Bind 9 and RNDC
Jim Reid
jim at rfc1035.com
Wed Oct 11 10:53:26 UTC 2000
>>>>> "Nicholas" == Nicholas Berry <nberry at Exchange.Wavve.com> writes:
Nicholas> I have looked over the documentation
Nicholas> http://www.nominum.com/resources/Bv9ARM-091200.pdf
Nicholas> regarding how to configure rndc, but am having no luck.
Nicholas> I do not have any access lists defined in named.conf,
Nicholas> but I continue to get a "connection refused" when
Nicholas> attempting to connect. I have tried using the various
Nicholas> flags (-s, -p, -y) when issuing rndc reload, but
Nicholas> continue to get connection refused (and if it's any
Nicholas> consolation, I have done a port scan on my system and
Nicholas> port 953 is not showing as an open port).
Nicholas> Any ideas?
You need to add a controls{} statement to named.conf to make the name
server listen on that port. For security reasons the server won't set
up a management socket unless you tell it to do that. A key{}
statement is also needed to identify the TSIG secret for signing the
rndc requests. Excerpts from named.conf could look like this:
key "localkey" {
        algorithm hmac-md5;
        secret "Ytzd/Fjm2i2smxAwoTuiFq==";
};

server 127.0.0.1 {
        keys {
                localkey;
        };
};

controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};
i.e., listen for rndc requests on port 753 of the loopback interface and
only accept queries coming from 127.0.0.1 that are signed with
localkey's secret.
And /etc/rndc.conf could look like:
options {
        default-server localhost;
        default-key localkey;
};

server localhost {
        key localkey;
};

key "localkey" {
        algorithm hmac-md5;
        secret "Ytzd/Fjm2i2smxAwoTuiFq==";
};
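The usual reason rndc still reports "connection refused" after the two files are written is that they disagree: the controls{} statement is missing, the key name in rndc.conf is not one the inet line accepts, or the secret was pasted differently into the two files. The following script is an added example, not part of Jim's post or of BIND itself. It parses the brace-and-semicolon statement syntax that named.conf and rndc.conf share and cross-checks the two excerpts above: the client address must be in the allow list, the key rndc signs with must be listed in keys {}, and that key must be defined with the same algorithm and secret on both sides. The sample configurations are constructed copies of the excerpts above; the checker assumes BIND 9's default control port of 953 whenever an inet line gives no explicit port.

```python
"""Cross-check named.conf controls{}/key{} statements against rndc.conf.

Added example, not code from the original post or from BIND.  It parses the
statement syntax both files share and reports every mismatch that would make
rndc fail before it ever reaches named.
"""
import re

# Comments first so '#' or '//' never start a word; quoted strings are kept
# whole so a '/' inside a base64 secret is not mistaken for a comment.
TOKEN = re.compile(r'/\*.*?\*/|(?://|#)[^\n]*|[{};]|"[^"]*"|[^\s{};"]+', re.S)


def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith(('/*', '//', '#'))]


def parse(text):
    """Return a list of statements; each statement is a list whose elements
    are words (str) or nested blocks (lists of statements)."""
    tokens = tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        stmts, items = [], []
        while pos < len(tokens) and tokens[pos] != '}':
            tok = tokens[pos]
            pos += 1
            if tok == ';':
                if items:
                    stmts.append(items)
                items = []
            elif tok == '{':
                items.append(block())
                if pos >= len(tokens) or tokens[pos] != '}':
                    raise ValueError('missing "}"')
                pos += 1
            else:
                items.append(tok.strip('"'))
        if items:
            stmts.append(items)  # tolerate a final statement without ';'
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise ValueError('unexpected "}" at top level')
    return stmts


def keys_in(stmts):
    """Map key name -> {'algorithm': ..., 'secret': ...} for each key{} statement."""
    found = {}
    for st in stmts:
        if st[0] == 'key' and len(st) == 3 and isinstance(st[2], list):
            found[st[1]] = {sub[0]: sub[1] for sub in st[2] if len(sub) == 2}
    return found


def control_channels(stmts):
    """Return (address, port, allow_list, key_names) for each inet line in controls{}."""
    chans = []
    for st in stmts:
        if st[0] != 'controls' or not isinstance(st[-1], list):
            continue
        for ch in st[-1]:
            if ch[0] != 'inet':
                continue
            addr, port, allow, keys = ch[1], 953, [], []  # 953: BIND 9 default (assumed)
            i = 2
            while i < len(ch):
                if ch[i] == 'port' and i + 1 < len(ch):
                    port = int(ch[i + 1]); i += 2
                elif ch[i] == 'allow' and isinstance(ch[i + 1], list):
                    allow = [a[0] for a in ch[i + 1]]; i += 2
                elif ch[i] == 'keys' and isinstance(ch[i + 1], list):
                    keys = [k[0] for k in ch[i + 1]]; i += 2
                else:
                    i += 1
            chans.append((addr, port, allow, keys))
    return chans


def rndc_default_key(stmts):
    for st in stmts:
        if st[0] == 'options' and len(st) == 2 and isinstance(st[1], list):
            for sub in st[1]:
                if sub[0] == 'default-key' and len(sub) == 2:
                    return sub[1]
    return None


def check_rndc_setup(named_conf, rndc_conf, client_addr='127.0.0.1'):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    nstmts, rstmts = parse(named_conf), parse(rndc_conf)
    nkeys, rkeys = keys_in(nstmts), keys_in(rstmts)
    chans = control_channels(nstmts)
    if not chans:
        return ['named.conf has no controls { inet ... }; statement, so named will not listen']
    default_key = rndc_default_key(rstmts)
    if default_key is None:
        problems.append('rndc.conf options{} has no default-key')
    for addr, port, allow, keynames in chans:
        if client_addr not in allow:
            problems.append(f'{client_addr} is not in the allow list of inet {addr} port {port}')
        for name in keynames:
            if name not in nkeys:
                problems.append(f'controls references undefined key "{name}"')
            elif name not in rkeys:
                problems.append(f'rndc.conf does not define key "{name}"')
            elif nkeys[name] != rkeys[name]:
                problems.append(f'key "{name}" differs between named.conf and rndc.conf')
        if default_key and default_key not in keynames:
            problems.append(f'rndc default-key "{default_key}" is not accepted by inet {addr} port {port}')
    return problems


# Constructed sample input: copies of the two excerpts from the post.
NAMED_CONF = '''
key "localkey" { algorithm hmac-md5; secret "Ytzd/Fjm2i2smxAwoTuiFq=="; };
server 127.0.0.1 { keys { localkey; }; };
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; }; };
'''
RNDC_CONF = '''
options { default-server localhost; default-key localkey; };
server localhost { key localkey; };
key "localkey" { algorithm hmac-md5; secret "Ytzd/Fjm2i2smxAwoTuiFq=="; };
'''
# Two constructed failure cases: the original poster's situation (no controls{}
# at all) and a secret that was copied differently into rndc.conf.
NAMED_CONF_NO_CONTROLS = NAMED_CONF.split('controls')[0]
RNDC_CONF_BAD_SECRET = RNDC_CONF.replace('Ytzd/Fjm2i2smxAwoTuiFq==', 'AAAAAAAAAAAAAAAAAAAAAA==')

if __name__ == '__main__':
    for label, n, r in [('as posted', NAMED_CONF, RNDC_CONF),
                        ('no controls', NAMED_CONF_NO_CONTROLS, RNDC_CONF),
                        ('secret mismatch', NAMED_CONF, RNDC_CONF_BAD_SECRET)]:
        print(label, '->', check_rndc_setup(n, r) or ['ok'])
```

Running it prints "ok" for the excerpts as posted and a one-line diagnosis for each constructed failure. The "no controls" case is the one that matches the symptom in the question: without a controls{} statement named opens no control socket, so nothing is listening on the port and every rndc attempt is refused regardless of the -s, -p or -y flags used.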
More information about the bind-users mailing list