<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<refentry id="man.rndc">
  <refentryinfo>
    <date>August 15, 2014</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>rndc</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>rndc</application></refname>
    <refpurpose>name server control utility</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2007</year>
      <year>2013</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
    <copyright>
      <year>2000</year>
      <year>2001</year>
      <holder>Internet Software Consortium.</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>rndc</command>
      <arg><option>-b <replaceable class="parameter">source-address</replaceable></option></arg>
      <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
      <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
      <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
      <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
      <arg><option>-q</option></arg>
      <arg><option>-V</option></arg>
      <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
      <arg choice="req">command</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>rndc</command>
      controls the operation of a name
      server. It supersedes the <command>ndc</command> utility
      that was provided in old BIND releases. If
      <command>rndc</command> is invoked with no command line
      options or arguments, it prints a short summary of the
      supported commands and the available options and their
      arguments.
    </para>
    <para><command>rndc</command>
      communicates with the name server over a TCP connection, sending
      commands authenticated with digital signatures. In the current
      versions of
      <command>rndc</command> and <command>named</command>,
      the only supported authentication algorithms are HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512.
      They use a shared secret on each end of the connection.
      This provides TSIG-style authentication for the command
      request and the name server's response. All commands sent
      over the channel must be signed by a key_id known to the
      server.
    </para>
    <para><command>rndc</command>
      reads a configuration file to
      determine how to contact the name server and decide what
      algorithm and key it should use.
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-b <replaceable class="parameter">source-address</replaceable></term>
        <listitem>
          <para>
            Use <replaceable class="parameter">source-address</replaceable>
            as the source address for the connection to the server.
            Multiple instances are permitted to allow setting of both
            the IPv4 and IPv6 source addresses.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-c <replaceable class="parameter">config-file</replaceable></term>
        <listitem>
          <para>
            Use <replaceable class="parameter">config-file</replaceable>
            as the configuration file instead of the default,
            <filename>/etc/rndc.conf</filename>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-k <replaceable class="parameter">key-file</replaceable></term>
        <listitem>
          <para>
            Use <replaceable class="parameter">key-file</replaceable>
            as the key file instead of the default,
            <filename>/etc/rndc.key</filename>. The key in
            <filename>/etc/rndc.key</filename> will be used to
            authenticate commands sent to the server if the
            <replaceable class="parameter">config-file</replaceable>
            does not exist.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-s <replaceable class="parameter">server</replaceable></term>
        <listitem>
          <para><replaceable class="parameter">server</replaceable> is
            the name or address of the server which matches a
            server statement in the configuration file for
            <command>rndc</command>. If no server is supplied on the
            command line, the host named by the default-server clause
            in the options statement of the <command>rndc</command>
            configuration file will be used.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-p <replaceable class="parameter">port</replaceable></term>
        <listitem>
          <para>
            Send commands to TCP port
            <replaceable class="parameter">port</replaceable>
            instead of BIND 9's default control channel port, 953.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-q</term>
        <listitem>
          <para>
            Quiet mode: Message text returned by the server
            will not be printed except when there is an error.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-V</term>
        <listitem>
          <para>
            Enable verbose logging.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-y <replaceable class="parameter">key_id</replaceable></term>
        <listitem>
          <para>
            Use the key <replaceable class="parameter">key_id</replaceable>
            from the configuration file.
            <replaceable class="parameter">key_id</replaceable>
            must be known by named with the same algorithm and secret string
            in order for control message validation to succeed.
            If no <replaceable class="parameter">key_id</replaceable>
            is specified, <command>rndc</command> will first look
            for a key clause in the server statement of the server
            being used, or if no server statement is present for that
            host, then the default-key clause of the options statement.
            Note that the configuration file contains shared secrets
            which are used to send authenticated control commands
            to name servers. It should therefore not have general read
            or write access.
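            As an added illustration (not part of the rndc manual or of BIND's own
            tooling), the following POSIX shell script audits a key or configuration
            file before it is used with -c, -k or -y: it reports a file whose group
            or other permission bits are not zero, and it flags any key clause whose
            algorithm is hmac-md5, which the DESCRIPTION section lists only for
            compatibility. It assumes the key-clause syntax of rndc.conf(5) and a
            GNU or BSD stat utility; the sample file shown in the comments is
            constructed for the example.

```shell
#!/bin/sh
# Added example (not ISC code): audit an rndc key/config file before using
# it with -c, -k or -y.  Two checks drawn from the manual text:
#   1. the file holds a shared secret, so group and other must have no
#      read or write access;
#   2. HMAC-MD5 is accepted only for compatibility, so any key clause
#      using hmac-md5 is flagged.
# Assumed key-clause syntax (rndc.conf(5)), constructed sample:
#   key "rndc-key" {
#       algorithm hmac-sha256;
#       secret "c2VjcmV0";
#   };

# Print the octal permission bits of a file (GNU stat first, BSD stat
# as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# check_rndc_key FILE
# Prints one line per finding (PERMS:, WEAKALG:, MISSING:).
# Returns 0 when the file is clean, 1 on findings, 2 if it is missing.
check_rndc_key() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi

    mode=$(file_mode "$f")
    # Keep only the group and other digits (last two of the octal mode);
    # anything other than "00" means someone besides the owner can read
    # or write the shared secret.
    go=$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')
    if [ "$go" != "00" ]; then
        echo "PERMS: $f is mode $mode; group and other must have no access"
        rc=1
    fi

    # Walk the key clauses; remember the current key name and report
    # every clause whose algorithm is hmac-md5.  awk exits 1 when at
    # least one weak key was seen.
    awk '
        /^[[:space:]]*key[[:space:]]/ { keyname = $2; gsub(/"/, "", keyname) }
        tolower($0) ~ /algorithm[[:space:]]+hmac-md5/ {
            print "WEAKALG: key " keyname " uses hmac-md5; prefer hmac-sha256"
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$f" || rc=1

    return $rc
}
```

            Run it as check_rndc_key /etc/rndc.key (or on the file you pass to -c
            or -k); a non-zero exit status means at least one finding was printed.
            The permission check is deliberately strict: if you intentionally share
            the key file with a dedicated group, relax the "00" comparison to
            tolerate a group-read bit.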
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>COMMANDS</title>
    <para>
      A list of commands supported by <command>rndc</command> can
      be seen by running <command>rndc</command> without arguments.
    </para>
    <para>
      Currently supported commands are:
    </para>

    <variablelist>
      <varlistentry>
        <term><userinput>reload</userinput></term>
        <listitem>
          <para>
            Reload configuration file and zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>reload <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Reload the given zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>refresh <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Schedule zone maintenance for the given zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>retransfer <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Retransfer the given slave zone from the master server.
          </para>
          <para>
            If the zone is configured to use
            <command>inline-signing</command>, the signed
            version of the zone is discarded; after the
            retransfer of the unsigned version is complete, the
            signed version will be regenerated with all new
            signatures.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>sign <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Fetch all DNSSEC keys for the given zone
            from the key directory (see the
            <command>key-directory</command> option in
            the BIND 9 Administrator Reference Manual). If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset. If the DNSKEY RRset
            is changed, then the zone is automatically
            re-signed with the new key set.
          </para>
          <para>
            This command requires that the
            <command>auto-dnssec</command> zone option be set
            to <literal>allow</literal> or
            <literal>maintain</literal>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>loadkeys <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Fetch all DNSSEC keys for the given zone
            from the key directory. If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset. Unlike <command>rndc
            sign</command>, however, the zone is not
            immediately re-signed by the new keys, but is
            allowed to incrementally re-sign over time.
          </para>
          <para>
            This command requires that the
            <command>auto-dnssec</command> zone option
            be set to <literal>maintain</literal>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>freeze <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
        <listitem>
          <para>
            Suspend updates to a dynamic zone. If no zone is
            specified, then all zones are suspended. This allows
            manual edits to be made to a zone normally updated by
            dynamic update. It also causes changes in the
            journal file to be synced into the master file.
            All dynamic update attempts will be refused while
            the zone is frozen.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>thaw <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
        <listitem>
          <para>
            Enable updates to a frozen dynamic zone. If no
            zone is specified, then all frozen zones are
            enabled. This causes the server to reload the zone
            from disk, and re-enables dynamic updates after the
            load has completed. After a zone is thawed,
            dynamic updates will no longer be refused. If
            the zone has changed and the
            <command>ixfr-from-differences</command> option is
            in use, then the journal file will be updated to
            reflect changes in the zone. Otherwise, if the
            zone has changed, any existing journal file will be
            removed.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>scan</userinput></term>
        <listitem>
          <para>
            Scan the list of available network interfaces
            for changes, without performing a full
            <command>reconfig</command> or waiting for the
            <command>interface-interval</command> timer.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
        <listitem>
          <para>
            Sync changes in the journal file for a dynamic zone
            to the master file. If the "-clean" option is
            specified, the journal file is also removed. If
            no zone is specified, then all zones are synced.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>notify <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></userinput></term>
        <listitem>
          <para>
            Resend NOTIFY messages for the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>reconfig</userinput></term>
        <listitem>
          <para>
            Reload the configuration file and load new zones,
            but do not reload existing zone files even if they
            have changed.
            This is faster than a full <command>reload</command> when there
            is a large number of zones because it avoids the need
            to examine the modification times of the zone files.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>zonestatus <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
        <listitem>
          <para>
            Displays the current status of the given zone,
            including the master file name and any include
            files from which it was loaded, when it was most
            recently loaded, the current serial number, the
            number of nodes, whether the zone supports
            dynamic updates, whether the zone is DNSSEC
            signed, whether it uses automatic DNSSEC key
            management or inline signing, and the scheduled
            refresh or expiry times for the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>stats</userinput></term>
        <listitem>
          <para>
            Write server statistics to the statistics file.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>querylog</userinput> <optional>on|off</optional> </term>
        <listitem>
          <para>
            Enable or disable query logging. (For backward
            compatibility, this command can also be used without
            an argument to toggle query logging on and off.)
          </para>
          <para>
            Query logging can also be enabled
            by explicitly directing the <command>queries</command>
            <command>category</command> to a
            <command>channel</command> in the
            <command>logging</command> section of
            <filename>named.conf</filename> or by specifying
            <command>querylog yes;</command> in the
            <command>options</command> section of
            <filename>named.conf</filename>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
        <listitem>
          <para>
            Dump the server's caches (default) and/or zones to
            the dump file for the specified views. If no view is
            specified, all views are dumped.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>secroots <optional><replaceable>view ...</replaceable></optional></userinput></term>
        <listitem>
          <para>
            Dump the server's security roots to the secroots
            file for the specified views. If no view is
            specified, security roots for all
            views are dumped.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>stop <optional>-p</optional></userinput></term>
        <listitem>
          <para>
            Stop the server, making sure any recent changes
            made through dynamic update or IXFR are first saved to
            the master files of the updated zones.
            If <option>-p</option> is specified, <command>named</command>'s process id is returned.
            This allows an external process to determine when <command>named</command>
            has completed stopping.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>halt <optional>-p</optional></userinput></term>
        <listitem>
          <para>
            Stop the server immediately. Recent changes
            made through dynamic update or IXFR are not saved to
            the master files, but will be rolled forward from the
            journal files when the server is restarted.
            If <option>-p</option> is specified, <command>named</command>'s process id is returned.
            This allows an external process to determine when <command>named</command>
            has completed halting.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>trace</userinput></term>
        <listitem>
          <para>
            Increment the server's debugging level by one.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>trace <replaceable>level</replaceable></userinput></term>
        <listitem>
          <para>
            Sets the server's debugging level to an explicit
            value.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>notrace</userinput></term>
        <listitem>
          <para>
            Sets the server's debugging level to 0.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>flush</userinput></term>
        <listitem>
          <para>
            Flushes the server's cache.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>flushname</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
        <listitem>
          <para>
            Flushes the given name from the server's DNS cache
            and, if applicable, from the server's nameserver address
            database or bad-server cache.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>flushtree</userinput> <replaceable>name</replaceable> <optional><replaceable>view</replaceable></optional> </term>
        <listitem>
          <para>
            Flushes the given name, and all of its subdomains,
            from the server's DNS cache, the address database,
            and the bad server cache.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>status</userinput></term>
        <listitem>
          <para>
            Display status of the server.
            Note that the number of zones includes the internal <command>bind/CH</command> zone
            and the default <command>./IN</command>
            hint zone if there is not an
            explicit root zone configured.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>recursing</userinput></term>
        <listitem>
          <para>
            Dump the list of queries <command>named</command> is currently recursing
            on.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>validation ( on | off | check ) <optional><replaceable>view ...</replaceable></optional> </userinput></term>
        <listitem>
          <para>
            Enable, disable, or check the current status of
            DNSSEC validation.
            Note that <command>dnssec-enable</command> also needs to be
            set to <userinput>yes</userinput> or
            <userinput>auto</userinput> to be effective.
            It defaults to enabled.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>tsig-list</userinput></term>
        <listitem>
          <para>
            List the names of all TSIG keys currently configured
            for use by <command>named</command> in each view. The
            list includes both statically configured keys and dynamic
            TKEY-negotiated keys.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>tsig-delete</userinput> <replaceable>keyname</replaceable> <optional><replaceable>view</replaceable></optional></term>
        <listitem>
          <para>
            Delete a given TKEY-negotiated key from the server.
            (This does not apply to statically configured TSIG
            keys.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>addzone <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> <replaceable>configuration</replaceable> </userinput></term>
        <listitem>
          <para>
            Add a zone while the server is running. This
            command requires the
            <command>allow-new-zones</command> option to be set
            to <userinput>yes</userinput>. The
            <replaceable>configuration</replaceable> string
            specified on the command line is the zone
            configuration text that would ordinarily be
            placed in <filename>named.conf</filename>.
          </para>
          <para>
            The configuration is saved in a file called
            <filename><replaceable>hash</replaceable>.nzf</filename>,
            where <replaceable>hash</replaceable> is a
            cryptographic hash generated from the name of
            the view. When <command>named</command> is
            restarted, the file will be loaded into the view
            configuration, so that zones that were added
            can persist after a restart.
          </para>
          <para>
            This sample <command>addzone</command> command
            would add the zone <literal>example.com</literal>
            to the default view:
          </para>
          <para>
<prompt>$ </prompt><userinput>rndc addzone example.com '{ type master; file "example.com.db"; };'</userinput>
          </para>
          <para>
            (Note the braces and the trailing semicolon around the zone
            configuration text.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>delzone <optional>-clean</optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
        <listitem>
          <para>
            Delete a zone while the server is running.
            Only zones that were originally added via
            <command>rndc addzone</command> can be deleted
            in this manner.
          </para>
          <para>
            If the <option>-clean</option> option is specified,
            the zone's master file (and journal file, if any)
            will be deleted along with the zone. Without the
            <option>-clean</option> option, zone files must
            be cleaned up by hand. (If the zone is of
            type "slave" or "stub", the files needing to
            be cleaned up will be reported in the output
            of the <command>rndc delzone</command> command.)
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><userinput>signing <optional>( -list | -clear <replaceable>keyid/algorithm</replaceable> | -clear <literal>all</literal> | -nsec3param ( <replaceable>parameters</replaceable> | <literal>none</literal> ) ) </optional> <replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional> </userinput></term>
        <listitem>
          <para>
            List, edit, or remove the DNSSEC signing state records
            for the specified zone. The status of ongoing DNSSEC
            operations (such as signing or generating
            NSEC3 chains) is stored in the zone in the form
            of DNS resource records of type
            <command>sig-signing-type</command>.
            <command>rndc signing -list</command> converts
            these records into a human-readable form,
            indicating which keys are currently signing
            or have finished signing the zone, and which NSEC3
            chains are being created or removed.
          </para>
          <para>
            <command>rndc signing -clear</command> can remove
            a single key (specified in the same format that
            <command>rndc signing -list</command> uses to
            display it), or all keys. In either case, only
            completed keys are removed; any record indicating
            that a key has not yet finished signing the zone
            will be retained.
          </para>
          <para>
            <command>rndc signing -nsec3param</command> sets
            the NSEC3 parameters for a zone. This is the
            only supported mechanism for using NSEC3 with
            <command>inline-signing</command> zones.
            Parameters are specified in the same format as
            an NSEC3PARAM resource record: hash algorithm,
            flags, iterations, and salt, in that order.
          </para>
          <para>
            Currently, the only defined value for hash algorithm
            is <literal>1</literal>, representing SHA-1.
            The <option>flags</option> may be set to
            <literal>0</literal> or <literal>1</literal>,
            depending on whether you wish to set the opt-out
            bit in the NSEC3 chain. <option>iterations</option>
            defines the number of additional times to apply
            the algorithm when generating an NSEC3 hash. The
            <option>salt</option> is a string of data expressed
            in hexadecimal, a hyphen (<literal>-</literal>) if no salt is
            to be used, or the keyword <literal>auto</literal>,
            which causes <command>named</command> to generate a
            random 64-bit salt.
          </para>
          <para>
            So, for example, to create an NSEC3 chain using
            the SHA-1 hash algorithm, no opt-out flag,
            10 iterations, and a salt value of "FFFF", use:
            <command>rndc signing -nsec3param 1 0 10 FFFF <replaceable>zone</replaceable></command>.
            To set the opt-out flag, 15 iterations, and no
            salt, use:
            <command>rndc signing -nsec3param 1 1 15 - <replaceable>zone</replaceable></command>.
          </para>
          <para>
            <command>rndc signing -nsec3param none</command>
            removes an existing NSEC3 chain and replaces it
            with NSEC.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>LIMITATIONS</title>
    <para>
      There is currently no way to provide the shared secret for a
      <option>key_id</option> without using the configuration file.
    </para>
    <para>
      Several error messages could be clearer.
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
        <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->