couldn't add command channel ::1#953: address not available

Jim Reid jim at rfc1035.com
Mon Mar 14 12:20:20 UTC 2005


>>>>> "MJ" == MJ  <php at cyberia.net.sa> writes:

    MJ> Many thanks Jim. Actually, the reason I am confused is the
    MJ> following paragraph from the "Admin reference manual"; would
    MJ> you please shed some light on the last two lines of this
    MJ> paragraph.

    MJ> Running the rndc-confgen program will conveniently create a
    MJ> rndc.conf file for you, and also display the corresponding
    MJ> controls statement that you need to add to named.conf. 
    MJ> Alternatively, you can run rndc-confgen -a to set up a
    MJ> rndc.key file and not modify named.conf at all.

I cannot find this text in the current documentation. See what I mean
about using old releases?

Here's what's in the 9.3.1 ARM:

    If no controls statement is present, named will set up a default
    control channel listening on the loopback address 127.0.0.1 and its
    IPv6 counterpart ::1. In this case, and also when the controls
    statement is present but does not have a keys clause, named will
    attempt to load the command channel key from the file rndc.key in
    /etc (or whatever sysconfdir was specified as when BIND was built).
    To create a rndc.key file, run rndc-confgen -a.

    The rndc.key feature was created to ease the transition of systems
    from BIND 8, which did not have digital signatures on its command
    channel messages and thus did not have a keys clause.  It makes it
    possible to use an existing BIND 8 configuration file in BIND 9
    unchanged, and still have rndc work the same way ndc worked in BIND 8,
    simply by executing the command rndc-confgen -a after BIND 9 is installed.

    Since the rndc.key feature is only intended to allow the
    backward-compatible usage of BIND 8 configuration files, this feature
    does not have a high degree of configurability. You cannot easily
    change the key name or the size of the secret, so you should make a
    rndc.conf with your own key if you wish to change those things. The
    rndc.key file also has its permissions set such that only the owner of
    the file (the user that named is running as) can access it. If you
    desire greater flexibility in allowing other users to access rndc
    commands then you need to create an rndc.conf and make it group
    readable by a group that contains the users who should have access.


So I was wrong to tell you that the control socket would only be
created if there was a controls{} statement in named.conf. It seems
this behaviour changed in 9.2. Before then, a controls{} statement was
required. IMO the old behaviour is the Right Thing. The defaults should
be not to do anything unless it was explicitly enabled in the
configuration file. Especially for important stuff like server
control.
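For anyone who shares Jim's preference for explicit configuration over the rndc.key default, here is an added example (not from the ARM or from the thread) of a named.conf controls{} statement paired with the matching rndc.conf. The key name "rndc-key" and the base64 secret are constructed placeholders; on a real server use the output of rndc-confgen instead.

```conf
# --- named.conf ---------------------------------------------------------
# Explicit command channel: listen only on the IPv4 loopback, accept only
# loopback clients, and require the named key. Nothing here depends on
# the implicit rndc.key lookup the 9.3.1 ARM describes.
key "rndc-key" {
    algorithm hmac-md5;             # what rndc-confgen produced in 9.3
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXVzZQ==";   # constructed placeholder
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};

# If the box should expose no command channel at all, an empty controls
# statement overrides the implicit 127.0.0.1/::1 listener:
#
# controls { };

# --- rndc.conf ----------------------------------------------------------
# Client side: same key name and secret, same server and port.
# Keep this file mode 0600 (or group-readable only for the admin group).
options {
    default-server 127.0.0.1;
    default-port   953;
    default-key    "rndc-key";
};

server 127.0.0.1 {
    key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "c2FtcGxlLWtleS1ub3QtZm9yLXVzZQ==";   # must match named.conf
};
```

After loading this, `netstat -an | grep 953` on the server should show only 127.0.0.1:953, which is a quick check that the implicit ::1 listener from the original error message is gone.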
