RNDC.CONF(5)RNDC.CONF(5)NAMErndc.conf - rndc configuration file
SYNOPSISrndc.confDESCRIPTIONrndc.conf is the configuration file for rndc, the BIND 9 name server
control utility. This file has a similar structure and syntax to
named.conf. Statements are enclosed in braces and terminated with a
semi-colon. Clauses in the statements are also semi-colon terminated.
The usual comment styles are supported:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
rndc.conf is much simpler than named.conf. The file uses three state‐
ments: an options statement, a server statement and a key statement.
The options statement contains three clauses. The default-server
clause is followed by the name or address of a name server. This host
will be used when no name server is given as an argument to rndc. The
default-key clause is followed by the name of a key which is identified
by a key statement. If no keyid is provided on the rndc command line,
and no key clause is found in a matching server statement, this default
key will be used to authenticate the server's commands and responses.
The default-port clause is followed by the port to connect to on the
remote name server. If no port option is provided on the rndc command
line, and no port clause is found in a matching server statement, this
default port will be used to connect.
After the server keyword, the server statement includes a string which
is the hostname or address for a name server. The statement has two
possible clauses: key and port. The key name must match the name of a
key statement in the file. The port number specifies the port to con‐
nect to.
The key statement begins with an identifying string, the name of the
key. The statement has two clauses. algorithm identifies the encryp‐
tion algorithm for rndc to use; currently only HMAC-MD5 is supported.
This is followed by a secret clause which contains the base-64 encoding
of the algorithm's encryption key. The base-64 string is enclosed in
double quotes.
There are two common ways to generate the base-64 string for the
secret. The BIND 9 program rndc-confgen can be used to generate a ran‐
dom key, or the mmencode program, also known as mimencode, can be used
to generate a base-64 string from known input. mmencode does not ship
with BIND 9 but is available on many systems. See the EXAMPLE section
for sample command lines for each.
EXAMPLE
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
key samplekey {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
In the above example, rndc will by default use the server at localhost
(127.0.0.1) and the key called samplekey. Commands to the localhost
server will use the samplekey key, which must also be defined in the
server's configuration file with the same name and secret. The key
statement indicates that samplekey uses the HMAC-MD5 algorithm and its
secret clause contains the base-64 encoding of the HMAC-MD5 secret
enclosed in double quotes.
To generate a random secret with rndc-confgen:
rndc-confgen
A complete rndc.conf file, including the randomly generated key, will
be written to the standard output. Commented out key and controls
statements for named.conf are also printed.
To generate a base-64 secret with mmencode:
echo "known plaintext for a secret" | mmencode
NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to
recognize the key specified in the rndc.conf file, using the controls
statement in named.conf. See the sections on the controls statement in
the BIND 9 Administrator Reference Manual for details.
SEE ALSOrndc(8), rndc-confgen(8), mmencode(1), BIND 9 Administrator Reference
Manual.
AUTHOR
Internet Systems Consortium
BIND9 June 30, 2000 RNDC.CONF(5)