manpagez: man pages & more
man knotc(8)
Home | html | info | man
knotc(8)                           Knot DNS                           knotc(8)


NAME

       knotc - Knot DNS control utility


SYNOPSIS

       knotc [config_option] [options] [action]


DESCRIPTION

       This program controls a running knotd process using a socket.

       If an action is specified, it is performed and knotc exits, otherwise
       the program is executed in the interactive mode.

   Config options

       -c, --config file
              Use a textual configuration file (default is
              /usr/local/etc/knot/knot.conf).

       -C, --confdb directory
              Use a binary configuration database directory (default is
              /usr/local/var/lib/knot/confdb).  The default configuration
              database, if exists, has a preference to the default
              configuration file.

   Options

       -m, --max-conf-size MiB
              Set maximum size of the configuration database (default is 500
              MiB, maximum 10000 MiB).

       -s, --socket path
              Use a control UNIX socket path (default is
              /usr/local/var/run/knot/knot.sock).

       -t, --timeout seconds
              Use a control timeout in seconds. Set to 0 for infinity (default
              is 60).  The control socket operations are also subject to the
              timeout parameter set on the server side in server's Control
              configuration section.

       -b, --blocking
              Zone event trigger commands wait until the event is finished.
              Control timeout is set to infinity if not forced by explicit
              timeout specification.

       -e, --extended
              Show extended output (even empty items in zone status).

       -f, --force
              Forced operation. Overrides some checks.

       -x, --mono
              Don't generate colorized output.

       -X, --color
              Force colorized output in extended output or to a pipe.

       -v, --verbose
              Enable debug output.

       -h, --help
              Print the program help.

       -V, --version
              Print the program version. The option -VV makes the program
              print the compile time configuration summary.

   Actions

       status [detail]
              Check if the server is running. Details are version for the
              running server version, workers for the numbers of worker
              threads, configure for the configure summary, or cert-key for
              the public key pin of the currently used certificate.

       stop   Stop the server if running.

       reload Reload the server configuration and modified zone files, and
              reopen the log files if they are configured. All open zone
              transactions will be aborted!

       stats [module[.counter]]
              Show global statistics counter(s). To print also counters with
              value 0, use force option.

       zone-check [zone...]
              Test if the server can load the zone. Semantic checks are
              executed if enabled in the configuration. If invoked with the
              force option, an error is returned when semantic check warning
              appears. (*)

       zone-status [zone...] [filter]
              Show the zone status. Filters are +role, +serial, +transaction,
              +events, +freeze, and +catalog. Empty zone parameters are
              omitted, unless the --extended option is used. A single dash in
              the output represents an unset value. Automatic colorization can
              be overruled using the --mono and --color options.

              The color code is: green - zone acts as a master / red - zone
              acts as a slave, bold font (highlited) - zone is active / normal
              - zone is empty, underscored - zone is an interpreted catalog
              member.

       zone-reload [zone...]
              Trigger a zone reload from a disk without checking its
              modification time. For secondary zone, the refresh event from
              primary server(s) is scheduled; for primary zone, the notify
              event to secondary server(s) is scheduled. An open zone
              transaction will be aborted! If invoked with the force option,
              also zone modules will be re-loaded, but blocking mode might not
              work reliably. (#)

       zone-refresh [zone...]
              Trigger a check for the zone serial on the zone's primary
              server. If the primary server has a newer zone, a transfer is
              scheduled. This command is valid for secondary zones. (#)

       zone-retransfer [zone...]
              Trigger a zone transfer from the zone's primary server. The
              server doesn't check the serial of the primary server's zone.
              This command is valid for secondary zones. (#)

       zone-notify [zone...]
              Trigger a NOTIFY message to all configured remotes. This can
              help in cases when previous NOTIFY had been lost or the
              secondary servers have been offline. (#)

       zone-flush [zone...] [+outdir directory]
              Trigger a zone journal flush to the configured zone file. If an
              output directory is specified, the current zone is immediately
              dumped (in the blocking mode) to a zone file in the specified
              directory. See Notes below about the directory permissions. (#)

