
FreeBSD Manual Pages


RNDC(8)								       RNDC(8)

       rndc - name server control utility

       rndc [ -c config-file ]	[ -k key-file ]	 [ -s server ]	[ -p port ]  [
       -V ]  [ -y key_id ]  command

       rndc controls the operation of a	name server.  It  supersedes  the  ndc
       utility that was	provided in old	BIND releases. If rndc is invoked with
       no command line options or arguments, it	prints a short summary of  the
       supported commands and the available options and	their arguments.

       rndc  communicates  with	the name server	over a TCP connection, sending
       commands authenticated with digital signatures. In the current versions
       of rndc and named, the only supported authentication algorithm is
       HMAC-MD5, which uses a shared secret on each end of the connection.
       This provides TSIG-style	authentication for the command request and the
       name server's response. All commands sent  over	the  channel  must  be
       signed by a key_id known	to the server.

       rndc  reads  a  configuration file to determine how to contact the name
       server and decide what algorithm	and key	it should use.

       -c config-file
	      Use config-file as the configuration file	 instead  of  the  de-
	      fault, /etc/namedb/rndc.conf.

       -k key-file
	      Use   key-file   as   the	 key  file  instead  of	 the  default,
	      /etc/namedb/rndc.key. The	key in	/etc/namedb/rndc.key  will  be
	      used  to authenticate commands sent to the server	if the config-
	      file does	not exist.

       -s server
	      server is	the name or address of	the  server  which  matches  a
	      server  statement	 in  the  configuration	 file  for rndc. If no
	      server is	supplied on the	command	line, the host	named  by  the
	      default-server  clause in	the option statement of	the configura-
	      tion file	will be	used.

       -p port
	      Send commands to TCP port	port instead of	BIND 9's default  con-
	      trol channel port, 953.

       -V     Enable verbose logging.

       -y keyid
	      Use  the	key  keyid from	the configuration file.	 keyid must be
	      known by named with the same algorithm and secret	string in  or-
	      der  for	control	message	validation to succeed.	If no keyid is
	      specified, rndc will first look for a key	clause in  the	server
	      statement	of the server being used, or if	no server statement is
	      present for that host, then the default-key clause  of  the  op-
	      tions  statement.	  Note	that  the  configuration file contains
	      shared secrets which are used to send authenticated control com-
	      mands to name servers. It	should therefore not have general read
	      or write access.
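
       The note above says the file holding the shared secrets should not have
       general read or write access. The script below is one way to check that;
       it is an added example, not part of the manual page or of BIND, and its
       function names and policy (no access for other, no group write) are
       assumptions of the example.

```shell
#!/bin/sh
# Added example: flag rndc secret files whose permissions are too open.
# Usage: sh audit.sh /etc/namedb/rndc.conf /etc/namedb/rndc.key

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# Policy assumed here: no access at all for "other", no write for "group".
# Returns 0 = acceptable, 1 = too permissive, 2 = missing or unreadable.
check_secret_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "MISSING   $f"
        return 2
    fi
    mode=$(file_mode "$f") || { echo "UNKNOWN   $f"; return 2; }
    # Octal 027 masks group-write plus other read/write/execute.
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "TOO OPEN  $f (mode $mode); fix with: chmod o-rwx,g-w $f"
        return 1
    fi
    echo "OK        $f (mode $mode)"
    return 0
}

# Check every path given and return the worst status seen.
audit_secret_files() {
    worst=0
    for path in "$@"; do
        rc=0
        check_secret_file "$path" || rc=$?
        if [ "$rc" -gt "$worst" ]; then
            worst=$rc
        fi
    done
    return "$worst"
}

# Run only when paths are supplied on the command line.
[ "$#" -eq 0 ] || audit_secret_files "$@"
```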

       For the complete	set of commands	supported by rndc, see the BIND	9  Ad-
       ministrator  Reference  Manual or run rndc without arguments to see its
       help message.

       rndc does not yet support all the commands of the BIND 8	ndc utility.

       There is	currently no way to provide the	shared	secret	for  a	key_id
       without using the configuration file.

       Several error messages could be clearer.

       rndc.conf(5), named(8), named.conf(5), ndc(8), BIND 9 Administrator
       Reference Manual.

       Internet	Systems	Consortium

BIND9				 June 30, 2000			       RNDC(8)

