HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
named.conf(4) named.conf(4)
trusted-keys   defines trusted DNSSEC keys.
view           defines a view.
zone           defines a zone.
The logging and options statements may occur only once per configuration.
acl Statement Grammar
acl acl-name {
address_match_list
};
acl Statement Definition and Usage
The acl statement assigns a symbolic name to an address match list. It gets its name from the primary
use of address match lists: "Access Control Lists" (ACLs). Note that an address match list’s name must be
defined with acl before it can be used elsewhere; no forward references are allowed. The following
ACLs are built-in:
any        Matches all hosts.
none       Matches no hosts.
localhost  Matches the IPv4 addresses of all network interfaces on the system.
localnets  Matches any host on an IPv4 network for which the system has an interface.
The localhost and localnets ACLs do not currently support IPv6 (i.e., localhost does not
match the host's IPv6 addresses, and localnets does not match the host's attached IPv6 networks) due
to the lack of a standard method of determining the complete set of local IPv6 addresses for a host.
controls Statement Grammar
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow { address_match_list }
        keys { key_list };
    [ inet ...; ]
};
controls Statement Definition and Usage
The controls statement declares control channels to be used by system administrators to affect the
operation of the local nameserver. These control channels are used by the rndc utility to send
commands to and retrieve non-DNS results from a nameserver.
An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified ip_port on
the specified ip_addr. If no port is specified, port 953 is used by default.
* cannot be used for ip_port.
The ability to issue commands over the control channel is restricted by the allow and keys clauses.
Connections to the control channel are permitted based on the address permissions in
address_match_list. key_id members of the address_match_list are ignored, and instead
are interpreted independently based on the key_list. Each key_id in the key_list is allowed to be
used to authenticate commands and responses given over the control channel by digitally signing each
message between the server and a command client. All commands to the control channel must be signed
by one of its specified keys to be honored.
If no controls statement is present, named will set up a default control channel listening on the
loopback address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls
statement is present but does not have a keys clause, named will attempt to load the command channel key
from the file rndc.key in /etc. To create a rndc.key file, run rndc-confgen -a. The
rndc.key feature was implemented to ease the transition of systems from BIND 8, which did not have
digital signatures on its command channel messages and thus did not have a keys clause.
Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8
configuration files, this feature does not have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish
to change them. The rndc.key file also has its permissions set such that only the owner of the file (the
user that named is running as) can access it. If you desire greater flexibility in allowing other users to
access rndc commands, then you need to create an rndc.conf and make it group-readable by a group
that contains the users who should have access.
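The rules stated above for acl and controls (an ACL name must be defined with acl before it is used, a controls channel without a keys clause makes named fall back to /etc/rndc.key, and allow decides which addresses may connect) can be checked mechanically before a configuration is loaded. The following Python script is an added example, not HP-UX or BIND code; SAMPLE_CONF is a constructed named.conf fragment containing one correctly restricted loopback channel and one channel that forward-references an ACL, carries no keys clause, and allows any address.

```python
"""Check the acl and controls statements of a named.conf for the rules stated in
named.conf(4): an ACL name must be defined with `acl` before it is used (no
forward references), a control channel without a `keys` clause makes named fall
back to /etc/rndc.key, and a channel opened beyond the loopback to `any` is
unrestricted.  Added example, not HP-UX or BIND code; SAMPLE_CONF is constructed."""
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

# Constructed sample: a correctly restricted loopback channel followed by a
# channel that forward-references an ACL, has no keys clause and allows anyone.
SAMPLE_CONF = """
acl "admins" { 127.0.0.1; 192.0.2.0/24; };   /* defined before use */
controls {
    inet 127.0.0.1 port 953 allow { admins; } keys { "rndc-key"; };
    inet * allow { any; operators; };        // operators not yet defined
};
acl "operators" { 198.51.100.0/24; };
"""

STATEMENT_RE = re.compile(r'\s*([\w-]+)\s*("?)([\w.-]*)\2\s*\{')
INET_RE = re.compile(
    r'inet\s+(\S+?)\s*(?:port\s+(\d+))?\s*allow\s*\{([^}]*)\}'
    r'\s*(?:keys\s*\{([^}]*)\})?\s*;', re.S)


def strip_comments(text):
    """Remove /* */, // and # comments (the comment forms named.conf accepts)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_statements(text):
    """Yield (keyword, name, body) for each top-level `keyword [name] { ... };`."""
    text, pos = strip_comments(text), 0
    while (m := STATEMENT_RE.match(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):          # find the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(3), text[m.end():i - 1]
        end = text.find(";", i)                  # skip the terminating ';'
        pos = end + 1 if end != -1 else len(text)


def _items(clause):
    """Split `a; "b"; ...` into ['a', 'b', ...]."""
    return [x.strip().strip('"') for x in clause.split(";") if x.strip()]


def parse_controls(text):
    """Return one dict per inet channel; port defaults to 953 as the page states."""
    channels = []
    for kw, _name, body in top_level_statements(text):
        if kw == "controls":
            for m in INET_RE.finditer(body):
                channels.append({"addr": m.group(1), "port": int(m.group(2) or 953),
                                 "allow": _items(m.group(3)),
                                 "keys": _items(m.group(4) or "")})
    return channels


def lint(text):
    """Return a list of findings, walking statements in file order so that
    forward references to ACLs are caught the way named rejects them."""
    findings, defined = [], set(BUILTIN_ACLS)
    for kw, name, body in top_level_statements(text):
        if kw == "acl":
            defined.add(name)
        if kw != "controls":
            continue
        for m in INET_RE.finditer(body):
            addr, allow = m.group(1), _items(m.group(3))
            for entry in allow:
                # key_id members of the address_match_list are ignored by named
                if entry.startswith("key ") or not entry[0].isalpha():
                    continue
                if entry not in defined:
                    findings.append(f"inet {addr}: acl {entry!r} used before it is defined")
            if not m.group(4):
                findings.append(f"inet {addr}: no keys clause, named will fall back to /etc/rndc.key")
            if addr not in ("127.0.0.1", "::1") and "any" in allow:
                findings.append(f"inet {addr}: reachable beyond loopback and allows any")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample, lint reports three findings, all on the second inet channel: the forward reference to operators, the missing keys clause, and the unrestricted allow on a non-loopback address. The first channel, bound to 127.0.0.1 with a named ACL and a key, produces none. The parser is deliberately limited to the acl and controls grammar shown on this page; a full named.conf has many more statements.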
Section 4-178 Hewlett-Packard Company - 3 - HP-UX 11i Version 2: September 2004