Configuring a Name Server to Work with rndc
3.3.1 Problem
You want to use rndc, the remote name daemon controller, to control a local BIND 9 name server.
3.3.2 Solution
By far the easiest way to get rndc working with a name server is to use rndc-confgen, a program shipped with the BIND distribution. rndc, unlike ndc, its BIND 8 counterpart, requires a configuration file to work properly. The configuration file's syntax, mercifully, is very similar to that of named.conf. But rather than learning the new syntax, you can run rndc-confgen on the host that will run the name server to generate a useable configuration file. For example, running rndc-confgen might produce output like this:
$ rndc-confgen
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "LctVnbqQQPHiZJ80ZwnFDA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "LctVnbqQQPHiZJ80ZwnFDA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
The beginning of the output (the uncommented part) is the contents of rndc.conf, rndc's configuration file. rndc will expect to find it in a particular location. If you're not sure what that location is, running an innocuous command like rndc status will tell you where it's looking:
# rndc status rndc: neither /etc/rndc.conf nor /etc/rndc.key was found
Save the contents of the file there.
The commented part of the file belongs in the name server's named.conf file. If you haven't already added a controls statement, you can add it to named.conf as-is.
3.3.3 Discussion
rndc-confgen appeared in BIND 9.2.0. The configuration files it generates, however, work with older versions of BIND 9, too. So if you're running a version prior to 9.2.0, you can still build 9.2.0 and use the rndc-confgen program from that distribution.
With BIND 9.2.0 and later, there's an even easier way to get this working: just run rndc-confgen -a on the host that will run the name server. This will write a key definition to the file /etc/rndc.key, which rndc and named will then use to negotiate a control channel between them. If you use this option, make sure you don't have a controls statement in named.conf or an rndc.conf file -- either of those would override the automatic configuration.
3.3.4 See Also
"rndc and controls" in Chapter 7 of DNS and BIND.
Getting Started
- Introduction
- Finding More Information About DNS and BIND
- Asking Questions You Cant Find Answers To
- Getting a List of Top-Level Domains
- Checking Whether a Domain Name Is Registered
- Registering a Domain Name
- Registering Name Servers
- Registering a Reverse-Mapping Domain
- Transferring Your Domain Name to Another Registrar
- Choosing a Version of BIND
- Finding Out Which Version of BIND Youre Running
- Getting BIND
- Building and Installing BIND
- Getting a Precompiled Version of BIND
- Creating a named.conf File
- Configuring a Name Server as the Primary Master for a Zone
- Configuring a Name Server as a Slave for a Zone
- Configuring a Name Server as Authoritative for Multiple Zones
- Starting a Name Server
- Stopping a Name Server
- Starting named at Boot Time
Zone Data
- Introduction
- Creating a Zone Data File
- Adding a Host
- Adding an Alias
- Adding a Mail Destination
- Making the Domain Name of Your Zone Point to Your Web Server
- Pointing a Domain Name to a Particular URL
- Setting Up Round Robin Load Distribution
- Adding a Domain Name in a Subdomain Without Creating a New Zone
- Preventing Remote Name Servers from Caching a Resource Record
- Adding a Multihomed Host
- Updating a Name Servers Root Hints File
- Using a Single Data File for Multiple Zones
- Using Multiple Data Files for a Single Zone
- Resetting Your Zones Serial Number
- Making Manual Changes to a Dynamically Updated Zone
- Moving a Host
- Mapping Any Domain Name in a Zone to a Single IP Address
- Adding Similar Records
- Making Your Services Easy to Find
- Storing the Location of a Host in DNS
- Filtering a Host Table into Zone Data Files
BIND Name Server Configuration
- Introduction
- Configuring a Name Server to Work with ndc
- Configuring a Name Server to Work with rndc
- Using rndc with a Remote Name Server
- Allowing Illegal Characters in Domain Names
- Dividing a Large named.conf File into Multiple Files
- Organizing Zone Data Files in Different Directories
- Configuring a Name Server as Slave for All of Your Zones
- Finding an Offsite Slave Name Server for Your Zone
- Protecting a Slave Name Server from Abuse
- Allowing Dynamic Updates
- Configuring a Name Server to Forward Dynamic Updates
- Notifying a Slave Name Server Not in a Zones NS Records
- Limiting NOTIFY Messages
- Configuring a Name Server to Forward Queries to Another Name Server
- Configuring a Name Server to Forward Some Queries to Other Name Servers
- Configuring a Name Server Not to Forward Certain Queries
