In this case, the <key-value> uses the HMAC-MD5 algorithm. Use the following command to
generate keys using the HMAC-MD5 algorithm:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
A key with at least a 256-bit length is a good idea. The actual key that should be placed in the
<key-value> area can be found in the <key-file-name> file generated by this command.
Warning
Because /etc/named.conf is world-readable, it is advisable to place the key statement
in a separate file, readable only by root, and then use an include statement to reference
it. For example:
include "/etc/rndc.key";
17.4.2. Configuring /etc/rndc.conf
The key is the most important statement in /etc/rndc.conf.
key "<key-name>" {
    algorithm hmac-md5;
    secret "<key-value>";
};
The <key-name> and <key-value> should be exactly the same as their settings in
/etc/named.conf.
To match the keys specified in the target server's /etc/named.conf, add the following lines to
/etc/rndc.conf.
options {
    default-server  localhost;
    default-key     "<key-name>";
};
This directive sets a global default key. However, the rndc configuration file can also specify different
keys for different servers, as in the following example:
server localhost {
    key  "<key-name>";
};
Important
Make sure that only the root user can read or write to the /etc/rndc.conf file.
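The two requirements above (key files readable only by root, and identical key statements on the named and rndc sides) can be checked with a short script. This is an added example, not part of the original guide; the function names are hypothetical, and it assumes GNU stat and grep and key names written in double quotes as shown above.

```shell
#!/bin/sh
# Added example: audit the files that hold the rndc shared secret.

# secret_file_ok FILE [UID]: succeed only if FILE is owned by UID
# (default 0, root) and grants nothing to group or other.
secret_file_ok() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 2; }
    mode=$(stat -c '%a' "$file")
    uid=$(stat -c '%u' "$file")
    # Mask the octal mode with 077: any set bit means group/other access.
    [ $(( 0$mode & 077 )) -eq 0 ] ||
        { echo "EXPOSED $file (mode $mode)" >&2; return 1; }
    [ "$uid" = "$want_uid" ] ||
        { echo "OWNER   $file (uid $uid)" >&2; return 1; }
}

# key_stanzas FILE: print each key "<name>" { ... } statement with all
# whitespace removed, one per line. Whole-line comments are skipped.
key_stanzas() {
    grep -vE '^[[:space:]]*(#|//)' "$1" |
        tr -s '[:space:]' ' ' |
        grep -oE 'key +"[^"]+" *\{[^}]*\}' |
        tr -d ' ' | sort
}

# keys_match NAMED_SIDE RNDC_SIDE: succeed only if every key statement in
# RNDC_SIDE also appears, identical apart from whitespace, in NAMED_SIDE.
# Secrets are compared but never printed.
keys_match() {
    a=$(key_stanzas "$1")
    b=$(key_stanzas "$2")
    [ -n "$b" ] || return 2
    printf '%s\n' "$b" | while read -r k; do
        printf '%s\n' "$a" | grep -qxF -- "$k" || exit 1
    done
}

# Typical use, as root on the name server:
#   secret_file_ok /etc/rndc.key && secret_file_ok /etc/rndc.conf &&
#       keys_match /etc/rndc.key /etc/rndc.conf
```

Pass /etc/named.conf as the first argument to keys_match if the key statement has not been moved into a separate include file.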