rndc key is not working with bind 9.2.3 on Solaris 9 Server -- for Zone Transfer

Joseph S D Yao jsdy at center.osis.gov
Tue Nov 22 15:25:43 UTC 2005


You only need to send to one of this mailing list's e-mail addresses.  I
have only cc'ed one of them.

On Tue, Nov 22, 2005 at 02:43:03PM +0100, Borhade Ganesh (vMoksha) wrote:
> > Dear All,
> > 
> >         I have installed Bind 9.2.3 (with chroot) on Solaris 9 with
> > rndc for Primary DNS Server. I have a 2nd Solaris Server with Solaris 10
> > with default Bind which I have configured as Secondary DNS Server.
> > 
> >         I am able to transfer "Zone file" from Primary to Secondary DNS but
> > without "rndc" in effect. Even I have changed rndc key on primary but "Zone
> > file" gets transferred from Primary to Secondary DNS Server.
> > 
> >         I haven't received any error message for rndc. I have the same
> > rndc.key, rndc.conf on Primary & Secondary DNS Server. In named.conf on
> > Primary & secondary I have specified rndc key (both servers).
> > 
> >         What could be wrong? Is there any rndc service we need to start on
> > Secondary? How to test Zone transfer with rndc key?
> > 
> >         Please find my attached Primary & Secondary DNS files which are kept
> > in /chroot/named folder.
> > 
> >  <<rndc_key_primary.txt>>  <<named.conf_primary.txt>>
> > <<rndc_conf_primary.txt>>
> >  <<rndc_key_Secondary.txt>>  <<named.conf_secondary.txt>>
> > <<rndc_conf_secondary.txt>>
> > 
> > Note: 1. Primary DNS (Solaris 9, Installed Bind 9.2.3), Secondary DNS (
> > Solaris 10 with default bind 9)
> >       2. My DNS Servers are on Private IP but can access Internet.
> >       3. I can start named & stop it (using rndc command)


Besides the fact that attachments don't make it onto the mailing list,
it's not clear from the above what your problem is.  I  t h i n k  it's
that 'rndc' is not working for you.

The key must be available to both 'rndc' and to 'named'.  For that to
happen, it should be in the default location for 'rndc' - /etc/rndc.key
- or in a location specified on the command line or in a configuration
file (/etc/rndc.conf or specified on the command line).  It should also
be under the root of the chroot'ed 'named'!  It sounds like you are
saying that it is in the "/chroot/named" directory, so one would assume
that "/chroot" is the directory to which 'named' is chroot'ing.  So, the
/etc/named.conf file for 'named' should include "/named/rndc.key" to let
the key be seen by the associated

controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
	...
};

statement.

Note that one easy way to make sure that the key on a single machine is
kept current in all locations is to have "/etc/rndc.key" be a symbolic
link to "/chroot/named/rndc.key"!  And then only modify the latter.

I hope that this has been of some help.

If you're still having a problem, check whether IPtable or IPfilter is
running on your system and blocking you.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
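As an added example (not part of Joe's reply, the poster's attachments, or any file shipped with BIND), the following shell script lays the key out the way described above: one copy under the chroot root, /etc/rndc.key as a symlink to it, and named.conf including it by its path as seen from inside the chroot, with a check that the key named in the controls statement and the secret rndc would read both match. Everything here is an assumption for illustration: CHROOT stands in for /chroot and ETC for /etc (both created under a scratch directory so it runs without root or an installed BIND), the key name "rndckey" is taken from the controls stanza above, and the secrets are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example, not from the original thread or from BIND: lay out one rndc
# key so that rndc (outside the chroot) and named (inside it) read the same
# file, then check that the two views agree.  Assumptions: CHROOT stands in
# for /chroot and ETC for /etc, both created under a scratch directory so the
# script runs without root or an installed BIND; the secret is a constructed
# placeholder, not a real key.
set -e

SCRATCH=${SCRATCH:-$(mktemp -d)}
CHROOT="$SCRATCH/chroot"   # where named chroots to (assumed from the post)
ETC="$SCRATCH/etc"         # rndc's default key location lives here

# Constructed placeholder; generate a real one with 'rndc-confgen -a'.
SECRET='wqkX2Wl8b1JchV4QbMcHOw=='

setup_layout() {
    mkdir -p "$CHROOT/named" "$ETC"
    # The single authoritative copy sits under the chroot root, where named
    # can still reach it after it has chroot'ed.
    cat > "$CHROOT/named/rndc.key" <<EOF
key "rndckey" {
	algorithm hmac-md5;
	secret "$SECRET";
};
EOF
    chmod 640 "$CHROOT/named/rndc.key"
    # /etc/rndc.key is a symlink to that copy, so rotating the key means
    # editing exactly one file.
    ln -sf "$CHROOT/named/rndc.key" "$ETC/rndc.key"
    # named.conf as named sees it: the include path is relative to the chroot
    # root, so it is /named/rndc.key, not /chroot/named/rndc.key.
    cat > "$CHROOT/named/named.conf" <<'EOF'
include "/named/rndc.key";

controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
EOF
}

# Print the key name or the secret from a key file.
key_name()   { sed -n 's/^key[[:space:]]*"\([^"]*\)".*/\1/p' "$1"; }
key_secret() { sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1"; }

# Resolve the include in named.conf against the chroot root, and confirm that
# (a) the file exists there, (b) the controls statement names the key the
# file defines, and (c) rndc's copy carries the same secret.  Returns 0 on
# success, 1 on the first mismatch.
check_key_consistency() {
    conf="$CHROOT/named/named.conf"
    inc=$(sed -n 's/^include[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    named_view="$CHROOT$inc"
    rndc_view="$ETC/rndc.key"
    if [ ! -f "$named_view" ]; then
        echo "named would not find $inc under $CHROOT" >&2; return 1
    fi
    wanted=$(sed -n 's/.*keys[[:space:]]*{[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$conf")
    if [ "$wanted" != "$(key_name "$named_view")" ]; then
        echo "controls names key '$wanted' but $inc defines '$(key_name "$named_view")'" >&2
        return 1
    fi
    s_named=$(key_secret "$named_view"); s_rndc=$(key_secret "$rndc_view")
    if [ -z "$s_named" ] || [ "$s_named" != "$s_rndc" ]; then
        echo "rndc and named would use different secrets" >&2; return 1
    fi
}

# Rotate by editing only the copy under the chroot; the symlink follows.
rotate_key() {
    sed "s|secret \"[^\"]*\"|secret \"$1\"|" "$CHROOT/named/rndc.key" \
        > "$CHROOT/named/rndc.key.new"
    mv "$CHROOT/named/rndc.key.new" "$CHROOT/named/rndc.key"
    chmod 640 "$CHROOT/named/rndc.key"
}

# The failure mode the symlink avoids: if /etc/rndc.key is a stale copy,
# rotating the chroot copy leaves rndc with the old secret.  Returns 0 when
# the check detects the drift and the link is restored afterwards.
stale_copy_is_detected() {
    rm -f "$ETC/rndc.key"
    cp "$CHROOT/named/rndc.key" "$ETC/rndc.key"     # a copy, not a link
    rotate_key 'AnotherConstructedSecret0002=='
    if check_key_consistency 2>/dev/null; then return 1; fi
    ln -sf "$CHROOT/named/rndc.key" "$ETC/rndc.key"   # restore the link
    check_key_consistency
}

setup_layout
if check_key_consistency; then
    echo "rndc and named agree on key $(key_name "$ETC/rndc.key")"
fi
```

The check only compares what the two programs would read from disk; it does not replace testing the live daemon with "rndc status" after a reload. The file mode is kept at 640 because anyone who can read the secret can drive named through the control channel.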
