There are several commands that the server understands.
start Start the server. Simply execs nsd(8). The nsd executable is not searched for in the PATH set in
the environment. Instead the default location relative to the installation prefix specified at
compile-time. The executable location can be overridden by setting NSD_PATH in the environment.
It is started with the config file specified using -c or the default config file.
stop Stop the server. The server daemon exits.
reload[<zone>]
Reload zonefiles and reopen logfile. Without argument reads changed zonefiles. With argument
reads the zonefile for the given zone and loads it.
reconfig
Reload nsd.conf and apply changes to TSIG keys and configuration patterns, and apply the changes
to add and remove zones that are mentioned in the config. Other changes are not applied, such as
listening ip address and port and chroot, also per-zone statistics are not applied. The pattern
updates means that the configuration options for zones (request-xfr, zonefile, notify, ...) are
updated. Also new patterns are available for use with the addzone command.
repattern
Same as the reconfig option.
log_reopen
Reopen the logfile, for log rotate that wants to move the logfile away and create a new logfile.
The log can also be reopened with kill -HUP (which also reloads all zonefiles).
status Display server status. Exit code 3 if not running (the connection to the port is refused), 1 on
error, 0 if running.
stats Output a sequence of name=value lines with statistics information, requires NSD to be compiled
with this option enabled.
stats_noreset
Same as stats, but does not zero the counters.
addzone<zonename><patternname>
Add a new zone to the running server. The zone is added to the zonelist file on disk, so it stays
after a restart. The pattern name determines the options for the new zone. For secondary zones a
zone transfer is immediately attempted. For zones with a zonefile, the zone file is attempted to
be read in.
delzone<zonename>
Remove the zone from the running server. The zone is removed from the zonelist file on disk, from
the nsd.db file and from the memory. If it had a zonefile, this remains (but may be outdated).
Zones configured inside nsd.conf itself cannot be removed this way because the daemon does not
write to the nsd.conf file, you need to add such zones to the zonelist file to be able to delete
them with the delzone command.
changezone<zonename><patternname>
Change a zone to use the pattern for options. The zone is deleted and added in one operation,
changing it to use the new pattern for the zone options. Zones configured in nsd.conf cannot be
changed like this, instead edit the nsd.conf (or the included file in nsd.conf) and reconfig.
addzones
Add zones read from stdin of nsd-control. Input is read per line, with name space patternname on
a line. For bulk additions.
delzones
Remove zones read from stdin of nsd-control. Input is one name per line. For bulk removals.
write[<zone>]
Write zonefiles to disk, or the given zonefile to disk. Zones that have changed (via AXFR or
IXFR) are written, or if the zonefile has not been created yet then it is created. Directory
components of the zonefile path are created if necessary. With argument that zone is written if it
was modified, without argument, all modified zones are written.
notify[<zone>]
Send NOTIFY messages to secondary servers. Sends to the IP addresses configured in the 'notify:'
lists for the primary zones hosted on this server. Usually NSD sends NOTIFY messages right away
when a primary zone serial is updated. If a zone is given, notifies are sent for that zone.
These secondary servers are supposed to initiate a zone transfer request later (to this server or
another primary), this can be allowed via the 'provide-xfr:' acl list configuration. With argument
that zone is processed, without argument, all zones are processed.
transfer[<zone>]
Attempt to update secondary zones that are hosted on this server by contacting the primaries. The
primaries are configured via 'request-xfr:' lists. If a zone is given, that zone is updated.
Usually NSD receives a NOTIFY from the primaries (configured via 'allow-notify:' acl list) that a
new zone serial has to be transferred. For zones with no content, NSD may have backed off from
asking often because the primaries did not respond, but this command will reset the backoff to its
initial timeout, for frequent retries. With argument that zone is transferred, without argument,
all zones are transferred.
force_transfer[<zone>]
Force update secondary zones that are hosted on this server. Even if the primary hosts the same
serial number of the zone, a full AXFR is performed to fetch it. If you want to use IXFR and
check that the serial number increases, use the 'transfer' command. With argument that zone is
transferred, without argument, all zones are transferred.
zonestatus[<zone>]
Print state of the zone, the serial numbers and since when they have been acquired. Also prints
the notify action (to which server), and zone transfer (and from which primary) if there is
activity right now. The state of the zone is printed as: 'primary' (primary zones), 'ok'
(secondary zone is up-to-date), 'expired' (secondary zone has expired), 'refreshing' (secondary
zone has transfers active). The serial numbers printed are the 'served-serial' (currently
active), the 'commit-serial' (is in reload), the 'notified-serial' (got notify, busy fetching the
data). The serial numbers are only printed if such a serial number is available. With argument
that zone is printed, without argument, all zones are printed.
serverpid
Prints the PID of the server process. This is used for statistics (and only works when NSD is
compiled with statistics enabled). This pid is not for sending unix signals, use the pid from
nsd.pid for that, that pid is also stable.
verbosity<number>
Change logging verbosity.
print_tsig[<key_name>]
print the secret and algorithm for the TSIG key with that name. Or list all the tsig keys with
their name, secret and algorithm.
update_tsig<name><secret>
Change existing TSIG key with name to the new secret. The secret is a base64 encoded string. The
changes are only in-memory and are gone next restart, for lasting changes edit the nsd.conf file
or a file included from it.
add_tsig<name><secret>[algo]
Add a new TSIG key with the given name, secret and algorithm. Without algorithm a default (hmac-
sha256) algorithm is used. The secret is a base64 encoded string. The changes are only in-memory
and are gone next restart, for lasting changes edit the nsd.conf file or a file included from it.
assoc_tsig<zone><key_name>
Associate the zone with the given tsig. The access control lists for notify, allow-notify,
provide-xfr and request-xfr are adjusted to use the given key.
del_tsig<key_name>
Delete the TSIG key with the given name. Prints error if the key is still in use by some zone.
The changes are only in-memory and are gone next restart, for lasting changes edit the nsd.conf
file or a file included from it.
add_cookie_secret<secret>
Add or replace a cookie secret persistently. <secret> needs to be an 128 bit hex string.
Cookie secrets can be either active or staging. Active cookie secrets are used to create DNS
Cookies, but verification of a DNS Cookie succeeds with any of the active or staging cookie
secrets. The state of the current cookie secrets can be printed with the print_cookie_secrets
command.
When there are no cookie secrets configured yet, the <secret> is added as active. If there is
already an active cookie secret, the <secret> is added as staging or replacing an existing staging
secret.
To "roll" a cookie secret used in an anycast set. The new secret has to be added as staging secret
to all nodes in the anycast set. When all nodes can verify DNS Cookies with the new secret, the
new secret can be activated with the activate_cookie_secret command. After all nodes have the new
secret active for at least one hour, the previous secret can be dropped with the
drop_cookie_secret command.
Persistence is accomplished by writing to a file which if configured with the cookie-secret-file
option in the server section of the config file. The default value for that is:
/var/lib/nsd/cookiesecrets.txt .
drop_cookie_secret
Drop the staging cookie secret.
activate_cookie_secret
Make the current staging cookie secret active, and the current active cookie secret staging.
print_cookie_secrets
Show the current configured cookie secrets with their status.
Install Now
PNG Icons
