12.4. Using rndc
BIND includes a utility called
rndc
which allows command line administration of the named
daemon from the localhost or from a remote host.
In order to prevent unauthorized access to the
named
daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both /etc/named.conf
and the rndc
configuration file, /etc/rndc.conf
.
12.4.1. Configuring /etc/named.conf
In order for
rndc
to connect to a named
service, there must a controls
statement in the BIND server's /etc/named.conf
file.
The
controls
statement, shown in the following example, allows rndc
to connect from the localhost.
controls { inet 127.0.0.1 allow { localhost; } keys { <key-name>; }; };
This statement tells
named
to listen on the default TCP port 953 of the loopback address and allow rndc
commands coming from the localhost, if the proper key is given. The <key-name> specifies a name in the key
statement within the /etc/named.conf
file. The next example illustrates a sample key
statement.
key "<key-name>" { algorithm hmac-md5; secret "<key-value>"; };
In this case, the <key-value> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
A key with at least a 256-bit length is a good idea. The actual key that should be placed in the <key-value> area can be found in the
<key-file-name>
file generated by this command.
Warning
Because
/etc/named.conf
is world-readable, it is a good idea to place the key
statement in a separate file, readable only by root, and then use an include
statement to reference it. For example:
include "/etc/rndc.key";