James Thornton logo
James Thornton
Google
Web jamesthornton.com
Internet Business Consultant
Home Blog Bio Projects Contact Latest Blog (new site): How to Get to Genius
JamesThornton.com -> Archive -> Redhat -> Linux -> 9 -> Reference-Guide -> One Page

Red Hat Linux 9: Red Hat Linux Reference Guide
PrevChapter 12. Berkeley Internet Name Domain (BIND)Next

12.4. Using rndc

BIND includes a utility called rndc which allows command line administration of the named daemon from the localhost or from a remote host.

In order to prevent unauthorized access to the named daemon, BIND uses a shared secret key method is used to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf and the rndc configuration file, /etc/rndc.conf

12.4.1. Configuring /etc/named.conf

In order for rndc to connect to a named service, there must a controls statement in the BIND server's /etc/named.conf file.

The controls statement below shown in the following example allows rndc to connect from the localhost. 

controls {
  inet 127.0.0.1 allow { localhost; } keys { <key-name>; };
};

This statement tells named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> relates to the key statement, which is also in the /etc/named.conf file. The next example illustrates a sample key statement. 

key "<key-name>" {
  algorithm hmac-md5;
  secret "<key-value>";
};

In this case, the <key-value> is a HMAC-MD5 key. Use the following command to generate HMAC-MD5 keys: 

dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>

A key with at least a 256-bit length is a good idea. The actual key that should be placed in the <key-value> area can be found in the <key-file-name>.

CautionCaution
 

Because /etc/named.conf is world-readable, it is a good idea to place the key statement in a separate file readable only by root and then use an include statement to reference it, as in the following example: 

include "/etc/rndc.key";

12.4.2. Configuring /etc/rndc.conf

The key is the most important statement in /etc/rndc.conf. 

key "<key-name>" {
  algorithm hmac-md5;
  secret "<key-value>";
};

The <key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.

To match the keys specified in the target server's /etc/named.conf, add the following lines to /etc/rndc.conf. 

options {
  default-server  localhost;
  default-key     "<key-name>";
};

This command sets a global default key. However the rndc command can also use different keys for different servers, as in the following example: 

server localhost {
  key  "<key-name>";
};

CautionCaution
 

Make sure that only the root user can read or write to the /etc/rndc.conf file.

12.4.3. Command Line Options

An rndc command takes the following form: 

rndc <options> <command> <command-options>

When executing rndc on a properly configured localhost, the following commands are available:

  • halt — Stops the named service immediately.

  • querylog — Logs all queries made to this nameserver.

  • refresh — Refreshes the nameserver's database.

  • reload — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.

    If changes only affected a specific zone, reload only one zone by adding the name of the zone after the reload command.

  • stats — Dumps the current named statistics to the /var/named/named.stats file.

  • stop — Stops the server gracefully, saving any dynamic update and Incremental Zone Transfers (IXFR) data before exiting.

Occasionally, it may be necessary to override the default settings in the /etc/rndc.conf file. The following options are available:

  • -c <configuration-file> — Tells rndc to use a configuration file other than the default /etc/rndc.conf.

  • -p <port-number> — Specifies a port number to use for the rndc connection other than port 953, the default.

  • -s <server> — Tells rndc to send the command to a server other than the default-server specified in its configuration file.

  • -y <key-name> — Specifies a key other than the default-key option in the /etc/rndc.conf file.

Additional information about these options can be found in the rndc man page.

PrevHomeNext
Zone FilesUpAdvanced Features of BIND
Follow espeed on Twitter

James Thornton,<james@jamesthornton.com>
Services: Ecommerce Web Site Developer 		Electric Speed: Search Engine Optimization Firm