summaryrefslogtreecommitdiffstats
path: root/bin/rndc/rndc.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--bin/rndc/rndc.c984
-rw-r--r--bin/rndc/rndc.conf39
-rw-r--r--bin/rndc/rndc.conf.5234
-rw-r--r--bin/rndc/rndc.conf.docbook241
-rw-r--r--bin/rndc/rndc.conf.html234
5 files changed, 1732 insertions, 0 deletions
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
new file mode 100644
index 0000000..9eb0ce0
--- /dev/null
+++ b/bin/rndc/rndc.c
@@ -0,0 +1,984 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/net.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <isccfg/namedconf.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/types.h>
+#include <isccc/util.h>
+
+#include <dns/name.h>
+
+#include <bind9/getaddresses.h>
+
+#include "util.h"
+
+#define SERVERADDRS 10
+
+const char *progname;
+bool verbose;
+
+static const char *admin_conffile;
+static const char *admin_keyfile;
+static const char *version = VERSION;
+static const char *servername = NULL;
+static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static isc_sockaddr_t local4, local6;
+static bool local4set = false, local6set = false;
+static int nserveraddrs;
+static int currentaddr = 0;
+static unsigned int remoteport = 0;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_buffer_t *databuf;
+static isccc_ccmsg_t ccmsg;
+static uint32_t algorithm;
+static isccc_region_t secret;
+static bool failed = false;
+static bool c_flag = false;
+static isc_mem_t *rndc_mctx;
+static int sends, recvs, connects;
+static char *command;
+static char *args;
+static char program[256];
+static isc_socket_t *sock = NULL;
+static uint32_t serial;
+static bool quiet = false;
+static bool showresult = false;
+
+static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+ fprintf(stderr, "\
+Usage: %s [-b address] [-c config] [-s server] [-p port]\n\
+ [-k key-file ] [-y key] [-r] [-V] command\n\
+\n\
+command is one of the following:\n\
+\n\
+ addzone zone [class [view]] { zone-options }\n\
+ Add zone to given view. Requires allow-new-zones option.\n\
+ delzone [-clean] zone [class [view]]\n\
+ Removes zone from given view.\n\
+ dnstap -reopen\n\
+ Close, truncate and re-open the DNSTAP output file.\n\
+ dnstap -roll count\n\
+ Close, rename and re-open the DNSTAP output file(s).\n\
+ dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]\n\
+ Dump cache(s) to the dump file (named_dump.db).\n\
+ flush Flushes all of the server's caches.\n\
+ flush [view] Flushes the server's cache for a view.\n\
+ flushname name [view]\n\
+ Flush the given name from the server's cache(s)\n\
+ flushtree name [view]\n\
+ Flush all names under the given name from the server's cache(s)\n\
+ freeze Suspend updates to all dynamic zones.\n\
+ freeze zone [class [view]]\n\
+ Suspend updates to a dynamic zone.\n\
+ halt Stop the server without saving pending updates.\n\
+ halt -p Stop the server without saving pending updates reporting\n\
+ process id.\n\
+ loadkeys zone [class [view]]\n\
+ Update keys without signing immediately.\n\
+ managed-keys refresh [class [view]]\n\
+ Check trust anchor for RFC 5011 key changes\n\
+ managed-keys status [class [view]]\n\
+ Display RFC 5011 managed keys information\n\
+ managed-keys sync [class [view]]\n\
+ Write RFC 5011 managed keys to disk\n\
+ modzone zone [class [view]] { zone-options }\n\
+ Modify a zone's configuration.\n\
+ Requires allow-new-zones option.\n\
+ notify zone [class [view]]\n\
+ Resend NOTIFY messages for the zone.\n\
+ notrace Set debugging level to 0.\n\
+ nta -dump\n\
+ List all negative trust anchors.\n\
+ nta [-lifetime duration] [-force] domain [view]\n\
+ Set a negative trust anchor, disabling DNSSEC validation\n\
+ for the given domain.\n\
+ Using -lifetime specifies the duration of the NTA, up\n\
+ to one week.\n\
+ Using -force prevents the NTA from expiring before its\n\
+ full lifetime, even if the domain can validate sooner.\n\
+ nta -remove domain [view]\n\
+ Remove a negative trust anchor, re-enabling validation\n\
+ for the given domain.\n\
+ querylog [ on | off ]\n\
+ Enable / disable query logging.\n\
+ reconfig Reload configuration file and new zones only.\n\
+ recursing Dump the queries that are currently recursing (named.recursing)\n\
+ refresh zone [class [view]]\n\
+ Schedule immediate maintenance for a zone.\n\
+ reload Reload configuration file and zones.\n\
+ reload zone [class [view]]\n\
+ Reload a single zone.\n\
+ retransfer zone [class [view]]\n\
+ Retransfer a single zone without checking serial number.\n\
+ scan Scan available network interfaces for changes.\n\
+ secroots [view ...]\n\
+ Write security roots to the secroots file.\n\
+ showzone zone [class [view]]\n\
+ Print a zone's configuration.\n\
+ sign zone [class [view]]\n\
+ Update zone keys, and sign as needed.\n\
+ signing -clear all zone [class [view]]\n\
+ Remove the private records for all keys that have\n\
+ finished signing the given zone.\n\
+ signing -clear <keyid>/<algorithm> zone [class [view]]\n\
+ Remove the private record that indicating the given key\n\
+ has finished signing the given zone.\n\
+ signing -list zone [class [view]]\n\
+ List the private records showing the state of DNSSEC\n\
+ signing in the given zone.\n\
+ signing -nsec3param hash flags iterations salt zone [class [view]]\n\
+ Add NSEC3 chain to zone if already signed.\n\
+ Prime zone with NSEC3 chain if not yet signed.\n\
