couldn't add command channel ::1#953: address not available
Jim Reid
jim at rfc1035.com
Mon Mar 14 12:20:20 UTC 2005
>>>>> "MJ" == MJ <php at cyberia.net.sa> writes:
MJ> Many thanks Jim. Actually, I am confused because of the
MJ> following paragraph from the "Admin reference manual"; would
MJ> you please shed some light on the last two lines of this
MJ> paragraph.
MJ> Running the rndc-confgen program will conveniently create a
MJ> rndc.conf file for you, and also display the corresponding
MJ> controls statement that you need to add to named.conf.
MJ> Alternatively, you can run rndc-confgen -a to set up a
MJ> rndc.key file and not modify named.conf at all.
I cannot find this text in the current documentation. See what I mean
about using old releases?
Here's what's in the 9.3.1 ARM:
If no controls statement is present, named will set up a default
control channel listening on the loopback address 127.0.0.1 and its
IPv6 counterpart ::1. In this case, and also when the controls
statement is present but does not have a keys clause, named will
attempt to load the command channel key from the file rndc.key in
/etc (or whatever sysconfdir was specified as when BIND was built).
To create a rndc.key file, run rndc-confgen -a.
The rndc.key feature was created to ease the transition of systems
from BIND 8, which did not have digital signatures on its command
channel messages and thus did not have a keys clause. It makes it
possible to use an existing BIND 8 configuration file in BIND 9
unchanged, and still have rndc work the same way ndc worked in BIND 8,
simply by executing the command rndc-confgen -a after BIND 9 is installed.
Since the rndc.key feature is only intended to allow the
backward-compatible usage of BIND 8 configuration files, this feature
does not have a high degree of configurability. You cannot easily
change the key name or the size of the secret, so you should make a
rndc.conf with your own key if you wish to change those things. The
rndc.key file also has its permissions set such that only the owner of
the file (the user that named is running as) can access it. If you
desire greater flexibility in allowing other users to access rndc
commands then you need to create an rndc.conf and make it group
readable by a group that contains the users who should have access.
So I was wrong to tell you that the control socket would only be
created if there was a controls{} statement in named.conf. It seems
this behaviour changed in 9.2. Before then, a controls{} statement was
required. IMO the old behaviour is the Right Thing. The defaults should
be not to do anything unless it was explicitly enabled in the
configuration file. Especially for important stuff like server
control.
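An added example, not part of Jim's post or of the BIND ARM text quoted above: an explicit controls statement for named.conf that behaves the way Jim argues the default should, the channel exists only because it is configured, it listens on the IPv4 loopback only (which also sidesteps the "::1#953: address not available" error in the subject on hosts without an IPv6 loopback), and it names its key instead of relying on the implicit /etc/rndc.key lookup. The key name "rndc-key" and the secret are constructed placeholders; generate a real secret with rndc-confgen.

```conf
// named.conf fragment (added example, not from the post or the ARM).

// Shared secret for the command channel. The name "rndc-key" and the
// base64 value are constructed placeholders, not a real key; replace the
// secret with output from `rndc-confgen`.
key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXBsYWNlaG9sZGVyLWNoYW5nZS1tZQ==";
};

controls {
    // Listen on 127.0.0.1 only, accept connections only from 127.0.0.1,
    // and require the named key. No ::1 listener is created, so the
    // "address not available" error cannot occur on IPv4-only hosts.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};

// To have no control channel at all unless explicitly configured (the
// pre-9.2 behaviour Jim prefers), use an empty controls statement instead
// of the one above:
//
// controls { };

// Matching client side, /etc/rndc.conf, using the same key material:
//
// options {
//     default-server 127.0.0.1;
//     default-key    "rndc-key";
// };
// key "rndc-key" {
//     algorithm hmac-md5;
//     secret "c2VjcmV0LXBsYWNlaG9sZGVyLWNoYW5nZS1tZQ==";
// };
```

Keep the key statement in a separately permissioned include file readable only by the user named runs as, which mirrors the owner-only permissions the ARM describes for the automatically generated rndc.key; a controls statement with a keys clause is also what stops named from falling back to the /etc/rndc.key lookup the quoted paragraph describes.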