diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:59:48 +0000 |
commit | 3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch) | |
tree | 2e1c188dd7b8d7475cd163de9ae02c428343669b /doc/man/rndc.8in | |
parent | Initial commit. (diff) | |
download | bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip |
Adding upstream version 1:9.18.19.upstream/1%9.18.19
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/man/rndc.8in')
-rw-r--r-- | doc/man/rndc.8in | 727 |
1 files changed, 727 insertions, 0 deletions
diff --git a/doc/man/rndc.8in b/doc/man/rndc.8in new file mode 100644 index 0000000..7361778 --- /dev/null +++ b/doc/man/rndc.8in @@ -0,0 +1,727 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "RNDC" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" +.SH NAME +rndc \- name server control utility +.SH SYNOPSIS +.sp +\fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP server_key] [[\fB\-4\fP] | [\fB\-6\fP]] {command} +.SH DESCRIPTION +.sp +\fBrndc\fP controls the operation of a name server. If \fBrndc\fP is +invoked with no command line options or arguments, it prints a short +summary of the supported commands and the available options and their +arguments. +.sp +\fBrndc\fP communicates with the name server over a TCP connection, +sending commands authenticated with digital signatures. In the current +versions of \fBrndc\fP and \fI\%named\fP, the only supported authentication +algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, +HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared +secret on each end of the connection, which provides TSIG\-style +authentication for the command request and the name server\(aqs response. +All commands sent over the channel must be signed by a server_key known to +the server. +.sp +\fBrndc\fP reads a configuration file to determine how to contact the name +server and decide what algorithm and key it should use. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-4 +This option indicates use of IPv4 only. +.UNINDENT +.INDENT 0.0 +.TP +.B \-6 +This option indicates use of IPv6 only. +.UNINDENT +.INDENT 0.0 +.TP +.B \-b source\-address +This option indicates \fBsource\-address\fP as the source address for the connection to the +server. Multiple instances are permitted, to allow setting of both the +IPv4 and IPv6 source addresses. +.UNINDENT +.INDENT 0.0 +.TP +.B \-c config\-file +This option indicates \fBconfig\-file\fP as the configuration file instead of the default, +\fB@sysconfdir@/rndc.conf\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-k key\-file +This option indicates \fBkey\-file\fP as the key file instead of the default, +\fB@sysconfdir@/rndc.key\fP\&. The key in \fB@sysconfdir@/rndc.key\fP is used to +authenticate commands sent to the server if the config\-file does not +exist. +.UNINDENT +.INDENT 0.0 +.TP +.B \-s server +\fBserver\fP is the name or address of the server which matches a server +statement in the configuration file for \fBrndc\fP\&. If no server is +supplied on the command line, the host named by the default\-server +clause in the options statement of the \fBrndc\fP configuration file +is used. +.UNINDENT +.INDENT 0.0 +.TP +.B \-p port +This option instructs BIND 9 to send commands to TCP port \fBport\fP instead of its default control +channel port, 953. +.UNINDENT +.INDENT 0.0 +.TP +.B \-q +This option sets quiet mode, where message text returned by the server is not printed +unless there is an error. +.UNINDENT +.INDENT 0.0 +.TP +.B \-r +This option instructs \fBrndc\fP to print the result code returned by \fI\%named\fP +after executing the requested command (e.g., ISC_R_SUCCESS, +ISC_R_FAILURE, etc.). +.UNINDENT +.INDENT 0.0 +.TP +.B \-V +This option enables verbose logging. +.UNINDENT +.INDENT 0.0 +.TP +.B \-y server_key +This option indicates use of the key \fBserver_key\fP from the configuration file. For control message validation to succeed, \fBserver_key\fP must be known +by \fI\%named\fP with the same algorithm and secret string. If no \fBserver_key\fP is specified, +\fBrndc\fP first looks for a key clause in the server statement of +the server being used, or if no server statement is present for that +host, then in the default\-key clause of