3.3 Configuring a Name Server to Work with rndc

3.3.1 Problem

You want to use rndc, the remote name daemon controller, to control a local BIND 9 name server.

3.3.2 Solution

By far the easiest way to get rndc working with a name server is to use rndc-confgen, a program shipped with the BIND distribution. rndc, unlike ndc, its BIND 8 counterpart, requires a configuration file to work properly. The configuration file's syntax, mercifully, is very similar to that of named.conf. But rather than learning the new syntax, you can run rndc-confgen on the host that will run the name server to generate a usable configuration file. For example, running rndc-confgen might produce output like this:

$ rndc-confgen
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "LctVnbqQQPHiZJ80ZwnFDA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "LctVnbqQQPHiZJ80ZwnFDA==";
# };
# 
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

The beginning of the output (the uncommented part) is the contents of rndc.conf, rndc's configuration file. rndc will expect to find it in a particular location. If you're not sure what that location is, running an innocuous command like rndc status will tell you where it's looking:

# rndc status
rndc: neither /etc/rndc.conf nor /etc/rndc.key was found

Save the contents of the file there.

The commented part of the file belongs in the name server's named.conf file. If you haven't already added a controls statement, you can add it to named.conf as-is.
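The two halves only work together if the key statement in rndc.conf and the one in named.conf carry the same name, algorithm and secret, and if the controls statement accepts that key. As an added check that is not part of the recipe, the following Python script parses both files and reports any disagreement, plus a controls allow list that admits anything other than loopback clients. The sample configurations are constructed from the rndc-confgen output above; the parser only understands the statement forms shown there.

```python
import re

# Constructed sample files with the same contents as the rndc-confgen output above.
RNDC_CONF = '''key "rndc-key" { algorithm hmac-md5; secret "LctVnbqQQPHiZJ80ZwnFDA=="; };
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };'''
NAMED_CONF = '''key "rndc-key" { algorithm hmac-md5; secret "LctVnbqQQPHiZJ80ZwnFDA=="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };'''

# Just enough grammar to pull out key and controls statements; comments are not handled.
KEY_RE = re.compile(r'\bkey\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
INET_RE = re.compile(r'inet\s+(\S+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^}]*)\}'
                     r'\s*keys\s*\{([^}]*)\}\s*;')
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def _items(body):
    """Split the inside of '{ a; b; }' into bare items with quotes removed."""
    return [x.strip().strip('"') for x in body.split(";") if x.strip()]

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key statement in text."""
    return {name: (alg, secret) for name, alg, secret in KEY_RE.findall(text)}

def parse_controls(text):
    """Return (address, port, allowed clients, accepted keys) per control channel."""
    return [(addr, port or "953", _items(allow), _items(keys))
            for addr, port, allow, keys in INET_RE.findall(text)]

def check_pairing(rndc_conf, named_conf):
    """List the ways rndc.conf and named.conf disagree or are too permissive."""
    problems = []
    rndc_keys, named_keys = parse_keys(rndc_conf), parse_keys(named_conf)
    m = re.search(r'default-key\s+"([^"]+)"\s*;', rndc_conf)
    default_key = m.group(1) if m else None
    if default_key not in rndc_keys:
        problems.append("rndc.conf default-key %r has no key statement" % default_key)
    for name, pair in rndc_keys.items():  # same name, algorithm and secret on both sides?
        if name not in named_keys:
            problems.append("key %r is missing from named.conf" % name)
        elif named_keys[name] != pair:
            problems.append("key %r differs between rndc.conf and named.conf" % name)
    controls = parse_controls(named_conf)
    if not controls:
        problems.append("named.conf has no controls statement")
    for addr, port, allow, keys in controls:
        if default_key not in keys:
            problems.append("channel %s:%s does not accept key %r" % (addr, port, default_key))
        if any(a not in LOOPBACK for a in allow):
            problems.append("channel %s:%s allows non-loopback clients: %s" % (addr, port, allow))
    return problems
```

An empty list from check_pairing means the files agree; a mistyped secret on either side shows up as a "differs" entry rather than as a cryptic authentication failure from rndc.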

3.3.3 Discussion

rndc-confgen appeared in BIND 9.2.0. The configuration files it generates, however, work with older versions of BIND 9, too. So if you're running a version prior to 9.2.0, you can still build 9.2.0 and use the rndc-confgen program from that distribution.

With BIND 9.2.0 and later, there's an even easier way to get this working: just run rndc-confgen -a on the host that will run the name server. This will write a key definition to the file /etc/rndc.key, which rndc and named will then use to negotiate a control channel between them. If you use this option, make sure you don't have a controls statement in named.conf or an rndc.conf file -- either of those would override the automatic configuration.

3.3.4 See Also

"rndc and controls" in Chapter 7 of DNS and BIND.