bin/rndc/rndc.conf.html

	rndc.conf.html revision 33d0a7767d53cb366039fd0ac4f63cf8a9c351b0
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<!--
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - Copyright (C) 2004, 2005, 2007, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - Copyright (C) 2000, 2001 Internet Software Consortium.
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove -
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - Permission to use, copy, modify, and/or distribute this software for any
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - purpose with or without fee is hereby granted, provided that the above
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - copyright notice and this permission notice appear in all copies.
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove -
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
c4b1075c8e00edf2fc8a8109920542399cd292d3Ryan Grove - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove - PERFORMANCE OF THIS SOFTWARE.
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove-->
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<html>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<head>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<title>rndc.conf</title>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo</head>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<a name="man.rndc.conf"></a><div class="titlepage"></div>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<div class="refnamediv">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<h2>Name</h2>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo</div>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<div class="refsynopsisdiv">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<h2>Synopsis</h2>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo</div>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<div class="refsection">
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<a name="id-1.7"></a><h2>DESCRIPTION</h2>
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo<p><code class="filename">rndc.conf</code> is the configuration file
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo      for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo      utility.  This file has a similar structure and syntax to
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo      <code class="filename">named.conf</code>.  Statements are enclosed
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo      in braces and terminated with a semi-colon.  Clauses in
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove      the statements are also semi-colon terminated.  The usual
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove      comment styles are supported:
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove    </p>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<p>
10b29d99683d0782b9f9ccbfc2a38afe7288c4d6Ryan Grove      C style: /* */
fa454af0c525b509b00d4f4935a18492556bdb99Eric Ferraiuolo    </p>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<p>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove      C++ style: // to end of line
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove    </p>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove<p>
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove      Unix style: # to end of line
acd6c22c85d97aff372a361dc632e8925e331ef9Ryan Grove    </p>
<p><code class="filename">rndc.conf</code> is much simpler than
      <code class="filename">named.conf</code>.  The file uses three
      statements: an options statement, a server statement
      and a key statement.
    </p>
<p>
      The <code class="option">options</code> statement contains five clauses.
      The <code class="option">default-server</code> clause is followed by the
      name or address of a name server.  This host will be used when
      no name server is given as an argument to
      <span class="command"><strong>rndc</strong></span>.  The <code class="option">default-key</code>
      clause is followed by the name of a key which is identified by
      a <code class="option">key</code> statement.  If no
      <code class="option">keyid</code> is provided on the rndc command line,
      and no <code class="option">key</code> clause is found in a matching
      <code class="option">server</code> statement, this default key will be
      used to authenticate the server's commands and responses.  The
      <code class="option">default-port</code> clause is followed by the port
      to connect to on the remote name server.  If no
      <code class="option">port</code> option is provided on the rndc command
      line, and no <code class="option">port</code> clause is found in a
      matching <code class="option">server</code> statement, this default port
      will be used to connect.
      The <code class="option">default-source-address</code> and
      <code class="option">default-source-address-v6</code> clauses which
      can be used to set the IPv4 and IPv6 source addresses
      respectively.
    </p>
<p>
      After the <code class="option">server</code> keyword, the server
      statement includes a string which is the hostname or address
      for a name server.  The statement has three possible clauses:
      <code class="option">key</code>, <code class="option">port</code> and
      <code class="option">addresses</code>. The key name must match the
      name of a key statement in the file.  The port number
      specifies the port to connect to.  If an <code class="option">addresses</code>
      clause is supplied these addresses will be used instead of
      the server name.  Each address can take an optional port.
      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
      of supplied then these will be used to specify the IPv4 and IPv6
      source addresses respectively.
    </p>
<p>
      The <code class="option">key</code> statement begins with an identifying
      string, the name of the key.  The statement has two clauses.
      <code class="option">algorithm</code> identifies the authentication algorithm
      for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512 are
      supported.  This is followed by a secret clause which contains
      the base-64 encoding of the algorithm's authentication key.  The
      base-64 string is enclosed in double quotes.
    </p>
<p>
      There are two common ways to generate the base-64 string for the
      secret.  The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
      can
      be used to generate a random key, or the
      <span class="command"><strong>mmencode</strong></span> program, also known as
      <span class="command"><strong>mimencode</strong></span>, can be used to generate a
      base-64
      string from known input.  <span class="command"><strong>mmencode</strong></span> does
      not
      ship with BIND 9 but is available on many systems.  See the
      EXAMPLE section for sample command lines for each.
    </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
      options {
        default-server  localhost;
        default-key     samplekey;
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      server localhost {
        key             samplekey;
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      server testserver {
        key     testkey;
        addresses   { localhost port 5353; };
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      key samplekey {
        algorithm       hmac-sha256;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      key testkey {
        algorithm   hmac-sha256;
        secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";
      };
    </pre>
<p>
    </p>
<p>
      In the above example, <span class="command"><strong>rndc</strong></span> will by
      default use
      the server at localhost (127.0.0.1) and the key called samplekey.
      Commands to the localhost server will use the samplekey key, which
      must also be defined in the server's configuration file with the
      same name and secret.  The key statement indicates that samplekey
      uses the HMAC-SHA256 algorithm and its secret clause contains the
      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
    </p>
<p>
      If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
      connect to server on localhost port 5353 using the key testkey.
    </p>
<p>
      To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
    </p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
    </p>
<p>
      A complete <code class="filename">rndc.conf</code> file, including
      the
      randomly generated key, will be written to the standard
      output.  Commented-out <code class="option">key</code> and
      <code class="option">controls</code> statements for
      <code class="filename">named.conf</code> are also printed.
    </p>
<p>
      To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
    </p>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
    </p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
      The name server must be configured to accept rndc connections and
      to recognize the key specified in the <code class="filename">rndc.conf</code>
      file, using the controls statement in <code class="filename">named.conf</code>.
      See the sections on the <code class="option">controls</code> statement in the
      BIND 9 Administrator Reference Manual for details.
    </p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
</div>
</div></body>
</html>