Bind 9 Administrator Reference Manual

Chapter 6. BIND 9 Configuration Reference
localnets   Matches any host on an IPv4 network for which the system has an interface.
The localhost and localnets ACLs do not currently support IPv6 (that is, localhost does not match the
host’s IPv6 addresses, and localnets does not match the host’s attached IPv6 networks) due to the lack of
a standard method of determining the complete set of local IPv6 addresses for a host.
6.2.3. controls Statement Grammar
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow { address_match_list }
        keys { key_list };
    [ inet ...; ]
};
6.2.4. controls Statement Definition and Usage
The controls statement declares control channels to be used by system administrators to affect the
operation of the local nameserver. These control channels are used by the rndc utility to send commands
to and retrieve non-DNS results from a nameserver.
An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr,
which can be an IPv4 or IPv6 address. An ip_addr of * is interpreted as the IPv4 wildcard address;
connections will be accepted on any of the system’s IPv4 addresses. To listen on the IPv6 wildcard
address, use an ip_addr of ::. If you will only use rndc on the local host, using the loopback address
(127.0.0.1 or ::1) is recommended for maximum security.
The ability to issue commands over the control channel is restricted by the allow and keys clauses.
Connections to the control channel are permitted based on the address permissions in
address_match_list. key_id members of the address_match_list are ignored, and instead are
interpreted independently based on the key_list. Each key_id in the key_list is allowed to be used to
authenticate commands and responses given over the control channel by digitally signing each message
between the server and a command client (See Remote Name Daemon Control application in Section
3.4.1.2). All commands to the control channel must be signed by one of its specified keys to be honored.
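As an added example (not part of the ARM or of BIND itself), the following Python script parses the inet channels of a constructed controls statement and flags the settings this section warns about: a wildcard listen address, allow { any; }, key_id entries in the allow list (which named ignores) and a missing keys clause. The regular expression, the sample statements and the finding texts are assumptions, not BIND's own parser or output.

```python
import re

# Constructed sample controls statements (not taken from the ARM).
WEAK_CONTROLS = """
controls {
    inet * port 953 allow { any; key rndc-key; };
};
"""

HARDENED_CONTROLS = """
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
};
"""

# One inet channel: address, optional port, allow list, optional keys list.
INET_RE = re.compile(
    r"inet\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?"
    r"\s*;"
)
LOOPBACK = {"127.0.0.1", "::1"}


def _items(block):
    """Split a '{ a; b; }' body into its trimmed, unquoted entries."""
    return [x.strip().strip('"') for x in (block or "").split(";") if x.strip()]


def audit_controls(conf):
    """Return (listen_addr, finding) pairs for every inet channel in conf."""
    findings = []
    for m in INET_RE.finditer(conf):
        addr = m.group("addr")
        allow, keys = _items(m.group("allow")), _items(m.group("keys"))
        if addr in ("*", "::"):
            findings.append((addr, "wildcard listen address; loopback is recommended"))
        elif addr not in LOOPBACK:
            findings.append((addr, "non-loopback listen address"))
        if "any" in allow:
            findings.append((addr, "allow { any; } admits connections from any source"))
        for entry in allow:
            if entry.startswith("key "):
                # named ignores key_id members of the allow list; only keys {} is used.
                findings.append((addr, f"'{entry}' in allow list is ignored"))
        if not keys:
            findings.append((addr, "no keys clause; named falls back to the default key file"))
    return findings
```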
If no controls statement is present, named will set up a default control channel listening on the loopback
address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is
present but does not have a keys clause, named will attempt to load the command channel key from the