rndc.conf.html revision 94bd918b63001277f1b28ae4581645f8a835688f
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - Copyright (C) 2000, 2001 Internet Software Consortium.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - Permission to use, copy, modify, and distribute this software for any
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - purpose with or without fee is hereby granted, provided that the above
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - copyright notice and this permission notice appear in all copies.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
94bd918b63001277f1b28ae4581645f8a835688fBob Halley - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyNAME="GENERATOR"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCONTENT="Modular DocBook HTML Stylesheet Version 1.63
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyBGCOLOR="#FFFFFF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyTEXT="#000000"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyLINK="#0000FF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyVLINK="#840084"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyALINK="#0000FF"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFNAMEDIV"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> -- rndc configuration file</DIV
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSYNOPSISDIV"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>Synopsis</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>DESCRIPTION</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is the configuration file
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>, the BIND 9 name server control
94bd918b63001277f1b28ae4581645f8a835688fBob Halley utility. This file has a similar structure and syntax to
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>. Statements are enclosed
94bd918b63001277f1b28ae4581645f8a835688fBob Halley in braces and terminated with a semi-colon. Clauses in
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the statements are also semi-colon terminated. The usual
94bd918b63001277f1b28ae4581645f8a835688fBob Halley comment styles are supported:
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> C style: /* */
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> C++ style: // to end of line
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> Unix style: # to end of line
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is much simpler than
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>. The file uses three
94bd918b63001277f1b28ae4581645f8a835688fBob Halley statements: an options statement, a server statement
94bd918b63001277f1b28ae4581645f8a835688fBob Halley and a key statement.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement contains three clauses.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-server</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is followed by the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley name or address of a name server. This host will be used when
94bd918b63001277f1b28ae4581645f8a835688fBob Halley no name server is given as an argument to
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-key</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley clause is followed by the name of a key which is identified by
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement. If no
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> is provided on the rndc command line,
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is found in a matching
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement, this default key will be
94bd918b63001277f1b28ae4581645f8a835688fBob Halley used to authenticate the server's commands and responses. The
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>default-port</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is followed by the port
94bd918b63001277f1b28ae4581645f8a835688fBob Halley to connect to on the remote name server. If no
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> option is provided on the rndc command
94bd918b63001277f1b28ae4581645f8a835688fBob Halley line, and no <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> clause is found in a
94bd918b63001277f1b28ae4581645f8a835688fBob Halley matching <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement, this default port
94bd918b63001277f1b28ae4581645f8a835688fBob Halley will be used to connect.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> After the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> keyword, the server statement
94bd918b63001277f1b28ae4581645f8a835688fBob Halley includes a string which is the hostname or address for a name
94bd918b63001277f1b28ae4581645f8a835688fBob Halley server. The statement has two possible clauses:
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>. The key name must
94bd918b63001277f1b28ae4581645f8a835688fBob Halley match the name of a key statement in the file. The port number
94bd918b63001277f1b28ae4581645f8a835688fBob Halley specifies the port to connect to.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement begins with an identifying
94bd918b63001277f1b28ae4581645f8a835688fBob Halley string, the name of the key. The statement has two clauses.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>algorithm</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> identifies the encryption algorithm
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> to use; currently only HMAC-MD5 is
94bd918b63001277f1b28ae4581645f8a835688fBob Halley supported. This is followed by a secret clause which contains
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the base-64 encoding of the algorithm's encryption key. The
94bd918b63001277f1b28ae4581645f8a835688fBob Halley base-64 string is enclosed in double quotes.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> There are two common ways to generate the base-64 string for the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley secret. The BIND 9 program <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>dnssec-keygen</B
94bd918b63001277f1b28ae4581645f8a835688fBob Halley be used to generate a random key, or the
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> program, also known as
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>mimencode</B
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>, can be used to generate a base-64
94bd918b63001277f1b28ae4581645f8a835688fBob Halley string from known input. <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley ship with BIND 9 but is available on many systems. See the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley EXAMPLE section for sample command lines for each.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="PROGRAMLISTING"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley default-server localhost;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley default-key samplekey;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley server localhost {
94bd918b63001277f1b28ae4581645f8a835688fBob Halley key samplekey;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley key samplekey {
94bd918b63001277f1b28ae4581645f8a835688fBob Halley algorithm hmac-md5;
94bd918b63001277f1b28ae4581645f8a835688fBob Halley secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> In the above example, <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> will by default use
94bd918b63001277f1b28ae4581645f8a835688fBob Halley the server at localhost (127.0.0.1) and the key called samplekey.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley Commands to the localhost server will use the samplekey key, which
94bd918b63001277f1b28ae4581645f8a835688fBob Halley must also be defined in the server's configuration file with the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley same name and secret. The key statement indicates that samplekey
94bd918b63001277f1b28ae4581645f8a835688fBob Halley uses the HMAC-MD5 algorithm and its secret clause contains the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> To generate a random secret with <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>dnssec-keygen</B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="USERINPUT"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc</B
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> The base-64 string will appear in two files,
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>Krndc.+157.+{random}.key</TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>Krndc.+157.+{random}.private</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley extracting the key to be placed in the
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> key statements, the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley .key and .private files can be removed.
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> To generate a random secret with <B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="COMMAND"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="USERINPUT"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>$ echo "known plaintext for a secret" | mmencode</B
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>NAME SERVER CONFIGURATION</H2
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> The name server must be configured to accept rndc connections and
94bd918b63001277f1b28ae4581645f8a835688fBob Halley to recognize the key specified in the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley file, using the controls statement in <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="FILENAME"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley See the sections on the <TT
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="OPTION"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>controls</TT
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> statement in the
94bd918b63001277f1b28ae4581645f8a835688fBob Halley BIND 9 Administrator Reference Manual for details.
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>SEE ALSO</H2
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>dnssec-keygen</SPAN
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITEREFENTRY"
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFENTRYTITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>mmencode</SPAN
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="CITETITLE"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley>BIND 9 Administrator Reference Manual</I
94bd918b63001277f1b28ae4581645f8a835688fBob HalleyCLASS="REFSECT1"
94bd918b63001277f1b28ae4581645f8a835688fBob Halley> Internet Software Consortium