rndc key is not working with bind 9.2.3 on Solaris 9 Server -- for Zone Transfer

Borhade Ganesh (vMoksha) Ganesh.Borhade at UCB-Group.com
Tue Nov 22 16:00:29 UTC 2005


Dear Joseph,
   Thanks for valuable update. 

My rndc key is linked as follows:

bash-2.05# ls -lrt /etc/rndc.key
lrwxrwxrwx   1 root     other         26 Nov  8 07:32 /etc/rndc.key -> /chroot/named/etc/rndc.key


   All zone files are also in /chroot/named/etc.

I am able to transfer the zone from the Primary DNS Server to the Secondary DNS
Server, but without the rndc key.
My aim is to transfer the ZONE with the rndc key (security).
How can I test it? Because I changed the content of /etc/rndc.key on the primary DNS
to make sure the rndc key would be different from the Secondary DNS, but the zone
still gets transferred.

    I am a little confused by your statement that 2 different keys are available
for named & rndc. I am interested only in the rndc key to improve security during
zone transfer.
    I have created the directory /chroot/named to keep DNS info like zone files,
named.conf, rndc.key etc.

  Please reply if you require any other detail.
  Any suggestions from experts are always welcome. Waiting for a positive
reply.

Best Regards
Ganesh



-----Original Message-----
From: Joseph S D Yao [mailto:jsdy at center.osis.gov] 
Sent: Tuesday, November 22, 2005 4:26 PM
To: Borhade Ganesh (vMoksha)
Cc: bind-users at isc.org
Subject: Re: rndc key is not working with bind 9.2.3 on Solaris 9 Server -- for Zone Transfer


You only need to send to one of this mailing list's e-mail addresses.  I
have only cc'ed one of them.

On Tue, Nov 22, 2005 at 02:43:03PM +0100, Borhade Ganesh (vMoksha) wrote:
> > Dear All,
> > 
> >               I have installed Bind 9.2.3 (with chroot ) on Solaris 9 with
> > rndc for Primary DNS Server. I have 2nd Solaris Server with Solaris 10
> > with default Bind which i have configured as Secondary DNS Server.
> > 
> >        I am able to transfer "Zone file" from Primary to Secondary DNS but
> > without "rndc" in effect. Even i have change rndc key on primary but "Zone
> > file " gets transfer from Primary to Secondary DNS Server.
> > 
> >        I haven't received any error message for rndc. I have same
> > rndc.key, rndc.conf on Primary & Secondary DNS Server. In named.conf  on
> > Primary & secondary i have specified rndc key ( both servers ).
> > 
> >       What could be wrong? Is any rndc service we need to start on
> > Secondary? How to test Zone transfer with rndc key?.
> > 
> >       Please find my attached Primary & Secondary DNS files which are kept
> > in /chroot/named folder.
> > 
> >  <<rndc_key_primary.txt>>  <<named.conf_primary.txt>>  
> > <<rndc_conf_primary.txt>> 
> >  <<rndc_key_Secondary.txt>>  <<named.conf_secondary.txt>>  
> > <<rndc_conf_secondary.txt>> 
> >      
> > Note: 1. Primary DNS ( Solaris 9, Installed Bind 9.2.3), Secondary DNS (
> > Solaris 10 with default bind 9)
> >          2.  My DNS Servers are on Private IP but can access Internet.
> >          3. I can start named & stop it ( using rndc command)


Besides the fact that attachments don't make it onto the mailing list,
it's not clear from the above what your problem is.  I  t h i n k  it's
that 'rndc' is not working for you.

The key must be available to both 'rndc' and to 'named'.  For that to
happen, it should be in the default location for 'rndc' - /etc/rndc.key
- or in a location specified on the command line or in a configuration
file (/etc/rndc.conf or specified on the command line).  It should also
be under the root of the chroot'ed 'named'!  It sounds like you are
saying that it is in the "/chroot/named" directory, so one would assume
that "/chroot" is the directory to which 'named' is chroot'ing.  So, the
/etc/named.conf file for 'named' should include "/named/rndc.key" to let
the key be seen by the associated

controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
	...
};

statement.

Note that one easy way to make sure that the key on a single machine is
kept current in all locations is to have "/etc/rndc.key" be a symbolic
link to "/chroot/named/rndc.key"!  And then only modify the latter.

I hope that this has been of some help.

If you're still having a problem, check whether IPtable or IPfilter is
running on your system and blocking you.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
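The symlink arrangement Joe describes (one key file under the chroot, with /etc/rndc.key pointing at it so that rndc outside the chroot and named inside it read the same bytes) is easy to get subtly wrong, for example by linking to a copy that named cannot see. The script below is an added example written for this page, not code from the thread, from ISC or from BIND: it checks that the symlink's target lies inside the chroot and exists, prints the path named sees from inside the chroot (the path to use in the named.conf `include`), and warns when the key file is world-readable. The chroot directory and key path are assumed arguments; the demo builds a constructed throwaway layout under a temporary directory rather than touching /etc or /chroot.

```shell
#!/bin/sh
# Added example (not from the thread, ISC or BIND): verify the rndc.key symlink
# layout for a chroot'ed named. Assumptions: CHROOT is the directory named
# chroots to, KEYPATH is the rndc.key path outside the chroot (normally /etc/rndc.key).

# check_rndc_key_layout CHROOT KEYPATH
# Returns 0 and prints the in-chroot path of the key when KEYPATH is a symlink
# whose target exists under CHROOT; returns 1 with a reason on stderr otherwise.
check_rndc_key_layout() {
    chroot_dir=$1
    keypath=$2

    if [ ! -L "$keypath" ]; then
        echo "FAIL: $keypath is not a symlink" >&2
        return 1
    fi

    # Solaris 9 ships no readlink(1), so read the target from ls -l instead.
    target=$(ls -l "$keypath" | sed 's/.* -> //')
    case "$target" in
        /*) ;;                                          # absolute target
        *)  target="$(dirname "$keypath")/$target" ;;   # relative to the link's directory
    esac

    # The target must be under the chroot, or named will never see the key.
    case "$target" in
        "$chroot_dir"/*) ;;
        *)
            echo "FAIL: $target lies outside the chroot $chroot_dir" >&2
            return 1 ;;
    esac

    # Path as seen from inside the chroot: strip the chroot prefix.
    inner=${target#"$chroot_dir"}
    if [ ! -f "$chroot_dir$inner" ]; then
        echo "FAIL: $target does not exist, so neither rndc nor named has a key" >&2
        return 1
    fi

    # Column 8 of ls -l is the "other" read bit; a world-readable key is a weak setting.
    mode=$(ls -l "$target" | cut -c8)
    if [ "$mode" != "-" ]; then
        echo "WARN: $target is world-readable" >&2
    fi

    echo "$inner"
    return 0
}

# make_demo_layout DIR
# Builds a constructed layout under DIR: a chroot holding a key file, a good
# symlink into it, and a bad symlink that points outside the chroot.
# The secret is a placeholder (base64 of "placeholder"), not a real key.
make_demo_layout() {
    base=$1
    mkdir -p "$base/chroot/named/etc" "$base/etc"
    printf 'key "rndckey" {\n\talgorithm hmac-md5;\n\tsecret "cGxhY2Vob2xkZXI=";\n};\n' \
        > "$base/chroot/named/etc/rndc.key"
    chmod 640 "$base/chroot/named/etc/rndc.key"
    printf 'key "rndckey" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXI="; };\n' \
        > "$base/rndc.key.elsewhere"
    ln -s "$base/chroot/named/etc/rndc.key" "$base/etc/rndc.key"
    ln -s "$base/rndc.key.elsewhere" "$base/etc/rndc.key.outside"
}

# Stand-alone demo on the constructed layout; nothing under / is touched.
demo=$(mktemp -d)
make_demo_layout "$demo"
inner=$(check_rndc_key_layout "$demo/chroot" "$demo/etc/rndc.key") &&
    echo "OK: inside the chroot named.conf can use: include \"$inner\";"
check_rndc_key_layout "$demo/chroot" "$demo/etc/rndc.key.outside" ||
    echo "expected failure: link target outside the chroot"
rm -rf "$demo"
```

On a real host the call would be `check_rndc_key_layout /chroot /etc/rndc.key`; with the layout from the message above it prints `/named/etc/rndc.key`, which is the path named needs in its `include` (the `controls` statement then refers to the key by name). The check only validates file layout: it does not parse the key statement or confirm that named.conf actually includes it.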

