The rndc utility is a command-line tool to administer the named service, both locally and from a remote machine. To prevent unauthorized access to the service, rndc must be configured to listen on the selected port (port 953 by default), and an identical key must be used by both the service and the rndc utility. The rndc key is generated by using the following command:
# rndc-confgen -a wrote key file "/etc/rndc.key"
This command creates the /etc/rndc.key file, which contains the key.
# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "k7WFNCP01e1NwIgaIhvtQQ==";
};
To configure named to use the key, include the following entries in /etc/named.conf:
# vi /etc/named.conf<
include “/etc/rndc.key”;
controls {
inet 127.0.0.1 allow { localhost; } keys { “rndckey”; }
};
The include statement allows files to be included so that potentially sensitive data can be placed in a separate file with restricted permissions. To ensure that only root can read the file, enter the following:
# chmod o-rwx /etc/rndc.key
The controls statement defines access information and the various security requirements necessary to use the rndc command.
- inet: The example allows you to control rndc from a console on the localhost (127.0.0.1).
- keys: Keys are used to authenticate various actions and are the primary access control method for remote administration. The example specifies using rndckey, which is defined in the /etc/rndc.key include file.
rndc command Examples
Type rndc to display usage of the utility and a list of available commands:
# rndc
Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking the serial number.
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
sync [-clean] Dump changes to all dynamic zones to disk, and optionally
....
The following is an example of some of the rndc commands:
1. Use the rndc status command to check the current status of the named service:
# rndc status number of zones: 3 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/1000 tcp clients: 0/100 server is up and running
Use the rndc reload command to reload both the configuration file and zones:
# rndc reload server reload successful