
rndc.conf(4)

HP-UX 11i Version 2: December 2007 Update

NAME

rndc.conf — rndc configuration file

DESCRIPTION

The BIND utility for controlling the name server, rndc, has its own configuration file /etc/rndc.conf. This file has a structure and syntax similar to that of named's configuration file, named.conf. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles supported are:

    C style:     /* */
    C++ style:   // to end of line
    Unix style:  # to end of line

The syntax of the rndc.conf file is much simpler than that of named.conf. This file includes three statements:

    options statement
    server statement
    key statement

The options statement contains two clauses: default-server and default-key.

The default-server clause specifies the server that rndc sends its commands to when no server is given on the command line. The default-server keyword is followed by the name or address of a name server.

The default-key clause specifies the key used to authenticate rndc's commands and the server's responses when no key is given with the -y option on the command line. The default-key keyword is followed by the name of a key defined by a key statement.

The server statement begins with an identifying string, the hostname or address for a name server. This statement has a single clause, key. The key name must match the name that is specified in the key statement.

The key statement begins with an identifying string, the name of the key. This statement has two clauses: algorithm and secret.

The algorithm clause identifies the encryption algorithm that rndc uses. Currently only HMAC-MD5 is supported.

The secret clause contains the random key that will be used for authentication. It is base-64 encoded using the algorithm specified in the algorithm clause. The base-64 string is enclosed in double quotes.

The BIND 9 program dnssec-keygen can be used to generate the base-64 string for the secret clause.

EXAMPLES

Host and key names must be quoted using double quotes if they match a keyword, such as having a key named "key".

    options {
        default-server  localhost;
        default-key     samplekey;
    };

    server localhost {
        key  samplekey;
    };

    key samplekey {
        algorithm  hmac-md5;
        secret     "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
    };

In the above example, rndc will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key. The key statement indicates that samplekey uses the HMAC-MD5 algorithm and its secret clause contains the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
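The statement and clause grammar described above, as an added example that is not part of this man page or of BIND: a small Python checker that parses an rndc.conf written in that syntax, strips all three comment styles, and flags what a reviewer would catch before the file is deployed, namely a default-key or server key with no matching key statement, an algorithm other than hmac-md5, or a secret that is not valid base-64. The sample configuration and its placeholder secret are constructed for this example.

```python
import base64, binascii, re

# Constructed sample in the man page's layout; the secret is a placeholder (16 zero bytes), not a key to deploy.
SAMPLE = """/* C style */ // C++ style
options { default-server localhost; default-key samplekey; };  # Unix style
server localhost { key samplekey; };
key samplekey { algorithm hmac-md5; secret "AAAAAAAAAAAAAAAAAAAAAA=="; };
"""
# Quoted strings match first, so '#' or '//' inside a secret is not taken as a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    # Drop all three comment styles, unquote strings, keep { } ; as tokens.
    toks = [m.group(0) for m in _TOKEN.finditer(text)]
    toks = [t for t in toks if not t.startswith(("/*", "//", "#"))]
    return [t[1:-1] if t.startswith('"') else t for t in toks]

def parse(text):
    """Return {'options': {...}, 'server': {host: {...}}, 'key': {name: {...}}}."""
    toks, conf, i = tokenize(text), {"options": {}, "server": {}, "key": {}}, 0
    while i < len(toks):
        kind = toks[i]
        if kind not in conf:
            raise ValueError(f"unknown statement {kind!r}")
        name = None if kind == "options" else toks[i + 1]   # options has no name
        i += 1 if kind == "options" else 2
        if toks[i] != "{":
            raise ValueError(f"expected '{{' after {kind} {name or ''}")
        clauses, i = {}, i + 1
        while toks[i] != "}":                  # clause := keyword value... ;
            end = toks.index(";", i)
            clauses[toks[i]] = " ".join(toks[i + 1:end])
            i = end + 1
        if toks[i + 1] != ";":
            raise ValueError(f"{kind} statement not terminated with ';'")
        i += 2
        target = conf["options"] if kind == "options" else conf[kind].setdefault(name, {})
        target.update(clauses)
    return conf

def check(conf):
    """Problems to fix before deploying: dangling key references, non-hmac-md5 algorithm, bad secret."""
    problems, keys = [], conf["key"]
    refs = [(f"server {h}", c.get("key")) for h, c in conf["server"].items()]
    refs += [("default-key", v) for k, v in conf["options"].items() if k == "default-key"]
    problems += [f"{w} refers to undefined key {n!r}" for w, n in refs if n not in keys]
    for name, c in keys.items():
        if c.get("algorithm", "").lower() != "hmac-md5":
            problems.append(f"key {name!r}: only hmac-md5 is supported")
        try:
            base64.b64decode(c.get("secret", ""), validate=True)
        except binascii.Error:
            problems.append(f"key {name!r}: secret is not valid base-64")
    return problems
```

Run `check(parse(open("/etc/rndc.conf").read()))` to get the list of problems for a real file; an empty list means every reference resolves and the secret decodes.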

The secret can be generated using dnssec-keygen as follows:

    $ dnssec-keygen -a hmac-md5 -b 128 -n user rndc

The base-64 string will appear in two files, Krndc.+157.+{random}.key and Krndc.+157.+{random}.private. After copying the key into the key statements of rndc.conf and named.conf, the .key and .private files can be removed.

NAME SERVER CONFIGURATION

The name server must be configured to accept rndc connections and to recognize the key specified in the rndc.conf file, using the controls statement in named.conf.

LIMITATIONS

There is currently no way to specify the port on which rndc must run.

AUTHOR

rndc.conf was developed by ISC (Internet Software Consortium).