bin/rndc/rndc.conf.html

	rndc.conf.html revision c651f15b30f1dae5cc2f00878fb5da5b3a35a468
970N/A<!--
970N/A - Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
970N/A - Copyright (C) 2000, 2001  Internet Software Consortium.
970N/A -
970N/A - Permission to use, copy, modify, and distribute this software for any
970N/A - purpose with or without fee is hereby granted, provided that the above
970N/A - copyright notice and this permission notice appear in all copies.
970N/A -
970N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
970N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
970N/A - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
970N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
970N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
970N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
970N/A - PERFORMANCE OF THIS SOFTWARE.
970N/A-->
970N/A
970N/A<!-- $Id: rndc.conf.html,v 1.14 2005/04/07 03:50:00 marka Exp $ -->
970N/A
970N/A<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
970N/A<HTML
970N/A><HEAD
970N/A><TITLE
970N/A>rndc.conf</TITLE
970N/A><META
970N/ANAME="GENERATOR"
970N/ACONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
970N/A><BODY
970N/ACLASS="REFENTRY"
970N/ABGCOLOR="#FFFFFF"
970N/ATEXT="#000000"
970N/ALINK="#0000FF"
970N/AVLINK="#840084"
1018N/AALINK="#0000FF"
1018N/A><H1
1018N/A><A
970N/ANAME="AEN1"
970N/A></A
970N/A><TT
970N/ACLASS="FILENAME"
970N/A>rndc.conf</TT
970N/A></H1
970N/A><DIV
970N/ACLASS="REFNAMEDIV"
970N/A><A
970N/ANAME="AEN9"
970N/A></A
970N/A><H2
970N/A>Name</H2
970N/A><TT
970N/ACLASS="FILENAME"
970N/A>rndc.conf</TT
970N/A>&nbsp;--&nbsp;rndc configuration file</DIV
970N/A><DIV
970N/ACLASS="REFSYNOPSISDIV"
970N/A><A
970N/ANAME="AEN13"
970N/A></A
970N/A><H2
980N/A>Synopsis</H2
970N/A><P
970N/A><B
970N/ACLASS="COMMAND"
970N/A>rndc.conf</B
970N/A> </P
970N/A></DIV
970N/A><DIV
970N/ACLASS="REFSECT1"
970N/A><A
970N/ANAME="AEN16"
970N/A></A
970N/A><H2
970N/A>DESCRIPTION</H2
970N/A><P
970N/A>        <TT
970N/ACLASS="FILENAME"
970N/A>rndc.conf</TT
970N/A> is the configuration file
970N/A    for <B
970N/ACLASS="COMMAND"
970N/A>rndc</B
970N/A>, the BIND 9 name server control
970N/A    utility.  This file has a similar structure and syntax to
970N/A    <TT
970N/ACLASS="FILENAME"
970N/A>named.conf</TT
970N/A>.  Statements are enclosed
970N/A    in braces and terminated with a semi-colon.  Clauses in
970N/A    the statements are also semi-colon terminated.  The usual
970N/A    comment styles are supported:
970N/A    </P
><P
>        C style: /* */
    </P
><P
>        C++ style: // to end of line
    </P
><P
>        Unix style: # to end of line
    </P
><P
>        <TT
CLASS="FILENAME"
>rndc.conf</TT
> is much simpler than
    <TT
CLASS="FILENAME"
>named.conf</TT
>.  The file uses three
    statements: an options statement, a server statement
    and a key statement.
    </P
><P
>        The <CODE
CLASS="OPTION"
>options</CODE
> statement contains five clauses.
    The <CODE
CLASS="OPTION"
>default-server</CODE
> clause is followed by the
    name or address of a name server.  This host will be used when
    no name server is given as an argument to
    <B
CLASS="COMMAND"
>rndc</B
>.  The <CODE
CLASS="OPTION"
>default-key</CODE
>
    clause is followed by the name of a key which is identified by
    a <CODE
CLASS="OPTION"
>key</CODE
> statement.  If no
    <CODE
CLASS="OPTION"
>keyid</CODE
> is provided on the rndc command line,
    and no <CODE
CLASS="OPTION"
>key</CODE
> clause is found in a matching
    <CODE
CLASS="OPTION"
>server</CODE
> statement, this default key will be
    used to authenticate the server's commands and responses.  The
    <CODE
CLASS="OPTION"
>default-port</CODE
> clause is followed by the port
    to connect to on the remote name server.  If no
    <CODE
CLASS="OPTION"
>port</CODE
> option is provided on the rndc command
    line, and no <CODE
CLASS="OPTION"
>port</CODE
> clause is found in a
    matching <CODE
CLASS="OPTION"
>server</CODE
> statement, this default port
    will be used to connect.
    The <CODE
CLASS="OPTION"
>default-source-address</CODE
> and
    <CODE
CLASS="OPTION"
>default-source-address-v6</CODE
> clauses which
    can be used to set the IPv4 and IPv6 source addresses
    respectively.
    </P
><P
>   After the <CODE
CLASS="OPTION"
>server</CODE
> keyword, the server
    statement includes a string which is the hostname or address
    for a name server.  The statement has three possible clauses:
    <CODE
CLASS="OPTION"
>key</CODE
>, <CODE
CLASS="OPTION"
>port</CODE
> and
    <CODE
CLASS="OPTION"
>addresses</CODE
>. The key name must match the
    name of a key statement in the file.  The port number
    specifies the port to connect to.  If an <CODE
CLASS="OPTION"
>addresses</CODE
>
    clause is supplied these addresses will be used instead of
    the server name.  Each address can take a optional port.
    If an <CODE
CLASS="OPTION"
>source-address</CODE
> or <CODE
CLASS="OPTION"
>source-address-v6</CODE
>
    of supplied then these will be used to specify the IPv4 and IPv6
    source addresses respectively.
    </P
><P
>        The <CODE
CLASS="OPTION"
>key</CODE
> statement begins with an identifying
    string, the name of the key.  The statement has two clauses.
    <CODE
CLASS="OPTION"
>algorithm</CODE
> identifies the encryption algorithm
    for <B
CLASS="COMMAND"
>rndc</B
> to use; currently only HMAC-MD5 is
    supported.  This is followed by a secret clause which contains
    the base-64 encoding of the algorithm's encryption key.  The
    base-64 string is enclosed in double quotes.
    </P
><P
>        There are two common ways to generate the base-64 string for the
    secret.  The BIND 9 program <B
CLASS="COMMAND"
>rndc-confgen</B
> can
    be used to generate a random key, or the
    <B
CLASS="COMMAND"
>mmencode</B
> program, also known as
    <B
CLASS="COMMAND"
>mimencode</B
>, can be used to generate a base-64
    string from known input.  <B
CLASS="COMMAND"
>mmencode</B
> does not
    ship with BIND 9 but is available on many systems.  See the
    EXAMPLE section for sample command lines for each.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN60"
></A
><H2
>EXAMPLE</H2
><PRE
CLASS="PROGRAMLISTING"
>      options {
        default-server  localhost;
        default-key     samplekey;
      };