+ signing -nsec3param none zone [class [view]]\n\
+ Remove NSEC3 chains from zone.\n\
+ signing -serial <value> zone [class [view]]\n\
+ Set the zones's serial to <value>.\n\
+ stats Write server statistics to the statistics file.\n\
+ status Display status of the server.\n\
+ stop Save pending updates to master files and stop the server.\n\
+ stop -p Save pending updates to master files and stop the server\n\
+ reporting process id.\n\
+ sync [-clean] Dump changes to all dynamic zones to disk, and optionally\n\
+ remove their journal files.\n\
+ sync [-clean] zone [class [view]]\n\
+ Dump a single zone's changes to disk, and optionally\n\
+ remove its journal file.\n\
+ thaw Enable updates to all dynamic zones and reload them.\n\
+ thaw zone [class [view]]\n\
+ Enable updates to a frozen dynamic zone and reload it.\n\
+ trace Increment debugging level by one.\n\
+ trace level Change the debugging level.\n\
+ tsig-delete keyname [view]\n\
+ Delete a TKEY-negotiated TSIG key.\n\
+ tsig-list List all currently active TSIG keys, including both statically\n\
+ configured and TKEY-negotiated keys.\n\
+ validation [ yes | no | status ] [view]\n\
+ Enable / disable DNSSEC validation.\n\
+ zonestatus zone [class [view]]\n\
+ Display the current status of a zone.\n\
+\n\
+Version: %s\n",
+ progname, version);
+
+ exit(status);
+}
+
+static void
+get_addresses(const char *host, in_port_t port) {
+ isc_result_t result;
+ int found = 0, count;
+
+ if (*host == '/') {
+ result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
+ host);
+ if (result == ISC_R_SUCCESS)
+ nserveraddrs++;
+ } else {
+ count = SERVERADDRS - nserveraddrs;
+ result = bind9_getaddresses(host, port,
+ &serveraddrs[nserveraddrs],
+ count, &found);
+ nserveraddrs += found;
+ }
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't get address for '%s': %s",
+ host, isc_result_totext(result));
+ INSIST(nserveraddrs > 0);
+}
+
+static void
+rndc_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+
+ UNUSED(task);
+
+ sends--;
+ if (sevent->result != ISC_R_SUCCESS)
+ fatal("send failed: %s", isc_result_totext(sevent->result));
+ isc_event_free(&event);
+ if (sends == 0 && recvs == 0) {
+ isc_socket_detach(&sock);
+ isc_task_shutdown(task);
+ RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+ }
+}
+
+static void
+rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+ isccc_sexpr_t *response = NULL;
+ isccc_sexpr_t *data;
+ isccc_region_t source;
+ char *errormsg = NULL;
+ char *textmsg = NULL;
+ isc_result_t result;
+
+ recvs--;
+
+ if (ccmsg.result == ISC_R_EOF)
+ fatal("connection to remote host closed\n"
+ "This may indicate that\n"
+ "* the remote server is using an older version of"
+ " the command protocol,\n"
+ "* this host is not authorized to connect,\n"
+ "* the clocks are not synchronized, or\n"
+ "* the key is invalid.");
+
+ if (ccmsg.result != ISC_R_SUCCESS)
+ fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+ source.rstart = isc_buffer_base(&ccmsg.buffer);
+ source.rend = isc_buffer_used(&ccmsg.buffer);
+
+ DO("parse message",
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+ data = isccc_alist_lookup(response, "_data");
+ if (!isccc_alist_alistp(data))
+ fatal("bad or missing data section in response");
+ result = isccc_cc_lookupstring(data, "err", &errormsg);
+ if (result == ISC_R_SUCCESS) {
+ failed = true;
+ fprintf(stderr, "%s: '%s' failed: %s\n",
+ progname, command, errormsg);
+ }
+ else if (result != ISC_R_NOTFOUND)
+ fprintf(stderr, "%s: parsing response failed: %s\n",
+ progname, isc_result_totext(result));
+
+ result = isccc_cc_lookupstring(data, "text", &textmsg);
+ if (result == ISC_R_SUCCESS) {
+ if ((!quiet || failed) && strlen(textmsg) != 0U)
+ fprintf(failed ? stderr : stdout, "%s\n", textmsg);
+ } else if (result != ISC_R_NOTFOUND)
+ fprintf(stderr, "%s: parsing response failed: %s\n",
+ progname, isc_result_totext(result));
+
+ if (showresult) {
+ isc_result_t eresult;
+
+ result = isccc_cc_lookupuint32(data, "result", &eresult);
+ if (result == ISC_R_SUCCESS)
+ printf("%s %u\n", isc_result_toid(eresult), eresult);
+ else
+ printf("NONE -1\n");
+ }
+
+ isc_event_free(&event);
+ isccc_sexpr_free(&response);
+ if (sends == 0 && recvs == 0) {
+ isc_socket_detach(&sock);
+ isc_task_shutdown(task);
+ RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+ }
+}
+
+static void
+rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+ isccc_sexpr_t *response = NULL;
+ isccc_sexpr_t *_ctrl;
+ isccc_region_t source;
+ isc_result_t result;
+ uint32_t nonce;
+ isccc_sexpr_t *request = NULL;
+ isccc_time_t now;
+ isc_region_t r;
+ isccc_sexpr_t *data;
+ isc_buffer_t b;
+
+ recvs--;
+
+ if (ccmsg.result == ISC_R_EOF)
+ fatal("connection to remote host closed\n"
+ "This may indicate that\n"
+ "* the remote server is using an older version of"
+ " the command protocol,\n"
+ "* this host is not authorized to connect,\n"
+ "* the clocks are not synchronized,\n"
+ "* the key signing algorithm is incorrect, or\n"
+ "* the key is invalid.");
+
+ if (ccmsg.result != ISC_R_SUCCESS)
+ fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+ source.rstart = isc_buffer_base(&ccmsg.buffer);
+ source.rend = isc_buffer_used(&ccmsg.buffer);
+
+ DO("parse message",
+ isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+ _ctrl = isccc_alist_lookup(response, "_ctrl");
+ if (!isccc_alist_alistp(_ctrl))
+ fatal("bad or missing ctrl section in response");
+ nonce = 0;
+ if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+ nonce = 0;
+
+ isc_stdtime_get(&now);
+
+ DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+ now, now + 60, &request));
+ data = isccc_alist_lookup(request, "_data");
+ if (data == NULL)
+ fatal("_data section missing");
+ if (isccc_cc_definestring(data, "type", args) == NULL)
+ fatal("out of memory");
+ if (nonce != 0) {
+ _ctrl = isccc_alist_lookup(request, "_ctrl");
+ if (_ctrl == NULL)
+ fatal("_ctrl section missing");
+ if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL)
+ fatal("out of memory");
+ }
+
+ isc_buffer_clear(databuf);
+ /* Skip the length field (4 bytes) */
+ isc_buffer_add(databuf, 4);
+
+ DO("render message",
+ isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+ isc_buffer_init(&b, databuf->base, 4);
+ isc_buffer_putuint32(&b, databuf->used - 4);
+
+ r.base = databuf->base;
+ r.length = databuf->used;
+
+ isccc_ccmsg_cancelread(&ccmsg);
+ DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+ rndc_recvdone, NULL));
+ recvs++;
+ DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+ NULL));
+ sends++;
+
+ isc_event_free(&event);
+ isccc_sexpr_free(&response);
+ isccc_sexpr_free(&request);
+ return;
+}
+
+static void
+rndc_connected(isc_task_t *task, isc_event_t *event) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ isccc_sexpr_t *request = NULL;
+ isccc_sexpr_t *data;
+ isccc_time_t now;
+ isc_region_t r;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ connects--;
+
+ if (sevent->result != ISC_R_SUCCESS) {
+ isc_sockaddr_format(&serveraddrs[currentaddr], socktext,
+ sizeof(socktext));
+ if (sevent->result != ISC_R_CANCELED &&
+ ++currentaddr < nserveraddrs)
+ {
+ notify("connection failed: %s: %s", socktext,
+ isc_result_totext(sevent->result));
+ isc_socket_detach(&sock);
+ isc_event_free(&event);
+ rndc_startconnect(&serveraddrs[currentaddr], task);
+ return;
+ } else
+ fatal("connect failed: %s: %s", socktext,
+ isc_result_totext(sevent->result));
+ }
+
+ isc_stdtime_get(&now);
+ DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+ now, now + 60, &request));
+ data = isccc_alist_lookup(request, "_data");
+ if (data == NULL)
+ fatal("_data section missing");
+ if (isccc_cc_definestring(data, "type", "null") == NULL)
+ fatal("out of memory");
+
+ isc_buffer_clear(databuf);
+ /* Skip the length field (4 bytes) */
+ isc_buffer_add(databuf, 4);
+
+ DO("render message",
+ isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+ isc_buffer_init(&b, databuf->base, 4);
+ isc_buffer_putuint32(&b, databuf->used - 4);
+
+ r.base = databuf->base;
+ r.length = databuf->used;
+
+ isccc_ccmsg_init(rndc_mctx, sock, &ccmsg);
+ isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
+
+ DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+ rndc_recvnonce, NULL));
+ recvs++;
+ DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+ NULL));
+ sends++;
+ isc_event_free(&event);
+ isccc_sexpr_free(&request);
+}
+
+static void
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
+ isc_result_t result;
+ int pf;
+ isc_sockettype_t type;
+
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, socktext, sizeof(socktext));
+
+ notify("using server %s (%s)", servername, socktext);
+
+ pf = isc_sockaddr_pf(addr);
+ if (pf == AF_INET || pf == AF_INET6)
+ type = isc_sockettype_tcp;
+ else
+ type = isc_sockettype_unix;
+ DO("create socket", isc_socket_create(socketmgr, pf, type, &sock));
+ switch (isc_sockaddr_pf(addr)) {
+ case AF_INET:
+ DO("bind socket", isc_socket_bind(sock, &local4, 0));
+ break;
+ case AF_INET6:
+ DO("bind socket", isc_socket_bind(sock, &local6, 0));
+ break;
+ default:
+ break;
+ }
+ DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
+ NULL));
+ connects++;
+}
+
+static void
+rndc_start(isc_task_t *task, isc_event_t *event) {
+ isc_event_free(&event);
+
+ currentaddr = 0;
+ rndc_startconnect(&serveraddrs[currentaddr], task);
+}
+
+static void
+parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+ cfg_parser_t **pctxp, cfg_obj_t **configp)
+{
+ isc_result_t result;
+ const char *conffile = admin_conffile;
+ const cfg_obj_t *addresses = NULL;
+ const cfg_obj_t *defkey = NULL;
+ const cfg_obj_t *options = NULL;
+ const cfg_obj_t *servers = NULL;
+ const cfg_obj_t *server = NULL;
+ const cfg_obj_t *keys = NULL;
+ const cfg_obj_t *key = NULL;
+ const cfg_obj_t *defport = NULL;
+ const cfg_obj_t *secretobj = NULL;
+ const cfg_obj_t *algorithmobj = NULL;
+ cfg_obj_t *config = NULL;
+ const cfg_obj_t *address = NULL;
+ const cfg_listelt_t *elt;
+ const char *secretstr;
+ const char *algorithmstr;
+ static char secretarray[1024];
+ const cfg_type_t *conftype = &cfg_type_rndcconf;
+ bool key_only = false;
+ const cfg_listelt_t *element;
+
+ if (! isc_file_exists(conffile)) {
+ conffile = admin_keyfile;
+ conftype = &cfg_type_rndckey;
+
+ if (c_flag)
+ fatal("%s does not exist", admin_conffile);
+
+ if (! isc_file_exists(conffile))
+ fatal("neither %s nor %s was found",
+ admin_conffile, admin_keyfile);
+ key_only = true;
+ } else if (! c_flag && isc_file_exists(admin_keyfile)) {
+ fprintf(stderr, "WARNING: key file (%s) exists, but using "
+ "default configuration file (%s)\n",
+ admin_keyfile, admin_conffile);
+ }
+
+ DO("create parser", cfg_parser_create(mctx, log, pctxp));
+
+ /*
+ * The parser will output its own errors, so DO() is not used.