the options statement. Note that +the configuration file contains shared secrets which are used to send +authenticated control commands to name servers, and should therefore +not have general read or write access. +.UNINDENT +.SH COMMANDS +.sp +A list of commands supported by \fBrndc\fP can be seen by running \fBrndc\fP +without arguments. +.sp +Currently supported commands are: +.INDENT 0.0 +.TP +.B addzone zone [class [view]] configuration +This command adds a zone while the server is running. This command requires the +\fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The configuration +string specified on the command line is the zone configuration text +that would ordinarily be placed in \fI\%named.conf\fP\&. +.sp +The configuration is saved in a file called \fBviewname.nzf\fP (or, if +\fI\%named\fP is compiled with liblmdb, an LMDB database file called +\fBviewname.nzd\fP). \fBviewname\fP is the name of the view, unless the view +name contains characters that are incompatible with use as a file +name, in which case a cryptographic hash of the view name is used +instead. When \fI\%named\fP is restarted, the file is loaded into +the view configuration so that zones that were added can persist +after a restart. +.sp +This sample \fBaddzone\fP command adds the zone \fBexample.com\fP to +the default view: +.sp +\fBrndc addzone example.com \(aq{ type primary; file \(dqexample.com.db\(dq; };\(aq\fP +.sp +(Note the brackets around and semi\-colon after the zone configuration +text.) +.sp +See also \fI\%rndc delzone\fP and \fI\%rndc modzone\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B delzone [\-clean] zone [class [view]] +This command deletes a zone while the server is running. +.sp +If the \fB\-clean\fP argument is specified, the zone\(aqs master file (and +journal file, if any) are deleted along with the zone. Without +the \fB\-clean\fP option, zone files must be deleted manually. (If the +zone is of type \fBsecondary\fP or \fBstub\fP, the files needing to be removed +are reported in the output of the \fBrndc delzone\fP command.) +.sp +If the zone was originally added via \fBrndc addzone\fP, then it is +removed permanently. However, if it was originally configured in +\fI\%named.conf\fP, then that original configuration remains in place; +when the server is restarted or reconfigured, the zone is +recreated. To remove it permanently, it must also be removed from +\fI\%named.conf\fP\&. +.sp +See also \fI\%rndc addzone\fP and \fI\%rndc modzone\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B dnssec (\-status | \-rollover \-key id [\-alg algorithm] [\-when time] | \-checkds [\-key id [\-alg algorithm]] [\-when time] published | withdrawn)) zone [class [view]] +This command allows you to interact with the \(dqdnssec\-policy\(dq of a given +zone. +.sp +\fBrndc dnssec \-status\fP show the DNSSEC signing state for the specified +zone. +.sp +\fBrndc dnssec \-rollover\fP allows you to schedule key rollover for a +specific key (overriding the original key lifetime). +.sp +\fBrndc dnssec \-checkds\fP informs \fI\%named\fP that the DS for +a specified zone\(aqs key\-signing key has been confirmed to be published +in, or withdrawn from, the parent zone. This is required in order to +complete a KSK rollover. The \fB\-key id\fP and \fB\-alg algorithm\fP arguments +can be used to specify a particular KSK, if necessary; if there is only +one key acting as a KSK for the zone, these arguments can be omitted. +The time of publication or withdrawal for the DS is set to the current +time by default, but can be overridden to a specific time with the +argument \fB\-when time\fP, where \fBtime\fP is expressed in YYYYMMDDHHMMSS +notation. +.UNINDENT +.INDENT 0.0 +.TP +.B dnstap (\-reopen | \-roll [number]) +This command closes and re\-opens DNSTAP output files. +.sp +\fBrndc dnstap \-reopen\fP allows +the output file to be renamed externally, so that \fI\%named\fP can +truncate and re\-open it. +.sp +\fBrndc dnstap \-roll\fP causes the output file +to be rolled automatically, similar to log files. The most recent +output file has \(dq.0\(dq appended to its name; the previous most recent +output file is moved to \(dq.1\(dq, and so on. If \fBnumber\fP is