      server localhost {
        key             samplekey;
      };

      server testserver {
        key     testkey;
        addresses   { localhost port 5353; };
      };

      key samplekey {
        algorithm       hmac-md5;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };

      key testkey {
        algorithm   hmac-md5;
        secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";
      }
    </PRE
><P
>        In the above example, <B
CLASS="COMMAND"
>rndc</B
> will by default use
    the server at localhost (127.0.0.1) and the key called samplekey.
    Commands to the localhost server will use the samplekey key, which
    must also be defined in the server's configuration file with the
    same name and secret.  The key statement indicates that samplekey
    uses the HMAC-MD5 algorithm and its secret clause contains the
    base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
    </P
><P
>   If <B
CLASS="COMMAND"
>rndc -s testserver</B
> is used then <B
CLASS="COMMAND"
>rndc</B
> will
    connect to server on localhost port 5353 using the key testkey.
    </P
><P
>        To generate a random secret with <B
CLASS="COMMAND"
>rndc-confgen</B
>:
    </P
><P
>        <KBD
CLASS="USERINPUT"
>rndc-confgen</KBD
>
    </P
><P
>        A complete <TT
CLASS="FILENAME"
>rndc.conf</TT
> file, including the
        randomly generated key, will be written to the standard
        output.  Commented out <CODE
CLASS="OPTION"
>key</CODE
> and
        <CODE
CLASS="OPTION"
>controls</CODE
> statements for
        <TT
CLASS="FILENAME"
>named.conf</TT
> are also printed.
    </P
><P
>        To generate a base-64 secret with <B
CLASS="COMMAND"
>mmencode</B
>:
    </P
><P
>        <KBD
CLASS="USERINPUT"
>echo "known plaintext for a secret" | mmencode</KBD
>
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN81"
></A
><H2
>NAME SERVER CONFIGURATION</H2
><P
>        The name server must be configured to accept rndc connections and
    to recognize the key specified in the <TT
CLASS="FILENAME"
>rndc.conf</TT
>
    file, using the controls statement in <TT
CLASS="FILENAME"
>named.conf</TT
>.
    See the sections on the <CODE
CLASS="OPTION"
>controls</CODE
> statement in the
    BIND 9 Administrator Reference Manual for details.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN87"
></A
><H2
>SEE ALSO</H2
><P
>      <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>rndc</SPAN
>(8)</SPAN
>,
      <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>rndc-confgen</SPAN
>(8)</SPAN
>,
      <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>mmencode</SPAN
>(1)</SPAN
>,
      <I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN100"
></A
><H2
>AUTHOR</H2
><P
>        Internet Systems Consortium
    </P
></DIV
></BODY
></HTML
>