Configuring RNDC for Fine-Grained BIND9 Control
RNDC (remote name daemon control) is a utility bundled with BIND that lets you control a running named over an authenticated control channel, instead of restarting the whole server. To pick up a change to a single zone you can run "rndc reload myzone.com" and only that zone is reloaded, with no interruption to service; "rndc reconfig" re-reads named.conf and loads only newly added zones. Because the channel can also stop the server, flush caches and change logging, the key that protects it deserves the same care as any other credential.
1. Generate a cryptographic key
First we'll generate a shared secret that will be used to authenticate commands on the control channel of BIND:
dnssec-keygen -a HMAC-MD5 -b256 \
-n HOST rndc
This creates a pair of files named "Krndc.+157+62322.key" and "Krndc.+157+62322.private" (157 is BIND's algorithm number for HMAC-MD5; the second number is the key id and will differ for every generated key). The secret you need is on the "Key:" line of the .private file. HMAC-MD5 is a legacy choice: BIND also accepts hmac-sha256 (use "-a HMAC-SHA256" and "hmac-sha256" in the algorithm statements below), and "rndc-confgen" can generate the key and print both configuration stanzas in one go. Once the secret has been copied into the configuration files, delete the Krndc.* files or make them readable only by root.
2. Create a configuration file for rndc
This file is read only by rndc, never by BIND. rndc looks for it at /etc/rndc.conf by default; it can be placed anywhere else in the system and passed with "-c". Since it contains the secret that grants full control of the name server, it must be readable only by the user who runs rndc (mode 0600).
---- cut here ----
key "rndckey" {
algorithm "hmac-md5";
// this "secret" is the same crypto material found on the "Key:" line
// of the Krndc.+157+62322.private file generated in step 1
secret "BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
---- cut here ----
• The name of the key ("rndckey") is arbitrary, but it must be spelled identically in rndc.conf and named.conf.
• The content of the "secret" statement is copied from the "Key:" line of the private key file generated in step 1; the algorithm statement must match the algorithm the key was generated with.
3. Configure BIND to accept rndc commands
Edit named.conf and include the following statements. The key stanza must be byte-for-byte the same as in rndc.conf. In the controls statement the "allow" list restricts which source addresses may connect at all, while the key authenticates each command; binding to 127.0.0.1 keeps the channel off the network entirely, so only widen it if you genuinely need remote control, and then restrict "allow" to the management hosts rather than "any".
---- cut here ----
# RNDC
key "rndckey" {
algorithm "hmac-md5";
secret "BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
};
---- cut here ----
4. Restart BIND (so it reads the new controls statement) and test "rndc"
[root@vm3-lab2 var]# /etc/init.d/bind restart
[root@vm3-lab2 var]# /opt/bind/sbin/rndc -c /path/to/rndc.conf -s localhost status
version: 9.7.2-P3
number of zones: 30
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
ts: 1300910749
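The four steps above are a copy-and-paste exercise in which the secret must land unchanged in two files and the algorithm name must match the key that was generated. The following added example (not part of BIND or of the original page) pulls the secret out of a dnssec-keygen .private file, checks it is an HMAC key of sane length, renders matching rndc.conf and named.conf fragments, writes them with owner-only permissions, and cross-checks that both files carry the same secret. The SAMPLE_PRIVATE_FILE is a constructed sample laid out like dnssec-keygen's output, using the secret shown on this page; the algorithm-number table is BIND's own numbering for TSIG/HMAC keys. It also goes one step beyond the page by supporting the SHA-2 HMAC variants and generating a fresh hmac-sha256 secret without dnssec-keygen.

```python
"""Turn a dnssec-keygen HMAC key into matching rndc.conf / named.conf stanzas.

Added example for this tutorial; not BIND's code. SAMPLE_PRIVATE_FILE is a
constructed sample in the K*.private layout dnssec-keygen produces.
"""
import base64
import os
import re

# BIND's private algorithm numbers for TSIG/HMAC keys, as written on the
# "Algorithm:" line of a K*.private file, mapped to the rndc/named name.
HMAC_ALGORITHMS = {
    157: "hmac-md5",
    161: "hmac-sha1",
    162: "hmac-sha224",
    163: "hmac-sha256",
    164: "hmac-sha384",
    165: "hmac-sha512",
}

# Constructed sample of the Krndc.+157+62322.private file from step 1.
# The secret is the one shown on the page; the timestamps are illustrative.
SAMPLE_PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: BxUpUZLIymdkMsfvdrTnudVwefhYEGBbhfRMgAgR81M=
Bits: AAA=
Created: 20110323200000
Publish: 20110323200000
Activate: 20110323200000
"""


def parse_private_key(text):
    """Return (algorithm_name, secret_b64) from the body of a K*.private file.

    Rejects DNSSEC signing keys (RSA, ECDSA, ...) that rndc cannot use, and
    secrets that are not valid base64 or are shorter than 128 bits.
    """
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    match = re.match(r"(\d+)", fields.get("Algorithm", ""))
    if not match or int(match.group(1)) not in HMAC_ALGORITHMS:
        raise ValueError("not an HMAC key: %r" % fields.get("Algorithm"))
    secret = fields["Key"]
    raw = base64.b64decode(secret, validate=True)
    if len(raw) < 16:
        raise ValueError("secret is only %d bytes long" % len(raw))
    return HMAC_ALGORITHMS[int(match.group(1))], secret


def new_secret(nbytes=32):
    """Fresh random secret (256 bits by default), base64 as named expects.

    Equivalent to what dnssec-keygen/tsig-keygen would produce for hmac-sha256.
    """
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def render_key_stanza(name, algorithm, secret):
    """The key {} block shared verbatim by rndc.conf and named.conf."""
    return 'key "%s" {\n\talgorithm "%s";\n\tsecret "%s";\n};\n' % (
        name, algorithm, secret)


def render_rndc_conf(name, algorithm, secret, server="127.0.0.1", port=953):
    """rndc.conf: key plus defaults so 'rndc status' needs no -c/-s/-k flags."""
    return render_key_stanza(name, algorithm, secret) + (
        'options {\n\tdefault-key "%s";\n\tdefault-server %s;\n'
        '\tdefault-port %d;\n};\n' % (name, server, port))


def render_named_controls(name, algorithm, secret, listen="127.0.0.1", port=953):
    """named.conf fragment: same key, control channel bound to loopback only."""
    return render_key_stanza(name, algorithm, secret) + (
        'controls {\n\tinet %s port %d allow { %s; } keys { %s; };\n};\n'
        % (listen, port, listen, name))


def secrets_match(rndc_conf, named_conf, name):
    """True when both files define key `name` with the same secret."""
    pattern = re.compile(
        r'key\s+"%s"\s*\{[^}]*secret\s+"([^"]+)"' % re.escape(name))
    a, b = pattern.search(rndc_conf), pattern.search(named_conf)
    return bool(a and b) and a.group(1) == b.group(1)


def write_private(path, content):
    """Create `path` with mode 0600 before writing, so the secret is never
    world-readable even for an instant."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(content)


if __name__ == "__main__":
    alg, sec = parse_private_key(SAMPLE_PRIVATE_FILE)
    if alg == "hmac-md5":
        print("warning: hmac-md5 key; prefer hmac-sha256 for new deployments")
    rndc_conf = render_rndc_conf("rndckey", alg, sec)
    named_frag = render_named_controls("rndckey", alg, sec)
    assert secrets_match(rndc_conf, named_frag, "rndckey")
    print(rndc_conf)
    print(named_frag)
```

Run it as-is to see the fragments for the page's HMAC-MD5 key, or replace the parse step with `new_secret()` and `"hmac-sha256"` to provision a fresh key; write_private() is the function to use for the real rndc.conf so the file never exists with permissive mode.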