ISC BIND Server Control Channel
The remote name daemon control (rndc) program included with the BIND distribution provides a control channel to perform BIND 9 DNS server operations. The rndc command provides access to perform these operations. The rndc client or sender of commands utilizes a separate configuration file for rndc, called rndc.conf. The configuration file contains three statement blocks as follows.
//rndc.conf file | ||
options { | ||
default-server (name | IP ); | // DNS server to which to send commands | |
default-port port; | // DNS server port to which to connect | |
default-key key_name; | // a key defined within the key statement | |
}; | ||
server (name | IP ) { | // DNS server name or IP | |
port port; | // port on which server is listening | |
key key_name; | // a key referenced on this server | |
}; | ||
key key_name { | ||
algorithm hmac-md5; | // port on which server is listening | |
secret key; | // the key value | |
}; |
The options statement block defines defaults for the DNS server to which to send commands, along with the corresponding TCP port and shared secret key name. The server statement block associates a key name with a given server, listening for rndc on a specified port. The key statement block defines the shared key corresponding to a given key name. The only other valid statement within the rndc.conf file is include, which requires a filename as an argument and enables inclusion of the referred filename's contents at the corresponding point in the rndc.conf file. The rndc.conf file is typically stored in the /etc directory on Unix or Linux systems.
BIND ships with the rndc-confgen utility to automate the creation of an rndc.key file, which contains the key statement block formatted as in the above example.
The controls statement block, defined in the DNS server's named.conf file, has the following format. Note the unix statement has been added in BIND 9.5.0 (harkening back to BIND 8 ndc controls) and defines a UNIX domain socket for rndc commands.
controls { | |
[inet (ip-address | *) [port port] allow {address_match_list} keys {key_list}; ] | |
[inet ... ;] | |
[unix path perm octal owner ownerid group groupid keys {key_list};] | |
[unix ... ;] | |
}; |
where:
- ip-address is the IP address on which the server will listen for rndc commands; use of the “*†wildcard character means that rndc will accept commands from any of the server's configured IP addresses.
- port is the TCP port on which the server will accept rndc commands (953 is the default)
- address_match_list is a defined address match list comprising an access control list allowable sources of rndc commands
- key_list is a list of one or more shared secret transaction keys
- path is the file path on which the domain socket is listening
- octal is an octal representation of the permissions level preceded by a 0 (rwx - read, write, execute) for file permissions; thus 0660 is read and write permission by owner and group as identified by the respective ownerid and groupid fields
- ownerid is the UNIX system numerical identifier associated with the file owner. Owner ID 0 is superuser for example.
- groupid is the UNIX system numerical identifier or the group associated with the socket