a few problems with running rndc.

Jim Reid jim at rfc1035.com
Sun Jan 28 11:10:56 UTC 2001


>>>>> "Robert" == Robert  <robert at chalmers.com.au> writes:

    Robert> I've looked at the archives, and found two examples of the
    Robert> rndc conf file.  Two almost entirely different examples
    Robert> actually.  Anyway I still keep getting "connection
    Robert> refused" and I suspect it's because I don't really
    Robert> understand the syntax of the rndc command itself?

Please think. A "connection refused" error message generally means
that the thing you're trying to connect to isn't listening for
incoming connections. [Try connecting to the SMTP port on a system
that doesn't run a mail server.] How you set up or use rndc
will have no bearing on these messages. It's the name server
configuration that needs to be checked. The error message means the
name server probably isn't listening on some control socket. That
means your named.conf file doesn't have a controls{} statement telling
it to set one up.

    Robert> Could someone give me an example of actually using the
    Robert> rndc command please?

[1] Cut and paste the sample rndc.conf file from the man page.
[2] Generate a different key with dnssec-keygen
[3] Replace the key in rndc.conf with the one generated in [2]
[4] Add the same key{} statement to named.conf
[5] Put the controls{} statement below after the key{} statement
you've just added to named.conf:

controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};

[6] Restart the name server
[7] Verify it's listening on TCP port 953.
[8] Play with rndc

    Robert> Is the [-y key] the keyname used in the conf file?

No. It's the name of a key when there are many keys in rndc.conf and
you wish to use one other than the default one you've specified in the
file, i.e. "use key foo when talking to server bar".

    Robert> Also, the man page gives an example of a key generated
    Robert> with mmencode. Will this key work in place of one
    Robert> generated the other way, with the same conf syntax?

How the key is generated doesn't matter. All that matters is that rndc
and named agree on the key that "signs" the exchanges between
them. And that the key is a valid base-64 encoded string of course.

If you're unsure of the syntax of the controls{} statement, consult
the BIND9 Administrator's Reference Manual. The ARM is very clear
about configuring rndc and the syntax of rndc.conf too.
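The eight steps above, written out as a small POSIX shell script (an added example, not part of the original post or of BIND). It assumes openssl is installed and uses it in place of dnssec-keygen to produce the base-64 secret, since named and rndc only need to agree on the value; the key name "localkey" is the one from the controls{} statement above, and the rndc.conf options names (default-key, default-server, default-port) are those of rndc.conf. A port check for step [7] is included but naturally only means something on a host where named has been restarted.

```shell
#!/bin/sh
# Constructed example: build a matching rndc.conf / named.conf pair for
# steps [2] to [7]. The secret comes from openssl (assumption) rather than
# dnssec-keygen; either way it is just a base-64 string both sides share.
set -eu

gen_rndc_key() {
    # 128-bit secret, base-64 encoded (same size as dnssec-keygen -b 128)
    openssl rand -base64 16
}

write_rndc_conf() {            # $1 = output file, $2 = secret
    cat > "$1" <<EOF
key "localkey" {
        algorithm hmac-md5;
        secret "$2";
};
options {
        default-key "localkey";
        default-server 127.0.0.1;
        default-port 953;
};
EOF
}

write_named_controls() {       # $1 = output file, $2 = secret (same value!)
    cat > "$1" <<EOF
key "localkey" {
        algorithm hmac-md5;
        secret "$2";
};
controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};
EOF
}

# Step [7]: after restarting named, something must listen on TCP 953;
# if nothing does, rndc will get exactly the "connection refused" above.
check_control_port() {
    ss -ltn 2>/dev/null | grep -q ':953 '
}

# Returns 0 only when both files carry the same, decodable base-64 secret,
# which is the one thing the "connection refused" symptom is NOT about.
secrets_match() {              # $1 = rndc.conf, $2 = named.conf fragment
    a=$(sed -n 's/.*secret "\([^"]*\)";/\1/p' "$1")
    b=$(sed -n 's/.*secret "\([^"]*\)";/\1/p' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ] && printf '%s' "$a" | base64 -d >/dev/null 2>&1
}
```

Append the named.conf fragment to your existing named.conf rather than replacing it, then restart named and run check_control_port before trying rndc.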
