Bind 9 Administrator Reference Manual

Chapter 3. Nameserver Configuration
alternate location can be specified with the -c option. If the configuration file is not found, rndc
will also look in /etc/rndc.key (or whatever sysconfdir was defined when the BIND build
was configured). The rndc.key file is generated by running rndc-confgen -a as described in
Section 6.2.4.
The format of the configuration file is similar to that of named.conf, but it is limited to four
statements: options, key, server and include. These statements associate the secret keys with the
servers they are meant to be shared with. The order of statements is not significant.
The options statement has three clauses: default-server, default-key, and default-port.
default-server takes a host name or address argument and names the server that is contacted if no
-s option is given on the command line. default-key takes the name of a key, as defined by a key
statement, as its argument. default-port specifies the port to which rndc connects if no port is
given on the command line or in a server statement.
The key statement names a key with its string argument. The server requires the string to be a
valid domain name, though it need not actually be hierarchical; thus, a string like "rndc_key" is a
valid name. The key statement has two clauses: algorithm and secret. While the configuration
parser accepts any string as the argument to algorithm, currently only the string "hmac-md5"
has any meaning. The secret is a base-64 encoded string. The same name, algorithm and secret
must appear in the corresponding key statement on the server side (in named.conf), since the
server uses them to verify the requests rndc sends.
The server statement uses the key clause to associate a key defined by a key statement with a
server. The argument to the server statement is a host name or address (addresses must be double
quoted). The argument to the key clause is the name of the key as defined by the key statement.
The port clause can be used to specify the port to which rndc should connect on the given server.
A sample minimal configuration file is as follows:
key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
    default-server localhost;
    default-key rndc_key;
};
This file, if installed as /etc/rndc.conf, would allow the command:
$ rndc reload
to connect to 127.0.0.1 port 953 and cause the nameserver to reload, if a nameserver on the local
machine were running with the following controls statement:
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
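To make the pairing between the two files concrete, the following Python script is an added example, not code from the BIND distribution or from ISC. It parses the subset of the syntax used by rndc.conf and by the key and controls statements of named.conf, generates a fresh base-64 secret of the kind rndc-confgen -a writes, emits a matching rndc.conf and controls fragment, and checks that an existing pair agrees on key name, algorithm and secret and that the controls statement actually lists that key. Everything beyond what this page states is the example's own assumption: the grammar it accepts is only the subset shown here, the 16-byte secret length is the example's choice, and the named.conf fragment it carries is constructed for the demonstration; the hmac-md5 check merely reflects the statement above that this version honours no other algorithm.

```python
import base64
import os
import re

# Tokens of the named.conf-style syntax that rndc.conf shares: comments
# (skipped), a "quoted string" (quotes dropped), one of { } ; or a bare word.
_TOKEN_RE = re.compile(
    r'/\*.*?\*/|(?://|#)[^\n]*'   # /* */, // and # comments
    r'|"([^"]*)"'                 # quoted string
    r'|([{};])'                   # punctuation
    r'|([^\s{};"]+)',             # bare word (names, addresses, ports)
    re.S)


def tokenize(text):
    """Split configuration text into tokens, dropping comments."""
    tokens = []
    for m in _TOKEN_RE.finditer(text):
        quoted, punct, word = m.groups()
        if quoted is None and punct is None and word is None:
            continue  # the match was a comment
        tokens.append(quoted if quoted is not None else (punct or word))
    return tokens


def parse(tokens):
    """Return a list of (words, body) statements; body is None or a nested list."""
    stmts, _ = _parse_block(tokens, 0)
    return stmts


def _parse_block(tokens, i):
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == '}':
            return stmts, i + 1
        if tok == ';':
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        elif tok == '{':
            body, i = _parse_block(tokens, i + 1)
            stmts.append((words, body))
            words = []
        else:
            words.append(tok)
            i += 1
    return stmts, i


def key_statements(stmts):
    """Map key name -> (algorithm, secret) for every top-level key statement."""
    keys = {}
    for words, body in stmts:
        if len(words) == 2 and words[0] == 'key' and body is not None:
            fields = {w[0]: w[1] for w, _ in body if len(w) == 2}
            keys[words[1]] = (fields.get('algorithm'), fields.get('secret'))
    return keys


def rndc_default_key(stmts):
    """Name given by default-key in the options statement, or None."""
    for words, body in stmts:
        if words == ['options'] and body:
            for w, _ in body:
                if len(w) == 2 and w[0] == 'default-key':
                    return w[1]
    return None


def controls_key_names(stmts):
    """Key names listed in the keys { ... } clauses of a controls statement."""
    names = []
    for words, body in stmts:
        if words == ['controls'] and body:
            for w, b in body:
                if w == ['keys'] and b:
                    names.extend(x[0] for x, _ in b if x)
    return names


def check_pairing(rndc_conf, named_conf):
    """List the ways rndc.conf and named.conf disagree; empty means they match."""
    problems = []
    rndc, named = parse(tokenize(rndc_conf)), parse(tokenize(named_conf))
    rkeys, nkeys = key_statements(rndc), key_statements(named)
    name = rndc_default_key(rndc)
    if name is None:
        return ['rndc.conf: options statement has no default-key']
    if name not in rkeys:
        return [f'rndc.conf: default-key {name} has no matching key statement']
    algorithm, secret = rkeys[name]
    if algorithm != 'hmac-md5':
        problems.append(f'key {name}: algorithm {algorithm!r} is not hmac-md5')
    if not secret:
        problems.append(f'key {name}: no secret clause')
    else:
        try:  # validate=True rejects characters outside the base-64 alphabet
            base64.b64decode(secret, validate=True)
        except ValueError:
            problems.append(f'key {name}: secret is not valid base-64')
    if name not in nkeys:
        problems.append(f'named.conf: no key statement named {name}')
    elif nkeys[name] != rkeys[name]:
        problems.append(f'key {name}: algorithm/secret differ between rndc.conf and named.conf')
    if name not in controls_key_names(named):
        problems.append(f'named.conf: controls statement does not list key {name}')
    return problems


def new_secret(nbytes=16):
    """Fresh random secret, base-64 encoded; 16 bytes is this example's choice."""
    return base64.b64encode(os.urandom(nbytes)).decode('ascii')


def render_pair(name, secret, server='localhost', allow='localhost'):
    """Matching rndc.conf text and named.conf key/controls fragment for one key."""
    key = f'key {name} {{\n\talgorithm "hmac-md5";\n\tsecret "{secret}";\n}};\n'
    rndc_conf = key + f'options {{\n\tdefault-server {server};\n\tdefault-key {name};\n}};\n'
    named_conf = key + f'controls {{\n\tinet 127.0.0.1 allow {{ {allow}; }} keys {{ {name}; }};\n}};\n'
    return rndc_conf, named_conf


# The manual's sample rndc.conf, and a constructed named.conf fragment to pair with it.
SAMPLE_RNDC_CONF = render_pair(
    'rndc_key', 'c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K')[0]
SAMPLE_NAMED_CONF = '''// constructed fragment: the key statement must be repeated on the server side
key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
'''

if __name__ == '__main__':
    rndc_conf, named_conf = render_pair('rndc_key', new_secret())
    print('# /etc/rndc.conf\n' + rndc_conf)
    print('# named.conf fragment\n' + named_conf)
    print('generated pair:', check_pairing(rndc_conf, named_conf) or 'consistent')
    print('manual sample:', check_pairing(SAMPLE_RNDC_CONF, SAMPLE_NAMED_CONF) or 'consistent')
```

Run it once to print a freshly generated pair; reuse check_pairing against your own files before restarting named, since a secret that decodes correctly in rndc.conf but is copied wrongly into named.conf is rejected by the server with no hint from the client side about which clause is at fault.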