3.4 Using rndc with a Remote Name Server

3.4.1 Problem

You want to use rndc to manage a remote name server.

3.4.2 Solution

If you used rndc-confgen to configure a name server's control channel, the name server's named.conf file probably contains key and controls statements like these:

key "rndc-key" {
        algorithm hmac-md5;
        secret "LctVnbqQQPHiZJ80ZwnFDA==";
};

controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

Modify the controls statement so that the name server listens on all of the local host's IP addresses for control messages, not just the loopback address. Also, change the access control list in the allow substatement to allow connections from the address where you'll run rndc. It'll end up looking something like this:

controls {
    inet * port 953
    allow { 127.0.0.1; 192.168.0.7; } keys { "rndc-key"; };
};

On the host you want to run rndc from, create an rndc.conf file. (The file normally belongs in the /etc directory.) Add a key statement identical to the one in named.conf:

key "rndc-key" {
        algorithm hmac-md5;
        secret "LctVnbqQQPHiZJ80ZwnFDA==";
};

Then add an options statement, specifying the default name server to control and the default key to use to sign commands:

options {
    default-server 192.168.0.1;
    default-key "rndc-key";
};

rndc should now work from the command line with a single argument. For example:

# rndc reload foo.example

3.4.3 Discussion

If the name server's named.conf file didn't have a controls statement to begin with, add one similar to the controls statement in the solution. Then add a key statement defining a key to use to sign control messages. You can generate a key with the dnssec-keygen program that's included with the BIND distribution:

$ dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key
Krndc-key.+157+22603

See Section 7.10 for instructions on how to drive dnssec-keygen.

The file Krndc-key.+157+22603.key contains:

rndc-key. IN KEY 512 3 157 XvqePraEZOjNklEMu5lfzw==

Add a key statement to the name server's named.conf file defining the new key:

key "rndc-key" {
    algorithm hmac-md5;
    secret "XvqePraEZOjNklEMu5lfzw==";
};

Add the same key statement to the rndc.conf file on the host you'll run rndc from, as well as an options statement like the one shown above.

If you need to control more than one name server from a single host, add server statements to rndc.conf. The argument to the server statement is either the name or the address of the name server. (If you use a name, the name must resolve to the address of the name server.) In each server statement, you can define a different key to use to sign control messages to that server. For example:

server ns2.foo.example {
    key ns2.foo.example.key;
};

Of course, you'll also need key statements for each unique key.

Once you've set up rndc.conf, you can tell rndc to control a particular name server with the -s command-line option:

# rndc -s ns2.foo.example flush

Make sure the argument you specify with -s matches the argument you used in the server statement exactly or rndc won't find the corresponding key.

3.4.4 See Also

Section 3.3 for setting up rndc with a local BIND 9 name server, Recipe Section 7.10 for instructions on using dnssec-keygen, and "rndc and controls (BIND 9)" in Chapter 7 of DNS and BIND.