rndc - name server control utility
rndc [ -c config-file ] [ -k key-file ] [ -s server ] [
-p port ] [ -V ] [ -y key_id ] command
rndc controls the operation of a name server. It supersedes
the ndc utility that was provided in old BIND releases. If
rndc is invoked with no command line options or arguments,
it prints a short summary of the supported commands and the
available options and their arguments.
rndc communicates with the name server over a TCP
connection, sending commands authenticated with digital
signatures. In the current versions of rndc and named the
only supported authentication algorithm is HMAC-MD5, which
uses a shared secret on each end of the connection. This
provides TSIG-style authentication for the command request
and the name server's response. All commands sent over the
channel must be signed by a key_id known to the server.
rndc reads a configuration file to determine how to contact
the name server and decide what algorithm and key it
-c config-file
Use config-file as the configuration file instead
of the default, /etc/rndc.conf.
-k key-file
Use key-file as the key file instead of the
default, /etc/rndc.key. The key in /etc/rndc.key
will be used to authenticate commands sent to the
server if the config-file does not exist.
-s server
server is the name or address of the server which
matches a server statement in the configuration
file for rndc. If no server is supplied on the
command line, the host named by the default-server
clause in the option statement of the configuration
file will be used.
-p port
Send commands to TCP port port instead of BIND 9's
default control channel port, 953.
-V Enable verbose logging.
-y keyid
Use the key keyid from the configuration file.
keyid must be known by named with the same algorithm
and secret string in order for control message
validation to succeed. If no keyid is specified,
rndc will first look for a key clause in the
server statement of the server being used, or if no
server statement is present for that host, then the
default-key clause of the options statement. Note
that the configuration file contains shared secrets
which are used to send authenticated control
commands to name servers. It should therefore not have
general read or write access.
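
The note above says the configuration file should not have general read or write access. One way to check that, as an added example that is not part of BIND: the function names are made up for this example, only the two default paths come from this page, and "general" is taken to mean the "other" permission bits.

```sh
#!/bin/sh
# Added example (not part of BIND): audit the files that hold rndc's
# shared secret. Function names are hypothetical; the default paths are
# the ones named in the man page and can be overridden by arguments.

# world_accessible FILE -> exit 0 if "other" has read or write on FILE.
# Symlinks are followed (-L), since the secret is read from the target.
world_accessible() {
    [ -n "$(find -L "$1" -prune \( -perm -004 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_rndc_files [CONF] [KEYFILE]
# Prints one line per file and returns the number of findings.
audit_rndc_files() {
    conf=${1:-/etc/rndc.conf}
    keyfile=${2:-/etc/rndc.key}
    findings=0
    # Per the man page, the key file authenticates commands when the
    # config file does not exist, so report which file is in play.
    if [ -e "$conf" ]; then
        echo "in use:  $conf"
    elif [ -e "$keyfile" ]; then
        echo "in use:  $keyfile (no $conf)"
    else
        echo "no rndc config or key file found"
    fi
    for f in "$conf" "$keyfile"; do
        [ -e "$f" ] || continue
        if world_accessible "$f"; then
            echo "FINDING: $f is readable or writable by other; chmod o-rw it"
            findings=$((findings + 1))
        else
            echo "ok:      $f"
        fi
    done
    return "$findings"
}
```

Source the file and call audit_rndc_files, optionally with the paths given to -c and -k; a non-zero return status is the number of files that need tightening.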
For the complete set of commands supported by rndc, see
the BIND 9 Administrator Reference Manual or run rndc
without arguments to see its help message.
rndc does not yet support all the commands of the BIND 8
There is currently no way to provide the shared secret for
a key_id without using the configuration file.
Several error messages could be clearer.
rndc.conf(5), named(8), named.conf(5), ndc(8), BIND 9
Administrator Reference Manual.
Internet Software Consortium
BIND9 June 30, 2000 2