20140315 configuring rndc for bind 9 - plembo/onemoretech GitHub Wiki

title: Configuring rndc for BIND 9
link: https://onemoretech.wordpress.com/2014/03/15/configuring-rndc-for-bind-9/
author: phil2nc
description:
post_id: 7145
created: 2014/03/15 20:38:34
created_gmt: 2014/03/16 00:38:34
comment_status: closed
post_name: configuring-rndc-for-bind-9
status: publish
post_type: post

Configuring rndc for BIND 9

Some quick notes on configuring rndc for BIND (Berkeley Internet Name Domain) 9 servers. I've been carrying through the same basic BIND configuration for my home name servers since version 4, updated along the way as old syntax changed. The rndc tool is used to perform administrative functions on a running BIND server without having to do a restart. After borking the configuration of rndc on a new Fedora 19 server, I decided to commit my notes here for posterity. Forget anything you may read everywhere else. THIS is how to do it on Red Hat Enterprise Linux 6+ and corresponding Fedora releases. I suspect these steps will work for other Linux distributions as well.

1. Create an rndc.conf file thus:

rndc-confgen >/etc/rndc.conf

It will look like this inside:

key "rndc-key" {
	algorithm hmac-md5;
	secret "KbcFrxgaLM==";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "KbcFrxgaLM==";
# };
# 
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

(The secret shown is just for illustration; yours will, and should, be different.)

Permissions:

chown root:named /etc/rndc.conf
chmod o-rwx /etc/rndc.conf

2. Create an rndc.key file by copying the "key" statement from your new /etc/rndc.conf file into /etc/rndc.key:

key "rndc-key" {
	algorithm hmac-md5;
	secret "KbcFrxgaLM==";
};

Set its permissions identically to the rndc.conf file.

3. Insert the following into /etc/named.conf, between the options statement and the first zone statement:

include "/etc/rndc.key";
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

Because named.conf should be world-readable (but only writable by root), I use the include directive so the key's secret never sits in named.conf itself. That's all there is to it.

Commit the change by restarting named:

systemctl restart named

Run rndc status to confirm the utility can talk to the server.
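The three steps above, scripted as an added example that is not part of the original post. It takes an rndc.conf in the rndc-confgen layout (the sample below is constructed, with a dummy secret), copies only the uncommented key statement into rndc.key, emits the include and controls statements for named.conf, and then checks that neither secret-bearing file is world-readable. It writes under a scratch directory rather than /etc, skips the chown (which needs root and the named group), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: automate steps 1-3 against a
# scratch directory instead of /etc. The sample rndc.conf is constructed to
# look like rndc-confgen output; the secret is a dummy value.
SAMPLE_RNDC_CONF='key "rndc-key" {
	algorithm hmac-md5;
	secret "KbcFrxgaLM==";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "KbcFrxgaLM==";
# };
'

# extract_key_stanza FILE: print the uncommented key { ... }; block only,
# skipping the "# key" lines in rndc-confgen's trailing comment.
extract_key_stanza() {
    awk '/^key /{inkey=1} inkey{print} inkey && /^};/{exit}' "$1"
}

# key_name FILE: print the key's name without quotes (e.g. rndc-key).
key_name() {
    extract_key_stanza "$1" | awk 'NR==1{gsub(/"/, "", $2); print $2}'
}

# controls_snippet KEYFILE KEYNAME: the include + controls statements for
# named.conf, restricted to the loopback address as in the post.
controls_snippet() {
    printf 'include "%s";\ncontrols {\n\tinet 127.0.0.1 port 953\n\t\tallow { 127.0.0.1; } keys { "%s"; };\n};\n' "$1" "$2"
}

# world_readable FILE: succeed if "other" has read permission (POSIX find -perm).
world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# setup DIR: write rndc.conf, rndc.key and a named.conf fragment under DIR
# and drop "other" permissions on the two files that carry the secret.
# (chown root:named is omitted: it needs root and the named group.)
setup() {
    dir=$1
    mkdir -p "$dir"
    printf '%s' "$SAMPLE_RNDC_CONF" > "$dir/rndc.conf"
    extract_key_stanza "$dir/rndc.conf" > "$dir/rndc.key"
    name=$(key_name "$dir/rndc.conf")
    controls_snippet "$dir/rndc.key" "$name" > "$dir/named.conf.controls"
    chmod o-rwx "$dir/rndc.conf" "$dir/rndc.key"
    # Report any file that would still expose the secret to every local user.
    for f in "$dir/rndc.conf" "$dir/rndc.key"; do
        if world_readable "$f"; then echo "WARNING: $f is world-readable"; fi
    done
}
```

Source the file and call setup with a scratch directory (for example setup /tmp/rndc-test), then compare the generated named.conf.controls with what you put in /etc/named.conf. Recent rndc-confgen releases default to hmac-sha256 rather than the hmac-md5 shown in the post; the extraction above does not depend on the algorithm line, so either works.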

Copyright 2004-2019 Phil Lembo