<!--
 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Id -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc.conf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543367"></a><h2>DESCRIPTION</h2>
36<p><code class="filename">rndc.conf</code> is the configuration file
37      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
38      utility.  This file has a similar structure and syntax to
39      <code class="filename">named.conf</code>.  Statements are enclosed
40      in braces and terminated with a semi-colon.  Clauses in
41      the statements are also semi-colon terminated.  The usual
42      comment styles are supported:
43    </p>
44<p>
45      C style: /* */
46    </p>
47<p>
48      C++ style: // to end of line
49    </p>
50<p>
51      Unix style: # to end of line
52    </p>
53<p><code class="filename">rndc.conf</code> is much simpler than
54      <code class="filename">named.conf</code>.  The file uses three
55      statements: an options statement, a server statement
56      and a key statement.
57    </p>
<p>
      The <code class="option">options</code> statement contains five clauses.
      The <code class="option">default-server</code> clause is followed by the
      name or address of a name server.  This host will be used when
      no name server is given as an argument to
      <span><strong class="command">rndc</strong></span>.  The <code class="option">default-key</code>
      clause is followed by the name of a key which is identified by
      a <code class="option">key</code> statement.  If no
      <code class="option">keyid</code> is provided on the rndc command line,
      and no <code class="option">key</code> clause is found in a matching
      <code class="option">server</code> statement, this default key will be
      used to authenticate the commands sent to the server and the
      responses it returns.  The
      <code class="option">default-port</code> clause is followed by the port
      to connect to on the remote name server.  If no
      <code class="option">port</code> option is provided on the rndc command
      line, and no <code class="option">port</code> clause is found in a
      matching <code class="option">server</code> statement, this default port
      will be used to connect.
      The <code class="option">default-source-address</code> and
      <code class="option">default-source-address-v6</code> clauses set the
      IPv4 and IPv6 source addresses respectively; they apply when the
      matching <code class="option">server</code> statement supplies none.
    </p>
<p>
      After the <code class="option">server</code> keyword, the server
      statement includes a string which is the hostname or address
      for a name server.  The statement has five possible clauses:
      <code class="option">key</code>, <code class="option">port</code>,
      <code class="option">addresses</code>, <code class="option">source-address</code>
      and <code class="option">source-address-v6</code>.  The key name must match the
      name of a key statement in the file.  The port number
      specifies the port to connect to.  If an <code class="option">addresses</code>
      clause is supplied these addresses will be used instead of
      the server name.  Each address can take an optional port.
      If a <code class="option">source-address</code> or <code class="option">source-address-v6</code>
      clause is supplied, it specifies the IPv4 or IPv6 source address
      respectively for connections to this server.
    </p>
<p>
      The <code class="option">key</code> statement begins with an identifying
      string, the name of the key.  The statement has two clauses.
      <code class="option">algorithm</code> identifies the authentication algorithm
      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512 are
      supported.  This is followed by a secret clause which contains
      the base-64 encoding of the algorithm's authentication key.  The
      base-64 string is enclosed in double quotes.
    </p>
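<p>
      The parser below is an added example written for this page, not code
      from BIND, and it puts the description above into practice: it drops
      the three comment styles, splits the file into its options, server
      and key statements, resolves which key and which host and port
      <span><strong class="command">rndc</strong></span> would use in the order the text
      gives (command line, then the matching server statement, then the
      options defaults), and checks each key statement's algorithm against
      the supported list and its secret for valid base-64.  The sample
      configuration and its secrets, the 953 fallback port, the 16-byte
      minimum and the rule that an address's own port beats the file's
      defaults are this example's assumptions, not statements on this page.
    </p>

```python
"""rndc.conf parser, target resolution and key checks (added example, not BIND's own code)."""
import base64
import re

SUPPORTED = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
FALLBACK_PORT = 953  # assumed: used only when neither the file nor the command line gives a port

_TOKEN = re.compile(
    r'"([^"]*)"'            # quoted string; comment markers inside it are data
    r"|/\*.*?\*/"           # C style comment
    r"|(?://|#)[^\n]*"      # C++ and Unix style comments
    r"|([{};])"             # statement punctuation
    r'|([^\s{};"]+)',       # bare word
    re.S)

def tokenize(text):
    """Yield (kind, value) pairs; a comment matches with no group set and is dropped."""
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            yield "str", m.group(1)
        elif m.group(2) or m.group(3):
            yield ("punct" if m.group(2) else "word"), m.group(2) or m.group(3)

def parse_block(tokens):
    """Turn `clause args ;` and `clause args { ... } ;` into nested lists."""
    stmts, cur = [], []
    for kind, val in tokens:
        if kind == "punct" and val == "{":
            cur.append(parse_block(tokens))  # the recursive call consumes up to its matching }
        elif kind == "punct" and val == "}":
            break
        elif kind == "punct" and val == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(val)
    return stmts

def load_rndc_conf(text):
    """Return {'options': {clause: args}, 'server': {name: {clause: args}}, 'key': {...}}."""
    conf = {"options": {}, "server": {}, "key": {}}
    for stmt in parse_block(tokenize(text)):
        if stmt[0] == "options" and len(stmt) == 2:
            conf["options"] = {c[0]: c[1:] for c in stmt[1]}
        elif stmt[0] in ("server", "key") and len(stmt) == 3:
            conf[stmt[0]][stmt[1]] = {c[0]: c[1:] for c in stmt[2]}
    return conf

def resolve(conf, server=None, key=None, port=None):
    """(key_name, [(host, port), ...]) for rndc [-s server] [-y key] [-p port]: CLI > server > options."""
    opts = conf["options"]
    name = server or opts["default-server"][0]
    srv = conf["server"].get(name, {})
    key_name = key or (srv.get("key") or opts.get("default-key") or [None])[0]
    if key_name not in conf["key"]:
        raise ValueError("no key statement named %r" % key_name)
    file_port = int((srv.get("port") or opts.get("default-port") or [FALLBACK_PORT])[0])
    targets = []
    for entry in srv.get("addresses", [[[name]]])[0]:  # each entry: "host" or "host port N"
        if port is not None:
            p = int(port)                             # -p on the command line wins
        elif len(entry) == 3 and entry[1] == "port":
            p = int(entry[2])                         # an address's own port (assumed to win)
        else:
            p = file_port
        targets.append((entry[0], p))
    return key_name, targets

def check_key(clause):
    """Findings for one key statement; an empty list means it looks sound."""
    findings = []
    alg = clause.get("algorithm", [""])[0].lower()
    if alg not in SUPPORTED:
        findings.append("algorithm %r is not one rndc supports" % alg)
    elif alg == "hmac-md5":
        findings.append("hmac-md5 is kept for compatibility only; prefer hmac-sha256")
    try:
        raw = base64.b64decode(clause.get("secret", [""])[0], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return findings + ["secret is not valid base-64"]
    if len(raw) < 16:  # assumed floor for this check
        findings.append("secret decodes to only %d bytes" % len(raw))
    return findings

# Constructed sample in the shape of the page's example; the secrets are sample values only.
SAMPLE_CONF = '''options {                                  /* what plain rndc uses */
  default-server  localhost;                 // C++ style comment
  default-key     samplekey;
};
server testserver {
  key        testkey;
  addresses  { localhost port 5353; 192.0.2.10; };   # Unix style comment
};
key samplekey {
  algorithm  hmac-sha256;
  secret     "Y1yvi9xgp0BnGyEW7ExGDJXJgnKbjnIYrHgJIsiW4tQ=";
};
key testkey {
  algorithm  hmac-md5;
  secret     "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
'''
```

<p>
      Running <code class="literal">resolve(load_rndc_conf(SAMPLE_CONF))</code>
      gives the default target (samplekey, localhost on the fallback port);
      passing <code class="literal">server="testserver"</code> switches to testkey
      and the two entries of its addresses clause, one with its own port.
      <code class="literal">check_key</code> flags the hmac-md5 key as
      compatibility-only and rejects a secret that is not base-64.
    </p>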
<p>
      There are two common ways to generate the base-64 string for the
      secret.  The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
      can be used to generate a random key, or the
      <span><strong class="command">mmencode</strong></span> program, also known as
      <span><strong class="command">mimencode</strong></span>, can be used to generate a
      base-64 string from known input.  <span><strong class="command">mmencode</strong></span>
      does not ship with BIND 9 but is available on many systems.  A secret
      derived from known input is only as strong as that input, so a randomly
      generated key is preferable.  See the
      EXAMPLE section for sample command lines for each.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543515"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
      options {
        default-server  localhost;
        default-key     samplekey;
      };
</pre>
<pre class="programlisting">
      server localhost {
        key             samplekey;
      };
</pre>
<pre class="programlisting">
      server testserver {
        key             testkey;
        addresses       { localhost port 5353; };
      };
</pre>
<pre class="programlisting">
      key samplekey {
        algorithm       hmac-sha256;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };
</pre>
<pre class="programlisting">
      key testkey {
        algorithm       hmac-sha256;
        secret          "R3HI8P6BKw9ZwXwN3VZKuQ==";
      };
</pre>
<p>
      In the above example, <span><strong class="command">rndc</strong></span> will by
      default use the server at localhost (127.0.0.1) and the key called samplekey.
      Commands to the localhost server will use the samplekey key, which
      must also be defined in the server's configuration file with the
      same name and secret.  Because <code class="filename">rndc.conf</code>
      holds this shared secret, it should not be readable by other users.
      The key statement indicates that samplekey
      uses the HMAC-SHA256 algorithm and its secret clause contains the
      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
    </p>
<p>
      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
      connect to the server on localhost port 5353 using the key testkey.
    </p>
<p>
      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
    </p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
    </p>
<p>
      A complete <code class="filename">rndc.conf</code> file, including
      the randomly generated key, will be written to the standard
      output.  Commented-out <code class="option">key</code> and
      <code class="option">controls</code> statements for
      <code class="filename">named.conf</code> are also printed.
    </p>
<p>
      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
    </p>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543607"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
      The name server must be configured to accept rndc connections and
      to recognize the key specified in the <code class="filename">rndc.conf</code>
      file, using the controls statement in <code class="filename">named.conf</code>.
      See the sections on the <code class="option">controls</code> statement in the
      BIND 9 Administrator Reference Manual for details.
    </p>
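<p>
      The following is a worked version of the whole procedure this page
      describes (generate a random secret, install it under the same key
      name in <code class="filename">rndc.conf</code> and in the
      <code class="option">controls</code> statement of
      <code class="filename">named.conf</code>), written for this page as an
      added example; it is not <span><strong class="command">rndc-confgen</strong></span>
      or its output.  The 32-byte key, the name rndc-key, the 127.0.0.1
      listen address and port 953 are this example's choices, and the
      <code class="option">controls</code> syntax is the one documented in the
      BIND 9 Administrator Reference Manual the page refers to, not shown
      on this page.  <code class="literal">write_private</code> shows the file
      mode a file holding the shared secret should have.
    </p>

```python
"""Make a fresh rndc secret plus matching rndc.conf and named.conf fragments.
Added example for this page, not rndc-confgen; see the lead-in for assumptions."""
import base64
import os
import re
import secrets

def new_secret(nbytes=32):
    """Random HMAC key, returned as the base-64 string the secret clause expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def key_statement(key_name, secret, algorithm="hmac-sha256"):
    """The key statement, identical in both files: same name, algorithm and secret."""
    return ("key %s {\n"
            "  algorithm  %s;\n"
            "  secret     \"%s\";\n"
            "};\n" % (key_name, algorithm, secret))

def rndc_conf(key_name, secret, server="127.0.0.1", port=953):
    """rndc.conf: make plain `rndc` use this server and key by default."""
    return ("options {\n"
            "  default-server  %s;\n"
            "  default-key     %s;\n"
            "  default-port    %d;\n"
            "};\n\n" % (server, key_name, port)) + key_statement(key_name, secret)

def named_conf_controls(key_name, secret, listen="127.0.0.1", port=953):
    """named.conf fragment: the same key plus a controls statement that listens on the
    loopback address only and accepts only connections signed with this key.
    (controls syntax per the BIND 9 ARM; listen address and port are this example's choice.)"""
    return key_statement(key_name, secret) + (
        "\ncontrols {\n"
        "  inet %s port %d allow { %s; } keys { %s; };\n"
        "};\n" % (listen, port, listen, key_name))

_SECRET = re.compile(r'secret\s+"([^"]*)"')

def secrets_agree(rndc_text, named_text):
    """True when both fragments carry exactly one secret clause and it is the same secret."""
    a, b = _SECRET.findall(rndc_text), _SECRET.findall(named_text)
    return len(a) == 1 and a == b

def write_private(path, text):
    """Write a file that holds the shared secret with mode 0600 (owner read/write only)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # tighten it even if the file already existed with a wider mode
    return oct(os.stat(path).st_mode & 0o777)

def make_pair(key_name="rndc-key"):
    """Generate one secret and render both fragments from it."""
    secret = new_secret()
    return {"secret": secret,
            "rndc.conf": rndc_conf(key_name, secret),
            "named.conf": named_conf_controls(key_name, secret)}

if __name__ == "__main__":
    pair = make_pair()
    print(pair["rndc.conf"])
    print(pair["named.conf"])
```

<p>
      <code class="literal">secrets_agree</code> is the check to run before
      restarting <span><strong class="command">named</strong></span>: a key name that
      matches but a secret that does not is the usual reason
      <span><strong class="command">rndc</strong></span> is refused.
    </p>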
</div>
<div class="refsect1" lang="en">
<a name="id2543628"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543667"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>