specified, then +the number of backup log files is limited to that number. +.UNINDENT +.INDENT 0.0 +.TP +.B dumpdb [\-all | \-cache | \-zones | \-adb | \-bad | \-expired | \-fail] [view ...] +This command dumps the server\(aqs caches (default) and/or zones to the dump file for +the specified views. If no view is specified, all views are dumped. +(See the \fBdump\-file\fP option in the BIND 9 Administrator Reference +Manual.) +.UNINDENT +.INDENT 0.0 +.TP +.B flush +This command flushes the server\(aqs cache. +.UNINDENT +.INDENT 0.0 +.TP +.B flushname name [view] +This command flushes the given name from the view\(aqs DNS cache and, if applicable, +from the view\(aqs nameserver address database, bad server cache, and +SERVFAIL cache. +.UNINDENT +.INDENT 0.0 +.TP +.B flushtree name [view] +This command flushes the given name, and all of its subdomains, from the view\(aqs +DNS cache, address database, bad server cache, and SERVFAIL cache. +.UNINDENT +.INDENT 0.0 +.TP +.B freeze [zone [class [view]]] +This command suspends updates to a dynamic zone. If no zone is specified, then all +zones are suspended. This allows manual edits to be made to a zone +normally updated by dynamic update, and causes changes in the +journal file to be synced into the master file. All dynamic update +attempts are refused while the zone is frozen. +.sp +See also \fI\%rndc thaw\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B halt [\-p] +This command stops the server immediately. Recent changes made through dynamic +update or IXFR are not saved to the master files, but are rolled +forward from the journal files when the server is restarted. If +\fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned. This allows +an external process to determine when \fI\%named\fP has completed +halting. +.sp +See also \fI\%rndc stop\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B loadkeys [zone [class [view]]] +This command fetches all DNSSEC keys for the given zone from the key directory. If +they are within their publication period, they are merged into the +zone\(aqs DNSKEY RRset. Unlike \fI\%rndc sign\fP, however, the zone is not +immediately re\-signed by the new keys, but is allowed to +incrementally re\-sign over time. +.sp +This command requires that the zone be configured with a \fBdnssec\-policy\fP, or +that the \fBauto\-dnssec\fP zone option be set to \fBmaintain\fP, and also requires the +zone to be configured to allow dynamic DNS. (See \(dqDynamic Update Policies\(dq in +the Administrator Reference Manual for more details.) +.UNINDENT +.INDENT 0.0 +.TP +.B managed\-keys (status | refresh | sync | destroy) [class [view]] +This command inspects and controls the \(dqmanaged\-keys\(dq database which handles +\fI\%RFC 5011\fP DNSSEC trust anchor maintenance. If a view is specified, these +commands are applied to that view; otherwise, they are applied to all +views. +.INDENT 7.0 +.IP \(bu 2 +When run with the \fBstatus\fP keyword, this prints the current status of +the managed\-keys database. +.IP \(bu 2 +When run with the \fBrefresh\fP keyword, this forces an immediate refresh +query to be sent for all the managed keys, updating the +managed\-keys database if any new keys are found, without waiting +the normal refresh interval. +.IP \(bu 2 +When run with the \fBsync\fP keyword, this forces an immediate dump of +the managed\-keys database to disk (in the file +\fBmanaged\-keys.bind\fP or (\fBviewname.mkeys\fP). This synchronizes +the database with its journal file, so that the database\(aqs current +contents can be inspected visually. +.IP \(bu 2 +When run with the \fBdestroy\fP keyword, the managed\-keys database +is shut down and deleted, and all key maintenance is terminated. +This command should be used only with extreme caution. +.sp +Existing keys that are already trusted are not deleted from +memory; DNSSEC validation can continue after this command is used. +However, key maintenance operations cease until \fI\%named\fP is +restarted or reconfigured, and all existing key maintenance states +are deleted. +.sp +Running \fI\%rndc reconfig\fP or restarting \fI\%named\fP immediately +after this command causes key maintenance to be reinitialized +from scratch, just as if the