HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

named.conf(4) (BIND 9.3)
The controls Statement
controls Statement Grammar
controls {
    ( inet ( ip_addr | * ) [ port ip_port ]
        allow { address_match_list }
        keys { key_list }; )...
};
controls Statement Definition and Usage
The controls statement declares control channels to be used by system administrators to control the
operation of the local name server. These control channels are used by the rndc utility to send commands
to and retrieve non-DNS results from a name server.
An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified ip_port on
the specified ip_addr. If no port is specified, port 953 is used by default. * cannot be used for ip_port.
The allow and keys clauses restrict the ability to issue commands over the control channel. Connections
to the control channel are permitted based on the address permissions in address_match_list. key
members of the address_match_list are ignored, and instead are interpreted independently based on the
key_list. Each key_id in the key_list is allowed to be used to authenticate commands and responses given
over the control channel by digitally signing each message between the server and a command client. All
commands to the control channel must be signed by one of its specified keys to be honored.
If no controls statement is present, named will set up a default control channel listening on the loopback
address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement
is present but does not have a keys clause, named will attempt to load the command channel key from
the file /etc/rndc.key. To create a rndc.key file, run rndc-confgen -a. The rndc.key
feature was implemented to ease the transition of systems from BIND 8, which did not have digital
signatures on its command channel messages and thus did not have a keys clause.
Since the rndc.key feature is only intended to allow the backward-compatible usage of BIND 8
configuration files, this feature does not have a high degree of configurability. You cannot easily change the
key name or the size of the secret, so you should make an rndc.conf with your own key if you wish to
change them. The rndc.key file also has its permissions set such that only the owner of the file (the user
that named is running as) can access it. If you desire greater flexibility in allowing other users to access
rndc commands, then you need to create an rndc.conf and make it group-readable by a group that
contains the users who should have access.
The UNIX control channel type of BIND 8 is not supported in BIND 9.3, and is not expected to be added in
future releases. If it is present in the controls statement from a BIND 8 configuration file, it is ignored
and a warning is logged.
As a special case, to disable the command channel, use an empty controls statement:
controls { };
The include Statement
include Statement Grammar
include filename ;
include Statement Definition and Usage
The include statement inserts the specified file at the point where the include statement is encountered.
The include statement facilitates the administration of configuration files by permitting the reading
or writing of some things but not others. For example, the statement could include private keys that
are readable only by a name server.
The key Statement
key Statement Grammar
key key_id {
    algorithm algoname ;
    secret secretstring ;
};
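A worked configuration, added here and not part of the HP-UX man page, that ties the three statements together: the control channel is bound to the loopback addresses only, the key statement lives in a separate file pulled in with include so it can be kept readable only by the named user, and a matching rndc.conf uses the same key. The key name, the file paths and the secret value are placeholders chosen for this example.

```conf
// /etc/named.conf (example fragment)
// Pull the shared secret in from a file that only the named user can read,
// so the rest of named.conf can stay readable by other administrators.
include "/etc/rndc-key.conf";   // example path, not a BIND default

controls {
    // Listen only on the IPv4 and IPv6 loopback addresses on the default port 953.
    // The allow list limits source addresses; the keys clause means every command
    // must also be signed with rndc-key, and /etc/rndc.key is not consulted.
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
};

// /etc/rndc-key.conf (owner: the named user, mode 0600)
key "rndc-key" {
    algorithm hmac-md5;                     // algorithm used by BIND 9.3 rndc keys
    secret "REPLACE-WITH-BASE64-SECRET";    // placeholder; generate one with rndc-confgen
};

// /etc/rndc.conf for the command client: same key name, same secret
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET";    // placeholder, must match the server side
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
```

A client whose address matches the allow list but cannot sign with rndc-key is still refused, so a changed or mismatched secret shows up as rndc failing to connect rather than as an open channel.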
236 Hewlett-Packard Company 4 HP-UX 11i Version 3: February 2007