[sf-lug] bindrndc

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon May 14 23:23:52 PDT 2007

Another niceity I stumbled across - at least in BIND 9.x,
is that the rndc configuration file (e.g. /etc/rndc.conf) also
respects the include statement - so by using include statement
in both rndc.conf and named.conf, they can both access a common
key file that way.  Note that with chroot things get slightly
more interesting (one will need the symbolic links and files in
the appropriate places, e.g.:
ls -l \
/etc/named-balug.conf \
/etc/rndc-balug.conf \
/etc/rndc-balug.key \
/var/named/chroot-balug/etc/named-balug.conf \
/var/named/chroot-balug/etc/rndc-balug.key \
/var/named/chroot-balug/var/run/named-balug.pid \
lrwxrwxrwx  1 root     root       44 May 12 09:05 /etc/named-balug.conf ->
-rw-r-----  1 root     balugdns 1163 May 12 09:37 /etc/rndc-balug.conf
lrwxrwxrwx  1 root     root       42 May 12 09:05 /etc/rndc-balug.key ->
-rw-r-----  1 root     balugdns 2079 May 13 08:08
-rw-r-----  1 root     balugdns  138 May 12 09:19
-rw-r--r--  1 balugdns balugdns    5 May 13 08:25
lrwxrwxrwx  1 root     root       47 May 13 08:25 /var/run/named-balug.pid ->
The example above is from a non-Debian system, ... so things may be
a wee bit different for Etch (not to mention the above was customized
to separate it out from the default nameserver chroot configuration -
including also customized init scripts and some other tweaks).

Quoting Rick Moen <rick at linuxmafia.com>:

> I wrote:
> > Cutting to the chase, installation of my BIND9 package -- and presumably
> > yours -- had not run the utility required to generate that keypair.  So,
> > rndc was inherently unable to authenticate.  Therefore, it couldn't
> > issue the command to stop that is part of the reload instruction.
> Oh, and, as Michael suggests, one additional way I _could_ have been a
> doofus, but thankfully didn't manage, would have been to firewall off
> port 953/tcp even from localhost.  Don't do that.  ;->
> This article tells more, including the older, more-fussy method of
> writing a /etc/bind/rndc.conf configuration file -- as opposed to the
> newer method of just running rndc-confgen to generate /etc/bind/rndc.key, 
> detailed in a series of comments below the article (and in my earlier
> posting here):
> http://www.debian-administration.org/articles/343

More information about the sf-lug mailing list