server were being started for the +first time. This is primarily intended for testing, but it may +also be used, for example, to jumpstart the acquisition of new +keys in the event of a trust anchor rollover, or as a brute\-force +repair for key maintenance problems. +.UNINDENT +.UNINDENT +.INDENT 0.0 +.TP +.B modzone zone [class [view]] configuration +This command modifies the configuration of a zone while the server is running. This +command requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&. +As with \fBaddzone\fP, the configuration string specified on the +command line is the zone configuration text that would ordinarily be +placed in \fI\%named.conf\fP\&. +.sp +If the zone was originally added via \fI\%rndc addzone\fP, the +configuration changes are recorded permanently and are still +in effect after the server is restarted or reconfigured. However, if +it was originally configured in \fI\%named.conf\fP, then that original +configuration remains in place; when the server is restarted or +reconfigured, the zone reverts to its original configuration. To +make the changes permanent, it must also be modified in +\fI\%named.conf\fP\&. +.sp +See also \fI\%rndc addzone\fP and \fI\%rndc delzone\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B notify zone [class [view]] +This command resends NOTIFY messages for the zone. +.UNINDENT +.INDENT 0.0 +.TP +.B notrace +This command sets the server\(aqs debugging level to 0. +.sp +See also \fI\%rndc trace\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B nta [(\-class class | \-dump | \-force | \-remove | \-lifetime duration)] domain [view] +This command sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a +lifetime of \fBduration\fP\&. The default lifetime is configured in +\fI\%named.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one +hour. The lifetime cannot exceed one week. +.sp +A negative trust anchor selectively disables DNSSEC validation for +zones that are known to be failing because of misconfiguration rather +than an attack. When data to be validated is at or below an active +NTA (and above any other configured trust anchors), \fI\%named\fP +aborts the DNSSEC validation process and treats the data as insecure +rather than bogus. This continues until the NTA\(aqs lifetime has +elapsed. +.sp +NTAs persist across restarts of the \fI\%named\fP server. The NTAs for a +view are saved in a file called \fBname.nta\fP, where \fBname\fP is the name +of the view; if it contains characters that are incompatible with +use as a file name, a cryptographic hash is generated from the name of +the view. +.sp +An existing NTA can be removed by using the \fB\-remove\fP option. +.sp +An NTA\(aqs lifetime can be specified with the \fB\-lifetime\fP option. +TTL\-style suffixes can be used to specify the lifetime in seconds, +minutes, or hours. If the specified NTA already exists, its lifetime +is updated to the new value. Setting \fBlifetime\fP to zero is +equivalent to \fB\-remove\fP\&. +.sp +If \fB\-dump\fP is used, any other arguments are ignored and a list +of existing NTAs is printed. Note that this may include NTAs that are +expired but have not yet been cleaned up. +.sp +Normally, \fI\%named\fP periodically tests to see whether data below +an NTA can now be validated (see the \fBnta\-recheck\fP option in the +Administrator Reference Manual for details). If data can be +validated, then the NTA is regarded as no longer necessary and is +allowed to expire early. The \fB\-force\fP parameter overrides this behavior +and forces an NTA to persist for its entire lifetime, regardless of +whether data could be validated if the NTA were not present. +.sp +The view class can be specified with \fB\-class\fP\&. The default is class +\fBIN\fP, which is the only class for which DNSSEC is currently +supported. +.sp +All of these options can be shortened, i.e., to \fB\-l\fP, \fB\-r\fP, +\fB\-d\fP, \fB\-f\fP, and \fB\-c\fP\&. +.sp +Unrecognized options are treated as errors. To refer to a domain or +view name that begins with a hyphen, use a double\-hyphen (\-\-) on the +command line to indicate the end of options. +.UNINDENT +.INDENT 0.0 +.TP +.B querylog [(on | off)] +This command enables or disables query