rndc key
Kevin Darcy
kcd at daimlerchrysler.com
Tue Jun 22 23:24:28 UTC 2004
rndc has nothing to do with master-slave communication, except in the
indirect sense that if you do an rndc reload or rndc refresh on a slave
nameserver (this is strictly hypothetical, since your BIND 8 slave isn't
rndc-compatible), this may trigger it to perform one or more
serial-checks and/or zone transfers.
If you don't care to control your BIND 9 nameserver(s) with the "rndc"
program, you can get rid of that /etc/rndc.key error message by putting
"controls { };" into your named.conf file.
If you want to TSIG-sign your zone transfers, you need to generate a
shared TSIG key and then set up the appropriate "key" and "server"
clauses on either side.
- Kevin
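As an added illustration of the "key" and "server" clauses described above (not configuration from either poster), here is a TSIG-signed zone transfer for "mydomain.com" between a BIND 9 master and a BIND 9 slave; the key name, the 192.0.2.x addresses and the secret are placeholders, and the slave is assumed to be BIND 9 rather than the BIND 8.1 server in the original post.

```conf
/* Added example, not from the original posts. Generate the real secret
   with tsig-keygen (or, on older BIND 9, dnssec-keygen -a HMAC-MD5 -n HOST);
   older BIND 9 releases only understand hmac-md5. Put the key clause in a
   file owned by root, readable only by the named user, and "include" it,
   so a world-readable named.conf does not expose the shared secret. */

/* ---- master (192.0.2.1) named.conf ---- */
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";   /* identical on both sides */
};

/* Only AXFR/IXFR requests signed with xfer-key are answered; an
   unsigned request from any address is refused. */
zone "mydomain.com" {
    type master;
    file "primary/mydomain.com.zone";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

/* ---- slave (192.0.2.2) named.conf ---- */
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET=";
};

/* Sign every query sent to the master (SOA serial checks and transfers);
   the master's replies come back signed and are verified with the same key. */
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "mydomain.com" {
    type slave;
    file "2nd/mydomain.com.zone";
    masters { 192.0.2.1; };
};

/* Unrelated to transfers: with no control channel configured, named
   stops looking for /etc/rndc.key, which removes the "permission denied"
   message on a server that is never managed with rndc. */
controls { };
```

After a reload, a transfer that arrives unsigned or with the wrong key is logged as refused on the master, which is the check to run before relying on the restriction.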
Paul Roddy wrote:
>We are in the midst of upgrading our DNS servers and I'm having a hard time
>understanding how to configure rndc.key - Here's what I have so far.
>
>I've set up a primary DNS server and nslookup and dig return correct
>information. I have also set up a secondary DNS server but this is where I
>have the problem. When the secondary DNS tries to get updates, an error
>message is recorded in the syslog that says: "Jun 21 17:32:46 ns2
>named[72]: none:0: open: /etc/rndc.key: permission denied"
>
>I don't understand how I am supposed to setup rndc.key on the secondary DNS
>server so that it can authenticate and get the updates. Can somebody point
>me in the right direction please?
>
>
>
>Here is the named.conf from our new primary DNS server, which is also set up
>as chroot
>===== cut here =====
>controls {
> inet 127.0.0.1 allow { localhost; } keys { rndckey; };
>};
>
>zone "." {
> type hint;
> file "named.hint";
>};
>
>zone "0.0.127.in-addr.arpa" {
> type master;
> file "rev/named.local";
> allow-update { none; };
>};
>
>zone "mydomain.com" {
> type master;
> file "primary/mydomain.com.zone";
>};
>==== end cut here ===
>
>Here is the named.conf from my secondary DNS server (which is an older BIND
>8.1 server)
>=== cut here ===
>options {
> directory "/var/named";
> /*
> * If there is a firewall between you and nameservers you want
> * to talk to, you might need to uncomment the query-source
> * directive below. Previous versions of BIND always asked
> * questions using port 53, but BIND 8.1 uses an unprivileged
> * port by default.
> */
> // query-source address * port 53;
>};
>
>logging {
> category lame-servers { null; };
>};
>
>//
>// a caching only nameserver config
>//
>zone "." IN {
> type hint;
> file "caching-example/named.ca";
>};
>
>zone "localhost" IN {
> type master;
> file "caching-example/localhost.zone";
> allow-update { none; };
>};
>
>zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "caching-example/named.local";
> allow-update { none; };
>};
>
>zone "mydomains.com" in {
> type slave;
> file "2nd/mydomains.com.zone";
> masters { xxx.xxx.xxx.xxx; };
>};
>
>=== end cut here ===