+ */
+ result = cfg_parse_file(*pctxp, conffile, conftype, &config);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not load rndc configuration");
+
+ if (!key_only)
+ (void)cfg_map_get(config, "options", &options);
+
+ if (key_only && servername == NULL)
+ servername = "127.0.0.1";
+ else if (servername == NULL && options != NULL) {
+ const cfg_obj_t *defserverobj = NULL;
+ (void)cfg_map_get(options, "default-server", &defserverobj);
+ if (defserverobj != NULL)
+ servername = cfg_obj_asstring(defserverobj);
+ }
+
+ if (servername == NULL)
+ fatal("no server specified and no default");
+
+ if (!key_only) {
+ (void)cfg_map_get(config, "server", &servers);
+ if (servers != NULL) {
+ for (elt = cfg_list_first(servers);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ {
+ const char *name;
+ server = cfg_listelt_value(elt);
+ name = cfg_obj_asstring(cfg_map_getname(server));
+ if (strcasecmp(name, servername) == 0)
+ break;
+ server = NULL;
+ }
+ }
+ }
+
+ /*
+ * Look for the name of the key to use.
+ */
+ if (keyname != NULL)
+ ; /* Was set on command line, do nothing. */
+ else if (server != NULL) {
+ DO("get key for server", cfg_map_get(server, "key", &defkey));
+ keyname = cfg_obj_asstring(defkey);
+ } else if (options != NULL) {
+ DO("get default key", cfg_map_get(options, "default-key",
+ &defkey));
+ keyname = cfg_obj_asstring(defkey);
+ } else if (!key_only)
+ fatal("no key for server and no default");
+
+ /*
+ * Get the key's definition.
+ */
+ if (key_only)
+ DO("get key", cfg_map_get(config, "key", &key));
+ else {
+ DO("get config key list", cfg_map_get(config, "key", &keys));
+ for (elt = cfg_list_first(keys);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ {
+ key = cfg_listelt_value(elt);
+ if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
+ keyname) == 0)
+ break;
+ }
+ if (elt == NULL)
+ fatal("no key definition for name %s", keyname);
+ }
+ (void)cfg_map_get(key, "secret", &secretobj);
+ (void)cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithmstr = cfg_obj_asstring(algorithmobj);
+
+#ifndef PK11_MD5_DISABLE
+ if (strcasecmp(algorithmstr, "hmac-md5") == 0)
+ algorithm = ISCCC_ALG_HMACMD5;
+ else
+#endif
+ if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+ algorithm = ISCCC_ALG_HMACSHA1;
+ else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
+ algorithm = ISCCC_ALG_HMACSHA224;
+ else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
+ algorithm = ISCCC_ALG_HMACSHA256;
+ else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
+ algorithm = ISCCC_ALG_HMACSHA384;
+ else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
+ algorithm = ISCCC_ALG_HMACSHA512;
+ else
+ fatal("unsupported algorithm: %s", algorithmstr);
+
+ secret.rstart = (unsigned char *)secretarray;
+ secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
+ DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
+ secret.rend = secret.rstart;
+ secret.rstart = (unsigned char *)secretarray;
+
+ /*
+ * Find the port to connect to.
+ */
+ if (remoteport != 0)
+ ; /* Was set on command line, do nothing. */
+ else {
+ if (server != NULL)
+ (void)cfg_map_get(server, "port", &defport);
+ if (defport == NULL && options != NULL)
+ (void)cfg_map_get(options, "default-port", &defport);
+ }
+ if (defport != NULL) {
+ remoteport = cfg_obj_asuint32(defport);
+ if (remoteport > 65535 || remoteport == 0)
+ fatal("port %u out of range", remoteport);
+ } else if (remoteport == 0)
+ remoteport = NS_CONTROL_PORT;
+
+ if (server != NULL)
+ result = cfg_map_get(server, "addresses", &addresses);
+ else
+ result = ISC_R_NOTFOUND;
+ if (result == ISC_R_SUCCESS) {
+ for (element = cfg_list_first(addresses);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ isc_sockaddr_t sa;
+
+ address = cfg_listelt_value(element);
+ if (!cfg_obj_issockaddr(address)) {
+ unsigned int myport;
+ const char *name;
+ const cfg_obj_t *obj;
+
+ obj = cfg_tuple_get(address, "name");
+ name = cfg_obj_asstring(obj);
+ obj = cfg_tuple_get(address, "port");
+ if (cfg_obj_isuint32(obj)) {
+ myport = cfg_obj_asuint32(obj);
+ if (myport > UINT16_MAX ||
+ myport == 0)
+ fatal("port %u out of range",
+ myport);
+ } else
+ myport = remoteport;
+ if (nserveraddrs < SERVERADDRS)
+ get_addresses(name, (in_port_t) myport);
+ else
+ fprintf(stderr, "too many address: "
+ "%s: dropped\n", name);
+ continue;
+ }
+ sa = *cfg_obj_assockaddr(address);
+ if (isc_sockaddr_getport(&sa) == 0)
+ isc_sockaddr_setport(&sa, remoteport);
+ if (nserveraddrs < SERVERADDRS)
+ serveraddrs[nserveraddrs++] = sa;
+ else {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(&sa, socktext,
+ sizeof(socktext));
+ fprintf(stderr,
+ "too many address: %s: dropped\n",
+ socktext);
+ }
+ }
+ }
+
+ if (!local4set && server != NULL) {
+ address = NULL;
+ cfg_map_get(server, "source-address", &address);
+ if (address != NULL) {
+ local4 = *cfg_obj_assockaddr(address);
+ local4set = true;
+ }
+ }
+ if (!local4set && options != NULL) {
+ address = NULL;
+ cfg_map_get(options, "default-source-address", &address);
+ if (address != NULL) {
+ local4 = *cfg_obj_assockaddr(address);
+ local4set = true;
+ }
+ }
+
+ if (!local6set && server != NULL) {
+ address = NULL;
+ cfg_map_get(server, "source-address-v6", &address);
+ if (address != NULL) {
+ local6 = *cfg_obj_assockaddr(address);
+ local6set = true;
+ }
+ }
+ if (!local6set && options != NULL) {
+ address = NULL;
+ cfg_map_get(options, "default-source-address-v6", &address);
+ if (address != NULL) {
+ local6 = *cfg_obj_assockaddr(address);
+ local6set = true;
+ }
+ }
+
+ *configp = config;
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result = ISC_R_SUCCESS;
+ bool show_final_mem = false;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_task_t *task = NULL;
+ isc_log_t *log = NULL;
+ isc_logconfig_t *logconfig = NULL;
+ isc_logdestination_t logdest;
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *config = NULL;
