rndc key

Paul Roddy proddy at noemail.com.com
Tue Jun 22 14:17:56 UTC 2004


We are in the midst of upgrading our DNS servers and I'm having a hard time
understanding how to configure rndc.key. Here's what I have so far.

I've set up a primary DNS server and nslookup and dig return correct
information. I have also set up a secondary DNS server but this is where I
have the problem. When the secondary DNS tries to get updates, an error
message is recorded in the syslog that says: "Jun 21 17:32:46 ns2
named[72]: none:0: open: /etc/rndc.key: permission denied"

I don't understand how I am supposed to set up rndc.key on the secondary DNS
server so that it can authenticate and get the updates. Can somebody point
me in the right direction please?



Here is the named.conf from our new primary DNS server, which is also set up
in a chroot.
===== cut here =====
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." {
        type hint;
        file "named.hint";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "rev/named.local";
        allow-update { none; };
};

zone "mydomain.com" {
        type master;
        file "primary/mydomain.com.zone";
};
==== end cut here ===

Here is the named.conf from my secondary DNS server (which is an older bind
8.1 server)
=== cut here ===
options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

logging {
        category lame-servers { null; };
};

//
// a caching only nameserver config
//
zone "." IN {
        type hint;
        file "caching-example/named.ca";
};

zone "localhost" IN {
        type master;
        file "caching-example/localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "caching-example/named.local";
        allow-update { none; };
};

zone "mydomains.com" in {
        type slave;
        file "2nd/mydomains.com.zone";
        masters { xxx.xxx.xxx.xxx; };
};

=== end cut here ===
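The post shows a controls statement that references a key named rndckey, an error about opening /etc/rndc.key, and a chrooted server. The checker below is an added example, not code from the original post or from BIND: it reads a named.conf, lists the key names the controls statement references, the key statements actually defined (inline or in included files), and reports any that are missing; it also checks a deployed key file the way a reviewer would, including whether the chroot path resolves and whether the shared secret is exposed to other local users. The sample config is constructed from the primary server's config in the post; the chroot directory, file names and helper names are assumptions.

```python
"""Sanity-check the rndc key wiring in a BIND named.conf (added example)."""
import base64
import os
import re
import secrets
import stat
import tempfile

# Constructed sample: the controls block from the poster's primary server,
# which references rndckey without any key statement or include in sight.
SAMPLE_NAMED_CONF = """\
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." {
        type hint;
        file "named.hint";
};
"""

KEYS_RE = re.compile(r"\bkeys\s*\{([^}]*)\}")
KEYDEF_RE = re.compile(r'^\s*key\s+"?([\w.-]+)"?\s*\{', re.M)
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)


def _block_after(conf: str, keyword: str):
    """Yields the text between the braces that follow each `keyword {`."""
    for m in re.finditer(r"\b" + keyword + r"\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def referenced_keys(conf: str) -> set:
    """Key names the controls statement expects to be defined."""
    names = set()
    for block in _block_after(conf, "controls"):
        for keylist in KEYS_RE.findall(block):
            names.update(n.strip().strip('"') for n in keylist.split(";") if n.strip())
    return names


def defined_keys(conf: str) -> set:
    """Key names defined by a `key NAME { ... };` statement in this text."""
    return set(KEYDEF_RE.findall(conf))


def included_files(conf: str) -> list:
    """Paths pulled in with `include "...";` (where rndc.key usually lives)."""
    return INCLUDE_RE.findall(conf)


def missing_keys(conf: str, read_include=None) -> set:
    """Keys referenced by controls that no key statement defines.
    read_include(path) -> str makes included files count; without it only
    inline definitions are seen, which is exactly what named sees when the
    include cannot be opened."""
    defined = defined_keys(conf)
    if read_include:
        for path in included_files(conf):
            defined |= defined_keys(read_include(path))
    return referenced_keys(conf) - defined


def generate_key_statement(name: str, algorithm: str = "hmac-sha256") -> str:
    """Builds a key statement with a fresh random secret, the shape
    rndc-confgen produces (assumed algorithm; BIND of 2004 used hmac-md5)."""
    secret = base64.b64encode(secrets.token_bytes(32)).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def resolve_in_chroot(chroot: str, path: str) -> str:
    """A chrooted named opens /etc/rndc.key relative to the chroot root."""
    return os.path.join(chroot, path.lstrip("/")) if chroot else path


def key_file_problems(path: str) -> list:
    """Returns human-readable issues with a deployed key file."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (check the chroot path)"]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append(f"{path}: not readable by this user")
    if st.st_mode & stat.S_IRWXO:  # any 'other' bit leaks the shared secret
        problems.append(f"{path}: world-accessible; shared secret should be mode 0640 or stricter")
    return problems


def check_temp_key_file(mode: int) -> list:
    """Demo helper: writes a throwaway key file with the given permission
    bits and returns what key_file_problems reports for it."""
    fd, path = tempfile.mkstemp(prefix="rndc.key.")
    try:
        os.write(fd, generate_key_statement("rndckey").encode())
        os.close(fd)
        os.chmod(path, mode)
        return key_file_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("referenced:", referenced_keys(SAMPLE_NAMED_CONF))
    print("missing:", missing_keys(SAMPLE_NAMED_CONF))
    print("chroot path:", resolve_in_chroot("/var/named/chroot", "/etc/rndc.key"))
    print("0644 file:", check_temp_key_file(0o644))
```

Run against the posted primary config, the checker reports rndckey as referenced but never defined, which is the first thing to look at whenever a controls or server statement names a key; the file check is a reminder that the key file is a shared secret that must be readable by the unprivileged user named runs as, located inside the chroot if one is used, and not readable by anyone else.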


