12.4. Using rndc
BIND includes a utility called rndc which allows
command-line administration of the named daemon from
the localhost or from a remote host.
To prevent unauthorized access to the named
daemon, BIND uses a shared secret key to grant privileges
to hosts. This means an identical key must be present in both
/etc/named.conf and the rndc
configuration file, /etc/rndc.conf.
12.4.1. Configuring /etc/named.conf
In order for rndc to connect to a
named service, there must be a
controls statement in the BIND server's
/etc/named.conf file.
The controls statement shown in the following
example allows rndc to connect from the localhost.
controls {
    inet 127.0.0.1 allow { localhost; } keys { <key-name>; };
};
This statement tells named to listen on the
default TCP port 953 of the loopback address and to accept
rndc commands coming from the localhost, provided the
proper key is given. The
<key-name> refers
to the key statement, which is also in the
/etc/named.conf file. The following example
shows a sample key statement.
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};
In this case, the <key-value> is an
HMAC-MD5 key. Use the following command to generate HMAC-MD5 keys:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
A key length of at least 256 bits is a good idea. The actual key
that should be placed in the
<key-value> area
can be found in the
<key-file-name>.
Caution: Because /etc/named.conf is world-readable, it
is a good idea to place the key statement in a
separate file readable only by root and then use an
include statement to reference it, as in the
following example:
12.4.2. Configuring /etc/rndc.conf
The key is the most important statement in
/etc/rndc.conf.
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};
The <key-name> and
<key-value> should
be exactly the same as their settings in
/etc/named.conf.
To match the keys specified in the target server's
/etc/named.conf, add the following lines to
/etc/rndc.conf.
options {
    default-server localhost;
    default-key "<key-name>";
};
This statement sets a global default key. However, the
rndc command can also use different keys for
different servers, as in the following example:
server localhost {
    key "<key-name>";
};
Caution: Make sure that only the root user can read or write to the
/etc/rndc.conf file.
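The following script is an added example and not part of the manual; it ties together the two sections above: it generates a shared secret, writes the key statement to a file readable only by its owner (the layout the Caution in 12.4.1 recommends), and prints the matching include and controls lines for /etc/named.conf together with the options lines for /etc/rndc.conf. The secret is produced from /dev/urandom rather than with dnssec-keygen so the script runs offline; the key name rndc-key, the output directory and the file name rndc.key are assumptions. The page shows hmac-md5; this example uses hmac-sha256, which current BIND 9 releases support, and the algorithm is a parameter so hmac-md5 can be substituted for an older server.

```shell
#!/bin/sh
# Added example, not from the manual: generate a shared rndc secret, store the
# key statement in an owner-only file, and emit the matching fragments for
# /etc/named.conf and /etc/rndc.conf. Paths and the key name are assumptions.
set -eu

# Produce a random base64 secret of BITS bits. This stands in for the page's
# dnssec-keygen step so the script runs offline; a TSIG secret is base64 text.
gen_secret() {
    bits="${1:-256}"
    dd if=/dev/urandom bs=1 count="$((bits / 8))" 2>/dev/null | base64 | tr -d '\n'
}

# The key statement that must be identical in both configuration files.
key_stmt() {
    # $1 = key name, $2 = algorithm, $3 = base64 secret
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# Write the key statement to FILE with mode 0600 (umask 077 in a subshell so
# the caller's umask is untouched).
write_key_file() {
    # $1 = file, $2 = key name, $3 = algorithm, $4 = secret
    ( umask 077; key_stmt "$2" "$3" "$4" > "$1" )
}

# named.conf side: pull the key in with include, then allow rndc from localhost.
named_conf_fragment() {
    # $1 = key file, $2 = key name
    printf 'include "%s";\n\ncontrols {\n    inet 127.0.0.1 allow { localhost; } keys { "%s"; };\n};\n' "$1" "$2"
}

# rndc.conf side: same key file, plus the default server and key.
rndc_conf_fragment() {
    # $1 = key file, $2 = key name
    printf 'include "%s";\n\noptions {\n    default-server localhost;\n    default-key "%s";\n};\n' "$1" "$2"
}

# Permission string of a file (e.g. -rw-------); ls -l output is portable.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 only if the key file is accessible to its owner alone, which is
# the condition behind both Caution notes on the page.
key_file_private() {
    case "$(file_mode "$1")" in
        ?rw-------|?r--------) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    dir="${1:-$(mktemp -d)}"
    keyfile="$dir/rndc.key"
    secret="$(gen_secret 256)"
    write_key_file "$keyfile" rndc-key hmac-sha256 "$secret"
    echo "# --- add to /etc/named.conf ---"
    named_conf_fragment "$keyfile" rndc-key
    echo "# --- add to /etc/rndc.conf ---"
    rndc_conf_fragment "$keyfile" rndc-key
    if key_file_private "$keyfile"; then
        echo "# key file $keyfile mode $(file_mode "$keyfile"): ok"
    else
        echo "# key file $keyfile mode $(file_mode "$keyfile"): too permissive" >&2
        return 1
    fi
}

main "$@"
```

Run it with a directory argument (for example /etc) as root to write the key file in place, or with no argument to try it in a temporary directory. The key_file_private check is the part worth keeping around: run it against /etc/rndc.conf and the included key file after any edit, since a group- or world-readable secret lets any local user issue rndc commands.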
12.4.3. Command Line Options
An rndc command takes the following form:
rndc <options> <command> <command-options>
When executing rndc on a properly configured
localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Logs all queries made to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions. If changes only affected a specific zone, reload only one zone by adding the name of the zone after the reload command.
stats — Dumps the current named statistics to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and Incremental Zone Transfer (IXFR) data before exiting.
Occasionally, it may be necessary to override the default settings in
the /etc/rndc.conf file. The following options
are available:
-c <configuration-file> — Tells rndc to use a configuration file other than the default /etc/rndc.conf.
-p <port-number> — Specifies a port number to use for the rndc connection other than port 953, the default.
-s <server> — Tells rndc to send the command to a server other than the default-server specified in its configuration file.
-y <key-name> — Specifies a key other than the default-key option in the /etc/rndc.conf file.
Additional information about these options can be found in the
rndc man page.