Man page generated from reStructuredText.
. . .nr rst2man-indent-level 0 . \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .rstReportMargin pre:
. RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .rstReportMargin post:
.. . RE indent \\n[an-margin]
old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1 new: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
.
. . .nr rst2man-indent-level 0 . \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .rstReportMargin pre:
. RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .rstReportMargin post:
.. . RE indent \\n[an-margin]
old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1 new: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
"RNDC.CONF" "5" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
NAME
rndc.conf - rndc configuration file
SYNOPSIS
rndc.conf
DESCRIPTION
rndc.conf is the configuration file for \%rndc, the BIND 9 name
server control utility. This file has a similar structure and syntax to
\%named.conf. Statements are enclosed in braces and terminated with a
semi-colon. Clauses in the statements are also semi-colon terminated.
The usual comment styles are supported:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
rndc.conf is much simpler than \%named.conf. The file uses three
statements: an options statement, a server statement, and a key
statement.
The options statement contains five clauses. The default-server
clause is followed by the name or address of a name server. This host
is used when no name server is given as an argument to \%rndc.
The default-key clause is followed by the name of a key, which is
identified by a key statement. If no keyid is provided on the
rndc command line, and no key clause is found in a matching
server statement, this default key is used to authenticate the
server\(aqs commands and responses. The default-port clause is followed
by the port to connect to on the remote name server. If no port
option is provided on the rndc command line, and no port clause is
found in a matching server statement, this default port is used
to connect. The default-source-address and
default-source-address-v6 clauses can be used to set the IPv4
and IPv6 source addresses respectively.
After the server keyword, the server statement includes a string
which is the hostname or address for a name server. The statement has
three possible clauses: key, port, and addresses. The key
name must match the name of a key statement in the file. The port number
specifies the port to connect to. If an addresses clause is supplied,
these addresses are used instead of the server name. Each address
can take an optional port. If an source-address or
source-address-v6 is supplied, it is used to specify the
IPv4 and IPv6 source address, respectively.
The key statement begins with an identifying string, the name of the
key. The statement has two clauses. algorithm identifies the
authentication algorithm for \%rndc to use; currently only HMAC-MD5
(for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default),
HMAC-SHA384, and HMAC-SHA512 are supported. This is followed by a secret
clause which contains the base-64 encoding of the algorithm\(aqs
authentication key. The base-64 string is enclosed in double quotes.
There are two common ways to generate the base-64 string for the secret.
The BIND 9 program \%rndc-confgen can be used to generate a random
key, or the mmencode program, also known as mimencode, can be
used to generate a base-64 string from known input. mmencode does
not ship with BIND 9 but is available on many systems. See the Example
section for sample command lines for each.
EXAMPLE
NDENT 0.0 NDENT 3.5 .EX
options {
default-server localhost;
default-key samplekey;
};
NINDENT NINDENT NDENT 0.0 NDENT 3.5 .EX
server localhost {
key samplekey;
};
NINDENT NINDENT NDENT 0.0 NDENT 3.5 .EX
server testserver {
key testkey;
addresses { localhost port 5353; };
};
NINDENT NINDENT NDENT 0.0 NDENT 3.5 .EX
key samplekey {
algorithm hmac-sha256;
secret \(dq6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz\(dq;
};
NINDENT NINDENT NDENT 0.0 NDENT 3.5 .EX
key testkey {
algorithm hmac-sha256;
secret \(dqR3HI8P6BKw9ZwXwN3VZKuQ==\(dq;
};
NINDENT NINDENT In the above example, \%rndc by default uses the server at
localhost (127.0.0.1) and the key called \(dqsamplekey\(dq. Commands to the
localhost server use the \(dqsamplekey\(dq key, which must also be defined
in the server\(aqs configuration file with the same name and secret. The
key statement indicates that \(dqsamplekey\(dq uses the HMAC-SHA256 algorithm
and its secret clause contains the base-64 encoding of the HMAC-SHA256
secret enclosed in double quotes.
If \%rndc -s testserver is used, then \%rndc connects to the server
on localhost port 5353 using the key \(dqtestkey\(dq.
To generate a random secret with \%rndc-confgen:
\%rndc-confgen
A complete rndc.conf file, including the randomly generated key,
is written to the standard output. Commented-out key and
controls statements for \%named.conf are also printed.
To generate a base-64 secret with mmencode:
echo \(dqknown plaintext for a secret\(dq | mmencode
NAME SERVER CONFIGURATION
The name server must be configured to accept rndc connections and to
recognize the key specified in the rndc.conf file, using the
controls statement in \%named.conf. See the sections on the
controls statement in the BIND 9 Administrator Reference Manual for
details.
SEE ALSO
\%rndc(8), \%rndc-confgen(8), mmencode(1), BIND 9 Administrator Reference Manual.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2024, Internet Systems Consortium
Generated by docutils manpage writer..