man.rndc.conf.html revision 0f863f054cd14a83f8b8464d5976a97df39ee899
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<!--
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk -
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk - This Source Code Form is subject to the terms of the Mozilla Public
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk - License, v. 2.0. If a copy of the MPL was not distributed with this
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk - file, You can obtain one at http://mozilla.org/MPL/2.0/.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk-->
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<html lang="en">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<head>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<title>rndc.conf</title>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<link rel="prev" href="man.rndc.html" title="rndc">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</head>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<div class="navheader">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<table width="100%" summary="Navigation header">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<tr><th colspan="3" align="center"><code class="filename">rndc.conf</code></th></tr>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<tr>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<td width="20%" align="left">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<a accesskey="p" href="man.rndc.html">Prev</a>�</td>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<th width="60%" align="center">Manual pages</th>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<td width="20%" align="right">�<a accesskey="n" href="man.rndc-confgen.html">Next</a>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</td>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</tr>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</table>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<hr>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</div>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<div class="refentry">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<a name="man.rndc.conf"></a><div class="titlepage"></div>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <div class="refnamediv">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<h2>Name</h2>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="filename">rndc.conf</code>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk &#8212; rndc configuration file
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk</div>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <div class="refsynopsisdiv">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<h2>Synopsis</h2>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <div class="cmdsynopsis"><p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="command">rndc.conf</code>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p></div>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </div>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <div class="refsection">
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk<a name="id-1.14.28.7"></a><h2>DESCRIPTION</h2>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p><code class="filename">rndc.conf</code> is the configuration file
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk utility. This file has a similar structure and syntax to
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="filename">named.conf</code>. Statements are enclosed
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk in braces and terminated with a semi-colon. Clauses in
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk the statements are also semi-colon terminated. The usual
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk comment styles are supported:
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk C style: /* */
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk C++ style: // to end of line
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk Unix style: # to end of line
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p><code class="filename">rndc.conf</code> is much simpler than
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="filename">named.conf</code>. The file uses three
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk statements: an options statement, a server statement
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk and a key statement.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk The <code class="option">options</code> statement contains five clauses.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk The <code class="option">default-server</code> clause is followed by the
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk name or address of a name server. This host will be used when
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk no name server is given as an argument to
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <span class="command"><strong>rndc</strong></span>. The <code class="option">default-key</code>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk clause is followed by the name of a key which is identified by
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk a <code class="option">key</code> statement. If no
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">keyid</code> is provided on the rndc command line,
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk and no <code class="option">key</code> clause is found in a matching
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">server</code> statement, this default key will be
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk used to authenticate the server's commands and responses. The
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">default-port</code> clause is followed by the port
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk to connect to on the remote name server. If no
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">port</code> option is provided on the rndc command
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk line, and no <code class="option">port</code> clause is found in a
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk matching <code class="option">server</code> statement, this default port
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk will be used to connect.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk The <code class="option">default-source-address</code> and
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">default-source-address-v6</code> clauses which
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk can be used to set the IPv4 and IPv6 source addresses
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk respectively.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk After the <code class="option">server</code> keyword, the server
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk statement includes a string which is the hostname or address
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk for a name server. The statement has three possible clauses:
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">key</code>, <code class="option">port</code> and
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">addresses</code>. The key name must match the
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk name of a key statement in the file. The port number
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk specifies the port to connect to. If an <code class="option">addresses</code>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk clause is supplied these addresses will be used instead of
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk the server name. Each address can take an optional port.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk of supplied then these will be used to specify the IPv4 and IPv6
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk source addresses respectively.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk The <code class="option">key</code> statement begins with an identifying
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk string, the name of the key. The statement has two clauses.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <code class="option">algorithm</code> identifies the authentication algorithm
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk (default), HMAC-SHA384 and HMAC-SHA512 are
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk supported. This is followed by a secret clause which contains
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk the base-64 encoding of the algorithm's authentication key. The
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk base-64 string is enclosed in double quotes.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <p>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk There are two common ways to generate the base-64 string for the
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk can
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk be used to generate a random key, or the
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <span class="command"><strong>mmencode</strong></span> program, also known as
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk <span class="command"><strong>mimencode</strong></span>, can be used to generate a
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk base-64
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk string from known input. <span class="command"><strong>mmencode</strong></span> does
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk not
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk ship with BIND 9 but is available on many systems. See the
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk EXAMPLE section for sample command lines for each.
45916cd2fec6e79bca5dee0421bd39e3c2910d1ejpk </p>
</div>
<div class="refsection">
<a name="id-1.14.28.8"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
options {
default-server localhost;
default-key samplekey;
};
</pre>
<p>
</p>
<pre class="programlisting">
server localhost {
key samplekey;
};
</pre>
<p>
</p>
<pre class="programlisting">
server testserver {
key testkey;
addresses { localhost port 5353; };
};
</pre>
<p>
</p>
<pre class="programlisting">
key samplekey {
algorithm hmac-sha256;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
</pre>
<p>
</p>
<pre class="programlisting">
key testkey {
algorithm hmac-sha256;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
</pre>
<p>
</p>
<p>
In the above example, <span class="command"><strong>rndc</strong></span> will by
default use
the server at localhost (127.0.0.1) and the key called samplekey.
Commands to the localhost server will use the samplekey key, which
must also be defined in the server's configuration file with the
same name and secret. The key statement indicates that samplekey
uses the HMAC-SHA256 algorithm and its secret clause contains the
base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
</p>
<p>
If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
connect to server on localhost port 5353 using the key testkey.
</p>
<p>
To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
<p>
A complete <code class="filename">rndc.conf</code> file, including
the
randomly generated key, will be written to the standard
output. Commented-out <code class="option">key</code> and
<code class="option">controls</code> statements for
<code class="filename">named.conf</code> are also printed.
</p>
<p>
To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
</p>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.14.28.9"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <code class="filename">rndc.conf</code>
file, using the controls statement in <code class="filename">named.conf</code>.
See the sections on the <code class="option">controls</code> statement in the
BIND 9 Administrator Reference Manual for details.
</p>
</div>
<div class="refsection">
<a name="id-1.14.28.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc-confgen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">mmencode</span>(1)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.rndc.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.rndc-confgen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">rndc</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">rndc-confgen</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1</p>
</body>
</html>