Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
RNDC-CONFGEN(8)			    BIND 9		       RNDC-CONFGEN(8)

       rndc-confgen - rndc key generation tool

       rndc-confgen  [-a]  [-A	algorithm]  [-b	keysize] [-c keyfile] [-h] [-k
       keyname]	[-p port] [-s address] [-t chrootdir] [-u user]

       rndc-confgen generates configuration files for rndc. It can be used  as
       a  convenient  alternative to writing the rndc.conf file	and the	corre-
       sponding	controls and key statements in named.conf  by  hand.  Alterna-
       tively,	it can be run with the -a option to set	up a rndc.key file and
       avoid the need for a rndc.conf file  and	 a  controls  statement	 alto-

       -a     This  option  sets automatic rndc	configuration, which creates a
	      file rndc.key in /etc (or	a different sysconfdir specified  when
	      BIND  was	built) that is read by both rndc and named on startup.
	      The rndc.key file	defines	a default command channel and  authen-
	      tication	key allowing rndc to communicate with named on the lo-
	      cal host with no further configuration.

	      If  a  more  elaborate  configuration  than  that	 generated  by
	      rndc-confgen  -a	is required, for example if rndc is to be used
	      remotely,	run rndc-confgen without the  -a  option  and  set  up
	      rndc.conf	and named.conf as directed.

       -A algorithm
	      This  option  specifies  the  algorithm to use for the TSIG key.
	      Available	 choices  are:	 hmac-md5,   hmac-sha1,	  hmac-sha224,
	      hmac-sha256,   hmac-sha384,  and	hmac-sha512.  The  default  is

       -b keysize
	      This option specifies the	size  of  the  authentication  key  in
	      bits.  The  size	must be	between	1 and 512 bits;	the default is
	      the hash size.

       -c keyfile
	      This option is used with the -a option to	specify	 an  alternate
	      location for rndc.key.

       -h     This  option prints a short summary of the options and arguments
	      to rndc-confgen.

       -k keyname
	      This option specifies the	key name of  the  rndc	authentication
	      key. This	must be	a valid	domain name. The default is rndc-key.

       -p port
	      This  option specifies the command channel port where named lis-
	      tens for connections from	rndc. The default is 953.

       -s address
	      This option specifies the	IP address  where  named  listens  for
	      command-channel  connections from	rndc. The default is the loop-
	      back address

       -t chrootdir
	      This option is used with the -a option to	 specify  a  directory
	      where named runs chrooted. An additional copy of the rndc.key is
	      written relative to this directory, so that it is	found  by  the
	      chrooted named.

       -u user
	      This  option  is used with the -a	option to set the owner	of the
	      generated	rndc.key file.	If -t is also specified, only the file
	      in the chroot area has its owner changed.

       To allow	rndc to	be used	with no	manual configuration, run:

       rndc-confgen -a

       To print	a sample rndc.conf file	and the	corresponding controls and key
       statements to be	manually inserted into named.conf, run:


       rndc(8),	rndc.conf(5), named(8),	BIND 9 Administrator Reference Manual.

       Internet	Systems	Consortium

       2021, Internet Systems Consortium

9.16.21				  2021-09-07		       RNDC-CONFGEN(8)


Want to link to this manual page? Use this URL:

home | help