rndc
Mark_Andrews at isc.org
Wed Jul 17 21:51:31 UTC 2002
>
> Okay, this will probably draw some criticism but here goes....I'm trying
> to get rndc to work on 9.1.3.
Upgrade. 9.1.3 has passed its use-by date. Also, 9.2 has
rndc-confgen to help out with all of this.
> From what I can gather from DNS/BIND,
> as a minimum I need info in both my named.conf and a file called
> rndc.conf. Here's what I've tried to do. Please feel free to comment
> on areas where I should fix because I keep getting "connection
> refused" errors when running rndc.
>
> * Create a key pair # dnssec-keygen -a hmac-md5 -b 512 -n host
> rndc.key
> * Rename the generated key/private files created by dnssec-keygen to
> "rndc.key" and "rndc.private". I also relocated these files to /etc.
You extract the shared secret from these files. You don't include
them in rndc.conf or named.conf.
> * Modified my named.conf with the following:
> include "/etc/rndc.key";
> };
Why are you including "/etc/rndc.key" here?
> controls {
> inet * allow {any;} keys {"rndc.key";};
> };
>
> key "rndc.key" {
> algorithm hmac-md5;
> secret
> "yS5NyCsVKZGc/G/8D5p0dtVyZnbbugZbxnOTHr1aXt1GH6Kk8A17dVe9
> svk9HFyE81oKjJrKboyilekmVYfznA==";
> };
Move the key before the controls. Also I would use 127.0.0.1
instead of "*" (named.conf) and localhost (rndc.conf).
> * Created /etc/rndc.conf and added the following:
> options {
> default-server localhost;
> default-key "rndc.key";
> };
>
> key "rndc.key" {
> algorithm hmac-md5;
> secret
> "yS5NyCsVKZGc/G/8D5p0dtVyZnbbugZbxnOTHr1aXt1GH6Kk8A17dVe9
> svk9HFyE81oKjJrKboyilekmVYfznA==";
> };
>
> The contents of my rndc.key is this:
>
> rndc.key. IN KEY 512 3 157
> yS5NyCsVKZGc/G/8D5p0dtVyZnbbugZbxnOTHr1aXt1GH6Kk8A17dVe9
> svk9HFyE81oKjJrKboyilekmVYfznA==
>
> What am I doing wrong? It seems basic that I should want to be able
> to run rndc just like ndc. This is a caching server and requires no
> zone signing nor do I require encryption of any sort. I just want to
> be able to run cache dumps and stats and all the fun little things
> like that. Thank you in advance for any constructive criticism you
> can provide.
>
>
> Regards,
> Evan Georgeson
> QIP Support Engineer
>
> Internetwork Defense Consultant
> Email: egeorges at ncsus.jnj.com
> Tel: (908) 429.3331
> E-Page: 1740561 at worldcom.com
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
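
An added example, not part of either message: a small Python check for the points raised in the reply (key defined before `controls`, control channel not bound to `*`, same key in named.conf and rndc.conf). The sample configs, the placeholder secret and the function names are constructed for illustration.

```python
import re

# Constructed named.conf in the posted layout. The secret is a placeholder
# (base64 of "placeholder-secret"), not a real key.
POSTED = '''
controls { inet * allow { any; } keys { "rndc.key"; }; };
key "rndc.key" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXItc2VjcmV0"; };
'''
# Constructed named.conf with the reply's changes applied. Narrowing the allow
# list is an extra assumption; the reply only changes order and listen address.
REVISED = '''
key "rndc.key" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXItc2VjcmV0"; };
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc.key"; }; };
'''
# Constructed rndc.conf carrying the same key statement.
RNDC_CONF = '''
options { default-server 127.0.0.1; default-key "rndc.key"; };
key "rndc.key" { algorithm hmac-md5; secret "cGxhY2Vob2xkZXItc2VjcmV0"; };
'''

KEY_RE = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{([^}]*)\}\s*;')
INET_RE = re.compile(r'\binet\s+(\S+)[^{;]*allow\s*\{[^}]*\}\s*keys\s*\{([^}]*)\}')

def keys(conf):
    """Map key name -> (offset, algorithm, secret) for each key statement."""
    out = {}
    for m in KEY_RE.finditer(conf):
        alg = re.search(r'algorithm\s+"?([\w-]+)"?\s*;', m.group(2))
        sec = re.search(r'secret\s+"([^"]*)"\s*;', m.group(2))
        # Whitespace inside the quoted secret (line wrapping) is ignored.
        secret = sec and "".join(sec.group(1).split())
        out[m.group(1)] = (m.start(), alg and alg.group(1), secret)
    return out

def lint(named_conf, rndc_conf):
    """Return findings for the control-channel setup in the two files."""
    findings = []
    defined, client = keys(named_conf), keys(rndc_conf)
    for m in INET_RE.finditer(named_conf):
        if m.group(1) == "*":
            findings.append("control channel listens on every address")
        for name in re.findall(r'"?([^\s";]+)"?\s*;', m.group(2)):
            if name not in defined:
                findings.append(f"key {name} is not defined")
            elif defined[name][0] > m.start():
                findings.append(f"key {name} is defined after controls")
            if name in defined and client.get(name, (0,))[1:] != defined[name][1:]:
                findings.append(f"key {name} does not match rndc.conf")
    return findings
```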