Name server control utility.
rndc [ -b source-address ] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] command
The rndc command controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If you run the rndc command with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
The rndc command communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of the rndc command and the named daemon, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
The rndc command reads a configuration file to determine how to contact the name server and decide what algorithm and key it must use.
Item | Description |
---|---|
-b source-address | Uses the source-address value as the source address for the connection to the server. Multiple instances are permitted to allow setting of both the IPv4 and IPv6 source addresses. |
-c config-file | Uses the config-file value as the configuration file instead of the default, /etc/rndc.conf. |
-k key-file | Uses the key-file value as the key file instead of the default, /etc/rndc.key. The key in /etc/rndc.key is used to authenticate commands sent to the server if the config-file argument does not exist. |
-s server | Specifies the name or address of the server which matches a server statement in the configuration file for the rndc command. If you do not specify the server value, the host named by the default-server clause in the option statement of the configuration file is used. |
-p port | Sends commands to TCP port instead of BIND 9's default control channel port, 953. |
-V | Enables verbose logging. |
-y keyid | Uses the keyid key from the configuration
file. The keyid value must be known by the named daemon
with the same algorithm and secret string in order for control message
validation to succeed. If you do not specify the keyid value,
the rndc command first looks for a key clause in the server
statement of the server being used, or if no server statement is present
for that host, then the default-key clause of the options statement.
Note: The configuration file contains shared secrets which are used
to send authenticated control commands to name servers. It cannot
have general read or write access.
|
For the complete set of commands supported by the rndc command, see the BIND 9 Administrator Reference Manual or run the rndc command without arguments to see its help message.
The rndc command only works with the named9 daemon. The shared-secret for a key_id cannot be provided without using the configuration file.