- Returning Different Answers to Different Queriers
- Determining the Order in Which a Name Server Returns Answers
- Setting Up a Slave Name Server for a Zone in Multiple Views
- Disabling Caching
- Limiting the Memory a Name Server Uses
- Configuring IXFR
- Limiting the Size of the IXFR Log File
- Configuring a Name Server to Listen Only on Certain Network Interfaces
- Running a Name Server on an Alternate Port
- Setting Up a Root Name Server
- Returning a Default Record
- Configuring DNS to Let Clients Find the Closest Server
- Handling Dialup Connections
Electronic Mail
- Introduction
- Configuring a Backup Mail Server in DNS
- Configuring Multiple Mail Servers in DNS
- Configuring Mail to Go to One Server and the Web to Another
- Configuring DNS for Virtual Email Addresses
- Configuring DNS So a Mail Server and the Email It Sends Pass Anti-Spam Tests
BIND Name Server Operations
- Introduction
- Figuring Out How Much Memory a Name Server Will Need
- Testing a Name Servers Configuration
- Viewing a Name Servers Cache
- Flushing (Clearing) a Name Servers Cache
- Modifying Zone Data Without Restarting the Name Server
- Adding or Removing Zones Without Restarting or Reloading the Name Server
- Initiating a Zone Transfer
- Restarting a Name Server Automatically If It Dies
- Restarting a Name Server with the Same Arguments
- Controlling Multiple named Processes with rndc
- Controlling Multiple named Processes with ndc
- Finding Out Whos Querying a Name Server
- Measuring a Name Servers Performance
- Measuring Queries for Records in Particular Zones
- Monitoring a Name Server
- Limiting Concurrent Zone Transfers
- Limiting Concurrent TCP Clients
- Limiting Concurrent Recursive Clients
- Dynamically Updating a Zone
- Sending Dynamic Updates to a Particular Name Server
- Setting Prerequisites in a Dynamic Update
- Sending TSIG-Signed Dynamic Updates
- Setting Up a Backup Primary Master Name Server
- Promoting a Slave Name Server to the Primary Master
- Running Multiple Primary Master Name Servers for the Same Zone
- Creating a Zone Programmatically
- Migrating from One Domain Name to Another
Delegation and Registration
- Introduction
- Delegating a Subdomain
- Delegating a Subdomain of a Reverse-Mapping Zone
- Delegating Reverse-Mapping for Networks with Non-Octet Masks
- Delegating Reverse-Mapping for Networks Smaller than a /24
- Checking Delegation
- Moving a Name Server
- Changing Your Zones Name Servers
Security
- Introduction
- Concealing a Name Servers Version
- Configuring a Name Server to Work with a Firewall (or Vice Versa)
- Setting Up a Hidden Primary Master Name Server
- Setting Up a Stealth Slave Name Server
- Configuring an Authoritative-Only Name Server
- Configuring a Caching-Only Name Server
- Running a Name Server in a chroot( ) Jail
- Running the Name Server as a User Other than Root
- Defining a TSIG Key
- Securing Zone Transfers
- Restricting the Queries a Name Server Answers
- Preventing a Name Server from Querying a Particular Remote Name Server
- Preventing a Name Server from Responding to DNS Traffic from Certain Networks
- Protecting a Name Server from Spoofing
Interoperability and Upgrading
- Introduction
- Upgrading from BIND 4 to BIND 8 or 9
- Upgrading from BIND 8 to BIND 9
- Configuring a Name Server to Accommodate a Slave Running BIND 4
- Configuring a BIND Name Server to Accommodate a Slave Running the Microsoft DNS Server
- Configuring a BIND Name Server as a Slave to a Microsoft DNS Server
- Preventing Windows Computers from Trying to Update Your Zones
- Handling Windows Registration with a BIND Name Server
- Handling Active Directory with a Name Server
- Configuring a DHCP Server to Update a BIND Name Server
Resolvers and Programming
- Introduction
- Configuring a Resolver to Query a Remote Name Server
- Configuring a Resolver to Resolve Single-Label Domain Names
- Configuring a Resolver to Append Multiple Domain Names to Arguments
- Sorting Multiple Addresses in a Response
- Changing the Resolvers Timeout
- Configuring the Order in Which a Resolver Uses DNS, /etc/hosts, and NIS
- Looking Up Records Programmatically
- Transferring a Zone Programmatically
- Updating a Zone Programmatically
- Signing Queries and Dynamic Updates with TSIG Programmatically
Logging and Troubleshooting
- Introduction
- Finding a Syntax Error in a named.conf File
- Finding a Syntax Error in a Zone Data File
- Sending Log Messages to a Particular File
- Discarding a Category of Messages
- Determining Which Category a Message Is In
- Sending syslog Output to Another Host
- Logging Dynamic Updates
- Rotating Log Files
- Looking Up Records with dig
- Reverse-Mapping an Address with dig
- Transferring a Zone Using dig
- Tracing Name Resolution Using dig
IPv6
