1RNDC.CONF(5) BIND9 RNDC.CONF(5)
2
3
4
6 rndc.conf - rndc configuration file
7
9 rndc.conf
10
12 rndc.conf is the configuration file for rndc, the BIND 9 name server
13 control utility. This file has a similar structure and syntax to
14 named.conf. Statements are enclosed in braces and terminated with a
15 semi-colon. Clauses in the statements are also semi-colon terminated.
16 The usual comment styles are supported:
17
18 C style: /* */
19
20 C++ style: // to end of line
21
22 Unix style: # to end of line
23
24 rndc.conf is much simpler than named.conf. The file uses three
25 statements: an options statement, a server statement and a key
26 statement.
27
28 The options statement contains five clauses. The default-server clause
29 is followed by the name or address of a name server. This host will be
30 used when no name server is given as an argument to rndc. The
31 default-key clause is followed by the name of a key which is identified
32 by a key statement. If no keyid is provided on the rndc command line,
33 and no key clause is found in a matching server statement, this default
34 key will be used to authenticate the server's commands and responses.
35 The default-port clause is followed by the port to connect to on the
36 remote name server. If no port option is provided on the rndc command
37 line, and no port clause is found in a matching server statement, this
38 default port will be used to connect. The default-source-address and
39 default-source-address-v6 clauses which can be used to set the IPv4 and
40 IPv6 source addresses respectively.
41
42 After the server keyword, the server statement includes a string which
43 is the hostname or address for a name server. The statement has three
44 possible clauses: key, port and addresses. The key name must match the
45 name of a key statement in the file. The port number specifies the port
46 to connect to. If an addresses clause is supplied these addresses will
47 be used instead of the server name. Each address can take an optional
48 port. If an source-address or source-address-v6 of supplied then these
49 will be used to specify the IPv4 and IPv6 source addresses
50 respectively.
51
52 The key statement begins with an identifying string, the name of the
53 key. The statement has two clauses. algorithm identifies the
54 authentication algorithm for rndc to use; currently only HMAC-MD5 (for
55 compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default),
56 HMAC-SHA384 and HMAC-SHA512 are supported. This is followed by a secret
57 clause which contains the base-64 encoding of the algorithm's
58 authentication key. The base-64 string is enclosed in double quotes.
59
60 There are two common ways to generate the base-64 string for the
61 secret. The BIND 9 program rndc-confgen can be used to generate a
62 random key, or the mmencode program, also known as mimencode, can be
63 used to generate a base-64 string from known input. mmencode does not
64 ship with BIND 9 but is available on many systems. See the EXAMPLE
65 section for sample command lines for each.
66
68 options {
69 default-server localhost;
70 default-key samplekey;
71 };
72
73 server localhost {
74 key samplekey;
75 };
76
77 server testserver {
78 key testkey;
79 addresses { localhost port 5353; };
80 };
81
82 key samplekey {
83 algorithm hmac-sha256;
84 secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
85 };
86
87 key testkey {
88 algorithm hmac-sha256;
89 secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
90 };
91
92 In the above example, rndc will by default use the server at localhost
93 (127.0.0.1) and the key called samplekey. Commands to the localhost
94 server will use the samplekey key, which must also be defined in the
95 server's configuration file with the same name and secret. The key
96 statement indicates that samplekey uses the HMAC-SHA256 algorithm and
97 its secret clause contains the base-64 encoding of the HMAC-SHA256
98 secret enclosed in double quotes.
99
100 If rndc -s testserver is used then rndc will connect to server on
101 localhost port 5353 using the key testkey.
102
103 To generate a random secret with rndc-confgen:
104
105 rndc-confgen
106
107 A complete rndc.conf file, including the randomly generated key, will
108 be written to the standard output. Commented-out key and controls
109 statements for named.conf are also printed.
110
111 To generate a base-64 secret with mmencode:
112
113 echo "known plaintext for a secret" | mmencode
114
116 The name server must be configured to accept rndc connections and to
117 recognize the key specified in the rndc.conf file, using the controls
118 statement in named.conf. See the sections on the controls statement in
119 the BIND 9 Administrator Reference Manual for details.
120
122 rndc(8), rndc-confgen(8), mmencode(1), BIND 9 Administrator Reference
123 Manual.
124
126 Internet Systems Consortium, Inc.
127
129 Copyright © 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019
130 Internet Systems Consortium, Inc. ("ISC")
131
132
133
134ISC 2013-03-14 RNDC.CONF(5)