What and how to use RNDC?
Posted on August 4th, 2016
RNDC stands for Remote Name Daemon Control. It is the name server control utility in BIND: a command line tool that controls the operation of a name server and allows administration of the named service both locally and remotely.
The rndc configuration file is /etc/rndc.conf. Its syntax is similar to that of the BIND configuration file, /etc/named.conf. If /etc/rndc.conf does not exist, the utility uses the key in /etc/rndc.key, which was generated automatically during installation with the rndc-confgen -a command. The rndc configuration file specifies which server to control and what algorithm and key to use. To prevent unauthorized access to the named daemon, BIND uses shared-secret key authentication to grant privileges to particular hosts. This means an identical key must be present in both the BIND configuration file, /etc/named.conf, and the rndc configuration file, /etc/rndc.conf.
Rndc uses a TCP connection to communicate with the name server, sending commands authenticated with digital signatures over that connection. HMAC-MD5 is the authentication algorithm supported by the current versions of rndc and named; it uses a shared secret on each end of the TCP connection. This provides TSIG-style authentication for the command request and the name server's response.
The rndc configuration file consists of three statements:
1) Options statement
2) Server statement
3) Key statement
The options statement consists of three clauses: default-server, default-key and default-port. The default-server clause is followed by the name or address of a name server; this host is used when no name server is given on the rndc command line. The default-key clause is followed by the name of a key defined by a key statement; this key is used to authenticate to a server when no key clause is found in a matching server statement and no key is given on the rndc command line. The default-port clause is followed by the port used to connect to the remote name server; this port is used when no port option is given on the rndc command line and no port clause is found in a matching server statement.
The server statement starts with a string that is the address or host name of the name server and includes two clauses, key and port. The key name must match the name of a key statement in the file.
The key statement starts with the name of the key and consists of two clauses, algorithm and secret. The algorithm clause identifies the encryption algorithm for rndc to use; currently HMAC-MD5 is used. The secret clause contains the base-64 encoding of the key.
Rndc reads its configuration file to determine how to contact the name server and which algorithm and key it should use.
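As an added worked example (not code from the original post, and not part of BIND), the following Python renders the three rndc.conf statements described above together with the matching key and controls statements for named.conf, then parses both files back to confirm that the secret, the algorithm and the key name agree on both ends of the connection. The server address 192.0.2.10, the key name rndc-key, the loopback controls listener and the regular-expression parser are assumptions chosen for illustration.

```python
import base64
import re
import secrets

# Constructed example values (assumptions, not taken from the post): a
# documentation-range server address and an arbitrary key name.
RNDC_SERVER = "192.0.2.10"
KEY_NAME = "rndc-key"
ALGORITHM = "hmac-md5"   # the algorithm the post says rndc and named support


def new_secret(nbytes=16):
    """Fresh random secret, base-64 encoded as the secret clause expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def render_rndc_conf(key_name, secret, server=RNDC_SERVER, port=953):
    """rndc.conf with its three statements: options, server and key."""
    return f'''options {{
    default-server {server};
    default-key "{key_name}";
    default-port {port};
}};

server {server} {{
    key "{key_name}";
    port {port};
}};

key "{key_name}" {{
    algorithm {ALGORITHM};
    secret "{secret}";
}};
'''


def render_named_controls(key_name, secret, listen="127.0.0.1", port=953,
                          allow=("127.0.0.1",)):
    """named.conf fragment: the same key statement plus a controls statement
    that accepts that key on the given address and port (assumed layout)."""
    allow_list = "; ".join(allow) + ";"
    return f'''key "{key_name}" {{
    algorithm {ALGORITHM};
    secret "{secret}";
}};

controls {{
    inet {listen} port {port} allow {{ {allow_list} }} keys {{ "{key_name}"; }};
}};
'''


# Matches a key statement:  key "name" { algorithm X; secret "Y"; };
KEY_RE = re.compile(
    r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*'
    r'secret\s+"([^"]+)"\s*;\s*\}\s*;')
# Matches the keys { ... } clause of a controls statement.
KEYS_CLAUSE_RE = re.compile(r'\bkeys\s*\{([^}]*)\}')


def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key statement in a config."""
    return {name: (alg.lower(), sec) for name, alg, sec in KEY_RE.findall(text)}


def check_shared_secret(rndc_conf, named_conf, key_name):
    """Return a list of problems; an empty list means both ends agree."""
    problems = []
    client = parse_keys(rndc_conf).get(key_name)
    server = parse_keys(named_conf).get(key_name)
    if client is None:
        problems.append(f"rndc.conf has no key statement named {key_name}")
    if server is None:
        problems.append(f"named.conf has no key statement named {key_name}")
    if client and server:
        if client[0] != server[0]:
            problems.append(f"algorithm differs: {client[0]} vs {server[0]}")
        if client[1] != server[1]:
            problems.append("secret differs between rndc.conf and named.conf")
        try:
            base64.b64decode(client[1], validate=True)
        except ValueError:
            problems.append("secret is not valid base-64")
    m = KEYS_CLAUSE_RE.search(named_conf)
    if not m or f'"{key_name}"' not in m.group(1):
        problems.append(f"controls statement does not list key {key_name}")
    return problems


if __name__ == "__main__":
    secret = new_secret()
    rndc_conf = render_rndc_conf(KEY_NAME, secret)
    named_conf = render_named_controls(KEY_NAME, secret)
    print(rndc_conf)
    print(named_conf)
    print("problems:", check_shared_secret(rndc_conf, named_conf, KEY_NAME))
```

The check is deliberately strict about the controls statement: a key that is defined in named.conf but not listed in keys { } is never accepted for control connections, which is an easy mismatch to miss when the two files are edited by hand.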
The syntax of rndc takes the following form:
rndc [option...] command [command-option]
If rndc is invoked with no command or arguments, it prints a short summary of the supported commands and the available options and arguments. To display them, run:
# rndc
Commands used in rndc are:
halt - stops the named service.
querylog - logs all queries made to the name server.
refresh - refreshes the name server database.
reload - reloads the zone files.
stats - dumps the current named statistics to the /var/named/named.stats file.
stop - stops the server gracefully.
Options of rndc include:
-c <configuration file> - specifies an alternate location for the configuration file.
-p <port number> - specifies a port number for rndc to use other than the default, 953.
-s <server> - specifies a server other than the default-server listed in /etc/rndc.conf.
-y <key name> - specifies a key other than the default-key listed in /etc/rndc.conf.
To reload the server, use the command:
# rndc reload
Limitations of rndc:
1) rndc does not yet support all the commands of the BIND 8 ndc utility.
2) There is currently no way to provide the shared secret for a key_id without using the configuration file.
3) Several error messages could be clearer.
If you need any further assistance please reach our support department.
Is it possible to send rndc commands from a random server to a bind9 server (within the same LAN)?
Yes, it is possible. You must set the shared secret key on each end of the TCP connection.
Here is some additional info: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-rndc.html
How to fix?
rndc: connect failed: 127.0.0.1#953: host unreachable
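The message above reports that rndc could not open the TCP connection described earlier in the post. As an added diagnostic (not code from the original post or its comments, and not part of BIND), this Python function makes the same connection to the address and port rndc would use (the -s and -p values, or default-server and default-port from rndc.conf) and names the outcome, so a refused, unreachable or timed-out connection can be told apart before the keys are examined. The throwaway loopback listener and the hint texts are assumptions for illustration.

```python
import errno
import socket

DEFAULT_PORT = 953  # rndc's default control port, as the post states


def classify_connect(host="127.0.0.1", port=DEFAULT_PORT, timeout=2.0):
    """Make the TCP connection rndc makes and name the outcome.

    host/port correspond to rndc's -s/-p options (or default-server and
    default-port in rndc.conf).  Returns one of "connected", "refused",
    "timeout", "unreachable", "resolve-failed" or "error:<ERRNO>".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.gaierror:
        return "resolve-failed"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


# Assumed hint texts: what each outcome suggests checking next.
HINTS = {
    "connected": ("TCP connection to {host}:{port} works; if rndc still fails, "
                  "compare the key in rndc.conf with the one in named.conf."),
    "refused": ("nothing is accepting connections on {host}:{port}; check that "
                "named is running and that its controls statement listens there."),
    "unreachable": ("no route to {host}:{port}; check the -s/-p values (or "
                    "default-server/default-port) and the host's network setup."),
    "timeout": ("no answer from {host}:{port} within the timeout; check that the "
                "port is reachable from this host."),
    "resolve-failed": "the server name {host} does not resolve; use its IP address with -s.",
}


def explain(outcome, host, port):
    """Turn an outcome from classify_connect() into a one-line hint."""
    text = HINTS.get(outcome, "unexpected socket error: {outcome}")
    return text.format(host=host, port=port, outcome=outcome)


def start_local_listener():
    """Open a throwaway listener on a free loopback port, to demonstrate the
    "connected" outcome without a running named (demo helper only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    outcome = classify_connect()
    print(outcome, "-", explain(outcome, "127.0.0.1", DEFAULT_PORT))
```

Run it on the host where rndc fails, with the same address and port rndc was given; a "refused" result points at named and its controls statement, while "unreachable" or "timeout" points at the address, port or path between the two hosts rather than at the key.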