| blob | 4bb858f261ad06757ecf963b2f4928c2e8b625a8 |
1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
4 <!--
5 - Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000, 2001 Internet Software Consortium.
7 -
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
11 -
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
19 -->
21 <refentry id="man.rndc.conf">
22 <refentryinfo>
23 <date>March 14, 2013</date>
24 </refentryinfo>
26 <refmeta>
27 <refentrytitle><filename>rndc.conf</filename></refentrytitle>
28 <manvolnum>5</manvolnum>
29 <refmiscinfo>BIND9</refmiscinfo>
30 </refmeta>
32 <refnamediv>
33 <refname><filename>rndc.conf</filename></refname>
34 <refpurpose>rndc configuration file</refpurpose>
35 </refnamediv>
37 <docinfo>
38 <copyright>
39 <year>2004</year>
40 <year>2005</year>
41 <year>2007</year>
42 <year>2013</year>
43 <year>2014</year>
44 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
45 </copyright>
46 <copyright>
47 <year>2000</year>
48 <year>2001</year>
49 <holder>Internet Software Consortium.</holder>
50 </copyright>
51 </docinfo>
53 <refsynopsisdiv>
54 <cmdsynopsis>
55 <command>rndc.conf</command>
56 </cmdsynopsis>
57 </refsynopsisdiv>
59 <refsect1>
60 <title>DESCRIPTION</title>
61 <para><filename>rndc.conf</filename> is the configuration file
62 for <command>rndc</command>, the BIND 9 name server control
63 utility. This file has a similar structure and syntax to
64 <filename>named.conf</filename>. Statements are enclosed
65 in braces and terminated with a semi-colon. Clauses in
66 the statements are also semi-colon terminated. The usual
67 comment styles are supported:
68 </para>
69 <para>
70 C style: /* */
71 </para>
72 <para>
73 C++ style: // to end of line
74 </para>
75 <para>
76 Unix style: # to end of line
77 </para>
78 <para><filename>rndc.conf</filename> is much simpler than
79 <filename>named.conf</filename>. The file uses three
80 statements: an options statement, a server statement
81 and a key statement.
82 </para>
83 <para>
84 The <option>options</option> statement contains five clauses.
85 The <option>default-server</option> clause is followed by the
86 name or address of a name server. This host will be used when
87 no name server is given as an argument to
88 <command>rndc</command>. The <option>default-key</option>
89 clause is followed by the name of a key which is identified by
90 a <option>key</option> statement. If no
91 <option>keyid</option> is provided on the rndc command line,
92 and no <option>key</option> clause is found in a matching
93 <option>server</option> statement, this default key will be
94 used to authenticate the server's commands and responses. The
95 <option>default-port</option> clause is followed by the port
96 to connect to on the remote name server. If no
97 <option>port</option> option is provided on the rndc command
98 line, and no <option>port</option> clause is found in a
99 matching <option>server</option> statement, this default port
100 will be used to connect.
101 The <option>default-source-address</option> and
102 <option>default-source-address-v6</option> clauses which
103 can be used to set the IPv4 and IPv6 source addresses
104 respectively.
105 </para>
106 <para>
107 After the <option>server</option> keyword, the server
108 statement includes a string which is the hostname or address
109 for a name server. The statement has three possible clauses:
110 <option>key</option>, <option>port</option> and
111 <option>addresses</option>. The key name must match the
112 name of a key statement in the file. The port number
113 specifies the port to connect to. If an <option>addresses</option>
114 clause is supplied these addresses will be used instead of
115 the server name. Each address can take an optional port.
116 If an <option>source-address</option> or <option>source-address-v6</option>
117 of supplied then these will be used to specify the IPv4 and IPv6
118 source addresses respectively.
119 </para>
120 <para>
121 The <option>key</option> statement begins with an identifying
122 string, the name of the key. The statement has two clauses.
123 <option>algorithm</option> identifies the authentication algorithm
124 for <command>rndc</command> to use; currently only HMAC-MD5
125 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
126 (default), HMAC-SHA384 and HMAC-SHA512 are
127 supported. This is followed by a secret clause which contains
128 the base-64 encoding of the algorithm's authentication key. The
129 base-64 string is enclosed in double quotes.
130 </para>
131 <para>
132 There are two common ways to generate the base-64 string for the
133 secret. The BIND 9 program <command>rndc-confgen</command>
134 can
135 be used to generate a random key, or the
136 <command>mmencode</command> program, also known as
137 <command>mimencode</command>, can be used to generate a
138 base-64
139 string from known input. <command>mmencode</command> does
140 not
141 ship with BIND 9 but is available on many systems. See the
142 EXAMPLE section for sample command lines for each.
143 </para>
144 </refsect1>
146 <refsect1>
147 <title>EXAMPLE</title>
149 <para><programlisting>
150 options {
151 default-server localhost;
152 default-key samplekey;
153 };
154 </programlisting>
155 </para>
156 <para><programlisting>
157 server localhost {
158 key samplekey;
159 };
160 </programlisting>
161 </para>
162 <para><programlisting>
163 server testserver {
164 key testkey;
165 addresses { localhost port 5353; };
166 };
167 </programlisting>
168 </para>
169 <para><programlisting>
170 key samplekey {
171 algorithm hmac-sha256;
172 secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
173 };
174 </programlisting>
175 </para>
176 <para><programlisting>
177 key testkey {
178 algorithm hmac-sha256;
179 secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
180 };
181 </programlisting>
182 </para>
184 <para>
185 In the above example, <command>rndc</command> will by
186 default use
187 the server at localhost (127.0.0.1) and the key called samplekey.
188 Commands to the localhost server will use the samplekey key, which
189 must also be defined in the server's configuration file with the
190 same name and secret. The key statement indicates that samplekey
191 uses the HMAC-SHA256 algorithm and its secret clause contains the
192 base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
193 </para>
194 <para>
195 If <command>rndc -s testserver</command> is used then <command>rndc</command> will
196 connect to server on localhost port 5353 using the key testkey.
197 </para>
198 <para>
199 To generate a random secret with <command>rndc-confgen</command>:
200 </para>
201 <para><userinput>rndc-confgen</userinput>
202 </para>
203 <para>
204 A complete <filename>rndc.conf</filename> file, including
205 the
206 randomly generated key, will be written to the standard
207 output. Commented-out <option>key</option> and
208 <option>controls</option> statements for
209 <filename>named.conf</filename> are also printed.
210 </para>
211 <para>
212 To generate a base-64 secret with <command>mmencode</command>:
213 </para>
214 <para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
215 </para>
216 </refsect1>
218 <refsect1>
219 <title>NAME SERVER CONFIGURATION</title>
220 <para>
221 The name server must be configured to accept rndc connections and
222 to recognize the key specified in the <filename>rndc.conf</filename>
223 file, using the controls statement in <filename>named.conf</filename>.
224 See the sections on the <option>controls</option> statement in the
225 BIND 9 Administrator Reference Manual for details.
226 </para>
227 </refsect1>
229 <refsect1>
230 <title>SEE ALSO</title>
231 <para><citerefentry>
232 <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
233 </citerefentry>,
234 <citerefentry>
235 <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
236 </citerefentry>,
237 <citerefentry>
238 <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
239 </citerefentry>,
240 <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
241 </para>
242 </refsect1>
244 <refsect1>
245 <title>AUTHOR</title>
246 <para><corpauthor>Internet Systems Consortium</corpauthor>
247 </para>
248 </refsect1>
250 </refentry><!--
251 - Local variables:
252 - mode: sgml
253 - End:
254 -->