       zone-backup [zone...] +backupdir directory [filter...]
              Trigger a zone data and metadata backup to a specified
              directory.  Available filters are +zonefile, +journal, +timers,
              +kaspdb, +keysonly, +catalog, +quic, and their negative
              counterparts +nozonefile, +nojournal, +notimers, +nokaspdb,
              +nokeysonly, +nocatalog, and +noquic. With these filters set,
              zone contents, zone's journal, zone-related timers, zone-related
              data in the KASP database together with keys (or keys without
              the KASP database), zone's catalog, and the server QUIC key and
              certificate, respectively, are backed up, or omitted from the
              backup. By default, filters +zonefile, +timers, +kaspdb,
              +catalog, +quic, +nojournal, and +nokeysonly are set for backup.
              The same defaults are set for restore, with the only difference
              being +noquic. Setting a filter for an item doesn't change the
              default settings for other items. The only exception is
              +keysonly, which disables all other filters by default, but they
              can still be turned on explicitly. If zone flushing is disabled,
              the original zone file is backed up instead of writing out zone
              contents to a file. When backing-up a catalog zone, it is
              recommended to prevent ongoing changes to it by use of
              zone-freeze. The force option allows an already existing
              backupdir to be overwritten. See Notes below about the directory
              permissions.  (#)

       zone-restore [zone...] +backupdir directory [filter...]
              Trigger a zone data and metadata restore from a specified backup
              directory.  Optional filters are equivalent to the same filters
              of zone-backup.  Restore from backups created by Knot DNS
              releases prior to 3.1 is possible with the force option. See
              Notes below about the directory permissions. (#)

       zone-sign [zone...]
              Trigger a DNSSEC re-sign of the zone. Existing signatures will
              be dropped.  This command is valid for zones with DNSSEC signing
              enabled. (#)

       zone-validate [zone...]
              Trigger a DNSSEC validation of the zone. If the validation fails
              and the zone is secondary, the zone expires immediately! (#)

       zone-keys-load [zone...]
              Trigger a load of DNSSEC keys and other signing material from
              KASP database (which might have been altered manually). If
              suitable, re-sign the zone afterwards (keeping valid signatures
              intact). (#)

       zone-key-rollover zone key_type
              Trigger immediate key rollover. Publish new key and start a key
              rollover, even when the key has a lifetime to go. Key type can
              be ksk (also for CSK) or zsk. This command is valid for zones
              with DNSSEC signing and automatic key management enabled. Note
              that complete key rollover consists of several steps and the
              blocking mode relates to the initial one only! (#)

       zone-ksk-submitted zone...
              Use when the zone's KSK rollover is in submission phase. By
              calling this command the user confirms manually that the parent
              zone contains DS record for the new KSK in submission phase and
              the old KSK can be retired. (#)

       zone-freeze [zone...]
              Trigger a zone freeze. All running events will be finished and
              all new and pending (planned) zone-changing events (load,
              refresh, update, flush, and DNSSEC signing) will be held up
              until the zone is thawed. Up to 8 (this limit is hardcoded) DDNS
              updates per zone will be queued, subsequent updates will be
              refused. (#)

       zone-thaw [zone...]
              Trigger dismissal of zone freeze. (#)

       zone-xfr-freeze [zone...]
              Temporarily disable outgoing AXFR/IXFR for the zone(s). (#)

       zone-xfr-thaw [zone...]
              Dismiss outgoing XFR freeze. (#)

       zone-read zone [owner [type]]
              Get zone data that are currently being presented.

       zone-begin zone... [+benevolent]
              Begin a zone transaction. If +benevolent is used, the zone
              transaction will be committed even when it contains removals of
              non-existing or additions of existing records.

       zone-commit zone...
              Commit the zone transaction. All changes are applied to the
              zone.

       zone-abort zone...
              Abort the zone transaction. All changes are discarded.

       zone-diff zone
              Get zone changes within the transaction.

       zone-get zone [owner [type]]
              Get zone data within the transaction.

       zone-set zone owner [ttl] type rdata
              Add zone record within the transaction. The first record in a
              rrset requires a ttl value specified.

       zone-unset zone owner [type [rdata]]
              Remove zone data within the transaction.

