
FreeBSD Manual Pages

RNDC.CONF(5)			    BIND 9			  RNDC.CONF(5)

NAME
       rndc.conf - rndc	configuration file

SYNOPSIS
       rndc.conf

DESCRIPTION
       rndc.conf  is  the  configuration file for rndc,	the BIND 9 name	server
       control utility.	This file  has	a  similar  structure  and  syntax  to
       named.conf.  Statements	are  enclosed  in braces and terminated	with a
       semi-colon. Clauses in the statements are also  semi-colon  terminated.
       The usual comment styles	are supported:

       C style:	/* */

       C++ style: // to	end of line

       Unix style: # to	end of line

       rndc.conf  is  much simpler than	named.conf. The	file uses three	state-
       ments: an options statement, a server statement,	and a key statement.

       The options statement contains five clauses. The	default-server	clause
       is  followed by the name	or address of a	name server. This host is used
       when no name server is given as an argument to rndc.   The  default-key
       clause  is  followed by the name	of a key, which	is identified by a key
       statement. If no	keyid is provided on the rndc command line, and	no key
       clause is found in a matching server statement,	this  default  key  is
       used  to	 authenticate  the  server's  commands	and responses. The de-
       fault-port clause is followed by	the port to connect to on  the	remote
       name  server.  If  no port option is provided on	the rndc command line,
       and no port clause is found in a	matching server	 statement,  this  de-
       fault  port  is	used  to  connect.  The	default-source-address and de-
       fault-source-address-v6 clauses can be used to set the  IPv4  and  IPv6
       source addresses	respectively.

       After the server keyword, the server statement includes a string which
       is the hostname or address for a name server. The  statement  has  five
       possible  clauses:  key,  port,  addresses, source-address, and source-
       address-v6. The key name must match the name of a key statement in the
       file. The port number specifies the port to connect to. If an addresses
       clause is supplied, these addresses are used instead of the server name.
       Each address can take an optional port.  If  a  source-address  or  a
       source-address-v6 clause is supplied, it specifies the IPv4 or the IPv6
       source address, respectively.

       The  key	 statement  begins with	an identifying string, the name	of the
       key. The	statement has two clauses. algorithm identifies	the  authenti-
       cation algorithm	for rndc to use; currently only	HMAC-MD5 (for compati-
       bility),	 HMAC-SHA1,  HMAC-SHA224,  HMAC-SHA256 (default), HMAC-SHA384,
       and HMAC-SHA512 are supported. This is  followed	 by  a	secret	clause
       which  contains	the base-64 encoding of	the algorithm's	authentication
       key. The	base-64	string is enclosed in double quotes.

       There are two common ways to generate the base-64 string  for  the  se-
       cret.  The BIND 9 program rndc-confgen can be used to generate a random
       key,  or  the mmencode program, also known as mimencode, can be used to
       generate a base-64 string from known input. mmencode does not ship with
       BIND 9 but is available on many systems. Note that  mmencode  only  en-
       codes  the  bytes  it is given: the resulting secret is exactly as pre-
       dictable as that input, so a secret for  production  use  should  come
       from  rndc-confgen  or another source of random bytes. See the Example
       section for sample command lines for each.
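       The following Python is an added example, not part of this manual page
       and not BIND's own code. It parses the statement and clause syntax de-
       scribed above with a brace-balanced parser (handling all three comment
       styles without mangling a quoted secret that contains "/") and runs the
       consistency checks worth doing before pointing rndc at a server: every
       server key and the default-key must name a key statement, every secret
       must be valid base-64 no shorter than the HMAC digest, and HMAC-MD5 is
       flagged. The sample configuration, the key names, the 192.0.2.10  ad-
       dress and port 953 are constructed for the example.

```python
"""Parse and sanity-check an rndc.conf (added example, not BIND's code).

A brace-balanced parser for the statement/clause syntax described above plus
the consistency checks worth running before pointing rndc at a server.
SAMPLE_CONF is constructed for this example and deliberately faulty.
"""
import base64
import binascii
import re
import secrets

# HMAC digest length in bytes for each algorithm rndc.conf accepts.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

# Quoted strings are tried first so that a '/' inside a base-64 secret is
# never mistaken for the start of a comment ('/' is a base-64 character).
COMMENT_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    return COMMENT_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_block(tokens, pos=0):
    """Parse 'word ... [{ block }] ;' statements up to a closing brace or EOF.
    Returns (statements, pos); a statement is (words, children) where children
    is the parsed inner block, or None when the statement has no braces."""
    stmts = []
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
            words.append(tokens[pos].strip('"'))
            pos += 1
        children = None
        if pos < len(tokens) and tokens[pos] == "{":
            children, pos = parse_block(tokens, pos + 1)
            pos += 1  # step over the matching "}"
        if pos >= len(tokens) or tokens[pos] != ";":
            raise ValueError("statement not terminated by ';' near token %d" % pos)
        pos += 1
        stmts.append((words, children))
    return stmts, pos

def clauses(children):
    """Map two-word clauses such as 'algorithm hmac-sha256;' to a dict."""
    return {w[0]: w[1] for w, _ in children if len(w) == 2}

def check_rndc_conf(text):
    """Return a list of problems; an empty list means the file is consistent."""
    stmts, _ = parse_block(TOKEN_RE.findall(strip_comments(text)))
    options, servers, keys = {}, {}, {}
    for words, children in stmts:
        if not words or children is None:
            continue
        if words[0] == "options":
            options.update(clauses(children))
        elif words[0] == "server" and len(words) == 2:
            servers[words[1]] = clauses(children)
        elif words[0] == "key" and len(words) == 2:
            keys[words[1]] = clauses(children)
    problems = []
    for name, c in keys.items():
        alg = c.get("algorithm", "hmac-sha256").lower()  # HMAC-SHA256 is the default
        if alg not in DIGEST_BYTES:
            problems.append("key %s: unsupported algorithm %s" % (name, alg))
            continue
        if alg == "hmac-md5":
            problems.append("key %s: hmac-md5 is kept for compatibility only; use hmac-sha256" % name)
        try:
            raw = base64.b64decode(c.get("secret", ""), validate=True)
        except binascii.Error:
            problems.append("key %s: secret is not valid base64" % name)
            continue
        if len(raw) < DIGEST_BYTES[alg]:
            problems.append("key %s: %d-byte secret is shorter than the %s digest (%d bytes)"
                            % (name, len(raw), alg, DIGEST_BYTES[alg]))
    default_key = options.get("default-key")
    if default_key is not None and default_key not in keys:
        problems.append("options: default-key %s is not defined" % default_key)
    for name, c in servers.items():
        key = c.get("key", default_key)
        if key is None:
            problems.append("server %s: no key clause and no default-key" % name)
        elif key not in keys:
            problems.append("server %s: key %s is not defined" % (name, key))
    return problems

# Constructed sample (not the man page's example). Faults: "legacy" uses
# HMAC-MD5, "weak" has an 8-byte secret, server "broken" names an undefined key.
SAMPLE_CONF = """\
/* constructed rndc.conf */
options { default-server localhost; default-key "rndc-key"; };   // C++ style
server localhost { key rndc-key; };
server backup    { key legacy; addresses { 192.0.2.10 port 953; }; };
server broken    { key nosuchkey; };
key "rndc-key" { algorithm hmac-sha256; secret "%s"; };            # Unix style
key legacy     { algorithm hmac-md5;    secret "%s"; };
key weak       { algorithm hmac-sha256; secret "%s"; };
""" % tuple(base64.b64encode(secrets.token_bytes(n)).decode() for n in (32, 16, 8))
```

       Feed check_rndc_conf() the contents of a real file; it returns  three
       findings  for  SAMPLE_CONF  (the MD5 key, the short secret, the server
       whose key is undefined) and an empty list for a consistent file.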

EXAMPLE
	  options {
	    default-server  localhost;
	    default-key	    samplekey;
	  };

	  server localhost {
	    key		    samplekey;
	  };

	  server testserver {
	    key	    testkey;
	    addresses	{ localhost port 5353; };
	  };

	  key samplekey	{
	    algorithm	    hmac-sha256;
	    secret	    "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
	  };

	  key testkey {
	    algorithm	hmac-sha256;
	    secret	"R3HI8P6BKw9ZwXwN3VZKuQ==";
	  };

       In  the	above  example,	 rndc  by default uses the server at localhost
       (127.0.0.1) and the key called "samplekey". Commands to	the  localhost
       server  use  the	 "samplekey"  key,  which  must	also be	defined	in the
       server's	configuration file with	the same  name	and  secret.  The  key
       statement indicates that	"samplekey" uses the HMAC-SHA256 algorithm and
       its  secret clause contains the base-64 encoding	of the HMAC-SHA256 se-
       cret enclosed in	double quotes.

       If rndc -s testserver is	used, then rndc	connects to the	server on  lo-
       calhost port 5353 using the key "testkey".

       To generate a random secret with	rndc-confgen:

       rndc-confgen

       A  complete  rndc.conf  file,  including	the randomly generated key, is
       written to the standard output. Commented-out key and  controls	state-
       ments for named.conf are	also printed.

       To generate a base-64 secret with mmencode:

       echo "known plaintext for a secret" | mmencode

NAME SERVER CONFIGURATION
       The  name  server  must be configured to	accept rndc connections	and to
       recognize the key specified in the rndc.conf file, using	 the  controls
       statement  in named.conf. See the sections on the controls statement in
       the BIND	9 Administrator	Reference Manual for details.
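       As an added example (not this manual page's text and not BIND's  code),
       the  following  Python  reproduces  the  shape of what rndc-confgen pro-
       duces: a fresh random secret sized to the HMAC digest, the rndc.conf that
       uses  it,  and  the key and controls statements named.conf needs so that
       the server recognizes the same key. The key  name  "rndc-key",  the  ad-
       dress  127.0.0.1  and  port  953  are  assumptions  for the example; the
       secrets_match() check is there because a key name or secret  that  dif-
       fers between the two files is the usual reason rndc fails to authenti-
       cate.

```python
"""Generate a matched rndc.conf / named.conf pair (added example, not BIND's code).

Assumed for the example: key name "rndc-key", control channel 127.0.0.1:953.
"""
import base64
import re
import secrets

# Digest lengths in bytes; the secret is generated as long as the digest.
DIGEST_BYTES = {"hmac-sha1": 20, "hmac-sha224": 28, "hmac-sha256": 32,
                "hmac-sha384": 48, "hmac-sha512": 64}

def random_secret(algorithm="hmac-sha256"):
    """Base-64 of digest-length random bytes: the secret clause for both files."""
    return base64.b64encode(secrets.token_bytes(DIGEST_BYTES[algorithm])).decode()

def key_statement(name, algorithm, secret):
    """The key statement, which must be identical in rndc.conf and named.conf."""
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)

def render_rndc_conf(name, algorithm, secret, server="127.0.0.1", port=953):
    """rndc.conf: the key plus an options statement that makes it the default."""
    return (key_statement(name, algorithm, secret)
            + '\noptions {\n\tdefault-key "%s";\n\tdefault-server %s;\n\tdefault-port %d;\n};\n'
            % (name, server, port))

def render_named_controls(name, algorithm, secret, listen="127.0.0.1", port=953,
                          allow=("127.0.0.1",)):
    """named.conf fragment: the same key and a controls statement that accepts
    connections only from `allow` and only when authenticated with this key."""
    return (key_statement(name, algorithm, secret)
            + '\ncontrols {\n\tinet %s port %d\n\t\tallow { %s } keys { "%s"; };\n};\n'
            % (listen, port, " ".join(a + ";" for a in allow), name))

# Pulls (key name, secret) pairs out of either file's key statements.
KEY_RE = re.compile(r'\bkey\s+"?([^"\s{]+)"?\s*\{[^}]*?secret\s+"([^"]*)"', re.S)

def secrets_match(rndc_conf, named_conf):
    """True when both files define the same key names with the same secrets."""
    pairs = KEY_RE.findall(rndc_conf)
    return bool(pairs) and pairs == KEY_RE.findall(named_conf)

def generate_pair(name="rndc-key", algorithm="hmac-sha256"):
    """Return (rndc_conf, named_conf_fragment) sharing one fresh secret."""
    secret = random_secret(algorithm)
    return (render_rndc_conf(name, algorithm, secret),
            render_named_controls(name, algorithm, secret))

if __name__ == "__main__":
    rndc_conf, named_conf = generate_pair()
    print("# rndc.conf\n" + rndc_conf)
    print("# named.conf fragment\n" + named_conf)
```

       Install  the  first  output as rndc.conf (readable only by the account
       that runs rndc, since it holds the secret) and add the  second  to  the
       named.conf  of  the  server  being  controlled;  the  allow list in the
       controls statement restricts which source addresses may connect at all.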

SEE ALSO
       rndc(8),	rndc-confgen(8), mmencode(1), BIND 9  Administrator  Reference
       Manual.

AUTHOR
       Internet	Systems	Consortium

COPYRIGHT
       2025, Internet Systems Consortium

9.20.9				  2025-05-08			  RNDC.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=rndc.conf&sektion=5&manpath=FreeBSD+Ports+14.3.quarterly>