Configuring a Name Server to Work with rndc

3.3.1 Problem

You want to use rndc, the remote name daemon controller, to control a local BIND 9 name server.

3.3.2 Solution

By far the easiest way to get rndc working with a name server is to use rndc-confgen, a program shipped with the BIND distribution. rndc, unlike ndc, its BIND 8 counterpart, requires a configuration file to work properly. The configuration file's syntax, mercifully, is very similar to that of named.conf. But rather than learning the new syntax, you can run rndc-confgen on the host that will run the name server to generate a useable configuration file. For example, running rndc-confgen might produce output like this:

$ rndc-confgen
# Start of rndc.conf
key "rndc-key" {
 algorithm hmac-md5;
 secret "LctVnbqQQPHiZJ80ZwnFDA==";

options {
 default-key "rndc-key";
 default-port 953;
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "LctVnbqQQPHiZJ80ZwnFDA==";
# };
# controls {
# inet port 953
# allow {; } keys { "rndc-key"; };
# };
# End of named.conf

The beginning of the output (the uncommented part) is the contents of rndc.conf, rndc's configuration file. rndc will expect to find it in a particular location. If you're not sure what that location is, running an innocuous command like rndc status will tell you where it's looking:

# rndc status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Save the contents of the file there.

The commented part of the file belongs in the name server's named.conf file. If you haven't already added a controls statement, you can add it to named.conf as-is.

3.3.3 Discussion

rndc-confgen appeared in BIND 9.2.0. The configuration files it generates, however, work with older versions of BIND 9, too. So if you're running a version prior to 9.2.0, you can still build 9.2.0 and use the rndc-confgen program from that distribution.

With BIND 9.2.0 and later, there's an even easier way to get this working: just run rndc-confgen -a on the host that will run the name server. This will write a key definition to the file /etc/rndc.key, which rndc and named will then use to negotiate a control channel between them. If you use this option, make sure you don't have a controls statement in named.conf or an rndc.conf file -- either of those would override the automatic configuration.

3.3.4 See Also

"rndc and controls" in Chapter 7 of DNS and BIND.

Getting Started

Zone Data

BIND Name Server Configuration

Electronic Mail

BIND Name Server Operations

Delegation and Registration


Interoperability and Upgrading

Resolvers and Programming

Logging and Troubleshooting


DNS & BIND Cookbook
DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu © 2008-2020.
If you may any questions please contact us: