<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.rndc.conf.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.rndc.html" title="rndc">
<link rel="next" href="man.rndc-confgen.html" title="rndc-confgen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.rndc.conf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><code class="filename">rndc.conf</code> — rndc configuration file</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2619249"></a><h2>DESCRIPTION</h2>
<p><code class="filename">rndc.conf</code> is the configuration file
      for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
      utility. This file has a similar structure and syntax to
      <code class="filename">named.conf</code>. Statements are enclosed
      in braces and terminated with a semi-colon. Clauses in
      the statements are also semi-colon terminated. The usual
      comment styles are supported:
    </p>
<p>
      C style: /* */
    </p>
<p>
      C++ style: // to end of line
    </p>
<p>
      Unix style: # to end of line
    </p>
<p><code class="filename">rndc.conf</code> is much simpler than
      <code class="filename">named.conf</code>.
      The file uses three
      statements: an options statement, a server statement
      and a key statement.
    </p>
<p>
      The <code class="option">options</code> statement contains five clauses.
      The <code class="option">default-server</code> clause is followed by the
      name or address of a name server. This host will be used when
      no name server is given as an argument to
      <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code>
      clause is followed by the name of a key which is identified by
      a <code class="option">key</code> statement. If no
      <code class="option">keyid</code> is provided on the rndc command line,
      and no <code class="option">key</code> clause is found in a matching
      <code class="option">server</code> statement, this default key will be
      used to authenticate the server's commands and responses. The
      <code class="option">default-port</code> clause is followed by the port
      to connect to on the remote name server. If no
      <code class="option">port</code> option is provided on the rndc command
      line, and no <code class="option">port</code> clause is found in a
      matching <code class="option">server</code> statement, this default port
      will be used to connect.
      The <code class="option">default-source-address</code> and
      <code class="option">default-source-address-v6</code> clauses
      can be used to set the IPv4 and IPv6 source addresses
      respectively.
    </p>
<p>
      After the <code class="option">server</code> keyword, the server
      statement includes a string which is the hostname or address
      for a name server. The statement has three possible clauses:
      <code class="option">key</code>, <code class="option">port</code> and
      <code class="option">addresses</code>. The key name must match the
      name of a key statement in the file. The port number
      specifies the port to connect to. If an <code class="option">addresses</code>
      clause is supplied, these addresses will be used instead of
      the server name. Each address can take an optional port.
      If a <code class="option">source-address</code> or <code class="option">source-address-v6</code>
      clause is supplied, these will be used to specify the IPv4 and IPv6
      source addresses respectively.
    </p>
<p>
      The <code class="option">key</code> statement begins with an identifying
      string, the name of the key. The statement has two clauses.
      <code class="option">algorithm</code> identifies the authentication algorithm
      for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5
      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
      (default), HMAC-SHA384 and HMAC-SHA512 are
      supported. This is followed by a secret clause which contains
      the base-64 encoding of the algorithm's authentication key. The
      base-64 string is enclosed in double quotes.
    </p>
<p>
      There are two common ways to generate the base-64 string for the
      secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span>
      can be used to generate a random key, or the
      <span><strong class="command">mmencode</strong></span> program, also known as
      <span><strong class="command">mimencode</strong></span>, can be used to generate a
      base-64 string from known input. <span><strong class="command">mmencode</strong></span> does
      not ship with BIND 9 but is available on many systems. See the
      EXAMPLE section for sample command lines for each.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2661200"></a><h2>EXAMPLE</h2>
<pre class="programlisting">
      options {
        default-server  localhost;
        default-key     samplekey;
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      server localhost {
        key             samplekey;
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      server testserver {
        key             testkey;
        addresses       { localhost port 5353; };
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      key samplekey {
        algorithm       hmac-sha256;
        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
      };
</pre>
<p>
    </p>
<pre class="programlisting">
      key testkey {
        algorithm       hmac-sha256;
        secret          "R3HI8P6BKw9ZwXwN3VZKuQ==";
      };
</pre>
<p>
    </p>
<p>
      In the above example, <span><strong class="command">rndc</strong></span> will by
      default use
      the server at localhost (127.0.0.1) and the key called samplekey.
      Commands to the localhost server will use the samplekey key, which
      must also be defined in the server's configuration file with the
      same name and secret. The key statement indicates that samplekey
      uses the HMAC-SHA256 algorithm and its secret clause contains the
      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
    </p>
<p>
      If <span><strong class="command">rndc -s testserver</strong></span> is used then <span><strong class="command">rndc</strong></span> will
      connect to the server on localhost port 5353 using the key testkey.
    </p>
<p>
      To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
    </p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
    </p>
<p>
      A complete <code class="filename">rndc.conf</code> file, including
      the randomly generated key, will be written to the standard
      output.
      Commented-out <code class="option">key</code> and
      <code class="option">controls</code> statements for
      <code class="filename">named.conf</code> are also printed.
    </p>
<p>
      To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
    </p>
<p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2662004"></a><h2>NAME SERVER CONFIGURATION</h2>
<p>
      The name server must be configured to accept rndc connections and
      to recognize the key specified in the <code class="filename">rndc.conf</code>
      file, using the controls statement in <code class="filename">named.conf</code>.
      See the sections on the <code class="option">controls</code> statement in the
      BIND 9 Administrator Reference Manual for details.
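    </p>
<p>
      The following is an added example, not code from BIND or from the original manual page:
      a Python audit of the <code class="option">key</code> statements in an
      <code class="filename">rndc.conf</code>. It flags hmac-md5, secrets that are not valid
      padded base-64, secrets shorter than the HMAC digest (an assumed local policy, not a BIND limit)
      and secrets that decode to plain text, as the mmencode recipe above produces.
      <code>SAMPLE_CONF</code> is constructed; <code>phrasekey</code> and <code>oldkey</code> are made-up names.
    </p>

```python
import base64
import binascii
import re

# Algorithms listed on this page, mapped to HMAC digest size in bytes.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
# Quoted strings match first, so "//" or "#" inside a secret is not a comment.
STRING_OR_COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
KEY_STMT = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)
ALGORITHM = re.compile(r'\balgorithm\s+"?([\w-]+)"?\s*;')
SECRET = re.compile(r'\bsecret\s+"([^"]*)"\s*;')

def audit_rndc_keys(conf_text):
    """Return {key name: [findings]} for every key statement in conf_text."""
    text = STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf_text)
    report = {}
    for name, body in KEY_STMT.findall(text):
        findings = report.setdefault(name, [])
        alg = ALGORITHM.search(body)
        alg = alg.group(1).lower() if alg else None
        if alg not in DIGEST_BYTES:
            findings.append(f"missing or unsupported algorithm: {alg}")
        elif alg == "hmac-md5":
            findings.append("hmac-md5 is kept only for compatibility")
        secret = SECRET.search(body)
        if secret is None:
            findings.append("no secret clause")
            continue
        try:
            raw = base64.b64decode(secret.group(1), validate=True)
        except binascii.Error:
            findings.append("secret is not valid padded base-64")
            continue
        # Assumption (local policy, not a BIND limit): key >= digest size.
        need = DIGEST_BYTES.get(alg, 32)
        if need > len(raw):
            findings.append(f"secret is {len(raw)} bytes, below {need}")
        if raw and all(b in range(32, 127) or b in (10, 13) for b in raw):
            findings.append("secret decodes to plain text")
    return report

# Constructed sample: the page's two keys plus made-up phrasekey and oldkey.
PHRASE = base64.b64encode(b"known plaintext for a secret\n").decode()
SLASHES = base64.b64encode(b"\xff" * 48).decode()  # 64 "/" characters
SAMPLE_CONF = '''
key samplekey { algorithm hmac-sha256; secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz"; };
key testkey { algorithm hmac-sha256; secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; };
key phrasekey { algorithm hmac-sha256; secret "%s"; };  # from known input
key oldkey { algorithm hmac-md5; secret "%s"; };        // legacy key
''' % (PHRASE, SLASHES)

if __name__ == "__main__":
    print(audit_rndc_keys(SAMPLE_CONF))
```

<p>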
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2662029"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2662068"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>