logging. For backward compatibility, this +command can also be used without an argument to toggle query logging +on and off. +.sp +Query logging can also be enabled by explicitly directing the +\fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section +of \fI\%named.conf\fP, or by specifying \fBquerylog yes;\fP in the +\fBoptions\fP section of \fI\%named.conf\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B reconfig +This command reloads the configuration file and loads new zones, but does not reload +existing zone files even if they have changed. This is faster than a +full \fI\%rndc reload\fP when there is a large number of zones, because it +avoids the need to examine the modification times of the zone files. +.UNINDENT +.INDENT 0.0 +.TP +.B recursing +This command dumps the list of queries \fI\%named\fP is currently +recursing on, and the list of domains to which iterative queries +are currently being sent. +.sp +The first list includes all unique clients that are waiting for +recursion to complete, including the query that is awaiting a +response and the timestamp (seconds since the Unix epoch) of +when named started processing this client query. +.sp +The second list comprises of domains for which there are active +(or recently active) fetches in progress. It reports the number +of active fetches for each domain and the number of queries that +have been passed (allowed) or dropped (spilled) as a result of +the \fBfetches\-per\-zone\fP limit. (Note: these counters are not +cumulative over time; whenever the number of active fetches for +a domain drops to zero, the counter for that domain is deleted, +and the next time a fetch is sent to that domain, it is recreated +with the counters set to zero). +.UNINDENT +.INDENT 0.0 +.TP +.B refresh zone [class [view]] +This command schedules zone maintenance for the given zone. +.UNINDENT +.INDENT 0.0 +.TP +.B reload +This command reloads the configuration file and zones. +.INDENT 7.0 +.TP +.B zone [class [view]] +.UNINDENT +.sp +If a zone is specified, this command reloads only the given zone. +.UNINDENT +.INDENT 0.0 +.TP +.B retransfer zone [class [view]] +This command retransfers the given secondary zone from the primary server. +.sp +If the zone is configured to use \fBinline\-signing\fP, the signed +version of the zone is discarded; after the retransfer of the +unsigned version is complete, the signed version is regenerated +with new signatures. +.UNINDENT +.INDENT 0.0 +.TP +.B scan +This command scans the list of available network interfaces for changes, without +performing a full \fI\%rndc reconfig\fP or waiting for the +\fBinterface\-interval\fP timer. +.UNINDENT +.INDENT 0.0 +.TP +.B secroots [\-] [view ...] +This command dumps the security roots (i.e., trust anchors configured via +\fBtrust\-anchors\fP, or the \fBmanaged\-keys\fP or \fBtrusted\-keys\fP statements +[both deprecated], or \fBdnssec\-validation auto\fP) and negative trust anchors +for the specified views. If no view is specified, all views are +dumped. Security roots indicate whether they are configured as trusted +keys, managed keys, or initializing managed keys (managed keys that have not +yet been updated by a successful key refresh query). +.sp +If the first argument is \fB\-\fP, then the output is returned via the +\fBrndc\fP response channel and printed to the standard output. +Otherwise, it is written to the secroots dump file, which defaults to +\fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP +option in \fI\%named.conf\fP\&. +.sp +See also \fI\%rndc managed\-keys\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B serve\-stale (on | off | reset | status) [class [view]] +This command enables, disables, resets, or reports the current status of +the serving of stale answers as configured in \fI\%named.conf\fP\&. +.sp +If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP, then it +remains disabled even if \fI\%named\fP is reloaded or reconfigured. \fBrndc +serve\-stale reset\fP restores the setting as configured in \fI\%named.conf\fP\&. +.sp +\fBrndc serve\-stale status\fP reports whether caching and serving of stale +answers is currently enabled or disabled. It also reports the values of +\fBstale\-answer\-ttl\fP and \fBmax\-stale\-ttl\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B showzone zone [class [view]] +This command prints the configuration of a running zone. +.sp +See also \fI\%rndc zonestatus\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B sign zone [class [view]] +This command fetches all DNSSEC keys for the given zone from the key directory (see +the \fBkey\-directory\fP option in the BIND 9 Administrator Reference +Manual). If they are within their publication period, they are merged into +the zone\(aqs DNSKEY RRset. If the DNSKEY RRset is changed, then the +zone is automatically re\-signed with the new key set. +.sp +This command requires that the zone be configured with a \fBdnssec\-policy\fP, or +that the \fBauto\-dnssec\fP zone option be set to \fBallow\fP or \fBmaintain\fP, +and also requires the zone to be configured to allow dynamic DNS. (See +\(dqDynamic Update Policies\(dq in the BIND 9 Administrator Reference Manual for more +details.) +.sp +See also \fI\%rndc loadkeys\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B signing [(\-list | \-clear keyid/algorithm | \-clear all | \-nsec3param (parameters | none) | \-serial value) zone [class [view]] +This command lists, edits, or removes the DNSSEC signing\-state records for the +specified zone. The status of ongoing DNSSEC operations, such as +signing or generating NSEC3 chains, is stored in the zone in the form +of DNS resource records of type \fBsig\-signing\-type\fP\&. +\fBrndc signing \-list\fP converts these records into a human\-readable +form, indicating which keys are currently signing or have finished +signing the zone, and which NSEC3 chains are being created or +removed. +.sp +\fBrndc signing \-clear\fP can remove a single key (specified in the +same format that \fBrndc signing \-list\fP uses to display it), or all +keys. In either case, only completed keys are removed; any record +indicating that a key has not yet finished signing the zone is +retained. +.sp +\fBrndc signing \-nsec3param\fP sets the NSEC3 parameters for a zone. +This is the only supported mechanism for using NSEC3 with +\fBinline\-signing\fP zones. Parameters are specified in the same format +as an NSEC3PARAM resource record: \fBhash algorithm\fP, \fBflags\fP, \fBiterations\fP, +and \fBsalt\fP, in that order. +.sp +Currently, the only defined value for \fBhash algorithm\fP is \fB1\fP, +representing SHA\-1. The \fBflags\fP may be set to \fB0\fP or \fB1\fP, +depending on whether the opt\-out bit in the NSEC3 +chain should be set. \fBiterations\fP defines the number of additional times to apply +the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string +of data expressed in hexadecimal, a hyphen (\fB\-\fP) if no salt is to be +used, or the keyword \fBauto\fP, which causes \fI\%named\fP to generate a +random 64\-bit salt. +.sp +The only recommended configuration is \fBrndc signing \-nsec3param 1 0 0 \- zone\fP, +i.e. no salt, no additional iterations, no opt\-out. +.sp +\fBWARNING:\fP +.INDENT 7.0 +.INDENT 3.5 +Do not use extra iterations, salt, or opt\-out unless all their implications +are fully understood. A higher number of iterations causes interoperability +problems and opens servers to CPU\-exhausting DoS attacks. +.UNINDENT +.UNINDENT +.sp +\fBrndc signing \-nsec3param none\fP removes an existing NSEC3 chain and +replaces it with NSEC. +.sp +\fBrndc signing \-serial value\fP sets the serial number of the zone to +\fBvalue\fP\&. If the value would cause the serial number to go backwards, it +is rejected. The primary use of this parameter is to set the serial number on inline +signed zones. +.UNINDENT +.INDENT 0.0 +.TP +.B stats +This command writes server statistics to the statistics file. (See the +\fBstatistics\-file\fP option in the BIND 9 Administrator Reference +Manual.) +.UNINDENT +.INDENT 0.0 +.TP +.B status +This command displays the status of the server. Note that the number of zones includes +the internal \fBbind/CH\fP zone and the default \fB\&./IN\fP hint zone, if +there is no explicit root zone configured. +.UNINDENT +.INDENT 0.0 +.TP +.B stop \-p +This command stops the server, making sure any recent changes made through dynamic +update or IXFR are first