RNDC(8)                                                                RNDC(8)


       rndc - name server control utility


       rndc [ -c config-file ]  [ -k key-file ]  [ -s server ]  [ -p port ]  [
       -V ]  [ -y key_id ]  command


       rndc controls the operation of a name server.  It  supersedes  the  ndc
       utility that was provided in old BIND releases. If rndc is invoked with
       no command line options or arguments, it prints a short summary of  the
       supported commands and the available options and their arguments.

       rndc  communicates  with the name server over a TCP connection, sending
       commands authenticated with digital signatures. In the current versions
       of  rndc and named named the only supported authentication algorithm is
       HMAC-MD5, which uses a shared secret on each  end  of  the  connection.
       This provides TSIG-style authentication for the command request and the
       name server’s response. All commands sent  over  the  channel  must  be
       signed by a key_id known to the server.

       rndc  reads  a  configuration file to determine how to contact the name
       server and decide what algorithm and key it should use.


       -c config-file
              Use  config-file  as  the  configuration  file  instead  of  the
              default, /etc/rndc.conf.

       -k key-file
              Use   key-file   as   the  key  file  instead  of  the  default,
              /etc/rndc.key. The key in /etc/rndc.key will be used to  authen-
              ticate  commands  sent to the server if the config-file does not

       -s server
              server is the name or address of  the  server  which  matches  a
              server  statement  in  the  configuration  file  for rndc. If no
              server is supplied on the command line, the host  named  by  the
              default-server  clause in the option statement of the configura-
              tion file will be used.

       -p port
              Send commands to TCP port port instead of BIND 9’s default  con-
              trol channel port, 953.

       -V     Enable verbose logging.

       -y keyid
              Use  the  key  keyid from the configuration file.  keyid must be
              known by named with the same  algorithm  and  secret  string  in
              order for control message validation to succeed.  If no keyid is
              specified, rndc will first look for a key clause in  the  server
              statement of the server being used, or if no server statement is
              present for that  host,  then  the  default-key  clause  of  the
              options  statement.   Note  that the configuration file contains
              shared secrets which are used to send authenticated control com-
              mands to name servers. It should therefore not have general read
              or write access.

       For the complete set of commands supported by  rndc,  see  the  BIND  9
       Administrator Reference Manual or run rndc without arguments to see its
       help message.


       rndc does not yet support all the commands of the BIND 8 ndc utility.

       There is currently no way to provide the shared  secret  for  a  key_id
       without using the configuration file.

       Several error messages could be clearer.


       rndc.conf(5), named(8), named.conf(5) ndc(8), BIND 9 Administrator Ref-
       erence Manual.


       Internet Systems Consortium

BIND9                            June 30, 2000                         RNDC(8)

Man(1) output converted with man2html