Defines the name server, key, and HMAC algorithm that the rndc command uses to authenticate itself to a BIND 9 name server.

Syntax (placeholders are shown as plain words; the keywords are the ones the example at the end of this page also uses):

options {
default-server server;
default-key key;
default-port port;
default-source-address address;
default-source-address-v6 address-ipv6;
};
server server {
key key;
port port;
addresses { host | address ; ... };
source-address address;
source-address-v6 address-ipv6;
};
key key {
algorithm algorithm;
secret "strings";
};
The rndc.conf file is the configuration file for the rndc command, the BIND 9 name server control utility. It has the same structure and syntax as the named.conf file, including the three comment styles: C (/* ... */), C++ (//), and shell (#).
The rndc.conf file contains three statements: the options statement, the server statement, and the key statement. Because the key statement holds the shared secret that authorizes control commands, the file should be readable only by the user who runs rndc (for example, mode 0600).
options Statement
Attributes | Definition |
---|---|
default-server | Defines the default name server to use when the rndc command is run without the -s option. The value can be a host name or an address. |
default-key | Defines the default key used to authenticate the commands sent to a server and the responses received from it. The key must be defined by a key statement in this file. It is used when the rndc command is run without the -y option and the matching server statement has no key attribute. |
default-port | Defines the default port for connecting to the remote name server. It is used when the rndc command is run without the -p option and the matching server statement has no port attribute. |
default-source-address | Defines the IPv4 source address to use by default. |
default-source-address-v6 | Defines the IPv6 source address to use by default. |
server Statement
The server statement begins with the host name or address of the server, which is the value matched against the rndc -s option.
Attributes | Definition |
---|---|
key | Defines the key to use for this server. The key name must match the name of a key statement in the file. |
port | Specifies the port to connect to. |
addresses | Lists one or more host names or addresses to connect to instead of the name given in the server statement. Each entry can take an optional port, as in addresses { localhost port 5353; }. |
source-address | Specifies the IPv4 source address for connections to this server. |
source-address-v6 | Specifies the IPv6 source address for connections to this server. |
key Statement
The key statement begins with the name of the key, which is an identifying string.
Attributes | Definition |
---|---|
algorithm | Identifies the HMAC algorithm used to authenticate the commands and responses. This is a message authentication code, not encryption: the control channel is authenticated but not confidential. The BIND release documented here supports only hmac-md5; current BIND 9 releases also accept the HMAC-SHA family (hmac-sha1 through hmac-sha512), and hmac-sha256 should be preferred wherever both rndc and named support it. |
secret " strings " | Contains the base-64 encoding of the shared HMAC secret, enclosed in quotation marks (" "). The same name, algorithm, and secret must appear in a key statement in the server's named.conf. To generate the secret, run the rndc-confgen command, which produces a random key and prints a complete rndc.conf together with the matching key and controls statements for named.conf. |
In the following example, the rndc command connects to the server at localhost (127.0.0.1) by default and authenticates with the default key samplekey.
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
server testserver {
key testkey;
addresses { localhost port 5353; };
};
key samplekey {
algorithm hmac-md5;
secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
};
key testkey {
algorithm hmac-md5;
secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
};
In the preceding example, commands to the localhost server use the samplekey key, which must also be defined in the server's named.conf with the same name, algorithm, and secret. The key statement declares that samplekey uses the HMAC-MD5 algorithm and that its secret attribute holds the base-64 encoding of the HMAC-MD5 secret. If rndc -s testserver is run, the rndc command connects to the server at localhost on port 5353 and authenticates with the testkey key.
To accept rndc connections and recognize the key named in the rndc.conf file, the name server must carry a matching key statement and a controls statement in its named.conf file. The controls statement also fixes the address and port the server listens on, the addresses allowed to connect, and the keys accepted on that channel; a client whose key is absent from that keys list is refused even when its secret is correct.
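The client/server agreement described above is easy to get wrong by hand (a key renamed on one side, a secret pasted with a missing padding character, a key defined in named.conf but left out of controls). The following is an added example, not part of BIND or of this page's original text: a small Python parser for the named.conf-style block grammar that cross-checks an rndc.conf against the named.conf that has to accept it. Both configuration texts are constructed for the example, and the secrets are placeholders, not real keys.

```python
"""Cross-check an rndc.conf against the named.conf that must accept it.
Added example, not BIND code. Both sample files below are constructed."""
import base64
import binascii
import re

RNDC_CONF = """
options { default-server localhost; default-key samplekey; };
server localhost { key samplekey; };
server testserver { key testkey; addresses { localhost port 5353; }; };
key samplekey { algorithm hmac-sha256; secret "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY="; };
key testkey { algorithm hmac-md5; secret "R3HI8P6BKw9ZwXwN3VZKuQ=="; };  # legacy algorithm
"""
NAMED_CONF = """
// Server side: same key name, algorithm and secret as rndc.conf, and a
// controls statement that accepts only that key, only from 127.0.0.1.
key samplekey { algorithm hmac-sha256; secret "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { samplekey; }; };
"""
LEGACY_ALGORITHMS = {"hmac-md5"}
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)  # C, C++ and shell comments
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse(tokens, pos=0, depth=0):
    """Return (statements, pos); a statement mixes words (str) and nested blocks (list)."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "{":
            block, pos = parse(tokens, pos, depth + 1)
            cur.append(block)
        elif tok == "}":
            if depth == 0: raise ValueError("unbalanced '}'")
            return stmts + ([cur] if cur else []), pos
        elif tok == ";":
            stmts, cur = stmts + ([cur] if cur else []), []
        else:
            cur.append(tok.strip('"'))
    if depth: raise ValueError("missing '}'")
    return stmts + ([cur] if cur else []), pos


def statements(text):
    return parse(TOKEN_RE.findall(COMMENT_RE.sub(" ", text)))[0]


def words(stmt):
    return [t for t in stmt if isinstance(t, str)]


def body(stmt):
    """First nested block of a statement, or [] when it has none."""
    return next((t for t in stmt if isinstance(t, list)), [])


def attrs(stmt):
    """{word1: word2} for each two-word clause inside the statement's block."""
    return {words(a)[0]: words(a)[1] for a in body(stmt) if len(words(a)) == 2}


def key_table(stmts):
    """key <name> { algorithm ...; secret "..."; }; -> {name: {attr: value}}"""
    return {words(s)[1]: attrs(s) for s in stmts if words(s)[:1] == ["key"] and len(words(s)) == 2}


def referenced_keys(rndc_stmts):
    """Keys rndc would use: options default-key and each server statement's key."""
    refs = {}
    for s in rndc_stmts:
        w, a = words(s), attrs(s)
        if w == ["options"] and "default-key" in a:
            refs["options default-key"] = a["default-key"]
        elif len(w) == 2 and w[0] == "server" and "key" in a:
            refs["server " + w[1]] = a["key"]
    return refs


def control_keys(named_stmts):
    """Key names listed in controls { inet ... keys { ... }; } clauses."""
    allowed = set()
    for s in (s for s in named_stmts if words(s) == ["controls"]):
        for inet in body(s):
            for i, t in enumerate(inet[:-1]):
                if t == "keys" and isinstance(inet[i + 1], list):
                    allowed.update(words(k)[0] for k in inet[i + 1] if words(k))
    return allowed


def check(rndc_text, named_text):
    """Return human-readable problems; an empty list means the two files agree."""
    rndc, named = statements(rndc_text), statements(named_text)
    rkeys, nkeys, allowed = key_table(rndc), key_table(named), control_keys(named)
    problems = [f"{where}: key '{name}' has no key statement in rndc.conf"
                for where, name in referenced_keys(rndc).items() if name not in rkeys]
    for name, a in rkeys.items():
        alg, secret = a.get("algorithm", "").lower(), a.get("secret", "")
        try:
            valid = bool(secret) and bool(base64.b64decode(secret, validate=True))
        except binascii.Error:
            valid = False
        if not valid:
            problems.append(f"key '{name}': secret is not valid, non-empty base64")
        if alg in LEGACY_ALGORITHMS:
            problems.append(f"key '{name}': {alg} is legacy; prefer hmac-sha256 where named supports it")
        if name not in nkeys:
            problems.append(f"key '{name}': no key statement of that name in named.conf")
        elif (nkeys[name].get("algorithm", "").lower(), nkeys[name].get("secret")) != (alg, secret):
            problems.append(f"key '{name}': algorithm or secret differs from named.conf")
        if name not in allowed:
            problems.append(f"key '{name}': not listed in any controls ... keys {{ }} clause")
    return problems
```

Run against the two constructed files, check() reports nothing for samplekey and three problems for testkey: it uses hmac-md5, it has no key statement in named.conf, and it is not in the controls keys list, so rndc -s testserver would be refused by this server even though rndc.conf is internally consistent. The parser strips comments before tokenizing, so a secret containing '#' would be truncated; real secrets are base64 and cannot contain it.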