+ const char *keyname = NULL;
+ struct in_addr in;
+ struct in6_addr in6;
+ char *p;
+ size_t argslen;
+ int ch;
+ int i;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memmove(program, "rndc", 5);
+ progname = program;
+
+ admin_conffile = RNDC_CONFFILE;
+ admin_keyfile = RNDC_KEYFILE;
+
+ isc_sockaddr_any(&local4);
+ isc_sockaddr_any6(&local6);
+
+ result = isc_app_start();
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_app_start() failed: %s", isc_result_totext(result));
+
+ isc_commandline_errprint = false;
+
+ while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:qrs:Vy:"))
+ != -1) {
+ switch (ch) {
+ case 'b':
+ if (inet_pton(AF_INET, isc_commandline_argument,
+ &in) == 1) {
+ isc_sockaddr_fromin(&local4, &in, 0);
+ local4set = true;
+ } else if (inet_pton(AF_INET6, isc_commandline_argument,
+ &in6) == 1) {
+ isc_sockaddr_fromin6(&local6, &in6, 0);
+ local6set = true;
+ }
+ break;
+
+ case 'c':
+ admin_conffile = isc_commandline_argument;
+ c_flag = true;
+ break;
+
+ case 'k':
+ admin_keyfile = isc_commandline_argument;
+ break;
+
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+
+ case 'm':
+ show_final_mem = true;
+ break;
+
+ case 'p':
+ remoteport = atoi(isc_commandline_argument);
+ if (remoteport > 65535 || remoteport == 0)
+ fatal("port '%s' out of range",
+ isc_commandline_argument);
+ break;
+
+ case 'q':
+ quiet = true;
+ break;
+
+ case 'r':
+ showresult = true;
+ break;
+
+ case 's':
+ servername = isc_commandline_argument;
+ break;
+
+ case 'V':
+ verbose = true;
+ break;
+
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ }
+ /* FALLTHROUGH */
+ case 'h':
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc < 1)
+ usage(1);
+
+ isc_random_get(&serial);
+
+ DO("create memory context", isc_mem_create(0, 0, &rndc_mctx));
+ DO("create socket manager", isc_socketmgr_create(rndc_mctx, &socketmgr));
+ DO("create task manager", isc_taskmgr_create(rndc_mctx, 1, 0, &taskmgr));
+ DO("create task", isc_task_create(taskmgr, 0, &task));
+
+ DO("create logging context", isc_log_create(rndc_mctx, &log, &logconfig));
+ isc_log_setcontext(log);
+ DO("setting log tag", isc_log_settag(logconfig, progname));
+ logdest.file.stream = stderr;
+ logdest.file.name = NULL;
+ logdest.file.versions = ISC_LOG_ROLLNEVER;
+ logdest.file.maximum_size = 0;
+ DO("creating log channel",
+ isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest,
+ ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL));
+ DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL));
+
+ parse_config(rndc_mctx, log, keyname, &pctx, &config);
+
+ isccc_result_register();
+
+ command = *argv;
+
+ DO("allocate data buffer",
+ isc_buffer_allocate(rndc_mctx, &databuf, 2048));
+
+ /*
+ * Convert argc/argv into a space-delimited command string
+ * similar to what the user might enter in interactive mode
+ * (if that were implemented).
+ */
+ argslen = 0;
+ for (i = 0; i < argc; i++)
+ argslen += strlen(argv[i]) + 1;
+
+ args = isc_mem_get(rndc_mctx, argslen);
+ if (args == NULL)
+ DO("isc_mem_get", ISC_R_NOMEMORY);
+
+ p = args;
+ for (i = 0; i < argc; i++) {
+ size_t len = strlen(argv[i]);
+ memmove(p, argv[i], len);
+ p += len;
+ *p++ = ' ';
+ }
+
+ p--;
+ *p++ = '\0';
+ INSIST(p == args + argslen);
+
+ notify("%s", command);
+
+ if (strcmp(command, "restart") == 0)
+ fatal("'%s' is not implemented", command);
+
+ if (nserveraddrs == 0)
+ get_addresses(servername, (in_port_t) remoteport);
+
+ DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
+
+ result = isc_app_run();
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_app_run() failed: %s", isc_result_totext(result));
+
+ if (connects > 0 || sends > 0 || recvs > 0)
+ isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+
+ isc_task_detach(&task);
+ isc_taskmgr_destroy(&taskmgr);
+ isc_socketmgr_destroy(&socketmgr);
+ isc_log_destroy(&log);
+ isc_log_setcontext(NULL);
+
+ cfg_obj_destroy(pctx, &config);
+ cfg_parser_destroy(&pctx);
+
+ isc_mem_put(rndc_mctx, args, argslen);
+ isccc_ccmsg_invalidate(&ccmsg);
+
+ dns_name_destroy();
+
+ isc_buffer_free(&databuf);
+
+ if (show_final_mem)
+ isc_mem_stats(rndc_mctx, stderr);
+
+ isc_mem_destroy(&rndc_mctx);
+
+ if (failed)
+ return (1);
+
+ return (0);
+}
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
new file mode 100644
index 0000000..6800331
--- /dev/null
+++ b/bin/rndc/rndc.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+ default-server localhost;
+ default-key "key";
+};
+
+server localhost {
+ key "key";
+};
+
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+ algorithm hmac-sha256;
+ secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+server "test1" {
+ key "cc64b3d1db63fc88d7cb5d2f9f57d258";
+ port 5353;
+ addresses { 10.53.0.1; };
+};
+
+key "key" {
+ algorithm hmac-sha256;
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
new file mode 100644
index 0000000..056ea6c
--- /dev/null
+++ b/bin/rndc/rndc.conf.5
@@ -0,0 +1,234 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\" Title: rndc.conf
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 2013-03-14
+.\" Manual: BIND9
+.\" Source: ISC
+.\" Language: English
+.\"
+.TH "RNDC\&.CONF" "5" "2013\-03\-14" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+rndc.conf \- rndc configuration file
+.SH "SYNOPSIS"
+.HP \w'\fBrndc\&.conf\fR\ 'u
+\fBrndc\&.conf\fR
+.SH "DESCRIPTION"
+.PP
+rndc\&.conf
+is the configuration file for
+\fBrndc\fR, the BIND 9 name server control utility\&. This file has a similar structure and syntax to
+named\&.conf\&. Statements are enclosed in braces and terminated with a semi\-colon\&. Clauses in the statements are also semi\-colon terminated\&. The usual comment styles are supported:
+.PP
+C style: /* */
+.PP
+C++ style: // to end of line
+.PP
+Unix style: # to end of line
+.PP
+rndc\&.conf
+is much simpler than
+named\&.conf\&. The file uses three statements: an options statement, a server statement and a key statement\&.
