Bind 9 and RNDC

Jim Reid jim at rfc1035.com
Wed Oct 11 10:53:26 UTC 2000


>>>>> "Nicholas" == Nicholas Berry <nberry at Exchange.Wavve.com> writes:

    Nicholas> I have looked over the documentation
    Nicholas> http://www.nominum.com/resources/Bv9ARM-091200.pdf
    Nicholas> regarding how to configure rndc, but am having no luck.

    Nicholas> I do not have any access lists defined in named.conf,
    Nicholas> but I continue to get a "connection refused" when
    Nicholas> attempting to connect.  I have tried using the various
    Nicholas> flags (-s, -p, -y) when issuing rndc reload, but
    Nicholas> continue to get connection refused (and if it's any
    Nicholas> consolation, I have done a port scan on my system and
    Nicholas> port 953 is not showing as an open port).

    Nicholas> Any ideas?

You need to add a controls{} statement to named.conf to make the name
server listen on that port. For security reasons the server won't set
up a management socket unless you tell it to do that. A key{}
statement is also needed to identify the TSIG secret for signing the
rndc requests. Excerpts from named.conf could look like this:

key "localkey" {
        algorithm hmac-md5;
        secret "Ytzd/Fjm2i2smxAwoTuiFq==";
};

server 127.0.0.1 {
        keys {
                localkey;
        };
};

controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};


i.e. listen for rndc requests on port 753 of the loopback interface and
only accept queries coming from 127.0.0.1 that are signed with
localkey's secret.

And /etc/rndc.conf could look like:

options {
        default-server  localhost;
        default-key     localkey;
};

server localhost {
        key     localkey;
};

key "localkey" {
        algorithm hmac-md5;
        secret "Ytzd/Fjm2i2smxAwoTuiFq==";
};
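The most common reasons rndc still fails after adding these statements are a missing controls{} clause (the symptom in the question), a key that is defined in one file but not the other, or a secret that differs between named.conf and rndc.conf. The following checker is an added example, not part of the original reply or of BIND itself; it parses the two excerpts above (condensed into constructed sample strings) and reports any of those inconsistencies.

```python
"""Cross-check named.conf and rndc.conf for the rndc control channel (an
added helper, not BIND's own tooling): controls{} must exist, must list a
key defined in named.conf, and rndc.conf's default-key must match it."""
import re

KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')
CONTROLS_RE = re.compile(r'controls\s*\{.*?keys\s*\{([^}]*)\}', re.S)
DEFAULT_KEY_RE = re.compile(r'default-key\s+"?([\w.-]+)"?\s*;')
B64_RE = re.compile(r'^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')

# Constructed samples, condensed from the excerpts in the reply above.
NAMED_CONF = '''key "localkey" { algorithm hmac-md5; secret "Ytzd/Fjm2i2smxAwoTuiFq=="; };
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; }; };'''
RNDC_CONF = '''options { default-server localhost; default-key localkey; };
key "localkey" { algorithm hmac-md5; secret "Ytzd/Fjm2i2smxAwoTuiFq=="; };'''


def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key{} statement."""
    return {n: (a.lower(), s) for n, a, s in KEY_RE.findall(conf)}


def check_rndc_config(named_conf, rndc_conf):
    """Return a list of problems; an empty list means the two files agree."""
    server_keys, client_keys = parse_keys(named_conf), parse_keys(rndc_conf)
    m = CONTROLS_RE.search(named_conf)
    if not m:
        # Symptom from the question: no controls{} means port 953 never opens.
        return ["named.conf has no controls{} statement; named will not listen"]
    listed = [k.strip() for k in m.group(1).split(";") if k.strip()]
    problems = [f"controls{{}} references undefined key {k!r}"
                for k in listed if k not in server_keys]
    d = DEFAULT_KEY_RE.search(rndc_conf)
    if not d:
        return problems + ["rndc.conf has no default-key"]
    name = d.group(1)
    if name not in client_keys:
        problems.append(f"rndc.conf default-key {name!r} has no key{{}} statement")
    elif name not in server_keys:
        problems.append(f"key {name!r} is not defined in named.conf")
    elif name not in listed:
        problems.append(f"key {name!r} is not in the controls{{}} keys clause")
    elif client_keys[name] != server_keys[name]:
        problems.append(f"algorithm or secret for {name!r} differs between files")
    elif not B64_RE.match(server_keys[name][1]):
        problems.append(f"secret for {name!r} is not valid base64")
    return problems
```

Run it against your real files with `check_rndc_config(open("/etc/named.conf").read(), open("/etc/rndc.conf").read())`; an empty list means the control channel and TSIG key line up on both sides.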
