Installation guide

240 Chapter 16. Berkeley Internet Name Domain (BIND)
address to be reversed and ".in-addr.arpa" to be included after them. This allows the single block
of IP numbers used in the reverse name resolution zone file to be correctly associated with this zone.
16.3. Using rndc
BIND includes a utility called rndc which allows you to use command line statements to administer
the named daemon, either locally or remotely. The rndc program uses the /etc/rndc.conf file for its
configuration options, which can be overridden with command line options.
In order to prevent unauthorized users on other systems from controlling BIND on your server, a
shared secret key method is used to explicitly grant privileges to particular hosts. For rndc to issue
commands to any named, even on the local machine, the keys used in /etc/named.conf and
/etc/rndc.conf must match.
16.3.1. Configuring rndc
Before attempting to use the rndc command, verify that the proper configuration lines are in place in
the necessary files. Most likely, your configuration files are not properly set up if you run rndc and
see a message that states:

    rndc: connect: connection refused
16.3.1.1. rndc and /etc/named.conf
In order for rndc to be allowed to connect to your named service, you must have a controls statement
in your /etc/named.conf file when named starts. The sample controls statement shown in the next
example will allow you to execute rndc commands locally.

    controls {
        inet 127.0.0.1 allow { localhost; } keys { key-name; };
    };
This statement tells named to listen on the default TCP port 953 of the loopback address and to
allow rndc commands coming from the localhost, provided the proper key is given. The key-name
refers to the key statement, which is also in the /etc/named.conf file. The next example illustrates a
sample key statement.
    key "key-name" {
        algorithm hmac-md5;
        secret "key-value";
    };
In this case, the key-value is an HMAC-MD5 key. You can generate your own HMAC-MD5 keys with
the following command:

    dnssec-keygen -a hmac-md5 -b bit-length -n HOST key-file-name

A key with at least a 256-bit length is a good idea. The actual key that should be placed in the
key-value area can be found in the key-file-name.
The name of the key used in /etc/named.conf should be something other than key.
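As an added example (not part of the guide), a small Python check for the requirements described above: the key statement in /etc/named.conf and /etc/rndc.conf must match, the controls statement must list that key, and the secret should be at least 256 bits. The file contents, the key name rndc-key and the rndc.conf options statement are constructed assumptions.

```python
import base64
import binascii
import re
# Constructed sample files (not from the guide): one 256-bit secret shared by both.
SECRET = base64.b64encode(b"constructed-example-secret-32by!").decode()
SHORT_SECRET = base64.b64encode(b"sixteen-bytes!!!").decode()  # 128 bits, too short
NAMED_CONF = f'''
key "rndc-key" {{ algorithm hmac-md5; secret "{SECRET}"; }};
controls {{ inet 127.0.0.1 allow {{ localhost; }} keys {{ "rndc-key"; }}; }};
'''
RNDC_CONF = f'''
options {{ default-server 127.0.0.1; default-key "rndc-key"; }};
key "rndc-key" {{ algorithm hmac-md5; secret "{SECRET}"; }};
'''
# Simple regexes for the statement shapes shown in this section (comments stripped first).
COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')
CONTROLS_RE = re.compile(r'\bcontrols\s*\{.*?\bkeys\s*\{([^}]*)\}', re.S)
DEFAULT_KEY_RE = re.compile(r'\bdefault-key\s+"?([\w.-]+)"?\s*;')

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key statement in conf."""
    keys = {}
    for name, body in KEY_RE.findall(COMMENT_RE.sub("", conf)):
        algo = re.search(r'\balgorithm\s+([\w-]+)\s*;', body)
        sec = re.search(r'\bsecret\s+"([^"]*)"\s*;', body)
        keys[name] = (algo.group(1).lower() if algo else None, sec.group(1) if sec else None)
    return keys

def check_rndc_keys(named_conf, rndc_conf, min_bits=256):
    """Return problems that would stop rndc authenticating; [] means the files agree."""
    named, rndc = parse_keys(named_conf), parse_keys(rndc_conf)
    ctl = CONTROLS_RE.search(COMMENT_RE.sub("", named_conf))
    dflt = DEFAULT_KEY_RE.search(COMMENT_RE.sub("", rndc_conf))
    if not ctl or not dflt:
        return ["missing controls/keys in named.conf or default-key in rndc.conf"]
    name, problems = dflt.group(1), []
    if name not in re.findall(r'"?([\w.-]+)"?\s*;', ctl.group(1)):
        problems.append(f"controls statement does not list key {name!r}")
    if name not in named or name not in rndc:
        return problems + [f"key {name!r} must be defined in both files"]
    if named[name] != rndc[name]:
        problems.append(f"key {name!r} differs between named.conf and rndc.conf")
    try:  # the secret is base64; the guide recommends at least a 256-bit key
        bits = len(base64.b64decode(named[name][1] or "", validate=True)) * 8
    except binascii.Error:
        return problems + [f"key {name!r}: secret is not valid base64"]
    if bits < min_bits:
        problems.append(f"key {name!r} is only {bits} bits")
    return problems
```

Run check_rndc_keys on the two real files' contents to get an explanation before named refuses the connection; an empty list means the shared secret is consistent.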