Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
RNDC.CONF(5)			    BIND 9			  RNDC.CONF(5)

       rndc.conf - rndc	configuration file


       rndc.conf  is  the  configuration file for rndc,	the BIND 9 name	server
       control utility.	This file  has	a  similar  structure  and  syntax  to
       named.conf.  Statements	are  enclosed  in braces and terminated	with a
       semi-colon. Clauses in the statements are also  semi-colon  terminated.
       The usual comment styles	are supported:

       C style:	/* */

       C++ style: // to	end of line

       Unix style: # to	end of line

       rndc.conf  is  much simpler than	named.conf. The	file uses three	state-
       ments: an options statement, a server statement and a key statement.

       The options statement contains five clauses. The	default-server	clause
       is  followed by the name	or address of a	name server. This host will be
       used when no name server	is given as an	argument  to  rndc.   The  de-
       fault-key  clause  is followed by the name of a key which is identified
       by a key	statement. If no keyid is provided on the rndc	command	 line,
       and no key clause is found in a matching	server statement, this default
       key will	be used	to authenticate	the server's commands  and  responses.
       The  default-port  clause  is followed by the port to connect to	on the
       remote name server. If no port option is	provided on the	 rndc  command
       line,  and no port clause is found in a matching	server statement, this
       default port will be used to connect.  The  default-source-address  and
       default-source-address-v6 clauses which can be used to set the IPv4 and
       IPv6 source addresses respectively.

       After the server	keyword, the server statement includes a string	 which
       is  the	hostname or address for	a name server. The statement has three
       possible	clauses: key, port and addresses. The key name must match  the
       name of a key statement in the file. The	port number specifies the port
       to connect to. If an addresses clause is	supplied these addresses  will
       be  used	 instead of the	server name. Each address can take an optional
       port. If	an source-address or source-address-v6 of supplied then	 these
       will  be	 used  to  specify  the	IPv4 and IPv6 source addresses respec-

       The key statement begins	with an	identifying string, the	 name  of  the
       key.  The statement has two clauses. algorithm identifies the authenti-
       cation algorithm	for rndc to use; currently only	HMAC-MD5 (for compati-
       bility),	HMAC-SHA1, HMAC-SHA224,	HMAC-SHA256 (default), HMAC-SHA384 and
       HMAC-SHA512 are supported. This is followed by a	 secret	 clause	 which
       contains	 the  base-64  encoding	of the algorithm's authentication key.
       The base-64 string is enclosed in double	quotes.

       There are two common ways to generate the base-64 string	 for  the  se-
       cret.  The BIND 9 program rndc-confgen can be used to generate a	random
       key, or the mmencode program, also known	as mimencode, can be  used  to
       generate	a base-64 string from known input. mmencode does not ship with
       BIND 9 but is available on many systems.	See the	 EXAMPLE  section  for
       sample command lines for	each.

	  options {
	    default-server  localhost;
	    default-key	    samplekey;

	  server localhost {
	    key		    samplekey;

	  server testserver {
	    key	    testkey;
	    addresses	{ localhost port 5353; };

	  key samplekey	{
	    algorithm	    hmac-sha256;
	    secret	    "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";

	  key testkey {
	    algorithm	hmac-sha256;
	    secret	"R3HI8P6BKw9ZwXwN3VZKuQ==";

       In  the above example, rndc will	by default use the server at localhost
       ( and the key called samplekey.  Commands  to	the  localhost
       server  will  use  the samplekey	key, which must	also be	defined	in the
       server's	configuration file with	the same  name	and  secret.  The  key
       statement  indicates  that samplekey uses the HMAC-SHA256 algorithm and
       its secret clause contains the base-64 encoding of the HMAC-SHA256  se-
       cret enclosed in	double quotes.

       If  rndc	 -s testserver is used then rndc will connect to server	on lo-
       calhost port 5353 using the key testkey.

       To generate a random secret with	rndc-confgen:


       A complete rndc.conf file, including the	randomly generated  key,  will
       be  written  to	the  standard  output.	Commented-out key and controls
       statements for named.conf are also printed.

       To generate a base-64 secret with mmencode:

       echo "known plaintext for a secret" | mmencode

       The name	server must be configured to accept rndc  connections  and  to
       recognize  the  key specified in	the rndc.conf file, using the controls
       statement in named.conf.	See the	sections on the	controls statement  in
       the BIND	9 Administrator	Reference Manual for details.

       rndc(8),	 rndc-confgen(8),  mmencode(1),	BIND 9 Administrator Reference

       Internet	Systems	Consortium

       2020, Internet Systems Consortium

9.16.6				  2020-08-10			  RNDC.CONF(5)


Want to link to this manual page? Use this URL:

home | help