155N/A - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC") 155N/A - This Source Code Form is subject to the terms of the Mozilla Public 155N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 155N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
155N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
155N/A<
link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
155N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
741N/A<
table width="100%" summary="Navigation header">
155N/A<
tr><
th colspan="3" align="center"><
code class="filename">
rndc.conf</
code></
th></
tr>
155N/A<
td width="20%" align="left">
485N/A<
th width="60%" align="center">Manual pages</
th>
155N/A <
div class="refnamediv">
155N/A — rndc configuration file
215N/A <
div class="refsynopsisdiv">
215N/A <
div class="cmdsynopsis"><
p>
215N/A <
div class="refsection">
215N/A<
a name="id-1.14.28.7"></
a><
h2>DESCRIPTION</
h2>
215N/A <
p><
code class="filename">
rndc.conf</
code> is the configuration file
155N/A for <
span class="command"><
strong>rndc</
strong></
span>, the BIND 9 name server control
155N/A utility. This file has a similar structure and syntax to
155N/A in braces and terminated with a semi-colon. Clauses in
155N/A the statements are also semi-colon terminated. The usual
155N/A comment styles are supported:
155N/A C++ style: // to end of line
156N/A Unix style: # to end of line
155N/A statements: an options statement, a server statement
155N/A The <
code class="option">options</
code> statement contains five clauses.
155N/A The <
code class="option">default-server</
code> clause is followed by the
155N/A name or address of a name server. This host will be used when
155N/A no name server is given as an argument to
566N/A <
span class="command"><
strong>rndc</
strong></
span>. The <
code class="option">default-key</
code>
155N/A clause is followed by the name of a key which is identified by
155N/A a <
code class="option">key</
code> statement. If no
155N/A <
code class="option">keyid</
code> is provided on the rndc command line,
155N/A and no <
code class="option">key</
code> clause is found in a matching
155N/A <
code class="option">server</
code> statement, this default key will be
155N/A used to authenticate the server's commands and responses. The
155N/A <
code class="option">default-port</
code> clause is followed by the port
155N/A to connect to on the remote name server. If no
155N/A <
code class="option">port</
code> option is provided on the rndc command
155N/A line, and no <
code class="option">port</
code> clause is found in a
741N/A matching <
code class="option">server</
code> statement, this default port
741N/A will be used to connect.
741N/A The <
code class="option">default-source-address</
code> and
155N/A <
code class="option">default-source-address-v6</
code> clauses which
155N/A can be used to set the IPv4 and IPv6 source addresses
155N/A After the <
code class="option">server</
code> keyword, the server
155N/A statement includes a string which is the hostname or address
155N/A for a name server. The statement has three possible clauses:
155N/A <
code class="option">key</
code>, <
code class="option">port</
code> and
155N/A <
code class="option">addresses</
code>. The key name must match the
155N/A name of a key statement in the file. The port number
155N/A specifies the port to connect to. If an <
code class="option">addresses</
code>
155N/A clause is supplied these addresses will be used instead of
155N/A the server name. Each address can take an optional port.
155N/A If an <
code class="option">source-address</
code> or <
code class="option">source-address-v6</
code>
155N/A of supplied then these will be used to specify the IPv4 and IPv6
155N/A source addresses respectively.
181N/A The <
code class="option">key</
code> statement begins with an identifying
155N/A string, the name of the key. The statement has two clauses.
155N/A <
code class="option">algorithm</
code> identifies the authentication algorithm
155N/A for <
span class="command"><
strong>rndc</
strong></
span> to use; currently only HMAC-MD5
155N/A (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
607N/A (default), HMAC-SHA384 and HMAC-SHA512 are
607N/A supported. This is followed by a secret clause which contains
607N/A the base-64 encoding of the algorithm's authentication key. The
607N/A base-64 string is enclosed in double quotes.
155N/A There are two common ways to generate the base-64 string for the
155N/A secret. The BIND 9 program <
span class="command"><
strong>rndc-confgen</
strong></
span>
be used to generate a random key, or the
<
span class="command"><
strong>mmencode</
strong></
span> program, also known as
<
span class="command"><
strong>mimencode</
strong></
span>, can be used to generate a
string from known input. <
span class="command"><
strong>mmencode</
strong></
span> does
ship with BIND 9 but is available on many systems. See the
EXAMPLE section for sample command lines for each.
<
a name="id-1.14.28.8"></
a><
h2>EXAMPLE</
h2>
<
pre class="programlisting">
default-server localhost;
<
pre class="programlisting">
<
pre class="programlisting">
addresses { localhost port 5353; };
<
pre class="programlisting">
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
<
pre class="programlisting">
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
In the above example, <
span class="command"><
strong>rndc</
strong></
span> will by
the server at localhost (127.0.0.1) and the key called samplekey.
Commands to the localhost server will use the samplekey key, which
must also be defined in the server's configuration file with the
same name and secret. The key statement indicates that samplekey
uses the HMAC-SHA256 algorithm and its secret clause contains the
base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
If <
span class="command"><
strong>rndc -s testserver</
strong></
span> is used then <
span class="command"><
strong>rndc</
strong></
span> will
connect to server on localhost port 5353 using the key testkey.
To generate a random secret with <
span class="command"><
strong>rndc-confgen</
strong></
span>:
<
p><
strong class="userinput"><
code>rndc-confgen</
code></
strong>
A complete <
code class="filename">
rndc.conf</
code> file, including
randomly generated key, will be written to the standard
output. Commented-out <
code class="option">key</
code> and
<
code class="option">controls</
code> statements for
<
code class="filename">
named.conf</
code> are also printed.
To generate a base-64 secret with <
span class="command"><
strong>mmencode</
strong></
span>:
<
p><
strong class="userinput"><
code>echo "known plaintext for a secret" | mmencode</
code></
strong>
<
a name="id-1.14.28.9"></
a><
h2>NAME SERVER CONFIGURATION</
h2>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <
code class="filename">
rndc.conf</
code>
file, using the controls statement in <
code class="filename">
named.conf</
code>.
See the sections on the <
code class="option">controls</
code> statement in the
BIND 9 Administrator Reference Manual for details.
<
a name="id-1.14.28.10"></
a><
h2>SEE ALSO</
h2>
<
p><
span class="citerefentry">
<
span class="refentrytitle">rndc</
span>(8)
<
span class="citerefentry">
<
span class="refentrytitle">rndc-confgen</
span>(8)
<
span class="citerefentry">
<
span class="refentrytitle">mmencode</
span>(1)
<
em class="citetitle">BIND 9 Administrator Reference Manual</
em>.
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch13.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">
<
span class="application">rndc</
span>�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">rndc-confgen</
span>