HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
named.conf(4) named.conf(4)
view defines a view.
zone defines a zone.
The logging and options statements may occur only once per configuration.
acl Statement Grammar
acl acl-name {
address_match_list
};
acl Statement Definition and Usage
The acl statement assigns a symbolic name to an address match list. It gets its name from the primary
use of address match lists: "Access Control Lists" (ACLs). Note that an address match list’s name must be
defined with acl before it can be used elsewhere; no forward references are allowed. The following ACLs
are built-in:
any Matches all hosts.
none Matches no hosts.
localhost Matches the IPv4 addresses of all network interfaces on the system.
localnets Matches any host on an IPv4 network for which the system has an interface.
The localhost and localnets ACLs do not currently support IPv6 (i.e., localhost does not match the host's IPv6 addresses, and localnets does not match the host's attached IPv6 networks) due to the lack of a standard method of determining the complete set of local IPv6 addresses for a host.
controls Statement Grammar
controls {
    inet ( ip_addr | * ) [ port ip_port ] allow { address_match_list }
        keys { key_list };
    [ inet ...; ]
};
controls Statement Definition and Usage
The controls statement declares control channels to be used by system administrators to affect the
operation of the local nameserver. These control channels are used by the rndc utility to send commands
to and retrieve non-DNS results from a nameserver.
An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified ip_port on the specified ip_addr. If no port is specified, port 953 is used by default. * cannot be used for ip_port.
The ability to issue commands over the control channel is restricted by the allow and keys clauses. Connections to the control channel are permitted based on the address permissions in address_match_list. key_id members of the address_match_list are ignored, and instead are interpreted independently based on the key_list. Each key_id in the key_list is allowed to be used to authenticate commands and responses given over the control channel by digitally signing each message between the server and a command client. All commands to the control channel must be signed by one of its specified keys to be honored.
If no controls statement is present, named will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key from the file rndc.key in /etc. To create a rndc.key file, run rndc-confgen -a. The rndc.key feature was implemented to ease the transition of systems from BIND 8, which did not have digital signatures on its command channel messages and thus did not have a keys clause.
Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish to change them. The rndc.key file also has its permissions set such that only the owner of the file (the user that named is running as) can access it. If you desire greater flexibility in allowing other users to access rndc commands, then you need to create an rndc.conf and make it group-readable by a group that contains the users who should have access.
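The following named.conf fragment is an added example, not text from this manual page, showing an acl statement defined before it is referenced and a controls statement that uses it together with an explicit keys clause. The acl name, key name and secret are placeholders; the key statement and hmac-md5 algorithm are standard BIND 9 syntax not shown in the grammar above.

```conf
# Added example: explicit control-channel configuration for rndc.
# The acl must appear before the controls statement that names it,
# because named.conf allows no forward references to acl names.
acl "rndc-admins" {
    127.0.0.1;
    ::1;        # listed explicitly: the built-in localhost ACL matches IPv4 only
};

# Key shared with the rndc client (same name and secret go in rndc.conf).
# The secret below is a placeholder; generate a real one with rndc-confgen.
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

controls {
    # Loopback channels on the default port 953. The allow clause limits
    # which source addresses may connect; the keys clause means every
    # command must be signed with rndc-key, so no fallback to /etc/rndc.key.
    inet 127.0.0.1 port 953 allow { "rndc-admins"; } keys { "rndc-key"; };
    inet ::1       port 953 allow { "rndc-admins"; } keys { "rndc-key"; };
};
```

Omitting the keys clause from either inet line would make named fall back to /etc/rndc.key, and using allow { localhost; } instead of the explicit acl would not admit connections arriving on ::1.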
210 Hewlett-Packard Company − 3 − HP-UX 11i Version 2: December 2007 Update