Configuring a Name Server to Work with rndc

3.3.1 Problem

You want to use rndc, the remote name daemon controller, to control a local BIND 9 name server.

3.3.2 Solution

By far the easiest way to get rndc working with a name server is to use rndc-confgen, a program shipped with the BIND distribution. rndc, unlike ndc, its BIND 8 counterpart, requires a configuration file to work properly. The configuration file's syntax, mercifully, is very similar to that of named.conf. But rather than learning the new syntax, you can run rndc-confgen on the host that will run the name server to generate a usable configuration file. For example, running rndc-confgen might produce output like this:

$ rndc-confgen
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "LctVnbqQQPHiZJ80ZwnFDA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "LctVnbqQQPHiZJ80ZwnFDA==";
# };
# 
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

The beginning of the output (the uncommented part) is the contents of rndc.conf, rndc's configuration file. rndc will expect to find it in a particular location. If you're not sure what that location is, running an innocuous command like rndc status will tell you where it's looking:

# rndc status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Save the contents of the file there.

The commented part of the file belongs in the name server's named.conf file. If you haven't already added a controls statement, you can add it to named.conf as-is.
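As an added example (not code from the book), a POSIX shell script that performs the split the recipe describes: the uncommented part of rndc-confgen's output goes to rndc.conf, the commented part is uncommented into a named.conf snippet, and the secrets in the two files are compared, since rndc and named must share the same key. The output file names, the helper names and the 0640 file mode are my assumptions; the sample input is the recipe's own rndc-confgen output, embedded so the script runs without BIND installed.

```shell
# Added example, not code from the book: split rndc-confgen output into the two
# files the recipe describes, then check that both files carry the same secret.
set -eu
# rndc_conf receives the uncommented top part verbatim; named_snippet receives
# the commented part with its "# " prefix stripped, ready to paste into named.conf.
split_rndc_output() {
    input=$1 rndc_conf=$2 named_snippet=$3
    sed -n '1,/^# End of rndc.conf/p' "$input" > "$rndc_conf"
    sed -n '/^# Use with the following/,/^# End of named.conf/{
        /^# Use with the following/d
        /^# End of named.conf/d
        s/^# \{0,1\}//
        p
    }' "$input" > "$named_snippet"
    chmod 0640 "$rndc_conf" "$named_snippet"   # whoever can read the secret can drive named
}
# rndc signs requests with the secret in rndc.conf and named verifies them with
# the secret in its own key statement, so the two must be identical.
secrets_match() {
    a=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1")
    b=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
# Constructed sample input (the recipe's own rndc-confgen output); with BIND
# installed you would instead run: rndc-confgen > confgen.out
WORK=$(mktemp -d)
cat > "$WORK/confgen.out" <<'EOF'
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "LctVnbqQQPHiZJ80ZwnFDA==";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "LctVnbqQQPHiZJ80ZwnFDA==";
# };
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
EOF
split_rndc_output "$WORK/confgen.out" "$WORK/rndc.conf" "$WORK/named-controls.conf"
secrets_match "$WORK/rndc.conf" "$WORK/named-controls.conf" && echo "secrets match"
```

The named-controls.conf file is the key and controls statements to paste into named.conf; rndc.conf goes wherever rndc status reports it is looking.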

3.3.3 Discussion

rndc-confgen appeared in BIND 9.2.0. The configuration files it generates, however, work with older versions of BIND 9, too. So if you're running a version prior to 9.2.0, you can still build 9.2.0 and use the rndc-confgen program from that distribution.

With BIND 9.2.0 and later, there's an even easier way to get this working: just run rndc-confgen -a on the host that will run the name server. This will write a key definition to the file /etc/rndc.key, which rndc and named will then use to negotiate a control channel between them. If you use this option, make sure you don't have a controls statement in named.conf or an rndc.conf file -- either of those would override the automatic configuration.

3.3.4 See Also

"rndc and controls" in Chapter 7 of DNS and BIND.

DNS & BIND Cookbook
ISBN: 0596004109
Year: 2005
Pages: 220
Authors: Cricket Liu