named.conf(4) named.conf(4)
(BIND 9.3)
The controls Statement
controls Statement Grammar
controls {
    ( inet ( ip_addr | * ) [ port ip_port ]
          allow { address_match_list }
          keys { key_list }; ) ...
};
controls Statement Definition and Usage
The controls statement declares control channels to be used by system administrators to control the
operation of the local name server. These control channels are used by the rndc utility to send
commands to and retrieve non-DNS results from a name server.
An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified ip_port on
the specified ip_addr. If no port is specified, port 953 is used by default. The wildcard * cannot be used
for ip_port.
The allow and keys clauses restrict the ability to issue commands over the control channel. Connections
to the control channel are permitted based on the address permissions in address_match_list. key
members of the address_match_list are ignored, and instead are interpreted independently based on the
key_list. Each key_id in the key_list is allowed to be used to authenticate commands and responses given
over the control channel by digitally signing each message between the server and a command client. All
commands to the control channel must be signed by one of its specified keys to be honored.
If no controls statement is present, named will set up a default control channel listening on the loopback
address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is
present but does not have a keys clause, named will attempt to load the command channel key from the
file /etc/rndc.key. To create an rndc.key file, run rndc-confgen -a. The rndc.key feature was
implemented to ease the transition of systems from BIND 8, which did not have digital signatures on its
command channel messages and thus did not have a keys clause.
Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8
configuration files, this feature does not have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make an rndc.conf with your own key if you wish
to change them. The rndc.key file also has its permissions set such that only the owner of the file (the
user that named is running as) can access it. If you desire greater flexibility in allowing other users to
access rndc commands, then you need to create an rndc.conf and make it group-readable by a group
that contains the users who should have access.
The UNIX control channel type of BIND 8 is not supported in BIND 9.3, and is not expected to be added
in future releases. If it is present in the controls statement from a BIND 8 configuration file, it is
ignored and a warning is logged.
As a special case, to disable the command channel, use an empty controls statement:

    controls { };
The include Statement
include Statement Grammar
    include filename ;
include Statement Definition and Usage
The include statement inserts the specified file at the point where the include statement is encountered.
The include statement facilitates the administration of configuration files by permitting the reading or
writing of some things but not others. For example, the statement could include private keys that are
readable only by a name server.
The key Statement
key Statement Grammar
key key_id {
    algorithm algoname ;
    secret secretstring ;
};
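The following fragment is an added example, not part of this manual page, that ties the controls statement described above to the key statement whose grammar is shown here: the key_id named in the keys clause must be declared by a key statement, and the rndc client needs the same key in its own rndc.conf. The key name "rndc-key" and the secret are constructed placeholders; the real secret is whatever rndc-confgen generates.

```conf
// ---- named.conf (server side) ----
// Declare the key first; the controls statement below refers to it by key_id.
// The secret is a placeholder: replace it with the base64 value produced by
// rndc-confgen (or use rndc-confgen -a to write /etc/rndc.key instead).
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

controls {
    // Same reachability as the default channel: loopback only, port 953.
    // The allow list governs which client addresses may connect; any key
    // entries placed in this address_match_list would be ignored, so the
    // signing keys are listed in the keys clause instead. Every command
    // must be signed with one of those keys to be honored.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
    inet ::1 port 953
        allow { ::1; }
        keys { "rndc-key"; };
};

// ---- rndc.conf (client side, readable by the group that may run rndc) ----
// The same key statement, plus defaults so that plain "rndc status" works.
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
```

Keeping the key in its own file pulled in with an include statement lets the rest of named.conf stay world-readable while the secret remains readable only by named and the rndc users' group.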
4 Hewlett-Packard Company − 4 − HP-UX 11i Version 3: September 2010