write access.
  112 .UNINDENT
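Added example (not part of this man page or of the BIND distribution): a POSIX shell audit of an rndc configuration file. It checks the two points made above, that the file holds shared secrets and should not have general read or write access and that HMAC-MD5 is kept only for compatibility, and it resolves the key using the selection order described for \-y. The sample configuration, key names, host names and function names are constructed; treating a server statement that has no key clause like a missing server statement is an assumption.

```sh
#!/bin/sh
# Added example: audit an rndc configuration file (POSIX sh + awk).

# Emit one record per relevant clause:
#   key NAME ALGORITHM | server HOST KEYNAME | default-key NAME
parse_rndc_conf() {
    awk '
    {
        sub(/^[ \t]*(#|\/\/).*/, "")       # drop whole-line comments only
        gsub(/[{};]/, " & ")               # make braces and semicolons tokens
        for (i = 1; i <= NF; i++) {
            t = $i; gsub(/"/, "", t)
            if (t == "{") { depth++ }
            else if (t == "}") { if (--depth == 0) ctx = "" }
            else if (depth == 0 && (p == "key" || p == "server")) { ctx = p; name = t }
            else if (depth == 0 && t == "options") { ctx = "options" }
            else if (depth == 1 && ctx == "key" && p == "algorithm") { print "key", name, tolower(t) }
            else if (depth == 1 && ctx == "server" && p == "key") { print "server", name, t }
            else if (depth == 1 && ctx == "options" && p == "default-key") { print "default-key", t }
            p = t
        }
    }' "$1"
}

# Key selection order given for -y: explicit key_id, then the key clause of the
# server statement, then default-key. Assumption: a server statement with no
# key clause falls through to default-key as well.
effective_key() {   # FILE SERVER [KEY_ID]
    parse_rndc_conf "$1" | awk -v srv="$2" -v kid="${3:-}" '
        $1 == "server" && $2 == srv { skey = $3 }
        $1 == "default-key"         { dkey = $2 }
        END { print (kid != "" ? kid : (skey != "" ? skey : dkey)) }'
}

key_algorithm() {   # FILE KEYNAME
    parse_rndc_conf "$1" | awk -v k="$2" '$1 == "key" && $2 == k { print $3 }'
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print findings; return 0 when clean, 1 on findings, 2 if the file is missing.
audit_rndc_conf() { # FILE SERVER [KEY_ID]
    rc=0
    mode=$(file_mode "$1") || { echo "ERROR cannot stat $1"; return 2; }
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "PERM $1: mode $mode grants group/other access to the shared secret"
        rc=1
    fi
    key=$(effective_key "$1" "$2" "${3:-}")
    alg=$(key_algorithm "$1" "$key")
    case $alg in
        "")       echo "KEY no key clause named '$key' in $1"; rc=1 ;;
        hmac-md5) echo "ALGO key '$key' for $2 uses $alg (compatibility only; default is hmac-sha256)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configuration (names and secret are placeholders).
write_sample() {
    cat > "$1" <<'EOF'
# constructed rndc.conf for the example
key "legacy-key" { algorithm hmac-md5; secret "Y29uc3RydWN0ZWQ="; };
key "ops-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQ=";
};
server ns1.example.com { key "ops-key"; };
options { default-key "legacy-key"; default-server localhost; };
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
audit_rndc_conf "$sample" localhost || true         # PERM and ALGO findings
audit_rndc_conf "$sample" ns1.example.com || true   # PERM finding only
rm -f "$sample"
```

Run it against the file named by \-c (or the default /etc/rndc.conf) with the server name that would be passed to \-s; a non-zero exit status means at least one finding was printed.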
  113 .SH COMMANDS
  114 .sp
  115 A list of commands supported by \fBrndc\fP can be seen by running \fBrndc\fP
  116 without arguments.
  117 .sp
  118 Currently supported commands are:
  119 .INDENT 0.0
  120 .TP
  121 .B \fBaddzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
  122 This command adds a zone while the server is running. This command requires the
  123 \fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The configuration
  124 string specified on the command line is the zone configuration text
  125 that would ordinarily be placed in \fBnamed.conf\fP\&.
  126 .sp
  127 The configuration is saved in a file called \fBviewname.nzf\fP (or, if
  128 \fBnamed\fP is compiled with liblmdb, an LMDB database file called
  129 \fBviewname.nzd\fP). \fBviewname\fP is the name of the view, unless the view
  130 name contains characters that are incompatible with use as a file
  131 name, in which case a cryptographic hash of the view name is used
  132 instead. When \fBnamed\fP is restarted, the file is loaded into
  133 the view configuration so that zones that were added can persist
  134 after a restart.
  135 .sp
  136 This sample \fBaddzone\fP command adds the zone \fBexample.com\fP to
  137 the default view:
  138 .sp
  139 \fB$ rndc addzone example.com \(aq{ type master; file "example.com.db"; };\(aq\fP
  140 .sp
  141 (Note the brackets around and semi\-colon after the zone configuration
  142 text.)
  143 .sp
  144 See also \fBrndc delzone\fP and \fBrndc modzone\fP\&.
  145 .TP
  146 \fBdelzone\fP [\fB\-clean\fP] \fIzone\fP [\fIclass\fP [\fIview\fP]]
  147 This command deletes a zone while the server is running.
  148 .sp
  149 If the \fB\-clean\fP argument is specified, the zone\(aqs master file (and
  150 journal file, if any) are deleted along with the zone. Without
  151 the \fB\-clean\fP option, zone files must be deleted manually. (If the
  152 zone is of type \fBsecondary\fP or \fBstub\fP, the files needing to be removed
  153 are reported in the output of the \fBrndc delzone\fP command.)
  154 .sp
  155 If the zone was originally added via \fBrndc addzone\fP, then it is
  156 removed permanently. However, if it was originally configured in
  157 \fBnamed.conf\fP, then that original configuration remains in place;
  158 when the server is restarted or reconfigured, the zone is
  159 recreated. To remove it permanently, it must also be removed from
  160 \fBnamed.conf\fP\&.
  161 .sp
  162 See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
  163 .TP
  164 \fBdnssec\fP ( \fB\-status\fP | \fB\-checkds\fP [\fB\-key\fP \fIid\fP [\fB\-alg\fP \fIalgorithm\fP]] [\fB\-when\fP \fItime\fP] ( \fIpublished\fP | \fIwithdrawn\fP )) \fIzone\fP [\fIclass\fP [\fIview\fP]]
  165 This command allows you to interact with the "dnssec\-policy" of a given
  166 zone.
  167 .sp
  168 \fBrndc dnssec \-status\fP shows the DNSSEC signing state for the specified
  169 zone.
  170 .sp
  171 \fBrndc dnssec \-checkds\fP informs \fBnamed\fP that the DS for the given
  172 key has been seen published in, or withdrawn from, the parent. This is
  173 required in order to complete a KSK rollover. If the \fB\-key id\fP argument
  174 is specified, \fBnamed\fP looks for the key with the given identifier; otherwise, if there
  175 is only one key acting as a KSK in the zone, it assumes the DS of that key (if
  176 there are multiple keys with the same tag, use \fB\-alg algorithm\fP to
  177 select the correct algorithm). The time that the DS was published or
  178 withdrawn is set to now, unless otherwise specified with the argument \fB\-when time\fP\&.
  179 .TP
  180 \fBdnstap\fP ( \fB\-reopen\fP | \fB\-roll\fP [\fInumber\fP] )
  181 This command closes and re\-opens DNSTAP output files. \fBrndc dnstap \-reopen\fP allows
  182 the output file to be renamed externally, so that \fBnamed\fP can
  183 truncate and re\-open it. \fBrndc dnstap \-roll\fP causes the output file
  184 to be rolled automatically, similar to log files. The most recent
  185 output file has ".0" appended to its name; the previous most recent
  186 output file is moved to ".1", and so on. If \fBnumber\fP is specified, then
  187 the number of backup log files is limited to that number.
  188 .TP
  189 \fBdumpdb\fP [\fB\-all\fP | \fB\-cache\fP | \fB\-zones\fP | \fB\-adb\fP | \fB\-bad\fP | \fB\-fail\fP] [\fIview ...\fP]
  190 This command dumps the server\(aqs caches (default) and/or zones to the dump file for
  191 the specified views. If no view is specified, all views are dumped.
  192 (See the \fBdump\-file\fP option in the BIND 9 Administrator Reference
  193 Manual.)
  194 .TP
  195 .B \fBflush\fP
  196 This command flushes the server\(aqs cache.
  197 .TP
  198 .B \fBflushname\fP \fIname\fP [\fIview\fP]
  199 This command flushes the given name from the view\(aqs DNS cache and, if applicable,
  200 from the view\(aqs nameserver address database, bad server cache, and
  201 SERVFAIL cache.
  202 .TP
  203 .B \fBflushtree\fP \fIname\fP [\fIview\fP]
  204 This command flushes the given name, and all of its subdomains, from the view\(aqs
  205 DNS cache, address database, bad server cache, and SERVFAIL cache.
  206 .TP
  207 .B \fBfreeze\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
  208 This command suspends updates to a dynamic zone. If no zone is specified, then all
  209 zones are suspended. This allows manual edits to be made to a zone
  210 normally updated by dynamic update, and causes changes in the
  211 journal file to be synced into the master file. All dynamic update
  212 attempts are refused while the zone is frozen.
  213 .sp
  214 See also \fBrndc thaw\fP\&.
  215 .TP
  216 \fBhalt\fP [\fB\-p\fP]
  217 This command stops the server immediately. Recent changes made through dynamic
  218 update or IXFR are not saved to the master files, but are rolled
  219 forward from the journal files when the server is restarted. If
  220 \fB\-p\fP is specified, \fBnamed\fP\(aqs process ID is returned. This allows
  221 an external process to determine when \fBnamed\fP has completed
  222 halting.
  223 .sp
  224 See also \fBrndc stop\fP\&.
  225 .TP
  226 .B \fBloadkeys\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
  227 This command fetches all DNSSEC keys for the given zone from the key directory. If
  228 they are within their publication period, they are merged into the
  229 zone\(aqs DNSKEY RRset. Unlike \fBrndc sign\fP, however, the zone is not
  230 immediately re\-signed by the new keys, but is allowed to
  231 incrementally re\-sign over time.
  232 .sp
  233 This command requires that the zone be configured with a \fBdnssec\-policy\fP, or
  234 that the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the
  235 zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in
  236 the Administrator Reference Manual for more details.)
  237 .TP
  238 .B \fBmanaged\-keys\fP (\fIstatus\fP | \fIrefresh\fP | \fIsync\fP | \fIdestroy\fP) [\fIclass\fP [\fIview\fP]]
  239 This command inspects and controls the "managed\-keys" database which handles
  240 \fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these
  241 commands are applied to that view; otherwise, they are applied to all
  242 views.
  243 .INDENT 7.0
  244 .IP \(bu 2
  245 When run with the \fBstatus\fP keyword, this prints the current status of
  246 the managed\-keys database.
  247 .IP \(bu 2
  248 When run with the \fBrefresh\fP keyword, this forces an immediate refresh
  249 query to be sent for all the managed keys, updating the
  250 managed\-keys database if any new keys are found, without waiting
  251 the normal refresh interval.
  252 .IP \(bu 2
  253 When run with the \fBsync\fP keyword, this forces an immediate dump of
  254 the managed\-keys database to disk (in the file
  255 \fBmanaged\-keys.bind\fP or \fBviewname.mkeys\fP). This synchronizes
  256 the database with its journal file, so that the database\(aqs current
  257 contents can be inspected visually.
  258 .IP \(bu 2
  259 When run with the \fBdestroy\fP keyword, the managed\-keys database
  260 is shut down and deleted, and all key maintenance is terminated.
  261 This command should be used only with extreme caution.
  262 .sp
  263 Existing keys that are already trusted are not deleted from
  264 memory; DNSSEC validation can continue after this command is used.
  265 However, key maintenance operations cease until \fBnamed\fP is
  266 restarted or reconfigured, and all existing key maintenance states
  267 are deleted.
  268 .sp
  269 Running \fBrndc reconfig\fP or restarting \fBnamed\fP immediately
  270 after this command causes key maintenance to be reinitialized
  271 from scratch, just as if the server were being started for the
  272 first time. This is primarily intended for testing, but it may
  273 also be used, for example, to jumpstart the acquisition of new
  274 keys in the event of a trust anchor rollover, or as a brute\-force
  275 repair for key maintenance problems.
  276 .UNINDENT
  277 .TP
  278 .B \fBmodzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]] \fIconfiguration\fP
  279 This command modifies the configuration of a zone while the server is running. This
  280 command requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&.
  281 As with \fBaddzone\fP, the configuration string specified on the
  282 command line is the zone configuration text that would ordinarily be
  283 placed in \fBnamed.conf\fP\&.
  284 .sp
  285 If the zone was originally added via \fBrndc addzone\fP, the
  286 configuration changes are recorded permanently and are still
  287 in effect after the server is restarted or reconfigured. However, if
  288 it was originally configured in \fBnamed.conf\fP, then that original
  289 configuration remains in place; when the server is restarted or
  290 reconfigured, the zone reverts to its original configuration. To
  291 make the changes permanent, it must also be modified in
  292 \fBnamed.conf\fP\&.
  293 .sp
  294 See also \fBrndc addzone\fP and \fBrndc delzone\fP\&.
  295 .TP
  296 .B \fBnotify\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  297 This command resends NOTIFY messages for the zone.
  298 .TP
  299 .B \fBnotrace\fP
  300 This command sets the server\(aqs debugging level to 0.
  301 .sp
  302 See also \fBrndc trace\fP\&.
  303 .TP
  304 \fBnta\fP [( \fB\-class\fP \fIclass\fP | \fB\-dump\fP | \fB\-force\fP | \fB\-remove\fP | \fB\-lifetime\fP \fIduration\fP)] \fIdomain\fP [\fIview\fP]
  305 This command sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a
  306 lifetime of \fBduration\fP\&. The default lifetime is configured in
  307 \fBnamed.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
  308 hour. The lifetime cannot exceed one week.
  309 .sp
  310 A negative trust anchor selectively disables DNSSEC validation for
  311 zones that are known to be failing because of misconfiguration rather
  312 than an attack. When data to be validated is at or below an active
  313 NTA (and above any other configured trust anchors), \fBnamed\fP
  314 aborts the DNSSEC validation process and treats the data as insecure
  315 rather than bogus. This continues until the NTA\(aqs lifetime has
  316 elapsed.
  317 .sp
  318 NTAs persist across restarts of the \fBnamed\fP server. The NTAs for a
  319 view are saved in a file called \fBname.nta\fP, where \fBname\fP is the name
  320 of the view; if it contains characters that are incompatible with
  321 use as a file name, a cryptographic hash is generated from the name of
  322 the view.
  323 .sp
  324 An existing NTA can be removed by using the \fB\-remove\fP option.
  325 .sp
  326 An NTA\(aqs lifetime can be specified with the \fB\-lifetime\fP option.
  327 TTL\-style suffixes can be used to specify the lifetime in seconds,
  328 minutes, or hours. If the specified NTA already exists, its lifetime
  329 is updated to the new value. Setting \fBlifetime\fP to zero is
  330 equivalent to \fB\-remove\fP\&.
  331 .sp
  332 If \fB\-dump\fP is used, any other arguments are ignored and a list
  333 of existing NTAs is printed. Note that this may include NTAs that are
  334 expired but have not yet been cleaned up.
  335 .sp
  336 Normally, \fBnamed\fP periodically tests to see whether data below
  337 an NTA can now be validated (see the \fBnta\-recheck\fP option in the
  338 Administrator Reference Manual for details). If data can be
  339 validated, then the NTA is regarded as no longer necessary and is
  340 allowed to expire early. The \fB\-force\fP parameter overrides this behavior
  341 and forces an NTA to persist for its entire lifetime, regardless of
  342 whether data could be validated if the NTA were not present.
  343 .sp
  344 The view class can be specified with \fB\-class\fP\&. The default is class
  345 \fBIN\fP, which is the only class for which DNSSEC is currently
  346 supported.
  347 .sp
  348 All of these options can be shortened, i.e., to \fB\-l\fP, \fB\-r\fP,
  349 \fB\-d\fP, \fB\-f\fP, and \fB\-c\fP\&.
  350 .sp
  351 Unrecognized options are treated as errors. To refer to a domain or
  352 view name that begins with a hyphen, use a double\-hyphen (\-\-) on the
  353 command line to indicate the end of options.
  354 .TP
  355 .B \fBquerylog\fP [(\fIon\fP | \fIoff\fP)]
  356 This command enables or disables query logging. For backward compatibility, this
  357 command can also be used without an argument to toggle query logging
  358 on and off.
  359 .sp
  360 Query logging can also be enabled by explicitly directing the
  361 \fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section
  362 of \fBnamed.conf\fP, or by specifying \fBquerylog yes;\fP in the
  363 \fBoptions\fP section of \fBnamed.conf\fP\&.
  364 .TP
  365 .B \fBreconfig\fP
  366 This command reloads the configuration file and loads new zones, but does not reload
  367 existing zone files even if they have changed. This is faster than a
  368 full \fBreload\fP when there is a large number of zones, because it
  369 avoids the need to examine the modification times of the zone files.
  370 .TP
  371 .B \fBrecursing\fP
  372 This command dumps the list of queries \fBnamed\fP is currently recursing on, and the
  373 list of domains to which iterative queries are currently being sent.
  374 The second list includes the number of fetches currently active for
  375 the given domain, and how many have been passed or dropped because of
  376 the \fBfetches\-per\-zone\fP option.
  377 .TP
  378 .B \fBrefresh\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  379 This command schedules zone maintenance for the given zone.
  380 .TP
  381 .B \fBreload\fP
  382 This command reloads the configuration file and zones.
  383 .TP
  384 .B \fBreload\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  385 This command reloads the given zone.
  386 .TP
  387 .B \fBretransfer\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  388 This command retransfers the given secondary zone from the primary server.
  389 .sp
  390 If the zone is configured to use \fBinline\-signing\fP, the signed
  391 version of the zone is discarded; after the retransfer of the
  392 unsigned version is complete, the signed version is regenerated
  393 with new signatures.
  394 .TP
  395 .B \fBscan\fP
  396 This command scans the list of available network interfaces for changes, without
  397 performing a full \fBreconfig\fP or waiting for the
  398 \fBinterface\-interval\fP timer.
  399 .TP
  400 \fBsecroots\fP [\fB\-\fP] [\fIview\fP ...]
  401 This command dumps the security roots (i.e., trust anchors configured via
  402 \fBtrust\-anchors\fP, or the \fBmanaged\-keys\fP or \fBtrusted\-keys\fP statements
  403 [both deprecated], or \fBdnssec\-validation auto\fP) and negative trust anchors
  404 for the specified views. If no view is specified, all views are
  405 dumped. Security roots indicate whether they are configured as trusted
  406 keys, managed keys, or initializing managed keys (managed keys that have not
  407 yet been updated by a successful key refresh query).
  408 .sp
  409 If the first argument is \fB\-\fP, then the output is returned via the
  410 \fBrndc\fP response channel and printed to the standard output.
  411 Otherwise, it is written to the secroots dump file, which defaults to
  412 \fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP
  413 option in \fBnamed.conf\fP\&.
  414 .sp
  415 See also \fBrndc managed\-keys\fP\&.
  416 .TP
  417 \fBserve\-stale\fP (\fBon\fP | \fBoff\fP | \fBreset\fP | \fBstatus\fP) [\fIclass\fP [\fIview\fP]]
  418 This command enables, disables, resets, or reports the current status of the serving
  419 of stale answers as configured in \fBnamed.conf\fP\&.
  420 .sp
  421 If serving of stale answers is disabled by \fBrndc serve\-stale off\fP,
  422 then it remains disabled even if \fBnamed\fP is reloaded or
  423 reconfigured. \fBrndc serve\-stale reset\fP restores the setting as
  424 configured in \fBnamed.conf\fP\&.
  425 .sp
  426 \fBrndc serve\-stale status\fP reports whether serving of stale
  427 answers is currently enabled, disabled by the configuration, or
  428 disabled by \fBrndc\fP\&. It also reports the values of
  429 \fBstale\-answer\-ttl\fP and \fBmax\-stale\-ttl\fP\&.
  430 .TP
  431 .B \fBshowzone\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  432 This command prints the configuration of a running zone.
  433 .sp
  434 See also \fBrndc zonestatus\fP\&.
  435 .TP
  436 .B \fBsign\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  437 This command fetches all DNSSEC keys for the given zone from the key directory (see
  438 the \fBkey\-directory\fP option in the BIND 9 Administrator Reference
  439 Manual). If they are within their publication period, they are merged into
  440 the zone\(aqs DNSKEY RRset. If the DNSKEY RRset is changed, then the
  441 zone is automatically re\-signed with the new key set.
  442 .sp
  443 This command requires that the zone be configured with a \fBdnssec\-policy\fP, or
  444 that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP,
  445 and also requires the zone to be configured to allow dynamic DNS. (See
  446 "Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more
  447 details.)
  448 .sp
  449 See also \fBrndc loadkeys\fP\&.
  450 .TP
  451 \fBsigning\fP (\fB\-list\fP | \fB\-clear\fP \fIkeyid/algorithm\fP | \fB\-clear\fP \fIall\fP | \fB\-nsec3param\fP ( \fIparameters\fP | none ) | \fB\-serial\fP \fIvalue\fP ) \fIzone\fP [\fIclass\fP [\fIview\fP]]
  452 This command lists, edits, or removes the DNSSEC signing\-state records for the
  453 specified zone. The status of ongoing DNSSEC operations, such as
  454 signing or generating NSEC3 chains, is stored in the zone in the form
  455 of DNS resource records of type \fBsig\-signing\-type\fP\&.
  456 \fBrndc signing \-list\fP converts these records into a human\-readable
  457 form, indicating which keys are currently signing or have finished
  458 signing the zone, and which NSEC3 chains are being created or
  459 removed.
  460 .sp
  461 \fBrndc signing \-clear\fP can remove a single key (specified in the
  462 same format that \fBrndc signing \-list\fP uses to display it), or all
  463 keys. In either case, only completed keys are removed; any record
  464 indicating that a key has not yet finished signing the zone is
  465 retained.
  466 .sp
  467 \fBrndc signing \-nsec3param\fP sets the NSEC3 parameters for a zone.
  468 This is the only supported mechanism for using NSEC3 with
  469 \fBinline\-signing\fP zones. Parameters are specified in the same format
  470 as an NSEC3PARAM resource record: \fBhash algorithm\fP, \fBflags\fP, \fBiterations\fP,
  471 and \fBsalt\fP, in that order.
  472 .sp
  473 Currently, the only defined value for \fBhash algorithm\fP is \fB1\fP,
  474 representing SHA\-1. The \fBflags\fP may be set to \fB0\fP or \fB1\fP,
  475 depending on whether the opt\-out bit in the NSEC3
  476 chain should be set. \fBiterations\fP defines the number of additional times to apply
  477 the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string
  478 of data expressed in hexadecimal, a hyphen (\fB\-\fP) if no salt is to be
  479 used, or the keyword \fBauto\fP, which causes \fBnamed\fP to generate a
  480 random 64\-bit salt.
  481 .sp
  482 So, for example, to create an NSEC3 chain using the SHA\-1 hash
  483 algorithm, no opt\-out flag, 10 iterations, and a salt value of
  484 "FFFF", use: \fBrndc signing \-nsec3param 1 0 10 FFFF zone\fP\&. To set
  485 the opt\-out flag, 15 iterations, and no salt, use:
  486 \fBrndc signing \-nsec3param 1 1 15 \- zone\fP\&.
  487 .sp
  488 \fBrndc signing \-nsec3param none\fP removes an existing NSEC3 chain and
  489 replaces it with NSEC.
  490 .sp
  491 \fBrndc signing \-serial value\fP sets the serial number of the zone to
  492 \fBvalue\fP\&. If the value would cause the serial number to go backwards, it
  493 is rejected. The primary use of this parameter is to set the serial number on inline
  494 signed zones.
  495 .TP
  496 .B \fBstats\fP
  497 This command writes server statistics to the statistics file. (See the
  498 \fBstatistics\-file\fP option in the BIND 9 Administrator Reference
  499 Manual.)
  500 .TP
  501 .B \fBstatus\fP
  502 This command displays the status of the server. Note that the number of zones includes
  503 the internal \fBbind/CH\fP zone and the default \fB\&./IN\fP hint zone, if
  504 there is no explicit root zone configured.
  505 .TP
  506 \fBstop\fP [\fB\-p\fP]
  507 This command stops the server, making sure any recent changes made through dynamic
  508 update or IXFR are first saved to the master files of the updated
  509 zones. If \fB\-p\fP is specified, \fBnamed(8)\fP\(aqs process ID is returned.
  510 This allows an external process to determine when \fBnamed\fP has
  511 completed stopping.
  512 .sp
  513 See also \fBrndc halt\fP\&.
  514 .TP
  515 \fBsync\fP [\fB\-clean\fP] [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
  516 This command syncs changes in the journal file for a dynamic zone to the master
  517 file. If the "\-clean" option is specified, the journal file is also
  518 removed. If no zone is specified, then all zones are synced.
  519 .TP
  520 .B \fBtcp\-timeouts\fP [\fIinitial\fP \fIidle\fP \fIkeepalive\fP \fIadvertised\fP]
  521 When called without arguments, this command displays the current values of the
  522 \fBtcp\-initial\-timeout\fP, \fBtcp\-idle\-timeout\fP,
  523 \fBtcp\-keepalive\-timeout\fP, and \fBtcp\-advertised\-timeout\fP options.
  524 When called with arguments, these values are updated. This allows an
  525 administrator to make rapid adjustments when under a
  526 denial\-of\-service (DoS) attack. See the descriptions of these options in the BIND 9
  527 Administrator Reference Manual for details of their use.
  528 .TP
  529 .B \fBthaw\fP [\fIzone\fP [\fIclass\fP [\fIview\fP]]]
  530 This command enables updates to a frozen dynamic zone. If no zone is specified,
  531 then all frozen zones are enabled. This causes the server to reload
  532 the zone from disk, and re\-enables dynamic updates after the load has
  533 completed. After a zone is thawed, dynamic updates are no longer
  534 refused. If the zone has changed and the \fBixfr\-from\-differences\fP
  535 option is in use, the journal file is updated to reflect
  536 changes in the zone. Otherwise, if the zone has changed, any existing
  537 journal file is removed.
  538 .sp
  539 See also \fBrndc freeze\fP\&.
  540 .TP
  541 .B \fBtrace\fP
  542 This command increments the server\(aqs debugging level by one.
  543 .TP
  544 .B \fBtrace\fP \fIlevel\fP
  545 This command sets the server\(aqs debugging level to an explicit value.
  546 .sp
  547 See also \fBrndc notrace\fP\&.
  548 .TP
  549 .B \fBtsig\-delete\fP \fIkeyname\fP [\fIview\fP]
  550 This command deletes a given TKEY\-negotiated key from the server. This does not
  551 apply to statically configured TSIG keys.
  552 .TP
  553 .B \fBtsig\-list\fP
  554 This command lists the names of all TSIG keys currently configured for use by
  555 \fBnamed\fP in each view. The list includes both statically configured keys and
  556 dynamic TKEY\-negotiated keys.
  557 .TP
  558 \fBvalidation\fP (\fBon\fP | \fBoff\fP | \fBstatus\fP) [\fIview\fP ...]
  559 This command enables, disables, or checks the current status of DNSSEC validation. By
  560 default, validation is enabled.
  561 .sp
  562 The cache is flushed when validation is turned on or off to avoid using data
  563 that might differ between states.
  564 .TP
  565 .B \fBzonestatus\fP \fIzone\fP [\fIclass\fP [\fIview\fP]]
  566 This command displays the current status of the given zone, including the master
  567 file name and any include files from which it was loaded, when it was
  568 most recently loaded, the current serial number, the number of nodes,
  569 whether the zone supports dynamic updates, whether the zone is DNSSEC
  570 signed, whether it uses automatic DNSSEC key management or inline
  571 signing, and the scheduled refresh or expiry times for the zone.
  572 .sp
  573 See also \fBrndc showzone\fP\&.
  574 .UNINDENT
  575 .sp
  576 \fBrndc\fP commands that specify zone names, such as \fBreload\fP,
  577 \fBretransfer\fP, or \fBzonestatus\fP, can be ambiguous when applied to zones
  578 of type \fBredirect\fP\&. Redirect zones are always called \fB\&.\fP, and can be
  579 confused with zones of type \fBhint\fP or with secondary copies of the root
  580 zone. To specify a redirect zone, use the special zone name
  581 \fB\-redirect\fP, without a trailing period. (With a trailing period, this
  582 would specify a zone called "\-redirect".)
  583 .SH LIMITATIONS
  584 .sp
  585 There is currently no way to provide the shared secret for a \fBkey_id\fP
  586 without using the configuration file.
  587 .sp
  588 Several error messages could be clearer.
  589 .SH SEE ALSO
  590 .sp
  591 \fBrndc.conf(5)\fP, \fBrndc\-confgen(8)\fP,
  592 \fBnamed(8)\fP, \fBnamed.conf(5)\fP, \fBndc(8)\fP, BIND 9 Administrator
  593 Reference Manual.
  594 .SH AUTHOR
  595 Internet Systems Consortium
  596 .SH COPYRIGHT
  597 2020, Internet Systems Consortium
  598 .\" Generated by docutils manpage writer.
  599 .