interactions with a running instance of named). You also might need to configure the resolver software, as discussed later. Three configuration files are used:

rndc.key to specify the key used to authenticate between rndc and named

rndc.conf to configure rndc

named.conf to configure named

When rndc communicates with named, it uses cryptographic keys to digitally sign commands before sending them over the network to named. The configuration file, /etc/rndc.key, specifies the key used for the authentication.

The only authentication mechanism currently supported by named is a secret key, used with the HMAC-MD5 algorithm and shared between rndc and named. The easiest way to generate a key is to use the dnssec-keygen utility. In the following example, the utility is asked to generate a 128-bit HMAC-MD5 user key named rndc:

$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc
Krndc.+157+14529
$ cat Krndc.+157+14529.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: mKKd2FiHMFe1JqXl/z4cfw==

The utility creates two files, with .key and .private extensions, respectively. The Key: line in the .private file reveals the secret that rndc and named need to share (mKKd2FiHMFe1JqXl/z4cfw==). When you have this, you can set up the rndc.key configuration file, which is shared by both rndc.conf and named.conf:

----------

key "rndc" {
    algorithm hmac-md5;
    secret "mKKd2FiHMFe1JqXl/z4cfw==";
};

----------
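Because anyone who can read this secret can sign rndc commands for named, it is worth checking the file before relying on it. The following script is an added example written for this page (not from the book and not a BIND tool); it parses the key statement, confirms the secret decodes to the requested 128 bits, and refuses a world-readable file. It assumes a POSIX shell with `sed`, `find` and a `base64` that accepts `-d`, and builds its sample files from the secret shown in the example run above.

```shell
#!/bin/sh
# Sanity checks for an rndc.key file: the key statement must parse, the secret
# must be base64 of the expected size, and the file must not be world-readable.

# Pull one field out of a "key" statement.  $1 = file, $2 = name|algorithm|secret
rndc_key_field() {
    case "$2" in
        name)      sed -n 's/^[[:space:]]*key[[:space:]]*"\{0,1\}\([^"{[:space:]]*\).*/\1/p' "$1" | head -n 1 ;;
        algorithm) sed -n 's/.*algorithm[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1 ;;
        secret)    sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1 ;;
    esac
}

# Decode a base64 secret and print its size in bits (0 if nothing decodes).
rndc_secret_bits() {
    bytes=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    echo $(( ${bytes:-0} * 8 ))
}

# Return 0 if $1 looks like a usable rndc.key holding a key of $2 bits, else 1.
check_rndc_key() {
    file=$1; want_bits=${2:-128}
    name=$(rndc_key_field "$file" name)
    alg=$(rndc_key_field "$file" algorithm)
    secret=$(rndc_key_field "$file" secret)
    [ -n "$name" ] && [ -n "$alg" ] && [ -n "$secret" ] || { echo "$file: cannot parse key statement"; return 1; }
    bits=$(rndc_secret_bits "$secret")
    [ "$bits" -eq "$want_bits" ] || { echo "$file: secret is $bits bits, expected $want_bits"; return 1; }
    # find prints the path only when the "other" read bit is set.
    [ -z "$(find "$file" -perm -004)" ] || { echo "$file: secret is world-readable"; return 1; }
    echo "$file: key '$name' ($alg, $bits bits) looks usable"
}

# Constructed sample files: the good one carries the secret from the example run
# above with owner-only permissions; the bad one has a truncated secret and is
# readable by everyone.
tmp=$(mktemp -d)
printf 'key "rndc" {\n    algorithm hmac-md5;\n    secret "mKKd2FiHMFe1JqXl/z4cfw==";\n};\n' > "$tmp/rndc.key"
chmod 600 "$tmp/rndc.key"
printf 'key "rndc" { algorithm hmac-md5; secret "mKKd2FiH"; };\n' > "$tmp/bad.key"
chmod 644 "$tmp/bad.key"

check_rndc_key "$tmp/rndc.key" 128
check_rndc_key "$tmp/bad.key" 128 || true
```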

rndc.conf

rndc uses a TCP connection (on port 953) to communicate with named. The configuration file, /etc/rndc.conf by default, must specify a server to talk to as well as include the corresponding key (which must be recognized by named) to use while talking to it:

----------

# Use the key named "rndc" when talking to the nameserver "localhost".
server localhost {
    key "rndc";
};

# Defaults.
options {
    default-server localhost;
    default-key    "rndc";
};

# Include the key to use.
include "/etc/rndc.key";

----------

The file needs to have three sections:

Server section — Defines a nameserver (localhost) and specifies a key (rndc) to be used while communicating with it

Options section — Sets up reasonable defaults because the file might list multiple servers and keys

Key section — Includes the file already created, /etc/rndc.key

Should you need it, the rndc(8) and rndc.conf(5) manual pages contain more information.

named.conf

You next must configure named itself. Its single configuration file (/etc/named.conf) has syntax very similar to rndc.conf; this section describes only a small subset of the configuration directives essential to a functional nameserver. For a more exhaustive reference, consult the BIND 9 ARM (Administrator Reference Manual); it is distributed with BIND, and Fedora installs it under /usr/share/doc/bind-*/arm/.

Only the options and named sections in the named.conf file are absolutely necessary. The options section must tell named where the zone files are kept, and named must know where to find the root zone (.). We also set up a controls section to enable suitably authenticated commands from rndc to be accepted. Because clients (notably nslookup) often depend on resolving the nameserver's IP, we set up the 0.0.127.in-addr.arpa reverse zone, too.

We start with a configuration file similar to this:

----------

options {
    # This is where zone files are kept.
    directory "/var/named";
};

# Allow rndc running on localhost to send us commands.
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc"; };
};

include "/etc/rndc.key";

# Information about the root zone.
zone "." {
    type hint;
    file "root.hints";
};

# Lots of software depends on being able to resolve 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "rev/127.0.0";
};

----------
