Open System Services Shell and Utilities Reference Manual (G06.28+, H06.05+)

dnssec_rndc(8) OSS Shell and Utilities Reference Manual
NAME
rndc - Starts the secure BIND 9 Internet domain name server control utility
SYNOPSIS
/etc/dns_secure/rndc
[ -c config_file ]
[ -k key_file ]
[ -s server ]
[ -p port ]
[ -V ]
[ -y key_id ]
command
FLAGS
-c config_file Use config_file as the configuration file instead of the default, /etc/rndc.conf.
-k key_file Use key_file as the key file instead of the default, /etc/rndc.key. The key in /etc/rndc.key will be used to authenticate commands sent to the server if the config_file does not exist.
-s server server is the name or address of the server which matches a server statement in the configuration file for rndc. If no server is supplied on the command line, the host named by the default-server clause in the options statement of the configuration file is used.
-p port Send commands to TCP port port instead of BIND 9's default control channel port, 953.
-V Enable verbose logging.
-y keyid Use the key keyid from the configuration file. keyid must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no keyid is specified, rndc first looks for a key clause in the server statement of the server being used, or if no server statement is present for that host, it then looks for the default-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
Operands
command For the complete set of commands supported by rndc, see the BIND 9 Administrator Reference Manual or run rndc without arguments to see its help message.
DESCRIPTION
rndc controls the operation of a BIND 9 domain name server. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the nonsecure version of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
rndc reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
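The following rndc.conf fragment, with the matching key and controls statements for named.conf, is an added example and not part of this manual page; the server name, address, key name and secret are constructed placeholders. It shows the lookup order described above (server statement key clause, then default-key) and the HMAC-MD5 algorithm that the nonsecure version supports.

```conf
# /etc/rndc.conf  (constructed example; all names and the secret are placeholders)
options {
    default-server  localhost;    # used when no -s server is given on the command line
    default-key     "rndc-key";   # used when no -y keyid is given and no server key clause matches
};

server localhost {
    key "rndc-key";               # consulted before default-key for this server
};

key "rndc-key" {
    algorithm hmac-md5;           # the only algorithm in the nonsecure rndc/named per this page
    secret "c2VjcmV0LXJlcGxhY2UtbWU=";   # placeholder base64 value; generate a real one locally
};

# /etc/named.conf must define the same key name, algorithm and secret,
# and a controls statement that accepts it on the control channel port (953 by default).
key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXJlcGxhY2UtbWU=";  # must match the rndc.conf secret exactly
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

Because both files carry the shared secret, restrict them to the owning account (for example, mode 600) as the FLAGS section advises; a mismatch in key name, algorithm or secret between the two files causes control message validation to fail.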
1226 Hewlett-Packard Company 527188-007