The rndc utility is a command-line tool for administering the named service, both locally and from a remote machine. To prevent unauthorized access, named must be configured to accept rndc control connections on the selected port (port 953 by default), and the service and the rndc utility must share an identical key. The rndc key is generated with the following command:

# rndc-confgen -a
wrote key file "/etc/rndc.key"

This command creates the /etc/rndc.key file, which contains the key.

# cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "k7WFNCP01e1NwIgaIhvtQQ==";
};

To configure named to use the key, include the following entries in /etc/named.conf:

# vi /etc/named.conf
include "/etc/rndc.key";
controls {
         inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

The include statement allows other files to be included, so that potentially sensitive data such as the key can be placed in a separate file with restricted permissions. To remove all access for users other than the file's owner and group, enter the following:

# chmod o-rwx /etc/rndc.key

The controls statement defines access information and the various security requirements necessary to use the rndc command.

inet: The example allows you to control rndc from a console on the localhost (127.0.0.1).

keys: Keys are used to authenticate actions and are the primary access control method for remote administration. The example specifies using rndc-key, which is defined in the /etc/rndc.key include file. The name given in the keys clause must match the name in the key statement exactly; otherwise rndc cannot authenticate to named.
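As an added example (not part of the original article), the following Python script parses a controls statement together with the key file it includes and reports the problems that leave rndc unable to authenticate or the control channel exposed; the configuration fragments are constructed here and the secret is a placeholder.

```python
import re

# Constructed sample fragments modelled on the article's files; the secret is a placeholder.
RNDC_KEY = '''key "rndc-key" {
        algorithm hmac-md5;
        secret "CONSTRUCTED-PLACEHOLDER-SECRET==";
};
'''
# A controls statement whose keys clause names "rndckey" while the file defines "rndc-key".
NAMED_CONF_BAD = '''include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};
'''
NAMED_CONF_GOOD = NAMED_CONF_BAD.replace('"rndckey"', '"rndc-key"')

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{(.*?)\};', re.S)
INET_RE = re.compile(
    r'inet\s+(\S+)(?:\s+port\s+\d+)?\s+allow\s*\{([^}]*)\}\s*(?:keys\s*\{([^}]*)\})?', re.S)

def parse_keys(text):
    """Map each key statement's name to its algorithm (lower-cased)."""
    keys = {}
    for name, body in KEY_RE.findall(text):
        m = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        keys[name] = m.group(1).lower() if m else None
    return keys

def parse_controls(text):
    """Yield (address, allow entries, key names) for each inet clause in controls."""
    for addr, allow, keys in INET_RE.findall(text):
        allow_list = [a.strip() for a in allow.split(';') if a.strip()]
        yield addr, allow_list, re.findall(r'"([^"]+)"', keys)

def audit_controls(named_conf, rndc_key):
    """Return findings; an empty list means controls and the key file are consistent."""
    findings = []
    defined = parse_keys(rndc_key + named_conf)  # keys may be inline or in the include file
    for addr, allow, keys in parse_controls(named_conf):
        if not keys:
            findings.append(f"inet {addr}: no keys clause, control connections are unauthenticated")
        for k in keys:
            if k not in defined:
                findings.append(f"inet {addr}: key '{k}' is not defined by any key statement")
            elif defined[k] == "hmac-md5":
                findings.append(f"inet {addr}: key '{k}' uses hmac-md5; consider hmac-sha256")
        if addr not in ("127.0.0.1", "::1") and "any" in allow:
            findings.append(f"inet {addr}: allow {{ any; }} exposes the control channel")
    return findings
```

Run audit_controls on the real /etc/named.conf and /etc/rndc.key contents after editing them; the mismatched-name case is the one that produces "rndc: connection to remote host closed" style failures at the command line.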


rndc command Examples

Type rndc to display usage of the utility and a list of available commands:

# rndc
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command
command is one of the following:
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking the serial number.
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
  ....

The following are examples of some rndc commands:

1. Use the rndc status command to check the current status of the named service:

# rndc status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

2. Use the rndc reload command to reload both the configuration file and the zones:

# rndc reload
server reload successful