<!--
 - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
  <refentryinfo>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refentrytitle><filename>rndc.conf</filename></refentrytitle>

  <refnamediv>
    <refname><filename>rndc.conf</filename></refname>
  </refnamediv>

  <copyright>
    <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
  </copyright>

  <refsynopsisdiv>
    <cmdsynopsis><command>rndc.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>
    <para><filename>rndc.conf</filename> is the configuration file
      for <command>rndc</command>, the BIND 9 name server control
      utility. This file has a similar structure and syntax to
      <filename>named.conf</filename>. Statements are enclosed
      in braces and terminated with a semi-colon. Clauses in
      the statements are also semi-colon terminated. The usual
      comment styles are supported:
    </para>
    <programlisting>
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
    </programlisting>
    <para><filename>rndc.conf</filename> is much simpler than
      <filename>named.conf</filename>. The file uses three
      statements: an options statement, a server statement
      and a key statement.
    </para>
    <para>
      The <option>options</option> statement contains five clauses.
      The <option>default-server</option> clause is followed by the
      name or address of a name server. This host will be used when
      no name server is given as an argument to
      <command>rndc</command>. The <option>default-key</option>
      clause is followed by the name of a key which is identified by
      a <option>key</option> statement. If no <option>keyid</option>
      is provided on the rndc command line,
      and no <option>key</option> clause is found in a matching
      <option>server</option> statement, this default key will be
      used to authenticate the server's commands and responses. The
      <option>default-port</option> clause is followed by the port
      to connect to on the remote name server. If no
      <option>port</option> option is provided on the rndc command
      line, and no <option>port</option> clause is found in a
      matching <option>server</option> statement, this default port
      will be used to connect.
      The <option>default-source-address</option> and
      <option>default-source-address-v6</option> clauses
      can be used to set the IPv4 and IPv6 source addresses
      respectively.
    </para>
    <para>
      After the <option>server</option> keyword, the server
      statement includes a string which is the hostname or address
      for a name server. The statement has three possible clauses:
      <option>key</option>, <option>port</option> and
      <option>addresses</option>. The key name must match the
      name of a key statement in the file. The port number
      specifies the port to connect to. If an <option>addresses</option>
      clause is supplied these addresses will be used instead of
      the server name. Each address can take an optional port.
      If a <option>source-address</option> or <option>source-address-v6</option>
      clause is supplied then these will be used to specify the IPv4 and IPv6
      source addresses respectively.
    </para>
    <para>
      The <option>key</option> statement begins with an identifying
      string, the name of the key. The statement has two clauses.
      <option>algorithm</option> identifies the authentication algorithm
      for <command>rndc</command> to use; currently only HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512 are
      supported. This is followed by a secret clause which contains
      the base-64 encoding of the algorithm's authentication key. The
      base-64 string is enclosed in double quotes.
    </para>
    <para>
      There are two common ways to generate the base-64 string for the
      secret. The BIND 9 program <command>rndc-confgen</command> can
      be used to generate a random key, or the
      <command>mmencode</command> program, also known as
      <command>mimencode</command>, can be used to generate a
      string from known input. <command>mmencode</command> does not
      ship with BIND 9 but is available on many systems. See the
      EXAMPLE section for sample command lines for each.
    </para>
  </refsection>

  <refsection><info><title>EXAMPLE</title></info>
    <programlisting>
      options {
        default-server  localhost;
        default-key     samplekey;
      };
</programlisting>
    <programlisting>
      server localhost {
        key             samplekey;
      };
</programlisting>
    <programlisting>
      server testserver {
        key             testkey;
        addresses       { localhost port 5353; };
      };
</programlisting>
    <programlisting>
      key samplekey {
        algorithm       hmac-sha256;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };
</programlisting>
    <programlisting>
      key testkey {
        algorithm       hmac-sha256;
        secret          "R3HI8P6BKw9ZwXwN3VZKuQ==";
      };
    </programlisting>
    <para>
      In the above example, <command>rndc</command> will by
      default use the server at localhost (127.0.0.1) and the key called samplekey.
      Commands to the localhost server will use the samplekey key, which
      must also be defined in the server's configuration file with the
      same name and secret. The key statement indicates that samplekey
      uses the HMAC-SHA256 algorithm and its secret clause contains the
      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
      If <command>rndc -s testserver</command> is used then <command>rndc</command> will
      connect to the server on localhost port 5353 using the key testkey.
    </para>
    <para>
      To generate a random secret with <command>rndc-confgen</command>:
    </para>
    <para><userinput>rndc-confgen</userinput></para>
    <para>
      A complete <filename>rndc.conf</filename> file, including the
      randomly generated key, will be written to the standard
      output. Commented-out <option>key</option> and <option>controls</option>
      statements for <filename>named.conf</filename> are also printed.
    </para>
    <para>
      To generate a base-64 secret with <command>mmencode</command>:
    </para>
    <para><userinput>echo "known plaintext for a secret" | mmencode</userinput></para>
  </refsection>

  <refsection><info><title>NAME SERVER CONFIGURATION</title></info>
    <para>
      The name server must be configured to accept rndc connections and
      to recognize the key specified in the <filename>rndc.conf</filename>
      file, using the controls statement in <filename>named.conf</filename>.
      See the sections on the <option>controls</option> statement in the
      BIND 9 Administrator Reference Manual for details.
    </para>
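<para>
  One way to produce a key statement, sanity-check its secret clause, and render the matching key and controls statements for named.conf, as an added example (not code from this manual page or from BIND 9; the helper names and the "secret at least as long as the digest" rule of thumb are assumptions):
</para>

```python
"""Generate and sanity-check an rndc key and render the matching statements.

Added example, not part of the rndc.conf manual page or of BIND 9; the
helper names are assumptions, as is the rule of thumb that the decoded
secret should be at least as long as the HMAC digest."""
import base64
import binascii
import secrets

# HMAC digest length in bytes for each algorithm the key statement accepts.
HMAC_DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}


def generate_secret(algorithm="hmac-sha256"):
    """Random secret as long as the digest, base-64 encoded for the secret clause."""
    return base64.b64encode(secrets.token_bytes(HMAC_DIGEST_BYTES[algorithm])).decode("ascii")


def check_secret(secret, algorithm="hmac-sha256"):
    """Return problems with a key statement's clauses; an empty list means it looks sound."""
    if algorithm not in HMAC_DIGEST_BYTES:
        return [f"unsupported algorithm {algorithm}"]
    try:
        raw = base64.b64decode(secret, validate=True)   # rejects non-alphabet chars and bad padding
    except (binascii.Error, ValueError):
        return ["secret is not valid base-64"]
    problems = []
    if algorithm == "hmac-md5":
        problems.append("hmac-md5 is supported only for compatibility")
    want = HMAC_DIGEST_BYTES[algorithm]
    if len(raw) < want:   # e.g. a short mmencode'd phrase used as an HMAC-SHA256 key
        problems.append(f"decoded secret is {len(raw)} bytes, shorter than the {want}-byte digest")
    return problems


def key_statement(name, secret, algorithm="hmac-sha256"):
    """The key statement, which must be identical in rndc.conf and in named.conf."""
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def controls_statement(name, address="127.0.0.1", port=953):
    """named.conf controls statement allowing only this key, from this address, to control named."""
    return (f"controls {{\n\tinet {address} port {port} "
            f"allow {{ {address}; }} keys {{ {name}; }};\n}};\n")


if __name__ == "__main__":
    fresh = generate_secret()
    print(key_statement("samplekey", fresh) + controls_statement("samplekey"))
```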
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>
    <para><citerefentry>
        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
    </para>
  </refsection>