1 .\" $NetBSD: rndc.conf.5,v 1.6 2014/12/10 04:37:52 christos Exp $
3 .\" Copyright (C) 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
4 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
6 .\" Permission to use, copy, modify, and/or distribute this software for any
7 .\" purpose with or without fee is hereby granted, provided that the above
8 .\" copyright notice and this permission notice appear in all copies.
10 .\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 .\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 .\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 .\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 .\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 .\" PERFORMANCE OF THIS SOFTWARE.
22 .\" Title: \fIrndc.conf\fR
24 .\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
25 .\" Date: March 14, 2013
29 .TH "\fIRNDC.CONF\fR" "5" "March 14, 2013" "BIND9" "BIND9"
30 .\" disable hyphenation
32 .\" disable justification (adjust text to left margin only)
35 rndc.conf \- rndc configuration file
42 is the configuration file for
43 \fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
44 \fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
48 C++ style: // to end of line
50 Unix style: # to end of line
54 \fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
58 statement contains five clauses. The
60 clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
63 clause is followed by the name of a key which is identified by a
67 is provided on the rndc command line, and no
69 clause is found in a matching
71 statement, this default key will be used to authenticate the server's commands and responses. The
73 clause is followed by the port to connect to on the remote name server. If no
75 option is provided on the rndc command line, and no
77 clause is found in a matching
79 statement, this default port will be used to connect. The
80 \fBdefault\-source\-address\fR
82 \fBdefault\-source\-address\-v6\fR
83 clauses which can be used to set the IPv4 and IPv6 source addresses respectively.
87 keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses:
91 \fBaddresses\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an
93 clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an
96 \fBsource\-address\-v6\fR
97 of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.
101 statement begins with an identifying string, the name of the key. The statement has two clauses.
103 identifies the authentication algorithm for
105 to use; currently only HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512 are supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's authentication key. The base\-64 string is enclosed in double quotes.
107 There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
109 can be used to generate a random key, or the
111 program, also known as
112 \fBmimencode\fR, can be used to generate a base\-64 string from known input.
114 does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
120 default\-server localhost;
121 default\-key samplekey;
140 addresses { localhost port 5353; };
149 algorithm hmac\-sha256;
150 secret "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
159 algorithm hmac\-sha256;
160 secret "R3HI8P6BKw9ZwXwN3VZKuQ==";
166 In the above example,
168 will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-SHA256 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes.
171 \fBrndc \-s testserver\fR
174 will connect to server on localhost port 5353 using the key testkey.
176 To generate a random secret with
183 file, including the randomly generated key, will be written to the standard output. Commented\-out
191 To generate a base\-64 secret with
194 \fBecho "known plaintext for a secret" | mmencode\fR
195 .SH "NAME SERVER CONFIGURATION"
197 The name server must be configured to accept rndc connections and to recognize the key specified in the
199 file, using the controls statement in
200 \fInamed.conf\fR. See the sections on the
202 statement in the BIND 9 Administrator Reference Manual for details.
206 \fBrndc\-confgen\fR(8),
208 BIND 9 Administrator Reference Manual.
211 Internet Systems Consortium
213 Copyright \(co 2004, 2005, 2007, 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
215 Copyright \(co 2000, 2001 Internet Software Consortium.