+.PP
+The
+\fBoptions\fR
+statement contains five clauses\&. The
+\fBdefault\-server\fR
+clause is followed by the name or address of a name server\&. This host will be used when no name server is given as an argument to
+\fBrndc\fR\&. The
+\fBdefault\-key\fR
+clause is followed by the name of a key which is identified by a
+\fBkey\fR
+statement\&. If no
+\fBkeyid\fR
+is provided on the rndc command line, and no
+\fBkey\fR
+clause is found in a matching
+\fBserver\fR
+statement, this default key will be used to authenticate the server\*(Aqs commands and responses\&. The
+\fBdefault\-port\fR
+clause is followed by the port to connect to on the remote name server\&. If no
+\fBport\fR
+option is provided on the rndc command line, and no
+\fBport\fR
+clause is found in a matching
+\fBserver\fR
+statement, this default port will be used to connect\&. The
+\fBdefault\-source\-address\fR
+and
+\fBdefault\-source\-address\-v6\fR
+clauses which can be used to set the IPv4 and IPv6 source addresses respectively\&.
+.PP
+After the
+\fBserver\fR
+keyword, the server statement includes a string which is the hostname or address for a name server\&. The statement has three possible clauses:
+\fBkey\fR,
+\fBport\fR
+and
+\fBaddresses\fR\&. The key name must match the name of a key statement in the file\&. The port number specifies the port to connect to\&. If an
+\fBaddresses\fR
+clause is supplied these addresses will be used instead of the server name\&. Each address can take an optional port\&. If an
+\fBsource\-address\fR
+or
+\fBsource\-address\-v6\fR
+of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively\&.
+.PP
+The
+\fBkey\fR
+statement begins with an identifying string, the name of the key\&. The statement has two clauses\&.
+\fBalgorithm\fR
+identifies the authentication algorithm for
+\fBrndc\fR
+to use; currently only HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512 are supported\&. This is followed by a secret clause which contains the base\-64 encoding of the algorithm\*(Aqs authentication key\&. The base\-64 string is enclosed in double quotes\&.
+.PP
+There are two common ways to generate the base\-64 string for the secret\&. The BIND 9 program
+\fBrndc\-confgen\fR
+can be used to generate a random key, or the
+\fBmmencode\fR
+program, also known as
+\fBmimencode\fR, can be used to generate a base\-64 string from known input\&.
+\fBmmencode\fR
+does not ship with BIND 9 but is available on many systems\&. See the EXAMPLE section for sample command lines for each\&.
+.SH "EXAMPLE"
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ options {
+ default\-server localhost;
+ default\-key samplekey;
+ };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ server localhost {
+ key samplekey;
+ };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ server testserver {
+ key testkey;
+ addresses { localhost port 5353; };
+ };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ key samplekey {
+ algorithm hmac\-sha256;
+ secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+ };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+ key testkey {
+ algorithm hmac\-sha256;
+ secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
+ };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+In the above example,
+\fBrndc\fR
+will by default use the server at localhost (127\&.0\&.0\&.1) and the key called samplekey\&. Commands to the localhost server will use the samplekey key, which must also be defined in the server\*(Aqs configuration file with the same name and secret\&. The key statement indicates that samplekey uses the HMAC\-SHA256 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes\&.
+.PP
+If
+\fBrndc \-s testserver\fR
+is used then
+\fBrndc\fR
+will connect to server on localhost port 5353 using the key testkey\&.
+.PP
+To generate a random secret with
+\fBrndc\-confgen\fR:
+.PP
+\fBrndc\-confgen\fR
+.PP
+A complete
+rndc\&.conf
+file, including the randomly generated key, will be written to the standard output\&. Commented\-out
+\fBkey\fR
+and
+\fBcontrols\fR
+statements for
+named\&.conf
+are also printed\&.
+.PP
+To generate a base\-64 secret with
+\fBmmencode\fR:
+.PP
+\fBecho "known plaintext for a secret" | mmencode\fR
+.SH "NAME SERVER CONFIGURATION"
+.PP
+The name server must be configured to accept rndc connections and to recognize the key specified in the
+rndc\&.conf
+file, using the controls statement in
+named\&.conf\&. See the sections on the
+\fBcontrols\fR
+statement in the BIND 9 Administrator Reference Manual for details\&.
