Using rndc
BIND includes a utility called rndc which allows you to use command line statements to administer the named daemon, locally, or remotely. The rndc program uses the /etc/rndc.conf file for its configuration options, which can be overridden with command line options.
In order to prevent unauthorized users on other systems from controlling BIND on your server, a shared secret key method is used to explicitly grant privileges to particular hosts. In order for rndc to issue commands to any named, even on a local machine, the keys used in /etc/named.conf and /etc/rndc.conf must match.
Configuration Files
Before attempting to use the rndc command, verify that the proper configuration lines are in place in the necessary files. Most likely, your configuration files are not properly set if you run rndc and see a message that states:
rndc: connect: connection refused |
/etc/named.conf
In order for rndc to be allowed to connect to your named service, you must have a controls statement in your /etc/named.conf file when named starts. The sample controls statement shown in Figure 17-21 will allow you to execute rndc commands locally.
controls {
inet 127.0.0.1 allow { localhost; } keys { <key-name>; };
}; |
Figure 17-21. Sample controls statement in /etc/named.conf
This statement tells named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The <key-name> relates to the key statement, which is also in the /etc/named.conf file. A sample key statement is shown in Figure 17-22.
key "<key-name>" {
algorithm hmac-md5;
secret "<key-value>";
}; |
Figure 17-22. Sample key statement in /etc/named.conf
In this case, the <key-value> is a HMAC-MD5 key. You can generate your own HMAC-MD5 keys with the following command:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name> |
A key with at least a 256-bit length is good idea. The actual key that should be placed in the <key-value> area can found in the <key-file-name>.
The name of the key used in /etc/named.conf should be something other than key.
/etc/rndc.conf
To configure rndc to automatically use the key specified in /etc/named.conf for the localhost, three statements are needed. The options statement allows you to set the default server and key for rndc to use, as seen in Figure 17-23.
options {
default-server localhost;
default-key "<key-name>";
}; |
Figure 17-23. Sample options statement in /etc/rndc.conf
Optionally, the rndc command can be told to use a default key when accessing a particular server, as seen in Figure 17-24.
However, this server statement is only really helpful if you connect to multiple servers with rndc.
The key is the most important statement in /etc/rndc.conf.
key "<key-name>" {
algorithm hmac-md5;
secret "<key-value>";
}; |
Figure 17-25. Sample key statement in /etc/rndc.conf
The <key-name> and <key-value> should be exactly the same as their settings in /etc/named.conf.
To test all of the settings, try the rndc reload command. You should see response similar to this:
rndc: reload command successful |
If the command was not successful, carefully go over the /etc/named.conf and /etc/rndc.conf files and look for errors.
 | Caution |
|---|---|
You should make sure that unprivileged users cannot read or write the /etc/rndc.conf file. |
Command Line Options
An rndc command takes the following form:
The <options> area is not required, and you do not have to use <command-options> unless the command requires them.
When executing rndc on a properly configured localhost, the following commands are available:
halt — Stops the named service immediately.
querylog — Turns on logging of all queries made by clients to this nameserver.
refresh — Refreshes the nameserver's database.
reload — Tells the nameserver to reload the zone files but keep all other previously cached responses. This allows you to make changes to zone files and have them take effect on your master and slave servers without losing all stored name resolutions.
If your changes only affected a particular zone, you can tell named to only reload that one zone. Type the name of the zone after the reload command.
stats — Dumps the current named stats to the /var/named/named.stats file.
stop — Stops the server gracefully, saving any dynamic update and IXFR data before exiting.
Occasionally, you may want to override the default settings in the /etc/rndc.conf file. The following options are available:
-c <configuration-file> — Tells rndc to use a configuration file other than the default /etc/rndc.conf.
-p <port-number> — Specifies a different port number to use for the rndc connection other than the default 953.
-s <server> — Tells rndc to send the command to a server other than the default-server option in /etc/rndc.conf file.
In order for this to work, you must have configured the other named service to accept commands from your host and have the key for that nameservice.
-y <key-name> — Allows you to specify a key other than the default-key option in /etc/rndc.conf file.
Additional information about these options can be found in the rndc man page.