CarlosM KB

A fairly disorganized collection of articles and links...

Configuring RNDC for Fine-Grained BIND9 Control

RNDC is an extremely useful utility bundled with BIND that lets you control the DNS server in a fine-grained way. Instead of reloading the whole server to add a single record, you can issue "rndc reload myzone.com" and only that zone is reloaded, without restarting the server.

1. Generate a cryptographic key

First we'll generate a crypto key that will be used to access the control channel of BIND:

dnssec-keygen -a HMAC-MD5 -b256 \
-n HOST rndc

This creates a key pair named "Krndc.+157+62322" (a .key and a .private file; the numbers depend on the generated key).

2. Create a configuration file for rndc

This file is not accessed by BIND, only by rndc. It can be placed anywhere on the system.

---- cut here ----
key "rndckey" {
    algorithm "hmac-md5";
    // this "secret" is the same crypto material found in the private key file generated in step 1
    secret "BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};
---- cut here ----

• The name of the key ("rndckey") is arbitrary; the same name is used again in step 3.
• The content of the "secret" statement is taken from the private key file generated in step 1.

3. Configure BIND to accept rndc commands

Edit named.conf and include the following statements:

---- cut here ----
# RNDC
key "rndckey" {
    algorithm "hmac-md5";
    secret "BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=";
};

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
};
---- cut here ----
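As an added example (not part of the original post), a small Python helper that reads the K*.private file from step 1, checks that it really is an HMAC key of the size requested with -b, and renders the rndc.conf stanza (step 2) and the named.conf key/controls block (step 3) with one matching key name. The sample file contents are constructed; the algorithm numbers in the table are the ones dnssec-keygen assigns to the HMAC family.

```python
import base64
import re

# Sample K*.private file as dnssec-keygen writes it (constructed for this
# example; the Key line carries the secret shown on this page).
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=
Bits: AAA=
"""

# dnssec-keygen algorithm numbers for the HMAC family -> named.conf names
HMAC_ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                   163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}


def parse_private_key(text, expected_bits=256):
    """Return (algorithm name, base64 secret) from a K*.private file.
    Refuses non-HMAC keys (so a DNSSEC signing key is never pasted into
    the control channel) and secrets whose size does not match -b.
    """
    fields = dict(re.findall(r"^([A-Za-z-]+):\s*(.+?)\s*$", text, re.M))
    algo_num = int(fields["Algorithm"].split()[0])
    if algo_num not in HMAC_ALGORITHMS:
        raise ValueError("not an HMAC key: algorithm %d" % algo_num)
    secret = fields["Key"]
    if len(base64.b64decode(secret, validate=True)) * 8 != expected_bits:
        raise ValueError("secret is not %d bits" % expected_bits)
    return HMAC_ALGORITHMS[algo_num], secret


def key_stanza(key_name, algorithm, secret):
    """Shared key {} block used by both rndc.conf and named.conf."""
    return ('key "%s" {\n    algorithm "%s";\n    secret "%s";\n};\n'
            % (key_name, algorithm, secret))


def rndc_conf(key_name, algorithm, secret, server="127.0.0.1", port=953):
    """Client side (step 2): key plus options pointing at the control port."""
    return (key_stanza(key_name, algorithm, secret) +
            '\noptions {\n    default-key "%s";\n    default-server %s;\n'
            '    default-port %d;\n};\n' % (key_name, server, port))


def named_conf_controls(key_name, algorithm, secret, listen="127.0.0.1"):
    """Server side (step 3): same key, control socket bound to loopback only."""
    return (key_stanza(key_name, algorithm, secret) +
            '\ncontrols {\n    inet %s allow { %s; } keys { %s; };\n};\n'
            % (listen, listen, key_name))
```

The same helper accepts the SHA-2 HMAC keys that newer BIND releases prefer over HMAC-MD5, since only the algorithm name in the rendered stanzas changes.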

4. Restart BIND and test "rndc"

[root@vm3-lab2 var]# /etc/init.d/bind restart

[root@vm3-lab2 var]# /opt/bind/sbin/rndc -c /path/to/rndc.conf -s localhost status
version: 9.7.2-P3
number of zones: 30
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running