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc-confgen\fR(8),
+\fBmmencode\fR(1),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
new file mode 100644
index 0000000..a021526
--- /dev/null
+++ b/bin/rndc/rndc.conf.docbook
@@ -0,0 +1,241 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
+ <info>
+ <date>2013-03-14</date>
+ </info>
+ <refentryinfo>
+ <corpname>ISC</corpname>
+ <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><filename>rndc.conf</filename></refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><filename>rndc.conf</filename></refname>
+ <refpurpose>rndc configuration file</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2000</year>
+ <year>2001</year>
+ <year>2004</year>
+ <year>2005</year>
+ <year>2007</year>
+ <year>2013</year>
+ <year>2014</year>
+ <year>2015</year>
+ <year>2016</year>
+ <year>2018</year>
+ <year>2019</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis sepchar=" ">
+ <command>rndc.conf</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection><info><title>DESCRIPTION</title></info>
+
+ <para><filename>rndc.conf</filename> is the configuration file
+ for <command>rndc</command>, the BIND 9 name server control
+ utility. This file has a similar structure and syntax to
+ <filename>named.conf</filename>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </para>
+ <para>
+ C style: /* */
+ </para>
+ <para>
+ C++ style: // to end of line
+ </para>
+ <para>
+ Unix style: # to end of line
+ </para>
+ <para><filename>rndc.conf</filename> is much simpler than
+ <filename>named.conf</filename>. The file uses three
+ statements: an options statement, a server statement
+ and a key statement.
+ </para>
+ <para>
+ The <option>options</option> statement contains five clauses.
+ The <option>default-server</option> clause is followed by the
+ name or address of a name server. This host will be used when
+ no name server is given as an argument to
+ <command>rndc</command>. The <option>default-key</option>
+ clause is followed by the name of a key which is identified by
+ a <option>key</option> statement. If no
+ <option>keyid</option> is provided on the rndc command line,
+ and no <option>key</option> clause is found in a matching
+ <option>server</option> statement, this default key will be
+ used to authenticate the server's commands and responses. The
+ <option>default-port</option> clause is followed by the port
+ to connect to on the remote name server. If no
+ <option>port</option> option is provided on the rndc command
+ line, and no <option>port</option> clause is found in a
+ matching <option>server</option> statement, this default port
+ will be used to connect.
+ The <option>default-source-address</option> and
+ <option>default-source-address-v6</option> clauses which
+ can be used to set the IPv4 and IPv6 source addresses
+ respectively.
+ </para>
+ <para>
+ After the <option>server</option> keyword, the server
+ statement includes a string which is the hostname or address
+ for a name server. The statement has three possible clauses:
+ <option>key</option>, <option>port</option> and
+ <option>addresses</option>. The key name must match the
+ name of a key statement in the file. The port number
+ specifies the port to connect to. If an <option>addresses</option>
+ clause is supplied these addresses will be used instead of
+ the server name. Each address can take an optional port.
+ If an <option>source-address</option> or <option>source-address-v6</option>
+ of supplied then these will be used to specify the IPv4 and IPv6
+ source addresses respectively.
+ </para>
+ <para>
+ The <option>key</option> statement begins with an identifying
+ string, the name of the key. The statement has two clauses.
+ <option>algorithm</option> identifies the authentication algorithm
+ for <command>rndc</command> to use; currently only HMAC-MD5
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+ (default), HMAC-SHA384 and HMAC-SHA512 are
+ supported. This is followed by a secret clause which contains
+ the base-64 encoding of the algorithm's authentication key. The
+ base-64 string is enclosed in double quotes.
+ </para>
+ <para>
+ There are two common ways to generate the base-64 string for the
+ secret. The BIND 9 program <command>rndc-confgen</command>
+ can
+ be used to generate a random key, or the
+ <command>mmencode</command> program, also known as
+ <command>mimencode</command>, can be used to generate a
+ base-64
+ string from known input. <command>mmencode</command> does
+ not
+ ship with BIND 9 but is available on many systems. See the
+ EXAMPLE section for sample command lines for each.
+ </para>
+ </refsection>
+
+ <refsection><info><title>EXAMPLE</title></info>
+
+
+ <para><programlisting>
+ options {
+ default-server localhost;
+ default-key samplekey;
+ };
+</programlisting>
+ </para>
+ <para><programlisting>
+ server localhost {
+ key samplekey;
+ };
+</programlisting>
+ </para>
+ <para><programlisting>
+ server testserver {
+ key testkey;
+ addresses { localhost port 5353; };
+ };
+</programlisting>
+ </para>
+ <para><programlisting>
+ key samplekey {
+ algorithm hmac-sha256;
+ secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+ };
+</programlisting>
+ </para>
+ <para><programlisting>
+ key testkey {
+ algorithm hmac-sha256;
+ secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
+ };
+ </programlisting>
+ </para>
+
+ <para>
+ In the above example, <command>rndc</command> will by
+ default use
+ the server at localhost (127.0.0.1) and the key called samplekey.
+ Commands to the localhost server will use the samplekey key, which
+ must also be defined in the server's configuration file with the
+ same name and secret. The key statement indicates that samplekey
+ uses the HMAC-SHA256 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
+ </para>
+ <para>
+ If <command>rndc -s testserver</command> is used then <command>rndc</command> will
+ connect to server on localhost port 5353 using the key testkey.
+ </para>
+ <para>
+ To generate a random secret with <command>rndc-confgen</command>:
+ </para>
+ <para><userinput>rndc-confgen</userinput>
+ </para>
+ <para>
+ A complete <filename>rndc.conf</filename> file, including
+ the
+ randomly generated key, will be written to the standard
+ output. Commented-out <option>key</option> and
+ <option>controls</option> statements for
+ <filename>named.conf</filename> are also printed.
+ </para>
+ <para>
+ To generate a base-64 secret with <command>mmencode</command>:
+ </para>
+ <para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
+ </para>
+ </refsection>
+
+ <refsection><info><title>NAME SERVER CONFIGURATION</title></info>
+
+ <para>
+ The name server must be configured to accept rndc connections and
+ to recognize the key specified in the <filename>rndc.conf</filename>
+ file, using the controls statement in <filename>named.conf</filename>.
+ See the sections on the <option>controls</option> statement in the
+ BIND 9 Administrator Reference Manual for details.
