rndc key

Kevin Darcy kcd at daimlerchrysler.com
Tue Jun 22 23:24:28 UTC 2004


rndc has nothing to do with master-slave communication, except in the 
indirect sense that if you do an rndc reload or rndc refresh on a slave 
nameserver (this is strictly hypothetical, since your BIND 8 slave isn't 
rndc-compatible), this may trigger it to perform one or more 
serial-checks and/or zone transfers.

If you don't care to control your BIND 9 nameserver(s) with the "rndc" 
program, you can get rid of that /etc/rndc.key error message by putting 
"controls { };" into your named.conf file.

If you want to TSIG-sign your zone transfers, you need to generate a 
shared TSIG key and then set up the appropriate "key" and "server" 
clauses on either side.

                           - Kevin

Paul Roddy wrote:

>We are in the midst of upgrading our DNS servers and I'm having a hard time
>understanding how to configure rndc.key  - Here's what I have so far.
>
>I've set up a primary DNS server and nslookup and dig return correct
>information.  I have also set up a secondary DNS server but this is where I
>have the problem.  When the secondary DNS tries to get updates, an error
>message is recorded in the syslog that says:   "Jun 21 17:32:46 ns2
>named[72]: none:0: open: /etc/rndc.key: permission denied"
>
>I don't understand how I am supposed to setup rndc.key on the secondary DNS
>server so that it can authenticate and get the updates.  Can somebody point
>me in the right direction please?
>
>
>
>Here is the named.conf from our new primary DNS server which is also set up
>as chroot
>===== cut here =====
>controls {
>        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
>};
>
>zone "." {
>        type hint;
>        file "named.hint";
>};
>
>zone "0.0.127.in-addr.arpa" {
>        type master;
>        file "rev/named.local";
>        allow-update { none; };
>};
>
>zone "mydomain.com" {
>        type master;
>        file "primary/mydomain.com.zone";
>};
>==== end cut here ===
>
>Here is the named.conf from my secondary DNS server (which is an older bind
>8.1 server)
>=== cut here ===
>options {
>        directory "/var/named";
>        /*
>         * If there is a firewall between you and nameservers you want
>         * to talk to, you might need to uncomment the query-source
>         * directive below.  Previous versions of BIND always asked
>         * questions using port 53, but BIND 8.1 uses an unprivileged
>         * port by default.
>         */
>        // query-source address * port 53;
>};
>
>logging {
>        category lame-servers { null; };
>};
>
>//
>// a caching only nameserver config
>//
>zone "." IN {
>        type hint;
>        file "caching-example/named.ca";
>};
>
>zone "localhost" IN {
>        type master;
>        file "caching-example/localhost.zone";
>        allow-update { none; };
>};
>
>zone "0.0.127.in-addr.arpa" IN {
>        type master;
>        file "caching-example/named.local";
>        allow-update { none; };
>};
>
>zone "mydomains.com" in {
>        type slave;
>        file "2nd/mydomains.com.zone";
>        masters { xxx.xxx.xxx.xxx; };
>};
>
>=== end cut here ===
>
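The "key" and "server" clauses Kevin refers to, written out for both ends of a TSIG-signed zone transfer. This is an added illustration, not configuration from the thread or from ISC; it assumes BIND 9 on both master and slave (the BIND 8.1 slave in the quoted config would have to be upgraded first), a BIND 9 release that supports hmac-sha256 (older releases only offered hmac-md5), the placeholder master address 192.0.2.1, the key name "xfer-key", a placeholder secret, and that the rndc key is pulled in from /etc/rndc.key with an include.

```conf
// ---------- master (BIND 9), named.conf ----------

// Shared TSIG secret: generate it once (tsig-keygen on recent BIND 9,
// "dnssec-keygen -n HOST" on older releases) and install the SAME key
// clause on both servers.  The secret below is a placeholder.
key "xfer-key" {
        algorithm hmac-sha256;          // older BIND 9: hmac-md5
        secret "REPLACE_WITH_BASE64_SECRET==";
};

// rndc control channel.  The included file defines key "rndckey" and
// must be readable by the named user inside the chroot (assumed path).
include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// If rndc is not wanted at all, replace the two stanzas above with:
// controls { };

zone "mydomain.com" {
        type master;
        file "primary/mydomain.com.zone";
        // only AXFR/IXFR requests signed with xfer-key are answered;
        // unsigned requests are refused and logged
        allow-transfer { key xfer-key; };
};

// ---------- slave (BIND 9), named.conf ----------

key "xfer-key" {
        algorithm hmac-sha256;
        secret "REPLACE_WITH_BASE64_SECRET==";   // identical to the master's
};

// sign every message sent to this master (SOA refresh checks and
// transfer requests) with xfer-key
server 192.0.2.1 {
        keys { xfer-key; };
};

zone "mydomain.com" {
        type slave;
        file "2nd/mydomain.com.zone";
        masters { 192.0.2.1; };
};
```

Check each file with named-checkconf before reloading. To confirm the master really enforces the key, run an unsigned transfer request against it (dig @192.0.2.1 mydomain.com axfr) and expect "Transfer failed", then repeat with dig's -y hmac-sha256:xfer-key:SECRET option and expect the zone; the refused attempt also shows up in the master's log as a transfer denied for that client.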
