Red Hat Linux 8.0: The Official Red Hat Linux Reference Guide
Chapter 16. Berkeley Internet Name Domain (BIND)
BIND includes a utility called rndc which allows you to use command line statements to administer the named daemon, locally or remotely. The rndc program uses the /etc/rndc.conf file for its configuration options, which can be overridden with command line options.
In order to prevent unauthorized users on other systems from controlling BIND on your server, a shared secret key method is used to explicitly grant privileges to particular hosts. In order for rndc to issue commands to any named, even on a local machine, the keys used in /etc/named.conf and /etc/rndc.conf must match.
Before attempting to use the rndc command, verify that the proper configuration lines are in place in the necessary files. Most likely, your configuration files are not properly set if you run rndc and see a message that states:
rndc: connect: connection refused
In order for rndc to be allowed to connect to your named service, you must have a controls statement in your /etc/named.conf file when named starts. The sample controls statement shown in the next example will allow you to execute rndc commands locally.
controls {
    inet 127.0.0.1 allow { localhost; } keys { <key-name>; };
};
This statement tells named to listen on the default TCP port 953 of the loopback address and to allow rndc commands coming from localhost, provided the proper key is given. The <key-name> refers to the key statement, which is also in the /etc/named.conf file. The next example illustrates a sample key statement.
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};
In this case, the <key-value> is an HMAC-MD5 key. You can generate your own HMAC-MD5 keys with the following command:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
A key with a length of at least 256 bits is a good idea. The actual key that should be placed in the <key-value> area can be found in the generated <key-file-name> file.
The name of the key used in /etc/named.conf should be something other than key.
You need to add the following lines to /etc/rndc.conf if rndc is to automatically use the keys specified in /etc/named.conf. This is done with an options statement:
options {
    default-server localhost;
    default-key "<key-name>";
};
This statement sets a global default key, but the rndc command can also use different keys for particular servers, as in the following example:
server localhost {
    key "<key-name>";
};
However, this server statement is only really helpful if you connect to multiple servers with rndc.
The key statement is the most important statement in /etc/rndc.conf.
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};
The <key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.
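The steps above (generate a secret, put a matching key statement in /etc/named.conf and /etc/rndc.conf, and confirm the two agree) can be scripted and checked. The following is an added example, not part of the Red Hat guide or of BIND itself: it generates a 256-bit secret, writes both configuration files into a scratch directory rather than /etc, and then extracts the secret for a named key from each file and compares them, which is exactly the mismatch behind the "connection refused" message. The key name rndc-key, the scratch directory and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build matching rndc key
# stanzas and verify that the shared secret is identical in both files.
# Nothing here touches /etc; all paths come from mktemp.

# Emit a random base64 secret of the requested byte length
# (32 bytes = 256 bits, the minimum the guide recommends).
gen_secret() {
    bytes=${1:-32}
    dd if=/dev/urandom bs="$bytes" count=1 2>/dev/null | base64 | tr -d '\n'
}

# Write a named.conf fragment: key statement plus a controls statement
# that only accepts rndc from the loopback address with that key.
write_named_conf() {
    dir=$1; keyname=$2; secret=$3
    cat > "$dir/named.conf" <<EOF
key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { $keyname; };
};
EOF
}

# Write an rndc.conf fragment: options statement naming the default key,
# plus the key statement that must match named.conf exactly.
write_rndc_conf() {
    dir=$1; keyname=$2; secret=$3
    cat > "$dir/rndc.conf" <<EOF
options {
    default-server localhost;
    default-key "$keyname";
};

key "$keyname" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
}

# Print the secret of key "$2" found in file "$1" (empty if absent).
# Handles both one-line and multi-line key stanzas; lines such as
# 'default-key "x"' or 'keys { x; }' do not start with the word key
# followed by a quoted name, so they are ignored.
extract_secret() {
    awk -v k="$2" '
        $0 ~ ("^[[:space:]]*key[[:space:]]+\"" k "\"") { inkey = 1 }
        inkey && /secret[[:space:]]*"/ {
            s = $0
            sub(/.*secret[[:space:]]*"/, "", s)
            sub(/".*/, "", s)
            print s
            exit
        }
        inkey && /};/ { inkey = 0 }
    ' "$1"
}

# Return 0 only if key "$3" exists in both "$1" and "$2" with the same secret.
keys_match() {
    named_secret=$(extract_secret "$1" "$3")
    rndc_secret=$(extract_secret "$2" "$3")
    if [ -z "$named_secret" ] || [ -z "$rndc_secret" ]; then
        echo "key \"$3\" is missing from $1 or $2" >&2
        return 1
    fi
    if [ "$named_secret" = "$rndc_secret" ]; then
        echo "key \"$3\": secrets match"
        return 0
    fi
    echo "key \"$3\": secrets differ between $1 and $2" >&2
    return 1
}

# Demonstration: generate, write both files, and check them.
work=$(mktemp -d)
demo_secret=$(gen_secret 32)
write_named_conf "$work" rndc-key "$demo_secret"
write_rndc_conf "$work" rndc-key "$demo_secret"
keys_match "$work/named.conf" "$work/rndc.conf" rndc-key
```

The stanzas use hmac-md5 to match the guide; later BIND releases also accept stronger TSIG algorithms such as hmac-sha256 for the same key statement, and the check above is algorithm-agnostic because it compares only the secret strings. Run keys_match against the real /etc/named.conf and /etc/rndc.conf (as root, since rndc.conf should not be world-readable) whenever rndc reports "connection refused".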
To test all of the settings, try the rndc reload command. You should see a response similar to this:
rndc: reload command successful
If the command was not successful, carefully look over the /etc/named.conf and /etc/rndc.conf files and look for errors.
An rndc command takes the following form:
rndc <options> <command> <command-options>
The <options> area is not required, and you do not have to use <command-options> unless the command requires them.
When executing rndc on a properly configured localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Turns on logging of all queries made by clients to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Tells the nameserver to reload the zone files but keep all other previously cached responses. This allows you to make changes to zone files and have them take effect on your master and slave servers without losing all stored name resolutions.
If your changes only affected a particular zone, you can tell named to only reload that one zone. Type the name of the zone after the reload command.
stats — Dumps the current named stats to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and IXFR data before exiting.
Occasionally, you may want to override the default settings in the /etc/rndc.conf file. The following options are available:
-c <configuration-file> — Tells rndc to use a configuration file other than the default /etc/rndc.conf.
-p <port-number> — Specifies a different port number to use for the rndc connection other than the default 953.
-s <server> — Tells rndc to send the command to a server other than the default-server option in the /etc/rndc.conf file.
In order for this to work, you must have configured the other named service to accept commands from your host and have the key for that nameserver.
-y <key-name> — Allows you to specify a key other than the default-key option in the /etc/rndc.conf file.
Additional information about these options can be found in the rndc man page.