+ </para>
+ </refsection>
+
+ <refsection><info><title>SEE ALSO</title></info>
+
+ <para><citerefentry>
+ <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsection>
+
+</refentry>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
new file mode 100644
index 0000000..c7ca53e
--- /dev/null
+++ b/bin/rndc/rndc.conf.html
@@ -0,0 +1,234 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc.conf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.rndc.conf"></a><div class="titlepage"></div>
+
+
+
+
+
+ <div class="refnamediv">
+<h2>Name</h2>
+<p>
+ <code class="filename">rndc.conf</code>
+ &#8212; rndc configuration file
+ </p>
+</div>
+
+
+
+ <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+ <div class="cmdsynopsis"><p>
+ <code class="command">rndc.conf</code>
+ </p></div>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+ <p><code class="filename">rndc.conf</code> is the configuration file
+ for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
+ utility. This file has a similar structure and syntax to
+ <code class="filename">named.conf</code>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </p>
+ <p>
+ C style: /* */
+ </p>
+ <p>
+ C++ style: // to end of line
+ </p>
+ <p>
+ Unix style: # to end of line
+ </p>
+ <p><code class="filename">rndc.conf</code> is much simpler than
+ <code class="filename">named.conf</code>. The file uses three
+ statements: an options statement, a server statement
+ and a key statement.
+ </p>
+ <p>
+ The <code class="option">options</code> statement contains five clauses.
+ The <code class="option">default-server</code> clause is followed by the
+ name or address of a name server. This host will be used when
+ no name server is given as an argument to
+ <span class="command"><strong>rndc</strong></span>. The <code class="option">default-key</code>
+ clause is followed by the name of a key which is identified by
+ a <code class="option">key</code> statement. If no
+ <code class="option">keyid</code> is provided on the rndc command line,
+ and no <code class="option">key</code> clause is found in a matching
+ <code class="option">server</code> statement, this default key will be
+ used to authenticate the server's commands and responses. The
+ <code class="option">default-port</code> clause is followed by the port
+ to connect to on the remote name server. If no
+ <code class="option">port</code> option is provided on the rndc command
+ line, and no <code class="option">port</code> clause is found in a
+ matching <code class="option">server</code> statement, this default port
+ will be used to connect.
+ The <code class="option">default-source-address</code> and
+ <code class="option">default-source-address-v6</code> clauses which
+ can be used to set the IPv4 and IPv6 source addresses
+ respectively.
+ </p>
+ <p>
+ After the <code class="option">server</code> keyword, the server
+ statement includes a string which is the hostname or address
+ for a name server. The statement has three possible clauses:
+ <code class="option">key</code>, <code class="option">port</code> and
+ <code class="option">addresses</code>. The key name must match the
+ name of a key statement in the file. The port number
+ specifies the port to connect to. If an <code class="option">addresses</code>
+ clause is supplied these addresses will be used instead of
+ the server name. Each address can take an optional port.
+ If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
+ of supplied then these will be used to specify the IPv4 and IPv6
+ source addresses respectively.
+ </p>
+ <p>
+ The <code class="option">key</code> statement begins with an identifying
+ string, the name of the key. The statement has two clauses.
+ <code class="option">algorithm</code> identifies the authentication algorithm
+ for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
+ (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+ (default), HMAC-SHA384 and HMAC-SHA512 are
+ supported. This is followed by a secret clause which contains
+ the base-64 encoding of the algorithm's authentication key. The
+ base-64 string is enclosed in double quotes.
+ </p>
+ <p>
+ There are two common ways to generate the base-64 string for the
+ secret. The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
+ can
+ be used to generate a random key, or the
+ <span class="command"><strong>mmencode</strong></span> program, also known as
+ <span class="command"><strong>mimencode</strong></span>, can be used to generate a
+ base-64
+ string from known input. <span class="command"><strong>mmencode</strong></span> does
+ not
+ ship with BIND 9 but is available on many systems. See the
+ EXAMPLE section for sample command lines for each.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.8"></a><h2>EXAMPLE</h2>
+
+
+ <pre class="programlisting">
+ options {
+ default-server localhost;
+ default-key samplekey;
+ };
+</pre>
+<p>
+ </p>
+ <pre class="programlisting">
+ server localhost {
+ key samplekey;
+ };
+</pre>
+<p>
+ </p>
+ <pre class="programlisting">
+ server testserver {
+ key testkey;
+ addresses { localhost port 5353; };
+ };
+</pre>
+<p>
+ </p>
+ <pre class="programlisting">
+ key samplekey {
+ algorithm hmac-sha256;
+ secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+ };
+</pre>
+<p>
+ </p>
+ <pre class="programlisting">
+ key testkey {
+ algorithm hmac-sha256;
+ secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
+ };
+ </pre>
+<p>
+ </p>
+
+ <p>
+ In the above example, <span class="command"><strong>rndc</strong></span> will by
+ default use
+ the server at localhost (127.0.0.1) and the key called samplekey.
+ Commands to the localhost server will use the samplekey key, which
+ must also be defined in the server's configuration file with the
+ same name and secret. The key statement indicates that samplekey
+ uses the HMAC-SHA256 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
+ </p>
+ <p>
+ If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
+ connect to server on localhost port 5353 using the key testkey.
+ </p>
+ <p>
+ To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
+ </p>
+ <p><strong class="userinput"><code>rndc-confgen</code></strong>
+ </p>
+ <p>
+ A complete <code class="filename">rndc.conf</code> file, including
+ the
+ randomly generated key, will be written to the standard
+ output. Commented-out <code class="option">key</code> and
+ <code class="option">controls</code> statements for
+ <code class="filename">named.conf</code> are also printed.
+ </p>
+ <p>
+ To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
+ </p>
+ <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.9"></a><h2>NAME SERVER CONFIGURATION</h2>
+
+ <p>
+ The name server must be configured to accept rndc connections and
+ to recognize the key specified in the <code class="filename">rndc.conf</code>
+ file, using the controls statement in <code class="filename">named.conf</code>.
+ See the sections on the <code class="option">controls</code> statement in the
+ BIND 9 Administrator Reference Manual for details.
+ </p>
+ </div>
+
+ <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+ <p><span class="citerefentry">
+ <span class="refentrytitle">rndc</span>(8)
+ </span>,
+ <span class="citerefentry">
+ <span class="refentrytitle">rndc-confgen</span>(8)
+ </span>,
+ <span class="citerefentry">
+ <span class="refentrytitle">mmencode</span>(1)
+ </span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+ </div>
+
+</div></body>
+</html>