rndc key for bind 9.3.0. catch-22?

Jim Reid jim at rfc1035.com
Mon Dec 6 19:21:39 UTC 2004

>>>>> "Christopher" == Christopher L Barnard <cbar44 at tsg.cbot.com> writes:

    Christopher> How do I generate a key for the /etc/rndc.conf file
    Christopher> with bind version 9.3.0?

Well the man page for rndc.conf describes two ways of doing this:

[1] rndc-confgen
[2] throw any old rubbish at mmencode or anything else that generates
a valid base-64 encoded string

It's also possible to generate a suitable HMAC-MD5 key with
dnsssec-keygen. You used the wrong argument by insisting on a
ZONE key instead of a HOST key.

That said, there's no need to replace the rndc key whenever the name
server is upgraded. An existing key will work just fine, provided rndc
and named continue to support HMAC-MD5 style authentication. The only
thing that matters with rndc is that the key is kept secret: the
actual key can be anything (within reason). Since the name server and
rndc use the key for mutual authentication, it's important that the
key gets kept away from prying eyes. Unless of course someone thinks
unauthorised management of the name server is a Good Thing.

More information about the bind-users mailing list