1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
|
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. _man_rndc.conf:
rndc.conf - rndc configuration file
-----------------------------------
Synopsis
~~~~~~~~
:program:`rndc.conf`
Description
~~~~~~~~~~~
``rndc.conf`` is the configuration file for ``rndc``, the BIND 9 name
server control utility. This file has a similar structure and syntax to
``named.conf``. Statements are enclosed in braces and terminated with a
semi-colon. Clauses in the statements are also semi-colon terminated.
The usual comment styles are supported:
C style: /\* \*/
C++ style: // to end of line
Unix style: # to end of line
``rndc.conf`` is much simpler than ``named.conf``. The file uses three
statements: an options statement, a server statement, and a key
statement.
The ``options`` statement contains five clauses. The ``default-server``
clause is followed by the name or address of a name server. This host
is used when no name server is given as an argument to ``rndc``.
The ``default-key`` clause is followed by the name of a key, which is
identified by a ``key`` statement. If no ``keyid`` is provided on the
rndc command line, and no ``key`` clause is found in a matching
``server`` statement, this default key is used to authenticate the
server's commands and responses. The ``default-port`` clause is followed
by the port to connect to on the remote name server. If no ``port``
option is provided on the rndc command line, and no ``port`` clause is
found in a matching ``server`` statement, this default port is used
to connect. The ``default-source-address`` and
``default-source-address-v6`` clauses can be used to set the IPv4
and IPv6 source addresses respectively.
After the ``server`` keyword, the server statement includes a string
which is the hostname or address for a name server. The statement has
three possible clauses: ``key``, ``port``, and ``addresses``. The key
name must match the name of a key statement in the file. The port number
specifies the port to connect to. If an ``addresses`` clause is supplied,
these addresses are used instead of the server name. Each address
can take an optional port. If an ``source-address`` or
``source-address-v6`` is supplied, it is used to specify the
IPv4 and IPv6 source address, respectively.
The ``key`` statement begins with an identifying string, the name of the
key. The statement has two clauses. ``algorithm`` identifies the
authentication algorithm for ``rndc`` to use; currently only HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default),
HMAC-SHA384, and HMAC-SHA512 are supported. This is followed by a secret
clause which contains the base-64 encoding of the algorithm's
authentication key. The base-64 string is enclosed in double quotes.
There are two common ways to generate the base-64 string for the secret.
The BIND 9 program ``rndc-confgen`` can be used to generate a random
key, or the ``mmencode`` program, also known as ``mimencode``, can be
used to generate a base-64 string from known input. ``mmencode`` does
not ship with BIND 9 but is available on many systems. See the Example
section for sample command lines for each.
Example
~~~~~~~
::
options {
default-server localhost;
default-key samplekey;
};
::
server localhost {
key samplekey;
};
::
server testserver {
key testkey;
addresses { localhost port 5353; };
};
::
key samplekey {
algorithm hmac-sha256;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
::
key testkey {
algorithm hmac-sha256;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
In the above example, ``rndc`` by default uses the server at
localhost (127.0.0.1) and the key called "samplekey". Commands to the
localhost server use the "samplekey" key, which must also be defined
in the server's configuration file with the same name and secret. The
key statement indicates that "samplekey" uses the HMAC-SHA256 algorithm
and its secret clause contains the base-64 encoding of the HMAC-SHA256
secret enclosed in double quotes.
If ``rndc -s testserver`` is used, then ``rndc`` connects to the server
on localhost port 5353 using the key "testkey".
To generate a random secret with ``rndc-confgen``:
``rndc-confgen``
A complete ``rndc.conf`` file, including the randomly generated key,
is written to the standard output. Commented-out ``key`` and
``controls`` statements for ``named.conf`` are also printed.
To generate a base-64 secret with ``mmencode``:
``echo "known plaintext for a secret" | mmencode``
Name Server Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~
The name server must be configured to accept rndc connections and to
recognize the key specified in the ``rndc.conf`` file, using the
controls statement in ``named.conf``. See the sections on the
``controls`` statement in the BIND 9 Administrator Reference Manual for
details.
See Also
~~~~~~~~
:manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, :manpage:`mmencode(1)`, BIND 9 Administrator Reference Manual.
|