RNDC (Remote Name Daemon Control)

Berkeley Internet Name Domain (BIND) includes a utility called rndc (Remote Name Daemon Control) which allows command line administration of the named daemon from the localhost or a remote host.

In order to prevent unauthorized access to the named daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf.

The name server control utility, rndc, sends named digitally signed commands over a TCP connection. The configuration file for rndc is ‘/etc/rndc.conf’. This configuration file stores configuration information such as the name server to connect to and which key to use for the digital signature. The rndc utility is started when named is started using the initialization script. An rndc.conf file can be generated with a random key with the rndc-confgen commandline utility.

The rndc.conf file uses syntax similar to named.conf. The same comment styles are available, statements are within braces, and the semicolon is used as the terminating character. Only three types of statements can be declared:

• options: The options statement can have three clauses.

a) The default-server clause defines the IP address of the name server to which the rndc should connect to and sends commands.

b) The default-key clause lists the key-id of the key to use if a key statement is not listed in the server statement for the name server. If default-key is used, a key statement with the same key-id must be declared in the same rndc.conf file.

c) The default-port clause specifies the port number to use when connecting to the name server. If a port clause is not listed in the server statement for the name server, this default port is used when connecting. If no port is given, the default is 953.

options {
default-server <ip>;
default-key <key-id>;
default-port <port-num>;

• server: A server statement can be defined for the name server, with <ip> being IP address of the name server to which rndc is configured to connect. The key and port defines the key-id of the key to use for authentication with the name server and the port to use when connecting to the name server.

server <ip> {
key <key-id>;
port <port-num

• key: Each key statement must have a unique key name, or key-id. The algorithm clause provides the encryption algorithm to use for the key. Currently, only hmac-md5 is supported by BIND. The secret clause must be a base-64 encoding of the encryption key, enclosed in double quotation marks.

key <key-id> {
algorithm hmac-md5;
secret “<secret>”;

The following table lists the major options of the rndc utility.



-c <config-file>

The full path of the configuration file to use. Default configuration file for rndc utility is ‘/etc/rndc.conf’.

-k <key-file>

Specifies a key file if there is no key statement in rndc.conf or to override the default key file ‘/etc/rndc.key’.

-s <server>

IP address of a server statement in rndc.conf to connect to as the name server.

-p <port>

 Provide a different port to use instead of the default TCP port of 953.

-y <key-id>

Specifies the key to use. A key with the given <key-id> must be declared in rndc.conf.


Verbose logging.


Reload the configuration file and zones.

reload <zone> <class> <view>

Reload a specific zone. The <class> and <view> are optional.

retransfer <zone> <class> <view>

Retransfer a specific zone without checking the serial number. The <class> and <view> are optional.

freeze <zone> <class> <view>

Temporarily stop updates to a zone. The <class> and <view> are optional.


Reload configuration files but only reload new zones.


Save pending updates to master files, and stop the server.

stop -p

Save pending updates to master files, stop the server, and dump the process ID (PID).


Stop the server without saving pending updates to the master files.

halt –p

Stop the server without saving pending updates to the master
files, and dump process ID (PID).


Flush server’s cache.

flush <view>

Flush server’s cache for a specific view.


Show server status.

Related Tutorials
• Common Linux network tools - ping, telnet, netstat and arp
• Linux xinetd Super Server daemon
• Linux Network Interface Configuration tool - ifconfig
• Important Linux network configuration files
• How to configure Dynamic Host Configuration Protocol (DHCP) in Linux
• Introduction to Domain Name System (DNS)
• Linux Domain Name System (DNS) client configuration files /etc/hosts, /etc/nsswitch.conf and /etc/resolv.conf
• Berkeley Internet Name Domain (BIND) as a DNS server
• How to configure caching-only name server
• BIND configuration file (/etc/named.conf)
• Domain Name System (DNS) zone files