1<!-- 2 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") 3 - Copyright (C) 2000, 2001 Internet Software Consortium. 4 - 5 - Permission to use, copy, modify, and/or distribute this software for any 6 - purpose with or without fee is hereby granted, provided that the above 7 - copyright notice and this permission notice appear in all copies. 8 - 9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 - PERFORMANCE OF THIS SOFTWARE. 16--> 17<!-- Id --> 18<html> 19<head> 20<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21<title>rndc.conf</title> 22<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23</head> 24<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> 25<a name="man.rndc.conf"></a><div class="titlepage"></div> 26<div class="refnamediv"> 27<h2>Name</h2> 28<p><code class="filename">rndc.conf</code> — rndc configuration file</p> 29</div> 30<div class="refsynopsisdiv"> 31<h2>Synopsis</h2> 32<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div> 33</div> 34<div class="refsect1" lang="en"> 35<a name="id2543367"></a><h2>DESCRIPTION</h2> 36<p><code class="filename">rndc.conf</code> is the configuration file 37 for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control 38 utility. This file has a similar structure and syntax to 39 <code class="filename">named.conf</code>. Statements are enclosed 40 in braces and terminated with a semi-colon. Clauses in 41 the statements are also semi-colon terminated. The usual 42 comment styles are supported: 43 </p> 44<p> 45 C style: /* */ 46 </p> 47<p> 48 C++ style: // to end of line 49 </p> 50<p> 51 Unix style: # to end of line 52 </p> 53<p><code class="filename">rndc.conf</code> is much simpler than 54 <code class="filename">named.conf</code>. The file uses three 55 statements: an options statement, a server statement 56 and a key statement. 57 </p> 58<p> 59 The <code class="option">options</code> statement contains five clauses. 60 The <code class="option">default-server</code> clause is followed by the 61 name or address of a name server. This host will be used when 62 no name server is given as an argument to 63 <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code> 64 clause is followed by the name of a key which is identified by 65 a <code class="option">key</code> statement. If no 66 <code class="option">keyid</code> is provided on the rndc command line, 67 and no <code class="option">key</code> clause is found in a matching 68 <code class="option">server</code> statement, this default key will be 69 used to authenticate the server's commands and responses. The 70 <code class="option">default-port</code> clause is followed by the port 71 to connect to on the remote name server. If no 72 <code class="option">port</code> option is provided on the rndc command 73 line, and no <code class="option">port</code> clause is found in a 74 matching <code class="option">server</code> statement, this default port 75 will be used to connect. 76 The <code class="option">default-source-address</code> and 77 <code class="option">default-source-address-v6</code> clauses which 78 can be used to set the IPv4 and IPv6 source addresses 79 respectively. 80 </p> 81<p> 82 After the <code class="option">server</code> keyword, the server 83 statement includes a string which is the hostname or address 84 for a name server. The statement has three possible clauses: 85 <code class="option">key</code>, <code class="option">port</code> and 86 <code class="option">addresses</code>. The key name must match the 87 name of a key statement in the file. The port number 88 specifies the port to connect to. If an <code class="option">addresses</code> 89 clause is supplied these addresses will be used instead of 90 the server name. Each address can take an optional port. 91 If an <code class="option">source-address</code> or <code class="option">source-address-v6</code> 92 of supplied then these will be used to specify the IPv4 and IPv6 93 source addresses respectively. 94 </p> 95<p> 96 The <code class="option">key</code> statement begins with an identifying 97 string, the name of the key. The statement has two clauses. 98 <code class="option">algorithm</code> identifies the authentication algorithm 99 for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 100 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 101 (default), HMAC-SHA384 and HMAC-SHA512 are 102 supported. This is followed by a secret clause which contains 103 the base-64 encoding of the algorithm's authentication key. The 104 base-64 string is enclosed in double quotes. 105 </p> 106<p> 107 There are two common ways to generate the base-64 string for the 108 secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> 109 can 110 be used to generate a random key, or the 111 <span><strong class="command">mmencode</strong></span> program, also known as 112 <span><strong class="command">mimencode</strong></span>, can be used to generate a 113 base-64 114 string from known input. <span><strong class="command">mmencode</strong></span> does 115 not 116 ship with BIND 9 but is available on many systems. See the 117 EXAMPLE section for sample command lines for each. 118 </p> 119</div> 120<div class="refsect1" lang="en"> 121<a name="id2543515"></a><h2>EXAMPLE</h2> 122<pre class="programlisting"> 123 options { 124 default-server localhost; 125 default-key samplekey; 126 }; 127</pre> 128<p> 129 </p> 130<pre class="programlisting"> 131 server localhost { 132 key samplekey; 133 }; 134</pre> 135<p> 136 </p> 137<pre class="programlisting"> 138 server testserver { 139 key testkey; 140 addresses { localhost port 5353; }; 141 }; 142</pre> 143<p> 144 </p> 145<pre class="programlisting"> 146 key samplekey { 147 algorithm hmac-sha256; 148 secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; 149 }; 150</pre> 151<p> 152 </p> 153<pre class="programlisting"> 154 key testkey { 155 algorithm hmac-sha256; 156 secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; 157 }; 158 </pre> 159<p> 160 </p> 161<p> 162 In the above example, <span><strong class="command">rndc</strong></span> will by 163 default use 164 the server at localhost (127.0.0.1) and the key called samplekey. 165 Commands to the localhost server will use the samplekey key, which 166 must also be defined in the server's configuration file with the 167 same name and secret. The key statement indicates that samplekey 168 uses the HMAC-SHA256 algorithm and its secret clause contains the 169 base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes. 170 </p> 171<p> 172 If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will 173 connect to server on localhost port 5353 using the key testkey. 174 </p> 175<p> 176 To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>: 177 </p> 178<p><strong class="userinput"><code>rndc-confgen</code></strong> 179 </p> 180<p> 181 A complete <code class="filename">rndc.conf</code> file, including 182 the 183 randomly generated key, will be written to the standard 184 output. Commented-out <code class="option">key</code> and 185 <code class="option">controls</code> statements for 186 <code class="filename">named.conf</code> are also printed. 187 </p> 188<p> 189 To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>: 190 </p> 191<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong> 192 </p> 193</div> 194<div class="refsect1" lang="en"> 195<a name="id2543607"></a><h2>NAME SERVER CONFIGURATION</h2> 196<p> 197 The name server must be configured to accept rndc connections and 198 to recognize the key specified in the <code class="filename">rndc.conf</code> 199 file, using the controls statement in <code class="filename">named.conf</code>. 200 See the sections on the <code class="option">controls</code> statement in the 201 BIND 9 Administrator Reference Manual for details. 202 </p> 203</div> 204<div class="refsect1" lang="en"> 205<a name="id2543628"></a><h2>SEE ALSO</h2> 206<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>, 207 <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>, 208 <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>, 209 <em class="citetitle">BIND 9 Administrator Reference Manual</em>. 210 </p> 211</div> 212<div class="refsect1" lang="en"> 213<a name="id2543667"></a><h2>AUTHOR</h2> 214<p><span class="corpauthor">Internet Systems Consortium</span> 215 </p> 216</div> 217</div></body> 218</html> 219