Configuring rndc for BIND 9

Some quick notes on configuring rndc for BIND (Berkeley Internet Name Domain) 9 servers.

I’ve been carrying through the same basic BIND configuration for my home name servers since version 4, updated along the way as old syntax changed.

The rndc tool is used to perform administrative functions on a running BIND server without having to do a restart.

After borking the configuration of rndc on a new Fedora 19 server, I decided to commit my notes here for posterity.

Forget anything you may read everywhere else. THIS is how to do it on Red Hat Enterprise Linux 6+ and corresponding Fedora releases. I suspect these steps will work for other Linux distributions as well.

1. Create an rndc.conf file thus:

rndc-confgen >/etc/rndc.conf

It will look like this inside:

key "rndc-key" {
	algorithm hmac-md5;
	secret "KbcFrxgaLM==";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "KbcFrxgaLM==";
# };
# 
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

(The secret shown is just for illustration; yours will, and should, be different.)

Permissions:

chown root:named /etc/rndc.conf
chmod o-rwx /etc/rndc.conf

2. Create a rndc.key file by copying the “key” statement from your new /etc/rndc.conf file into /etc/rndc.key:

key "rndc-key" {
	algorithm hmac-md5;
	secret "KbcFrxgaLM==";
};

Set permissions identically to those on the rndc.conf file.

3. Insert the following into /etc/named.conf, between the options and first zone statements:

include "/etc/rndc.key";
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};

Because named.conf should be world-readable (but writable only by root), I use the include directive to avoid exposing the key's secret to the world.

That’s all there is to it. Commit by restarting named:

systemctl restart named

Run rndc status to confirm the utility can talk to the server.
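As an added example that is not part of the original post, the shell functions below do step 2 with awk instead of by hand and then check the two rules the post relies on: the key file must not be readable by "other", and named.conf must pull the key in via include rather than carry the secret inline. The sample files are constructed from the post's listings in a scratch directory, and the permission check assumes GNU stat (Linux).

```shell
# Added example (not from the post): step 2 plus checks for the permission
# and include rules above, on constructed sample files. Needs GNU stat (Linux).
set -u

# Copy only the key statement from SRC to DST; '#' lines are skipped so the
# commented-out copy in the named.conf hint is not picked up as a second key.
extract_key_statement() {   # SRC DST
    awk '/^[[:space:]]*#/ { next }
         /^[[:space:]]*key[[:space:]]+"/ { inkey = 1 }
         inkey { print }
         inkey && /^[[:space:]]*};/ { exit }' "$1" > "$2"
}

# One key statement with a secret and no permission bits for "other" (chmod o-rwx).
check_key_file() {   # FILE
    [ "$(grep -c '^[[:space:]]*key[[:space:]]*"' "$1")" -eq 1 ] ||
        { echo "$1: expected exactly one key statement"; return 1; }
    grep -q '^[[:space:]]*secret[[:space:]]*"' "$1" ||
        { echo "$1: no secret"; return 1; }
    case "$(stat -c %a "$1")" in
        *0) ;;                         # e.g. 640 or 600: other has nothing
        *) echo "$1: accessible by other"; return 1 ;;
    esac
}

# Secret via include only, never inline; controls bound to loopback only.
check_named_conf() {   # FILE
    ! grep -q '^[[:space:]]*secret[[:space:]]*"' "$1" ||
        { echo "$1: secret stored inline"; return 1; }
    grep -q '^[[:space:]]*include[[:space:]]*"/etc/rndc.key"' "$1" ||
        { echo "$1: no include of /etc/rndc.key"; return 1; }
    grep -q '^[[:space:]]*inet[[:space:]]*127\.0\.0\.1[[:space:]]' "$1" ||
        { echo "$1: controls not bound to 127.0.0.1"; return 1; }
}

# Build the post's files with a constructed placeholder secret and run the checks.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'key "rndc-key" {' '    algorithm hmac-md5;' \
        '    secret "KbcFrxgaLM==";' '};' '' 'options {' \
        '    default-key "rndc-key";' '};' '# key "rndc-key" {' \
        '#     secret "KbcFrxgaLM==";' '# };' > "$d/rndc.conf"
    extract_key_statement "$d/rndc.conf" "$d/rndc.key"
    chmod o-rwx "$d/rndc.key"
    printf '%s\n' 'include "/etc/rndc.key";' 'controls {' \
        '    inet 127.0.0.1 port 953' \
        '        allow { 127.0.0.1; } keys { "rndc-key"; };' '};' > "$d/named.conf"
    check_key_file "$d/rndc.key" && check_named_conf "$d/named.conf"
    rc=$?; rm -rf "$d"; return $rc
}
```

Run `demo` to exercise the whole flow, or point check_key_file and check_named_conf at the real /etc/rndc.key and /etc/named.conf after finishing step 3.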

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).