<!--
 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Id -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc</span> — name server control utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-q</code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543432"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc</strong></span>
      controls the operation of a name
      server. It supersedes the <span><strong class="command">ndc</strong></span> utility
      that was provided in old BIND releases. If
      <span><strong class="command">rndc</strong></span> is invoked with no command line
      options or arguments, it prints a short summary of the
      supported commands and the available options and their
      arguments.
    </p>
<p><span><strong class="command">rndc</strong></span>
      communicates with the name server over a TCP connection, sending
      commands authenticated with a keyed hash (an HMAC computed over
      the message with a shared secret, not a public-key digital
      signature). In the current versions of
      <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span>,
      the only supported authentication algorithms are HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512.
      They use a shared secret on each end of the connection.
      This provides TSIG-style authentication for the command
      request and the name server's response. All commands sent
      over the channel must be signed by a key_id known to the
      server; the control channel has no other authentication, so
      whoever holds the secret can issue any command listed below.
    </p>
<p><span><strong class="command">rndc</strong></span>
      reads a configuration file to
      determine how to contact the name server and decide what
      algorithm and key it should use.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543467"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
<dd><p>
            Use <em class="replaceable"><code>source-address</code></em>
            as the source address for the connection to the server.
            Multiple instances are permitted to allow setting of both
            the IPv4 and IPv6 source addresses.
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
<dd><p>
            Use <em class="replaceable"><code>config-file</code></em>
            as the configuration file instead of the default,
            <code class="filename">/etc/rndc.conf</code>.
          </p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
<dd><p>
            Use <em class="replaceable"><code>key-file</code></em>
            as the key file instead of the default,
            <code class="filename">/etc/rndc.key</code>. The key in
            <code class="filename">/etc/rndc.key</code> will be used to
            authenticate
            commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
            does not exist.
          </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
<dd><p><em class="replaceable"><code>server</code></em> is
            the name or address of the server which matches a
            server statement in the configuration file for
            <span><strong class="command">rndc</strong></span>. If no server is supplied on the
            command line, the host named by the default-server clause
            in the options statement of the <span><strong class="command">rndc</strong></span>
            configuration file will be used.
          </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
            Send commands to TCP port
            <em class="replaceable"><code>port</code></em>
            instead
            of BIND 9's default control channel port, 953.
          </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
            Quiet mode: Message text returned by the server
            will not be printed except when there is an error.
          </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
            Enable verbose logging.
          </p></dd>
<dt><span class="term">-y <em class="replaceable"><code>key_id</code></em></span></dt>
<dd><p>
            Use the key <em class="replaceable"><code>key_id</code></em>
            from the configuration file.
            <em class="replaceable"><code>key_id</code></em>
            must be
            known by named with the same algorithm and secret string
            in order for control message validation to succeed.
            If no <em class="replaceable"><code>key_id</code></em>
            is specified, <span><strong class="command">rndc</strong></span> will first look
            for a key clause in the server statement of the server
            being used, or if no server statement is present for that
            host, then the default-key clause of the options statement.
            Note that the configuration file contains shared secrets
            which are used to send authenticated control commands
            to name servers. It should therefore not have general read
            or write access: anyone who can read it can control the
            server, and anyone who can write it can redirect
            <span><strong class="command">rndc</strong></span> to a server of their choosing.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543676"></a><h2>COMMANDS</h2>
<p>
      A list of commands supported by <span><strong class="command">rndc</strong></span> can
      be seen by running <span><strong class="command">rndc</strong></span> without arguments.
    </p>
<p>
      Currently supported commands are:
    </p>
<div class="variablelist"><dl>
<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
<dd><p>
            Reload the configuration file and zones.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Reload the given zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Schedule zone maintenance for the given zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
            Retransfer the given slave zone from the master server.
          </p>
<p>
            If the zone is configured to use
            <span><strong class="command">inline-signing</strong></span>, the signed
            version of the zone is discarded; after the
            retransfer of the unsigned version is complete, the
            signed version will be regenerated with all new
            signatures.
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>sign <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
            Fetch all DNSSEC keys for the given zone
            from the key directory (see the
            <span><strong class="command">key-directory</strong></span> option in
            the BIND 9 Administrator Reference Manual). If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset. If the DNSKEY RRset
            is changed, then the zone is automatically
            re-signed with the new key set.
          </p>
<p>
            This command requires that the
            <span><strong class="command">auto-dnssec</strong></span> zone option be set
            to <code class="literal">allow</code> or
            <code class="literal">maintain</code>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>loadkeys <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd>
<p>
            Fetch all DNSSEC keys for the given zone
            from the key directory. If they are within
            their publication period, merge them into the
            zone's DNSKEY RRset. Unlike <span><strong class="command">rndc
            sign</strong></span>, however, the zone is not
            immediately re-signed by the new keys, but is
            allowed to incrementally re-sign over time.
          </p>
<p>
            This command requires that the
            <span><strong class="command">auto-dnssec</strong></span> zone option
            be set to <code class="literal">maintain</code>,
            and also requires the zone to be configured to
            allow dynamic DNS.
            (See "Dynamic Update Policies" in the Administrator
            Reference Manual for more details.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Suspend updates to a dynamic zone. If no zone is
            specified, then all zones are suspended. This allows
            manual edits to be made to a zone normally updated by
            dynamic update. It also causes changes in the
            journal file to be synced into the master file.
            All dynamic update attempts will be refused while
            the zone is frozen.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Enable updates to a frozen dynamic zone. If no
            zone is specified, then all frozen zones are
            enabled. This causes the server to reload the zone
            from disk, and re-enables dynamic updates after the
            load has completed. After a zone is thawed,
            dynamic updates will no longer be refused. If
            the zone has changed and the
            <span><strong class="command">ixfr-from-differences</strong></span> option is
            in use, then the journal file will be updated to
            reflect changes in the zone. Otherwise, if the
            zone has changed, any existing journal file will be
            removed.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>scan</code></strong></span></dt>
<dd><p>
            Scan the list of available network interfaces
            for changes, without performing a full
            <span><strong class="command">reconfig</strong></span> or waiting for the
            <span><strong class="command">interface-interval</strong></span> timer.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>sync [<span class="optional">-clean</span>] [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Sync changes in the journal file for a dynamic zone
            to the master file. If the "-clean" option is
            specified, the journal file is also removed. If
            no zone is specified, then all zones are synced.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
<dd><p>
            Resend NOTIFY messages for the zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
<dd><p>
            Reload the configuration file and load new zones,
            but do not reload existing zone files even if they
            have changed.
            This is faster than a full <span><strong class="command">reload</strong></span> when there
            is a large number of zones because it avoids the need
            to examine the
            modification times of the zone files.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>zonestatus [<span class="optional"><em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
<dd><p>
            Displays the current status of the given zone,
            including the master file name and any include
            files from which it was loaded, when it was most
            recently loaded, the current serial number, the
            number of nodes, whether the zone supports
            dynamic updates, whether the zone is DNSSEC
            signed, whether it uses automatic DNSSEC key
            management or inline signing, and the scheduled
            refresh or expiry times for the zone.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
<dd><p>
            Write server statistics to the statistics file.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>querylog</code></strong> [<span class="optional">on|off</span>] </span></dt>
<dd>
<p>
            Enable or disable query logging. (For backward
            compatibility, this command can also be used without
            an argument to toggle query logging on and off.)
          </p>
<p>
            Query logging can also be enabled
            by explicitly directing the <span><strong class="command">queries</strong></span>
            <span><strong class="command">category</strong></span> to a
            <span><strong class="command">channel</strong></span> in the
            <span><strong class="command">logging</strong></span> section of
            <code class="filename">named.conf</code> or by specifying
            <span><strong class="command">querylog yes;</strong></span> in the
            <span><strong class="command">options</strong></span> section of
            <code class="filename">named.conf</code>.
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
            Dump the server's caches (default) and/or zones to
            the
            dump file for the specified views. If no view is
            specified, all
            views are dumped.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>secroots [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
<dd><p>
            Dump the server's security roots to the secroots
            file for the specified views. If no view is
            specified, security roots for all
            views are dumped.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
            Stop the server, making sure any recent changes
            made through dynamic update or IXFR are first saved to
            the master files of the updated zones.
            If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
            This allows an external process to determine when <span><strong class="command">named</strong></span>
            has completed stopping.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
<dd><p>
            Stop the server immediately. Recent changes
            made through dynamic update or IXFR are not saved to
            the master files, but will be rolled forward from the
            journal files when the server is restarted.
            If <code class="option">-p</code> is specified, <span><strong class="command">named</strong></span>'s process id is returned.
            This allows an external process to determine when <span><strong class="command">named</strong></span>
            has completed halting.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
<dd><p>
            Increment the server's debugging level by one.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
<dd><p>
            Sets the server's debugging level to an explicit
            value.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
<dd><p>
            Sets the server's debugging level to 0.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
<dd><p>
            Flushes the server's cache.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
            Flushes the given name from the server's DNS cache
            and, if applicable, from the server's nameserver address
            database or bad-server cache.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>flushtree</code></strong> <em class="replaceable"><code>name</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>] </span></dt>
<dd><p>
            Flushes the given name, and all of its subdomains,
            from the server's DNS cache, the address database,
            and the bad server cache.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
<dd><p>
            Display status of the server.
            Note that the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
            and the default <span><strong class="command">./IN</strong></span>
            hint zone if there is not an
            explicit root zone configured.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
            Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
            on.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>validation ( on | off | check ) [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>] </code></strong></span></dt>
<dd><p>
            Enable, disable, or check the current status of
            DNSSEC validation.
            Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
            set to <strong class="userinput"><code>yes</code></strong> or
            <strong class="userinput"><code>auto</code></strong> for validation to be effective.
            Validation defaults to enabled.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-list</code></strong></span></dt>
<dd><p>
            List the names of all TSIG keys currently configured
            for use by <span><strong class="command">named</strong></span> in each view. The
            list includes both statically configured keys and dynamic
            TKEY-negotiated keys.
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>tsig-delete</code></strong> <em class="replaceable"><code>keyname</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span></dt>
<dd><p>
            Delete a given TKEY-negotiated key from the server.
            (This does not apply to statically configured TSIG
            keys.)
          </p></dd>
<dt><span class="term"><strong class="userinput"><code>addzone <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] <em class="replaceable"><code>configuration</code></em> </code></strong></span></dt>
<dd>
<p>
            Add a zone while the server is running. This
            command requires the
            <span><strong class="command">allow-new-zones</strong></span> option to be set
            to <strong class="userinput"><code>yes</code></strong>. The
            <em class="replaceable"><code>configuration</code></em> string
            specified on the command line is the zone
            configuration text that would ordinarily be
            placed in <code class="filename">named.conf</code>.
          </p>
<p>
            The configuration is saved in a file called
            <code class="filename"><em class="replaceable"><code>hash</code></em>.nzf</code>,
            where <em class="replaceable"><code>hash</code></em> is a
            cryptographic hash generated from the name of
            the view. When <span><strong class="command">named</strong></span> is
            restarted, the file will be loaded into the view
            configuration, so that zones that were added
            can persist after a restart.
          </p>
<p>
            This sample <span><strong class="command">addzone</strong></span> command
            would add the zone <code class="literal">example.com</code>
            to the default view:
          </p>
<p>
<code class="prompt">$ </code><strong class="userinput"><code>rndc addzone example.com '{ type master; file "example.com.db"; };'</code></strong>
          </p>
<p>
            (Note the braces and the trailing semicolon around the zone
            configuration text, and the single quotes that keep the
            shell from interpreting them.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>delzone [<span class="optional">-clean</span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
            Delete a zone while the server is running.
            Only zones that were originally added via
            <span><strong class="command">rndc addzone</strong></span> can be deleted
            in this manner.
          </p>
<p>
            If the <code class="option">-clean</code> option is specified,
            the zone's master file (and journal file, if any)
            will be deleted along with the zone. Without the
            <code class="option">-clean</code> option, zone files must
            be cleaned up by hand. (If the zone is of
            type "slave" or "stub", the files needing to
            be cleaned up will be reported in the output
            of the <span><strong class="command">rndc delzone</strong></span> command.)
          </p>
</dd>
<dt><span class="term"><strong class="userinput"><code>signing [<span class="optional">( -list | -clear <em class="replaceable"><code>keyid/algorithm</code></em> | -clear <code class="literal">all</code> | -nsec3param ( <em class="replaceable"><code>parameters</code></em> | <code class="literal">none</code> ) ) </span>] <em class="replaceable"><code>zone</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em> [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>] </code></strong></span></dt>
<dd>
<p>
            List, edit, or remove the DNSSEC signing state records
            for the specified zone. The status of ongoing DNSSEC
            operations (such as signing or generating
            NSEC3 chains) is stored in the zone in the form
            of DNS resource records of type
            <span><strong class="command">sig-signing-type</strong></span>.
            <span><strong class="command">rndc signing -list</strong></span> converts
            these records into a human-readable form,
            indicating which keys are currently signing
            or have finished signing the zone, and which NSEC3
            chains are being created or removed.
          </p>
<p>
            <span><strong class="command">rndc signing -clear</strong></span> can remove
            a single key (specified in the same format that
            <span><strong class="command">rndc signing -list</strong></span> uses to
            display it), or all keys. In either case, only
            completed keys are removed; any record indicating
            that a key has not yet finished signing the zone
            will be retained.
          </p>
<p>
            <span><strong class="command">rndc signing -nsec3param</strong></span> sets
            the NSEC3 parameters for a zone. This is the
            only supported mechanism for using NSEC3 with
            <span><strong class="command">inline-signing</strong></span> zones.
            Parameters are specified in the same format as
            an NSEC3PARAM resource record: hash algorithm,
            flags, iterations, and salt, in that order.
          </p>
<p>
            Currently, the only defined value for hash algorithm
            is <code class="literal">1</code>, representing SHA-1.
            The <code class="option">flags</code> may be set to
            <code class="literal">0</code> or <code class="literal">1</code>,
            depending on whether you wish to set the opt-out
            bit in the NSEC3 chain. <code class="option">iterations</code>
            defines the number of additional times to apply
            the algorithm when generating an NSEC3 hash. The
            <code class="option">salt</code> is a string of data expressed
            in hexadecimal, a hyphen (`-') if no salt is
            to be used, or the keyword <code class="literal">auto</code>,
            which causes <span><strong class="command">named</strong></span> to generate a
            random 64-bit salt.
          </p>
<p>
            So, for example, to create an NSEC3 chain using
            the SHA-1 hash algorithm, no opt-out flag,
            10 iterations, and a salt value of "FFFF", use:
            <span><strong class="command">rndc signing -nsec3param 1 0 10 FFFF <em class="replaceable"><code>zone</code></em></strong></span>.
            To set the opt-out flag, 15 iterations, and no
            salt, use:
            <span><strong class="command">rndc signing -nsec3param 1 1 15 - <em class="replaceable"><code>zone</code></em></strong></span>.
          </p>
<p>
            <span><strong class="command">rndc signing -nsec3param none</strong></span>
            removes an existing NSEC3 chain and replaces it
            with NSEC.
          </p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2542002"></a><h2>LIMITATIONS</h2>
<p>
      There is currently no way to provide the shared secret for a
      <code class="option">key_id</code> without using the configuration file.
    </p>
<p>
      Several error messages could be clearer.
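Because the shared secret must live in the configuration file (or in rndc.key), the file itself is the thing to audit. The following Python is an added example for this page, not ISC code and not part of the manual: it parses the key clauses of an rndc.conf-style file and checks them against the points above (the algorithm must be one named accepts, HMAC-MD5 is kept for compatibility only, the base64 secret should be at least the HMAC's digest size, and the file must not be group- or world-accessible), and it can emit a fresh key clause with a random secret of the right size. The key-clause syntax is assumed from rndc.conf(5); the sample configuration, the minimum-length policy and all function names are the example's own.

```python
"""Audit rndc.conf-style key clauses and the permissions of the file holding them.

Added example for the rndc manual page; not ISC code.  The key-clause syntax
(key "name" { algorithm ...; secret "base64"; };) is assumed from rndc.conf(5).
"""
import base64
import binascii
import os
import re
import secrets
import stat

# Control-channel HMACs this page lists, mapped to their digest size in bytes.
# The example's policy: a secret shorter than the digest weakens the HMAC.
SUPPORTED = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}

KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*'
    r'algorithm\s+([\w-]+)\s*;\s*'
    r'secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.IGNORECASE | re.DOTALL)


def audit_key_clauses(text):
    """Return [(key_id, [finding, ...]), ...] for every key clause in text."""
    results = []
    for m in KEY_RE.finditer(text):
        key_id, alg, secret = m.group(1), m.group(2).lower(), m.group(3)
        findings = []
        if alg not in SUPPORTED:
            findings.append(f"unsupported algorithm {alg}")
        elif alg == "hmac-md5":
            findings.append("hmac-md5 is kept for compatibility only; use hmac-sha256")
        try:
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            findings.append("secret is not valid base64")
            raw = b""
        if raw and alg in SUPPORTED and len(raw) < SUPPORTED[alg]:
            findings.append(
                f"secret is {len(raw)} bytes; want at least {SUPPORTED[alg]} for {alg}")
        results.append((key_id, findings))
    return results


def audit_mode(mode):
    """Findings for a file mode: the file holds a shared secret, so group/other
    read or write access hands out control of the name server."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def audit_file(path):
    """Audit a real file: (key findings, permission findings)."""
    with open(path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return audit_key_clauses(text), audit_mode(mode)


def generate_key_clause(key_id="rndc-key", algorithm="hmac-sha256"):
    """Build a fresh key clause with a random secret of the digest size,
    the same shape rndc-confgen(8) writes (this is not rndc-confgen itself)."""
    secret = base64.b64encode(secrets.token_bytes(SUPPORTED[algorithm])).decode()
    return f'key "{key_id}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


# Constructed sample: a legacy MD5 key with a 5-byte secret ("short").
SAMPLE_WEAK = '''
key "rndc-key" {
\talgorithm hmac-md5;
\tsecret "c2hvcnQ=";
};
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
'''

if __name__ == "__main__":
    for key_id, findings in audit_key_clauses(SAMPLE_WEAK):
        print(key_id, findings or "ok")
    print("0644:", audit_mode(0o644), " 0600:", audit_mode(0o600))
    print(generate_key_clause())
```

Run it against a real deployment with `audit_file("/etc/rndc.conf")` (or `/etc/rndc.key`); an empty findings list for each key and an empty permission list is the expected result for a file that was written by rndc-confgen and chmod 600.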
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2542020"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
      <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2545420"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>