rndc Command
Purpose
Name server control utility.
Syntax
rndc [ -b source-address ] [-c config-file] [-k key-file] [-s server] [-p port] [-q] [-r] [-V] [-y key_id] [[-4] [-6]] {command}
Description
The rndc command controls the operation of a name server. If you run the rndc command with no command-line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
The rndc command communicates with the name server over a TCP connection and authenticates each command with one of the following HMAC algorithms:
- HMAC-MD5 (for compatibility)
- HMAC-SHA1
- HMAC-SHA224
- HMAC-SHA256 (default)
- HMAC-SHA384
- HMAC-SHA512
All of these algorithms use a shared secret held on each end of the connection, which provides TSIG-style authentication of the command request and of the name server's response. Every command sent over the control channel must be signed with a key_id that the server knows; the server rejects commands signed with an unknown key or with a mismatched algorithm or secret.
The rndc command reads a configuration file to determine how to contact the name server and which algorithm and key to use.
Flags
| Item | Description |
|---|---|
| -4 | Indicates use of IPv4 only. |
| -6 | Indicates use of IPv6 only. |
| -b source-address | Uses the source-address value as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. |
| -c config-file | Uses the config-file value as the configuration file instead of the default /etc/rndc.conf configuration file. |
| -k key-file | Uses the key-file value as the key file instead of the default /etc/rndc.key file. The key in the /etc/rndc.key file is used to authenticate commands that are sent to the server only if the configuration file (the default /etc/rndc.conf or the file given with -c) does not exist. |
| -s server | Specifies the name or address of the server that matches a server statement in the configuration file for the rndc command. If you do not specify the server value, the host that is named by the default-server clause in the option statement of the configuration file is used. |
| -p port | Sends commands to the specified TCP port instead of the default control channel port, 953. |
| -q | Sets quiet mode to avoid printing the message text that is returned by the server unless an error occurs. |
| -r | Prints the result code that is returned by the named utility after the named utility runs the requested command (for example, ISC_R_SUCCESS, ISC_R_FAILURE). |
| -V | Enables verbose logging. |
| -y key_id | Uses the key_id key from the configuration file. The key_id value must be known to the named daemon with the same algorithm and secret string, or validation of the control message fails. If you do not specify the key_id value, the rndc command first looks for a key clause in the server statement of the server that is in use. If no server statement is present for that host, then the default-key clause of the options statement is used. Note: The configuration file contains shared secrets that are used to send authenticated control commands to name servers. It must not be readable or writable by users other than its owner; anyone who can read the secret can issue control commands to the name server. |
For the complete set of commands supported by the rndc command, see the BIND 9 Administrator Reference Manual or run the rndc command without arguments to see its help message.
Limitations
The rndc command works only with the named9 daemon. The shared secret for a key_id can be supplied only through the configuration file (or the key file given with -k); there is no command-line option for passing the secret itself.