help needed w/rndc

mr king mrking01 at hotmail.com
Fri Feb 16 18:52:28 UTC 2001


I'm having a hard time understanding rndc (mostly what goes in the "secret" 
string in named.conf and rndc.conf, and where to put the key files after 
they're created).  I've looked through the ARM and man pages but I'm still stuck 
getting "rndc: decode base64 secret: bad base64 encoding".  Here's what I've 
done so far:
`dnssec-keygen -a hmac-md5 -b 512 host rndc-hmac`

here's an excerpt from named.conf:
options {
        directory "/var/named";
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc-hmac; };
};
key rndc-hmac {
        algorithm "hmac-md5";
       secret 
"Q3FAMx77UIG6YeleBt9VDUCSa8rKZ459P7MYKOCxeQmlahCDlyvnmYgYfTSLXnB0
poaE+U/QzN1GcBzJziOgQQ==";
};

and here's a copy of rndc.conf:

options {
        default-server localhost;
        default-key rndc-hmac;
};
key rndc-hmac {
        algorithm "hmac-md5";
        secret 
"Q3FAMx77UIG6YeleBt9VDUCSa8rKZ459P7MYKOCxeQmlahCDlyvnmYgYfTSLXnB0
GcBzJziOgQQ==";
};

I then copy both keys to /var/named (because I wasn't sure which should go 
there), restart named, and run `rndc reload` and get the following error: 
rndc: decode base64 secret: bad base64 encoding
Here's what's in the logs:

Feb 16 13:27:18 nameserver ./named[947]: starting BIND 9.1.0
Feb 16 13:27:18 nameserver ./named[947]: the default for the 'auth-nxdomain' option is now 'no'
Feb 16 13:27:18 nameserver ./named[947]: command channel listening on 127.0.0.1#953

I thought it was a problem with the secret string so I've tried putting the 
string from the private key in rndc.conf and the public in named.conf, 
reversing that, putting private key in both and public key in both all 
getting the same result.  I'm sure I'm doing something blatantly wrong but 
can't, for the life of me, figure out what it is.  I'll be grateful for 
whatever help I can get.  Thanks.
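
Added example, not part of the original post and not BIND's own code: a small Python check that pulls the `secret` string for one key out of a named.conf and an rndc.conf, tests that each is well-formed base64, and tests that the two match. The key name `demo-key` and the sample secret are constructed, and dropping whitespace inside the quoted string before decoding is an assumption that may be more lenient than rndc itself.

```python
import base64
import binascii
import re

# `key <name> { ... };` clauses, the same syntax in named.conf and rndc.conf.
KEY_CLAUSE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)
SECRET = re.compile(r'secret\s+"([^"]*)"', re.S)

def key_secrets(conf_text):
    """Map each key name to its secret string exactly as written."""
    found = {}
    for name, body in KEY_CLAUSE.findall(conf_text):
        match = SECRET.search(body)
        if match:
            found[name] = match.group(1)
    return found

def check_secret(secret):
    # Returns (ok, detail). Assumption: whitespace from a wrapped line is
    # dropped before decoding.
    compact = "".join(secret.split())
    if len(compact) % 4:
        return False, "length %d is not a multiple of 4" % len(compact)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        return False, str(exc)
    return True, "%d-bit key" % (len(raw) * 8)

def compare(named_conf, rndc_conf, key_name):
    """Return a list of problems with one key across both files."""
    problems, seen = [], []
    for label, text in (("named.conf", named_conf), ("rndc.conf", rndc_conf)):
        secret = key_secrets(text).get(key_name)
        if secret is None:
            problems.append("%s: no key %r with a secret" % (label, key_name))
            continue
        ok, detail = check_secret(secret)
        if not ok:
            problems.append("%s: bad base64 (%s)" % (label, detail))
        seen.append("".join(secret.split()))
    if len(seen) == 2 and seen[0] != seen[1]:
        problems.append("secrets differ between named.conf and rndc.conf")
    return problems

# Constructed sample (not the key from the post): a 512-bit secret wrapped
# after 64 characters, and a copy that lost 11 characters of its second line.
GOOD = base64.b64encode(bytes(range(64))).decode()
CLAUSE = 'key demo-key {\n  algorithm "hmac-md5";\n  secret\n"%s\n%s";\n};\n'
NAMED, RNDC = CLAUSE % (GOOD[:64], GOOD[64:]), CLAUSE % (GOOD[:64], GOOD[75:])
print(compare(NAMED, RNDC, "demo-key"))
```

For comparison, the two `secret` strings quoted in the post are not the same length: joined across the line break, the named.conf value is 88 characters and the rndc.conf value is 77.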