Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
$Id: rndc.conf.5,v 1.6 2000/08/01 01:18:48 tale Exp $
.Dd Jun 30, 2000 .Dt RDNC.CONF 5 .Os BIND9 9 .Sh NAME .Nm rdnc.conf .Nd rdnc configuration file .Sh SYNOPSIS .Nm rdnc.conf .Sh DESCRIPTION The BIND9 utility for controlling the name server, .Nm rndc , has its own configuration file
a /etc/rndc.conf . This file has a similar structure and syntax to
a named.conf , the file used to configure the name server. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported: l -tag -width UNIX-style: t C style: /* */ t C++ style: // to end of line t Unix style: # to end of line .El
p
a rndc.conf is much simpler than
a named.conf . The file uses three statements: an .Dv options{} statement, a .Dv server{} statement and a .Dv key{} statement.
p The .Dv options{} statement contains two clauses. The .Dv default-server clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to .Nm rndc . The .Dv default-key clause is followed by the name of a key which is identified by a .Dv key{} statement. If no .Fl y option is provided on the .Xr rndc command line, and no .Dv key clause is found in a a matching .Dv server{} statement, this default key will be used to authenticate the server's commands and responses.
p After the keyword .Dv server , the .Dv server{} statement is followed by a string which is the hostname or address for a name server. The statement has a single clause, .Dv key . The key name must match the name of a .Dv key{} statement in the file.
p The .Dv key{} statement begins with an identifying string, the name of the key. The statement has two clauses. .Dv algorithm identifies the encryption algorithm for .Nm rndc to use; currently only HMAC-MD5 is supported. This is followed by a .Dv secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.
p There are two common ways to generate the base-64 string for the .Dv secret . The BIND 9 program .Xr dnssec-keygen 8 can be used to generate a random key, or the .Xr mmencode 1 program, also known as .Xr mimencode 1 , can be used to generate a base-64 string from known input. .Xr mmencode does not ship with BIND 9 but is available on many systems. See the .Sx EXAMPLES section for sample command lines for each.
p Host and key names must be quoted using double quotes if they match a keyword, such as having a key named "key". .Sh EXAMPLE d -literal indent options { default-server localhost; default-key samplekey; }; server localhost { key samplekey; }; key samplekey { algorithm hmac-md5; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; .Ed
p In the above example, .Nm rndc will by default use the server at localhost (127.0.0.1) and the key called .Dv samplekey . Commands to the localhost server will use the .Dv samplekey key. The .Dv key{} statement indicates that .Dv samplekey uses the HMAC-MD5 algorithm and its .Dv secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
p To generate a random secret with .Xr dnssec-keygen : d -literal indent $ dnssec-keygen -a hmac-md5 -b 128 -n user rndc .Ed
p The base-64 string will appear in two files,
a Krndc.+157.+{random}.key and
a Krndc.+157.+{random}.private . After extracting the key to be placed in the .Nm rndc.conf and .Xr named.conf .Dv key{} statements, the
a .key and
a .private files can be removed.
p To generate a secret from known input with .Xr mmenode : d -literal indent $ echo "known plaintext for a secret" | mmencode .Ed .Sh LIMITATIONS There is currently no way to specify the port for .Xr rndc to use. This will be remedied in future releases by allowing a .Dv port clause to the .Dv server{} statement and a .Dv default-port clause to the .Dv options{} statement. .Sh SEE ALSO .Xr rndc 8 , .Xr named.conf 8 , .Xr dnssec-keygen 8 , .Xr mmencode 1 , "BIND9 Administrators Manual".