rndc.conf File

Purpose

Defines the name server, algorithm, and key for the rndc command to use.

Syntax

options { server ;
          key ;
          port ;
          address ;
          address-ipv6 ; };

server { key ;
         port ;
         host | address ; };

key { algorithm ;
      secret " strings "; };

Description

The rndc.conf file is the configuration file for the rndc command, the BIND 9 name server control utility. The rndc.conf file has the same structure and syntax as the named.conf file, and it accepts the same comment styles: C style, C++ style, and UNIX (shell) style.

The rndc.conf file contains three statements: the options statement, the server statement, and the key statement.

options Statement

The options statement contains the following attributes:
Attribute       Definition
server          Defines the default name server to be used when the rndc command does not specify a name server. The name or address of a name server can be used in this attribute.
key             Defines the default key to authenticate the commands and responses from a server. The key is defined in a key statement. If the rndc command does not specify a key ID, or no key attribute is defined in a matching server statement, the value in this key attribute is used.
port            Defines the default port for connection to the remote name server. If the rndc command does not specify a port, or no port attribute is defined in a matching server statement, the value in this port attribute is used.
address         Defines the IPv4 source address to be used by default.
address-ipv6    Defines the IPv6 source address to be used by default.

server Statement

Attribute       Definition
key             Defines the key for the server. The key name must match the name of a key statement in the file.
port            Specifies the port to connect to.
host | address  Specifies the server name or the address of the server. If an address is specified, it is used instead of the server name. Each address can carry an optional port. A source address can also be given: an IPv4 source address for IPv4 connections and an IPv6 source address for IPv6 connections.

key Statement

The key statement begins with the name of the key, which is an identifying string.

Attribute           Definition
algorithm           Identifies the encryption algorithm for the rndc command to use. Only the HMAC-MD5 algorithm is supported currently.
secret " strings "  Contains the base-64 encoding of the algorithm encryption key. The base-64 string is enclosed in quotation marks (" "). To generate the base-64 string for the secret attribute, run the rndc-confgen command, which generates a random key for the rndc command.

Example

In the following example, the rndc command uses the server on the local host (127.0.0.1) by default, with the key samplekey.

options {
    default-server localhost;
    default-key samplekey;
};
server localhost {
    key samplekey;
};
server testserver {
    key testkey;
    addresses { localhost port 5353; };
};
key samplekey {
    algorithm hmac-md5;
    secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
key testkey {
    algorithm hmac-md5;
    secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};

In the preceding example, commands to the local host server use the samplekey key, which must also be defined, with the same name and secret, in the configuration file of the server. The key statement indicates that samplekey uses the HMAC-MD5 algorithm, and its secret attribute contains the base-64 encoding of the HMAC-MD5 secret. If the rndc -s testserver command is used, the rndc command connects to the server on the local host at port 5353 using the key testkey.
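As an added illustration (not part of this manual page or of BIND), the following Python checks an rndc.conf file for the mistakes the text warns about: a server statement or default-key that names a key with no matching key statement, and a secret that is not valid base-64 or is too short to be worth using. The parser, the checks and the sample configuration are this example's own assumptions.

```python
import base64
import re

_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)   # C, C++ and UNIX comments
_HEAD = re.compile(r'(?<![\w-])(options|server|key)\s*([^\s{]*)\s*\{')  # `stmt [name] {`
_ATTR = re.compile(r'([\w-]+)\s+("[^"]*"|[^;{}]+)\s*;')       # `attr value;`

def parse_rndc_conf(text):
    """Return {'options': {attr: val}, 'server': {name: {...}}, 'key': {name: {...}}}."""
    text, pos = _COMMENT.sub(' ', text), 0
    conf = {'options': {}, 'server': {}, 'key': {}}
    while (m := _HEAD.search(text, pos)):
        depth, end = 1, m.end()
        while depth:                # walk by brace depth, so nested sub-blocks are skipped
            depth += {'{': 1, '}': -1}.get(text[end], 0)
            end += 1
        body = re.sub(r'\{([^{}]*)\}', r'"\1"', text[m.end():end - 1])  # quote sub-blocks
        attrs = {k: ' '.join(v.strip('"').split()) for k, v in _ATTR.findall(body)}
        if m.group(1) == 'options':
            conf['options'] = attrs
        else:
            conf[m.group(1)][m.group(2).strip('"')] = attrs
        pos = end
    return conf

def check_rndc_conf(text):
    """Dangling key references, secrets that are not base-64, and secrets under 128 bits."""
    conf, problems = parse_rndc_conf(text), []
    for kname, k in conf['key'].items():
        try:
            raw = base64.b64decode(k.get('secret', ''), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            problems.append('key %s: secret is not valid base-64' % kname)
            continue
        if len(raw) < 16:
            problems.append('key %s: secret is only %d bits' % (kname, 8 * len(raw)))
    refs = [('server ' + n, s.get('key')) for n, s in conf['server'].items()]
    refs.append(('options default-key', conf['options'].get('default-key')))
    for where, kname in refs:
        if kname is not None and kname not in conf['key']:
            problems.append('%s: key %r has no key statement' % (where, kname))
    return problems

# Constructed sample (not the page's): sound key, non-base-64 secret, 40-bit secret, undefined key.
SAMPLE = '''options { default-server localhost; default-key goodkey; };  // C++ comment
server localhost { key goodkey; };  # UNIX comment
server remote { key missingkey; addresses { 192.0.2.10 port 953; }; };
key goodkey { algorithm hmac-md5; secret "AAECAwQFBgcICQoLDA0ODw=="; }; /* 128 bits */
key badkey { algorithm hmac-md5; secret "not base64!"; };
key weakkey { algorithm hmac-md5; secret "c2hvcnQ="; };'''
```

Running check_rndc_conf(SAMPLE) reports badkey, weakkey and the undefined key referenced by server remote, while goodkey passes.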

Configuration

To accept rndc connections and recognize the key specified in the rndc.conf file, the name server must be configured with the controls statement in the named.conf file.