       zone-purge zone... [+orphan] [filter...]
              Purge zone data, zone file, journal, timers, and/or KASP data of
              specified zones.  Available filters are +expire, +zonefile,
              +journal, +timers, +kaspdb, and +catalog. If no filter is
              specified, all filters are enabled.  If the zone is no longer
              configured, add +orphan parameter (zone file cannot be purged in
              this case). When purging orphans, always check the server log
              for possible errors. For proper operation, it's necessary to
              prevent ongoing changes to the zone and triggering of zone
              related events during purge; use of zone-freeze is advisable.
              This command always requires the force option. (#)

       zone-stats zone [module[.counter]]
              Show zone statistics counter(s). To print also counters with
              value 0, use force option.

       conf-init
              Initialize the configuration database. If the database doesn't
              exist yet, execute this command as an intended user to ensure
              the server is permitted to access the database (e.g. sudo -u
              knot knotc conf-init). (*)

       conf-check
              Check the server configuration. (*)

       conf-import filename [+nopurge]
              Import a configuration file into the configuration database. If
              the database doesn't exist yet, execute this command as an
              intended user to ensure the server is permitted to access the
              database (e.g. sudo -u knot knotc conf-import ...).  An optional
              filter +nopurge prevents possibly existing configuration
              database from purging before the import itself.  Also ensure the
              server is not using the configuration database at the same time!
              (*)

       conf-export [filename] [+schema]
              Export the configuration database (or JSON schema) into a file
              or stdout. (*)

       conf-list [item]
              List the configuration database sections or section items.

       conf-read [item]
              Read the item from the active configuration database.

       conf-begin
              Begin a writing configuration database transaction. Only one
              transaction can be opened at a time.

       conf-commit
              Commit the configuration database transaction.

       conf-abort
              Rollback the configuration database transaction.

       conf-diff [item]
              Get the item difference in the transaction.

       conf-get [item]
              Get the item data from the transaction.

       conf-set item [data...]
              Set the item data in the transaction.

       conf-unset [item] [data...]
              Unset the item data in the transaction.

   Notes
       Empty or -- zone parameter means all zones or all zones with a
       transaction.

       Use @ owner to denote the zone name.

       Type item parameter in the form of section[[id]][.name].

       (*) indicates a local operation which requires a configuration.

       (#) indicates an optionally blocking operation.

       The -b and -f options can be placed right after the command name.

       Responses returned by knotc commands depend on the mode:

       o In the blocking mode, knotc reports if an error occurred during
         processing of the command by the server. If an error is reported, a
         more detailed information about the failure can usually be found in
         the server log.

       o In the non-blocking (default) mode, knotc doesn't report processing
         errors.  The OK response to triggering commands means that the
         command has been successfully sent to the server. To verify if the
         operation succeeded, it's necessary to check the server log.

       Actions zone-flush, zone-backup, and zone-restore are carried out by
       the knotd process. The directory specified must be accessible to the
       user account that knotd runs under and if the directory already exists,
       its permissions must be appropriate for that user account.

   Interactive mode
       The utility provides interactive mode with basic line editing
       functionality, command completion, and command history.

       Interactive mode behavior can be customized in ~/.editrc. Refer to
       editrc(5) for details.

       Command history is saved in ~/.knotc_history.


EXIT VALUES

       Exit status of 0 means successful operation. Any other exit status
       indicates an error.


EXAMPLES

   Reload the whole server configuration

          $ knotc reload

   Flush the example.com and example.org zones

          $ knotc zone-flush example.com example.org

   Get the current server configuration

          $ knotc conf-read server

   Get the list of the current zones

          $ knotc conf-read zone.domain

   Get the primary servers for the example.com zone

          $ knotc conf-read 'zone[example.com].master'

   Add example.org zone with a zonefile location

          $ knotc conf-begin
          $ knotc conf-set 'zone[example.org]'
          $ knotc conf-set 'zone[example.org].file' '/var/zones/example.org.zone'
          $ knotc conf-commit

   Get the SOA record for each configured zone

          $ knotc zone-read -- @ SOA


SEE ALSO

       knotd(8), knot.conf(5), editrc(5).


AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>


COPYRIGHT

       Copyright 2010-2024, CZ.NIC, z.s.p.o.

3.4.1                             2024-10-14                          knotc(8)

knot 3.4.1 - Generated Tue Oct 15 07:14:00 CDT 2024
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.