rndc.conf(4) rndc.conf(4)
NAME
rndc.conf - rndc configuration file
DESCRIPTION
The BIND utility for controlling the name server, rndc, has its own
configuration file /etc/rndc.conf. This file has a structure and
syntax similar to that of named's configuration file, named.conf.
Statements are enclosed in braces and terminated with a semi-colon.
Clauses in the statements are also semi-colon terminated. The usual
comment styles supported are:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
The syntax of the rndc.conf file is much simpler compared to that of
named.conf. This file includes three statements:
options statement
server statement
key statement
The options statement contains two clauses: default-server and
default-key.
The default-server clause names the name server that rndc controls
when no server is given with the -s option on the command line. The
default-server keyword is followed by the hostname or address of a
name server.
The default-key clause names the key that rndc uses to authenticate
its commands to the server, and the server's responses, when no key is
given with the -y option on the command line. The default-key keyword
is followed by the name of a key defined by a key statement in this
file.
The server statement begins with an identifying string, the hostname
or address of a name server. It has a single clause, key, naming the
key to use for that server. The key name must match the name given in
a key statement in this file.
The key statement begins with an identifying string, the name of the
key. This statement has two clauses: algorithm and secret.
The algorithm clause identifies the message authentication code (MAC)
algorithm that rndc uses to sign its commands. It is an authentication
algorithm, not an encryption algorithm: the control traffic is
authenticated but not encrypted. Currently only HMAC-MD5 is supported.
(Later BIND 9 releases also accept SHA-based HMACs such as hmac-sha256;
prefer those where the installed named supports them.)
The secret clause contains the random shared secret used for
authentication, written as a base-64 encoded string enclosed in double
quotes. Base-64 only transports the secret's bytes; the encoding does
not depend on the algorithm clause. The same secret must appear in the
matching key statement in named.conf. Anyone who can read rndc.conf
can control the name server, so the file should be readable only by
the account that runs rndc.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
The BIND 9 program dnssec-keygen can be used to generate the base-64
string for the secret clause.
EXAMPLES
Host and key names must be quoted using double quotes if they match a
keyword, such as having a key named "key".
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
key samplekey {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
In the above example, rndc will by default use the server at localhost
(127.0.0.1) and the key called samplekey. Commands to the localhost
server will use the samplekey key. The key statement indicates that
samplekey uses the HMAC-MD5 algorithm and its secret clause contains
the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
The secret can be generated using dnssec-keygen as follows:
$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc
This writes two files, Krndc.+157+{random}.key and
Krndc.+157+{random}.private (157 is the algorithm number for
HMAC-MD5). The base-64 string appears in both, on the Key: line of the
.private file. After copying that string into the key statements in
rndc.conf and named.conf, the .key and .private files can be removed.
NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to
recognize the key specified in the rndc.conf file, using the controls
statement in named.conf. The key name is listed in the keys clause of
the controls statement's inet clause, and a key statement with the
same name, algorithm and secret must also appear in named.conf. If
any of the three differs between the two files, the server rejects
the signature and rndc commands fail.
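The following Python script is an added example for this page; it is not code from the man page, from HP-UX or from BIND. It ties the syntax described under DESCRIPTION, the key generation under EXAMPLES and the controls statement above together: it renders an rndc.conf in the form shown in the example together with the matching named.conf controls and key statements, then parses both (all three comment styles, braces, semicolons) and performs the checks a practitioner would run before restarting named: that default-key and every server's key resolve to a key statement, that the algorithm is hmac-md5, that the secret is valid base-64 of at least 128 bits and not a readable phrase (the page's own sample secret decodes to an English sentence and is flagged), and that the key named in the controls statement carries the same algorithm and secret on both sides. Assumptions, marked in the code as well: the secret is drawn from os.urandom in place of dnssec-keygen (16 random bytes, base-64 encoded, the same shape as `dnssec-keygen -b 128` output); the named.conf fragment follows the standard BIND 9 `controls { inet ... allow { ... } keys { ... }; };` form; and 953 is the conventional rndc control port.

```python
"""Generate, parse and cross-check rndc.conf and the named.conf controls statement.
Added example for this page, not code from the man page, HP-UX or BIND."""
import base64
import os
import re

# Tried left to right: a quoted secret containing "//" is a string, not a C++ comment.
TOKEN_RE = re.compile(
    r'"(?P<str>[^"]*)"|/\*.*?\*/|(?://|#)[^\n]*|(?P<punct>[{};])|(?P<word>[^\s{};"]+)', re.S)

def tokenize(text):
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup:  # the three comment styles set no group and are dropped
            yield m.lastgroup, m.group(m.lastgroup)

def parse(tokens):
    """Top-level statements: lists of ('word'|'str', text) and ('block', [statements])."""
    stack = [[[]]]  # one list per nesting level; its last entry is the open statement
    for kind, val in tokens:
        if (kind, val) == ("punct", "{"):
            stack.append([[]])
        elif (kind, val) == ("punct", "}"):
            body = stack.pop()
            if body[-1] or not stack:
                raise ValueError("clause not terminated by ';' or stray '}'")
            stack[-1][-1].append(("block", body[:-1]))
        elif (kind, val) == ("punct", ";"):
            stack[-1].append([])  # close the open statement, start the next
        else:
            stack[-1][-1].append((kind, val))
    if len(stack) != 1 or stack[0][-1]:
        raise ValueError("unbalanced braces or missing final ';'")
    return stack[0][:-1]

def words(stmt): return [v for k, v in stmt if k != "block"]
def blocks(stmt): return [v for k, v in stmt if k == "block"]
def clauses(block):  # clause name -> value, e.g. {'algorithm': 'hmac-md5'}
    return {words(s)[0]: words(s)[1] for s in block if len(words(s)) > 1}

def load(text):
    """Collect options, server, key and controls statements; ignore anything else."""
    conf = {"options": {}, "server": {}, "key": {}, "controls": []}
    for stmt in parse(tokenize(text)):
        w, b = words(stmt), blocks(stmt)
        if w[0] == "options":
            conf["options"] = clauses(b[0])
        elif w[0] in ("server", "key"):
            conf[w[0]][w[1]] = clauses(b[0])
        elif w[0] == "controls":
            conf["controls"] = b[0]
    return conf

def make_secret(nbits=128):  # assumption: same shape as dnssec-keygen -b 128 output
    return base64.b64encode(os.urandom(nbits // 8)).decode()

def render_rndc_conf(server, keyname, secret, algorithm="hmac-md5"):
    return (f"options {{ default-server {server}; default-key {keyname}; }};\n"
            f"server {server} {{ key {keyname}; }};\n"
            f'key {keyname} {{ algorithm {algorithm}; secret "{secret}"; }};\n')

def render_named_controls(keyname, secret, algorithm="hmac-md5", addr="127.0.0.1", port=953):
    # assumption: standard BIND 9 controls form; 953 is the conventional rndc port
    return (f"controls {{ inet {addr} port {port} allow {{ {addr}; }} keys {{ {keyname}; }}; }};\n"
            f'key {keyname} {{ algorithm {algorithm}; secret "{secret}"; }};\n')

def check(rndc_text, named_text=None):
    """Return a list of problems; an empty list means the files agree."""
    rndc, problems = load(rndc_text), []
    refs = [("default-key", rndc["options"].get("default-key"))]
    refs += [(f"server {s}", c.get("key")) for s, c in rndc["server"].items()]
    for who, name in refs:
        if name and name not in rndc["key"]:
            problems.append(f"{who} references unknown key {name}")
    for name, k in rndc["key"].items():
        if k.get("algorithm", "").lower() != "hmac-md5":
            problems.append(f"key {name}: algorithm {k.get('algorithm')} is not hmac-md5")
        try:
            raw = base64.b64decode(k.get("secret", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"key {name}: secret is not valid base-64")
            continue
        if len(raw) < 16:
            problems.append(f"key {name}: secret is only {len(raw) * 8} bits")
        elif raw.isascii() and raw.strip(b"\n").decode().isprintable():
            problems.append(f"key {name}: secret decodes to readable text, not random key material")
    if named_text is None:
        return problems
    named, allowed = load(named_text), set()
    for stmt in named["controls"]:  # inet <addr> port <n> allow { ... } keys { <name>; };
        prev = None
        for kind, val in stmt:
            if kind == "block" and prev == "keys":
                allowed.update(words(s)[0] for s in val)
            prev = val if kind == "word" else None
    for name, k in rndc["key"].items():
        if name not in allowed or named["key"].get(name) != k:
            problems.append(f"key {name}: not in controls keys clause or differs in named.conf")
    return problems
```

To produce a fresh, mutually consistent pair, call `render_rndc_conf("localhost", "samplekey", s)` and `render_named_controls("samplekey", s)` with one `s = make_secret()`; to audit an existing installation, pass the contents of /etc/rndc.conf and named.conf to `check()`, which returns an empty list when everything matches. Both files carry the shared secret, so restrict read access to them as described above.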
LIMITATIONS
There is currently no way to specify the port on which rndc must run.
AUTHOR
rndc.conf was developed by ISC (Internet Software Consortium).
SEE ALSO
dnssec-keygen(1), rndc(1), named(1M).