rndc.conf.html revision 36e0109263bd544578c245fe8db1e2718e8a8551
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
61e1dc26d62c2a0059e3ca7efe2ad0f4a5b8df92Mark Andrews - Copyright (C) 2001 Internet Software Consortium.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - Permission to use, copy, modify, and distribute this software for any
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - purpose with or without fee is hereby granted, provided that the above
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - copyright notice and this permission notice appear in all copies.
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews<!-- $Id: rndc.conf.html,v 1.10 2004/06/18 06:00:41 marka Exp $ -->
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyNAME="GENERATOR"
8a66318e41ed14c5a88130e8c362610e8faa2121Mark AndrewsCONTENT="Modular DocBook HTML Stylesheet Version 1.73
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyBGCOLOR="#FFFFFF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyTEXT="#000000"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyLINK="#0000FF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyVLINK="#840084"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyALINK="#0000FF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFNAMEDIV"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> -- rndc configuration file</DIV
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSYNOPSISDIV"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>Synopsis</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>DESCRIPTION</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is the configuration file
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>, the BIND 9 name server control
94bd918b63001277f1b28ae4581645f8a835688fBob Halley utility. This file has a similar structure and syntax to
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>. Statements are enclosed
94bd918b63001277f1b28ae4581645f8a835688fBob Halley in braces and terminated with a semi-colon. Clauses in
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the statements are also semi-colon terminated. The usual
94bd918b63001277f1b28ae4581645f8a835688fBob Halley comment styles are supported:
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> C style: /* */
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> C++ style: // to end of line
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> Unix style: # to end of line
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is much simpler than
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>. The file uses three
94bd918b63001277f1b28ae4581645f8a835688fBob Halley statements: an options statement, a server statement
94bd918b63001277f1b28ae4581645f8a835688fBob Halley and a key statement.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement contains three clauses.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-server</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is followed by the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley name or address of a name server. This host will be used when
94bd918b63001277f1b28ae4581645f8a835688fBob Halley no name server is given as an argument to
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-key</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley clause is followed by the name of a key which is identified by
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement. If no
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is provided on the rndc command line,
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is found in a matching
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement, this default key will be
94bd918b63001277f1b28ae4581645f8a835688fBob Halley used to authenticate the server's commands and responses. The
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-port</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is followed by the port
94bd918b63001277f1b28ae4581645f8a835688fBob Halley to connect to on the remote name server. If no
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> option is provided on the rndc command
94bd918b63001277f1b28ae4581645f8a835688fBob Halley line, and no <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is found in a
94bd918b63001277f1b28ae4581645f8a835688fBob Halley matching <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement, this default port
94bd918b63001277f1b28ae4581645f8a835688fBob Halley will be used to connect.
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews> After the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews> keyword, the server
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews statement includes a string which is the hostname or address
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews for a name server. The statement has three possible clauses:
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
36e0109263bd544578c245fe8db1e2718e8a8551Mark AndrewsCLASS="OPTION"
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews>addresses</TT
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews>. The key name must match the
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews name of a key statement in the file. The port number
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews specifies the port to connect to. If an <TT
36e0109263bd544578c245fe8db1e2718e8a8551Mark AndrewsCLASS="OPTION"
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews>addresses</TT
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews clause is supplied these addresses will be used instead of
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews the server name. Each address can take a optional port.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement begins with an identifying
94bd918b63001277f1b28ae4581645f8a835688fBob Halley string, the name of the key. The statement has two clauses.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>algorithm</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> identifies the encryption algorithm
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> to use; currently only HMAC-MD5 is
94bd918b63001277f1b28ae4581645f8a835688fBob Halley supported. This is followed by a secret clause which contains
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the base-64 encoding of the algorithm's encryption key. The
94bd918b63001277f1b28ae4581645f8a835688fBob Halley base-64 string is enclosed in double quotes.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> There are two common ways to generate the base-64 string for the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley secret. The BIND 9 program <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson>rndc-confgen</B
94bd918b63001277f1b28ae4581645f8a835688fBob Halley be used to generate a random key, or the
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> program, also known as
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>mimencode</B
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>, can be used to generate a base-64
94bd918b63001277f1b28ae4581645f8a835688fBob Halley string from known input. <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley ship with BIND 9 but is available on many systems. See the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley EXAMPLE section for sample command lines for each.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="PROGRAMLISTING"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley default-server localhost;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley default-key samplekey;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley server localhost {
94bd918b63001277f1b28ae4581645f8a835688fBob Halley key samplekey;
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews server testserver {
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews key testkey;
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews addresses { localhost port 5353; };
94bd918b63001277f1b28ae4581645f8a835688fBob Halley key samplekey {
94bd918b63001277f1b28ae4581645f8a835688fBob Halley algorithm hmac-md5;
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews key testkey {
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews algorithm hmac-md5;
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> In the above example, <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> will by default use
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the server at localhost (127.0.0.1) and the key called samplekey.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley Commands to the localhost server will use the samplekey key, which
94bd918b63001277f1b28ae4581645f8a835688fBob Halley must also be defined in the server's configuration file with the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley same name and secret. The key statement indicates that samplekey
94bd918b63001277f1b28ae4581645f8a835688fBob Halley uses the HMAC-MD5 algorithm and its secret clause contains the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
36e0109263bd544578c245fe8db1e2718e8a8551Mark AndrewsCLASS="COMMAND"
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews>rndc -s testserver</B
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews> is used then <B
36e0109263bd544578c245fe8db1e2718e8a8551Mark AndrewsCLASS="COMMAND"
36e0109263bd544578c245fe8db1e2718e8a8551Mark Andrews connect to server on localhost port 5353 using the key testkey.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> To generate a random secret with <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson>rndc-confgen</B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="USERINPUT"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson>rndc-confgen</B
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson> A complete <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson> file, including the
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson randomly generated key, will be written to the standard
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson output. Commented out <TT
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson> statements for
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson> are also printed.
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson> To generate a base-64 secret with <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="USERINPUT"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson>echo "known plaintext for a secret" | mmencode</B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>NAME SERVER CONFIGURATION</H2
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> The name server must be configured to accept rndc connections and
94bd918b63001277f1b28ae4581645f8a835688fBob Halley to recognize the key specified in the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley file, using the controls statement in <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley See the sections on the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>controls</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement in the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley BIND 9 Administrator Reference Manual for details.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>SEE ALSO</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
699095b077b0e4e6138b7546d5bb3f05b0d00bb7Andreas Gustafsson>rndc-confgen</SPAN
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>mmencode</SPAN
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITETITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>BIND 9 Administrator Reference Manual</I
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
6564bfdd885e3e0f1c3764de0969ac54a84b0dcaMark Andrews> Internet Systems Consortium