saved to the master files of the updated +zones. If \fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned. +This allows an external process to determine when \fI\%named\fP has +completed stopping. +.sp +See also \fI\%rndc halt\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B sync \-clean [zone [class [view]]] +This command syncs changes in the journal file for a dynamic zone to the master +file. If the \(dq\-clean\(dq option is specified, the journal file is also +removed. If no zone is specified, then all zones are synced. +.UNINDENT +.INDENT 0.0 +.TP +.B tcp\-timeouts [initial idle keepalive advertised] +When called without arguments, this command displays the current values of the +\fBtcp\-initial\-timeout\fP, \fBtcp\-idle\-timeout\fP, +\fBtcp\-keepalive\-timeout\fP, and \fBtcp\-advertised\-timeout\fP options. +When called with arguments, these values are updated. This allows an +administrator to make rapid adjustments when under a +denial\-of\-service (DoS) attack. See the descriptions of these options in the BIND 9 +Administrator Reference Manual for details of their use. +.UNINDENT +.INDENT 0.0 +.TP +.B thaw [zone [class [view]]] +This command enables updates to a frozen dynamic zone. If no zone is specified, +then all frozen zones are enabled. This causes the server to reload +the zone from disk, and re\-enables dynamic updates after the load has +completed. After a zone is thawed, dynamic updates are no longer +refused. If the zone has changed and the \fBixfr\-from\-differences\fP +option is in use, the journal file is updated to reflect +changes in the zone. Otherwise, if the zone has changed, any existing +journal file is removed. +.sp +See also \fI\%rndc freeze\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B trace [level] +If no level is specified, this command increments the server\(aqs debugging +level by one. +.INDENT 7.0 +.TP +.B level +If specified, this command sets the server\(aqs debugging level to the +provided value. +.UNINDENT +.sp +See also \fI\%rndc notrace\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B tsig\-delete keyname [view] +This command deletes a given TKEY\-negotiated key from the server. This does not +apply to statically configured TSIG keys. +.UNINDENT +.INDENT 0.0 +.TP +.B tsig\-list +This command lists the names of all TSIG keys currently configured for use by +\fI\%named\fP in each view. The list includes both statically configured keys and +dynamic TKEY\-negotiated keys. +.UNINDENT +.INDENT 0.0 +.TP +.B validation (on | off | status) [view ...] +This command enables, disables, or checks the current status of DNSSEC validation. By +default, validation is enabled. +.sp +The cache is flushed when validation is turned on or off to avoid using data +that might differ between states. +.UNINDENT +.INDENT 0.0 +.TP +.B zonestatus zone [class [view]] +This command displays the current status of the given zone, including the master +file name and any include files from which it was loaded, when it was +most recently loaded, the current serial number, the number of nodes, +whether the zone supports dynamic updates, whether the zone is DNSSEC +signed, whether it uses automatic DNSSEC key management or inline +signing, and the scheduled refresh or expiry times for the zone. +.sp +See also \fI\%rndc showzone\fP\&. +.UNINDENT +.sp +\fBrndc\fP commands that specify zone names, such as \fI\%reload\fP +\fI\%retransfer\fP, or \fI\%zonestatus\fP, can be ambiguous when applied to zones +of type \fBredirect\fP\&. Redirect zones are always called \fB\&.\fP, and can be +confused with zones of type \fBhint\fP or with secondary copies of the root +zone. To specify a redirect zone, use the special zone name +\fB\-redirect\fP, without a trailing period. (With a trailing period, this +would specify a zone called \(dq\-redirect\(dq.) +.SH LIMITATIONS +.sp +There is currently no way to provide the shared secret for a \fBserver_key\fP +without using the configuration file. +.sp +Several error messages could be clearer. +.SH SEE ALSO +.sp +\fI\%rndc.conf(5)\fP, \fI\%rndc\-confgen(8)\fP, +\fI\%named(8)\fP, \fI\%named.conf(5)\fP, BIND 9 Administrator +Reference Manual. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |