NAME

rndc.conf - rndc configuration file

SYNOPSIS

rrnnddcc..ccoonnff

DESCRIPTION

_r_n_d_c_._c_o_n_f is the configuration file for rrnnddcc, the BIND 9 name server control utility. This file has a similar structure and syntax to _n_a_m_e_d_._c_o_n_f. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

C style: /* */

C++ style: // to end of line

Unix style: # to end of line

_r_n_d_c_._c_o_n_f is much simpler than _n_a_m_e_d_._c_o_n_f. The file uses three statements: an options statement, a server statement and a key statement.

The ooppttiioonnss statement contains five clauses. The ddeeffaauulltt--sseerrvveerr clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to rrnnddcc. The ddeeffaauulltt--kkeeyy clause is followed by the name of a key which is identified by a kkeeyy statement. If no kkeeyyiidd is provided on the rndc command line, and no kkeeyy clause is found in a matching sseerrvveerr statement, this default key will be used to authenticate the server's commands and responses. The ddeeffaauulltt--ppoorrtt clause is followed by the port to connect to on the remote name server. If no ppoorrtt option is provided on the rndc command line, and no ppoorrtt clause is found in a matching sseerrvveerr statement, this default port will be used to connect. The ddeeffaauulltt--ssoouurrccee--aaddddrreessss and ddeeffaauulltt--ssoouurrccee--aaddddrreessss--vv66 clauses which can be used to set the IPv4 and IPv6 source addresses respectively.

After the sseerrvveerr keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: kkeeyy, ppoorrtt and aaddddrreesssseess. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an aaddddrreesssseess clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an ssoouurrccee--aaddddrreessss or ssoouurrccee--aaddddrreessss--vv66 of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

The kkeeyy statement begins with an identifying string, the name of the key. The statement has two clauses. aallggoorriitthhmm identifies the encryption algorithm for rrnnddcc to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.

There are two common ways to generate the base-64 string for the secret. The BIND 9 program rrnnddcc--ccoonnffggeenn can be used to generate a random key, or the mmmmeennccooddee program, also known as mmiimmeennccooddee, can be used to generate a base-64 string from known input. mmmmeennccooddee does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.

EXAMPLE


      options {
        default-server  localhost;
        default-key     samplekey;
      };



      server localhost {
        key             samplekey;
      };



      server testserver {
        key             testkey;
        addresses       { localhost port 5353; };
      };



      key samplekey {
        algorithm       hmac-md5;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };



      key testkey {
        algorithm       hmac-md5;
        secret          "R3HI8P6BKw9ZwXwN3VZKuQ==";
      };


In the above example, rrnnddcc will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC-MD5 algorithm and its secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.

If rrnnddcc --ss tteessttsseerrvveerr is used then rrnnddcc will connect to server on localhost port 5353 using the key testkey.

To generate a random secret with rrnnddcc--ccoonnffggeenn:

rrnnddcc--ccoonnffggeenn

A complete _r_n_d_c_._c_o_n_f file, including the randomly generated key, will be written to the standard output. Commented-out kkeeyy and ccoonnttrroollss statements for _n_a_m_e_d_._c_o_n_f are also printed.

To generate a base-64 secret with mmmmeennccooddee:

eecchhoo ""kknnoowwnn ppllaaiinntteexxtt ffoorr aa sseeccrreett"" || mmmmeennccooddee

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the _r_n_d_c_._c_o_n_f file, using the controls statement in _n_a_m_e_d_._c_o_n_f. See the sections on the ccoonnttrroollss statement in the BIND 9 Administrator Reference Manual for details.

SEE ALSO

rrnnddcc(8), rrnnddcc--ccoonnffggeenn(8), mmmmeennccooddee(1), BIND 9 Administrator Reference Manual.

AUTHOR

Internet Systems Consortium

Copyright © 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000, 2001 Internet Software Consortium.