Using rndc

BIND includes a utility called rndc that allows you to administer the named daemon, locally or remotely, with command line statements. The rndc program uses the /etc/rndc.conf file for its configuration options, which can be overridden with command line options.

In order to prevent unauthorized users on other systems from controlling BIND on your server, a shared secret key method is used to explicitly grant privileges to particular hosts. In order for rndc to issue commands to any named, even on a local machine, the keys used in /etc/named.conf and /etc/rndc.conf must match.

Configuration Files

Before attempting to use the rndc command, verify that the proper configuration lines are in place in the necessary files. If you run rndc and see the following message, your configuration files are most likely not set up properly:

rndc: connect: connection refused

/etc/named.conf

In order for rndc to be allowed to connect to your named service, you must have a controls statement in your /etc/named.conf file when named starts. The sample controls statement shown in Figure 14-21 will allow you to execute rndc commands locally.

controls {
  inet 127.0.0.1 allow { localhost; } keys { <key-name>; };
};

Figure 14-21. Sample controls statement in /etc/named.conf

This statement tells named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> relates to the key statement, which is also in the /etc/named.conf file. A sample key statement is shown in Figure 14-22.

key "<key-name>" {
  algorithm hmac-md5;
  secret "<key-value>";
};

Figure 14-22. Sample key statement in /etc/named.conf

In this case, the <key-value> is an HMAC-MD5 key. You can generate your own HMAC-MD5 keys with the following command:

dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>

A key with a length of at least 256 bits is a good idea. The actual key that should be placed in the <key-value> area can be found in the <key-file-name>.

The name of the key used in /etc/named.conf should be something other than "key".

/etc/rndc.conf

To configure rndc to automatically use the key specified in /etc/named.conf for the localhost, three statements are needed. The options statement allows you to set the default server and key for rndc to use, as seen in Figure 14-23.

options {
  default-server  localhost;
  default-key     "<key-name>";
};

Figure 14-23. Sample options statement in /etc/rndc.conf

Optionally, the rndc command can be told to use a default key when accessing a particular server, as seen in Figure 14-24.

server localhost {
  key  "<key-name>";
};

Figure 14-24. Sample server statement in /etc/rndc.conf

However, this server statement is only really helpful if you connect to multiple servers with rndc.

The key statement is the most important statement in /etc/rndc.conf.

key "<key-name>" {
  algorithm hmac-md5;
  secret "<key-value>";
};

Figure 14-25. Sample key statement in /etc/rndc.conf

The <key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.

To test all of the settings, try the rndc reload command. You should see a response similar to this:

rndc: reload command successful

If the command was not successful, carefully go over the /etc/named.conf and /etc/rndc.conf files and look for errors.

Caution

You should make sure that unprivileged users cannot read or write the /etc/rndc.conf file.
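The two requirements above (identical key statements in both files, and an rndc.conf that unprivileged users cannot read) can be checked before running rndc. The script below is an added example, not part of the manual; it assumes key statements laid out one directive per line as in the figures, GNU or BSD stat, and uses constructed sample files with a placeholder secret.

```shell
#!/bin/sh
# Added example (not from the manual): check that the key statement in
# named.conf and rndc.conf agree, and that rndc.conf is private.

# Print "name algorithm secret" for a key statement written one
# directive per line, as in Figures 14-22 and 14-25.
extract_key() {
  awk '
    $1 == "key"                { name = $2; gsub(/[";{]/, "", name); inkey = 1; next }
    inkey && $1 == "algorithm" { alg = $2; sub(/;$/, "", alg) }
    inkey && $1 == "secret"    { sec = $2; gsub(/[";]/, "", sec) }
    inkey && /}/               { print name, alg, sec; inkey = 0 }
  ' "$1"
}

# Succeed only if both files carry an identical key statement.
keys_match() {
  a=$(extract_key "$1"); b=$(extract_key "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if group and others have no permission bits at all
# (GNU stat first, BSD stat as fallback).
conf_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files; the secret is a placeholder, not a real key.
write_samples() {
  dir=$(mktemp -d)
  printf '%s\n' 'controls {' \
    '  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };' '};' \
    'key "rndc-key" {' '  algorithm hmac-md5;' \
    '  secret "PLACEHOLDER-NOT-A-REAL-SECRET==";' '};' > "$dir/named.conf"
  printf '%s\n' 'options { default-server localhost; default-key "rndc-key"; };' \
    'key "rndc-key" {' '  algorithm hmac-md5;' \
    '  secret "PLACEHOLDER-NOT-A-REAL-SECRET==";' '};' > "$dir/rndc.conf"
  chmod 600 "$dir/rndc.conf"
  # Same file with a one-character typo in the secret, left world-readable.
  sed 's/SECRET==/SECRET=/' "$dir/rndc.conf" > "$dir/rndc-typo.conf"
  chmod 644 "$dir/rndc-typo.conf"
  echo "$dir"
}

d=$(write_samples)
keys_match "$d/named.conf" "$d/rndc.conf" && echo "rndc.conf: key matches named.conf"
keys_match "$d/named.conf" "$d/rndc-typo.conf" || echo "rndc-typo.conf: key does not match named.conf"
conf_is_private "$d/rndc-typo.conf" || echo "rndc-typo.conf: readable by unprivileged users"
```

To check a live system, call keys_match and conf_is_private with /etc/named.conf and /etc/rndc.conf instead of the constructed samples.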

Command Line Options

An rndc command takes the following form:

rndc <options> <command> <command-options>

Figure 14-26. Structure of an rndc command

The <options> area is not required, and you do not have to use <command-options> unless the command requires them.

When executing rndc on a properly configured localhost, the following commands are available:

Occasionally, you may want to override the default settings in the /etc/rndc.conf file. The following options are available:

Additional information about these options can be found in the rndc man page.