rndc

RNDC(8)								      RNDC(8)



NAME
       rndc - name server control utility

SYNOPSIS
       rndc [ -c config-file ] [ -k key-file ] [ -s server ] [ -p port ]
       [ -V ] [ -y key_id ] command

DESCRIPTION
       rndc controls the operation of a name server. It supersedes the ndc
       utility that was provided in old BIND releases. If rndc is invoked
       with no command line options or arguments, it prints a short summary
       of the supported commands and the available options and their
       arguments.

       rndc communicates with the name server over a TCP connection, sending
       commands authenticated with digital signatures. In the current
       versions of rndc and named the only supported authentication
       algorithm is HMAC-MD5, which uses a shared secret on each end of the
       connection. This provides TSIG-style authentication for the command
       request and the name server's response. All commands sent over the
       channel must be signed by a key_id known to the server.

       rndc reads a configuration file to determine how to contact the name
       server and decide what algorithm and key it should use.

OPTIONS
       -c config-file
              Use config-file as the configuration file instead of the
              default, /etc/rndc.conf.

       -k key-file
              Use key-file as the key file instead of the default,
              /etc/rndc.key. The key in /etc/rndc.key will be used to
              authenticate commands sent to the server if the config-file
              does not exist.

       -s server
              server is the name or address of the server which matches a
              server statement in the configuration file for rndc. If no
              server is supplied on the command line, the host named by the
              default-server clause in the options statement of the
              configuration file will be used.

       -p port
              Send commands to TCP port port instead of BIND 9's default
              control channel port, 953.

       -V     Enable verbose logging.

       -y keyid
              Use the key keyid from the configuration file. keyid must be
              known by named with the same algorithm and secret string in
              order for control message validation to succeed. If no keyid
              is specified, rndc will first look for a key clause in the
              server statement of the server being used, or if no server
              statement is present for that host, then the default-key
              clause of the options statement. Note that the configuration
              file contains shared secrets which are used to send
              authenticated control commands to name servers. It should
              therefore not have general read or write access.

       For the complete set of commands supported by rndc, see the BIND 9
       Administrator Reference Manual or run rndc without arguments to see
       its help message.
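       The -y description above notes that the configuration and key files
       hold the shared secret and must not be generally readable or writable.
       The following script is an added example (not part of the BIND
       distribution or this man page) that audits the permission bits of the
       default paths named above, /etc/rndc.conf and /etc/rndc.key, or of any
       paths given as arguments; the function and variable names are the
       example's own.

```shell
#!/bin/sh
# Added example: report rndc config/key files whose HMAC shared secret is
# exposed to group or other. Function names here are not from BIND.

file_mode() {
    # Print permission bits in octal. GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_rndc_secret_perms() {
    # Return 0 when only the owner has any permission bits on the file,
    # 1 when group/other have any bits set, 2 when the file is missing.
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    mode=$(file_mode "$f")
    # Pad to at least three digits so the group/other digits are always
    # the last two characters, then isolate them.
    mode=$(printf '%03d' "$mode")
    group_other=$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')
    if [ "$group_other" = "00" ]; then
        echo "ok: $f (mode $mode)"
        return 0
    fi
    echo "WARN: $f (mode $mode) is accessible beyond its owner"
    return 1
}

# With no arguments, audit the default paths named in rndc(8).
if [ $# -eq 0 ]; then
    set -- /etc/rndc.conf /etc/rndc.key
fi
status=0
for path in "$@"; do
    check_rndc_secret_perms "$path" || status=1
done
```

       A mode of 600 (or 400) passes; 640 and 644 are flagged, since the
       secret is then readable by every member of the group or by everyone.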


LIMITATIONS
       rndc does not yet support all the commands of the BIND 8 ndc utility.

       There is currently no way to provide the shared secret for a key_id
       without using the configuration file.

       Several error messages could be clearer.

SEE ALSO
       rndc.conf(5), named(8), named.conf(5), ndc(8), BIND 9 Administrator
       Reference Manual.

AUTHOR
       Internet Systems Consortium



BIND9				June 30, 2000			      RNDC(8)