DNS and BIND
Configuring and Using the rndc tool
Configuring the rndc tool
The rndc tool is used to control named. This tool can be used locally (on the same machine running named), or remotely. Run the following command to create the rndc configuration files:
/usr/local/sbin/rndc-confgen
This will produce the following output; however, the secret key will be different:
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "sqDTXGGjF9nwpb4n6nxJhQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "sqDTXGGjF9nwpb4n6nxJhQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
The first section (between # Start of rndc.conf and # End of rndc.conf) is for the rndc.conf file. Copy it into a new file and save it as /etc/rndc.conf. The following is an example /etc/rndc.conf file:
key "rndc-key" {
        algorithm hmac-md5;
        secret "sqDTXGGjF9nwpb4n6nxJhQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
The /etc/rndc.conf file is self-explanatory: an algorithm and a secret key are defined, and the key is the credential with which rndc authenticates to named. You can set the IP address and port that rndc connects to using default-server and default-port respectively. /etc/rndc.conf is the client-side configuration, so the IP address and port identify the server to be controlled. If you are running rndc on the same host as named, leave default-server and default-port at their defaults (127.0.0.1 and 953). The example shows hmac-md5 because that is what this version of rndc-confgen generates; rndc-confgen in BIND 9.13 and later generates hmac-sha256 keys by default. Either way, the algorithm and secret in rndc.conf must match those in named.conf exactly.
Copy the next section into /etc/named.conf after the options section (rndc-confgen prints it commented out; remove the leading # characters):
key "rndc-key" {
        algorithm hmac-md5;
        secret "sqDTXGGjF9nwpb4n6nxJhQ==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
This is the server-side configuration. You can configure the IP address and port that named listens on for control connections; these can be left at the default values. If you change the IP address here, update the allow { 127.0.0.1; } list with the address of the host that will run rndc, and change default-server in /etc/rndc.conf to match. Note that listening on an address other than 127.0.0.1 exposes the control channel to the network: a connecting client still has to prove possession of the key, but keep the allow list limited to the hosts that actually run rndc and block port 953 from everything else at the firewall.
To keep named.conf tidy you can put the key and controls statements in a separate file. This is an example /etc/bind/named_key file:
key "rndc-key" {
algorithm hmac-md5;
secret "sqDTXGGjF9nwpb4n6nxJhQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Use the include option in /etc/named.conf after the options section to include this file:
include "/etc/bind/named_key";
Set the permissions on /etc/bind/named_key so that the named user can read it and no other unprivileged user can; the secret in this file is all that is needed to control the server.
rndc.conf Permissions
Run the following command as root to set the correct user and group for /etc/rndc.conf:
chown root:root /etc/rndc.conf
Run the following command as root to set the correct mode, so that only root can read the secret:
chmod 400 /etc/rndc.conf
If you are running SELinux, run the following command as root to set the correct SELinux context:
chcon -t named_conf_t /etc/rndc.conf
Note: the rndc.conf file must be in the /etc/ directory even when you are running bind in a chroot environment, because rndc is a client program that runs outside the chroot; only named is confined to it.
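The whole procedure above, as an added shell example that is not part of the BIND documentation: it generates a fresh secret, writes /etc/rndc.conf and /etc/bind/named_key with matching key statements, locks down the file modes, and then checks that the two files carry the same secret. It replaces rndc-confgen with /dev/urandom plus base64 so that it runs on a host without BIND installed, takes the target directory as a parameter so it can be dry-run somewhere other than /etc, and assumes the group that named runs as is called named (it is bind on Debian-based systems); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the BIND documentation. Generates an rndc key and
# writes the client-side and server-side files described in the text.

# Print a base64-encoded random secret of N bytes (default 32, the size
# rndc-confgen uses for hmac-sha256; use 16 for hmac-md5). Uses /dev/urandom
# and coreutils base64 instead of rndc-confgen so it runs without BIND.
gen_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_config ETC_DIR SECRET [ALGORITHM] [ADDRESS] [PORT]
# Writes ETC_DIR/rndc.conf (client side) and ETC_DIR/bind/named_key (server
# side, pulled into named.conf with an include statement). ADDRESS is both
# the address named listens on and the only address allowed to connect,
# matching the loopback-only setup in the text.
write_rndc_config() {
    etc="$1"; secret="$2"; alg="${3:-hmac-sha256}"
    addr="${4:-127.0.0.1}"; port="${5:-953}"
    mkdir -p "$etc/bind"
    old_umask=$(umask)
    umask 077            # create the files with no group/other access
    cat > "$etc/rndc.conf" <<EOF
key "rndc-key" {
    algorithm $alg;
    secret "$secret";
};

options {
    default-key "rndc-key";
    default-server $addr;
    default-port $port;
};
EOF
    cat > "$etc/bind/named_key" <<EOF
key "rndc-key" {
    algorithm $alg;
    secret "$secret";
};

controls {
    inet $addr port $port
        allow { $addr; } keys { "rndc-key"; };
};
EOF
    umask "$old_umask"
    chmod 400 "$etc/rndc.conf"        # root only: rndc is run as root
    chmod 440 "$etc/bind/named_key"   # owner plus the named group (see set_owners)
}

# set_owners ETC_DIR [NAMED_GROUP]: must run as root. The group name is an
# assumption (named on Red Hat-style systems, bind on Debian-style ones).
set_owners() {
    chown root:root "$1/rndc.conf"
    chown "root:${2:-named}" "$1/bind/named_key"
}

# keys_match ETC_DIR: succeed only if both files carry the same non-empty secret.
keys_match() {
    a=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1/rndc.conf")
    b=$(sed -n 's/^[[:space:]]*secret "\(.*\)";/\1/p' "$1/bind/named_key")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# file_mode FILE: print the mode string, e.g. -r--------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Real run (as root): dry-run into a scratch directory first, then install.
#   secret=$(gen_secret 32)
#   write_rndc_config /etc "$secret" hmac-sha256 && set_owners /etc named
#   keys_match /etc && echo "rndc.conf and named_key agree"
```

Run keys_match again whenever either file is edited by hand; a mismatched secret is the most common reason for "rndc: connection to remote host closed" or a permission-denied error from the control channel, and it is much quicker to catch with a one-line check than by reading named's logs.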
Using the rndc tool
After installation, an /etc/rndc.key file is created. Remove this file before using rndc; it is superseded by the key you configured in /etc/rndc.conf and named.conf, and leaving a second control key on disk only widens what an attacker can pick up. The following are useful rndc commands:
rndc stats
: writes detailed statistics about the DNS server to the file named by statistics-file in named.conf (by default named.stats in the working directory set by the directory option). Per-zone counters are only collected, and only appear in that file, if zone-statistics yes; is set in named.conf.
rndc reload
: reloads all configuration and zone database files. Run this command after modifying configuration or zone database files so that your changes take effect.
rndc status
: displays a summary of the server's current state. The output is similar to the following:
number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
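Reading the rndc status output in a monitoring check, as an added shell example that is not part of the BIND documentation: the function reads the status text on standard input so it can be exercised offline against a constructed sample modelled on the output above, and it fails when the server does not report itself up or when the recursive-client count is close to the configured limit. The 80 percent threshold and the function name are this example's own choices; in production pipe the live output into it with rndc status | rndc_status_check.

```shell
#!/bin/sh
# Added example, not from the BIND documentation: turn `rndc status` output
# into a pass/fail health check.

# rndc_status_check [MAX_PERCENT]  (default 80)
# Reads `rndc status` output on stdin. Exits 0 and prints "ok" when the server
# reports "up and running" and recursive-client usage is below MAX_PERCENT;
# otherwise prints the reason and exits 1.
rndc_status_check() {
    awk -v max="${1:-80}" '
        /^server is up and running/ { up = 1 }
        /^recursive clients:/ {
            # Field looks like current/soft/hard; the first number is the
            # current count and the last is the recursive-clients limit.
            n = split($3, f, "/")
            cur = f[1]; lim = f[n]
        }
        END {
            if (!up) { print "named not running"; exit 1 }
            if (lim > 0 && 100 * cur / lim >= max) {
                printf "recursive clients %d/%d at or above %d%%\n", cur, lim, max
                exit 1
            }
            print "ok"
        }'
}

# Constructed sample, modelled on the status output shown in the text.
SAMPLE_STATUS='number of zones: 2
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running'

# Offline run against the sample; in production: rndc status | rndc_status_check 80
printf '%s\n' "$SAMPLE_STATUS" | rndc_status_check
```

The check deliberately treats a missing "server is up and running" line as a failure rather than as unknown: if rndc could not reach named at all it prints an error and no status lines, and the pipeline then reports named as down instead of silently passing.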
Run the following command as root to display a full list of rndc commands:
rndc
The rndc tool is located in the /usr/local/sbin/
directory. If this directory is not configured in your $PATH, run rndc using the following command:
/usr/local/sbin/rndc