Red Hat LINUX 7.2 Reference Manual page 239

Section 14.3:Using rndc
14.3.1 Configuration Files
Before attempting to use the rndc command, verify that the proper configuration lines are in place
in the necessary files. Most likely, your configuration files are not properly set if you run rndc and
see a message that states:
rndc: connect: connection refused
/etc/named.conf
In order for rndc to be allowed to connect to your named service, you must have a controls
statement in your /etc/named.conf file when named starts. The sample controls statement
shown in Figure 14–21, Sample controls statement in /etc/named.conf will allow you to
execute rndc commands locally.
Figure 14–21 Sample controls statement in /etc/named.conf
controls {
inet 127.0.0.1 allow { localhost; } keys { <key-name> ; };
};
This statement tells named to listen on the default TCP port 953 of the loopback address and allow
rndc commands coming from the localhost, if the proper key is given. The <key-name> relates to
the key statement, which is also in the /etc/named.conf file. A sample key statement is shown
in Figure 14–22, Sample key statement in /etc/named.conf .
Figure 14–22 Sample key statement in /etc/named.conf
key " <key-name> " {
algorithm hmac-md5;
secret " <key-value> ";
};
In this case, the <key-value> is a HMAC-MD5 key. You can generate your own HMAC-MD5
keys with the following command:
dnssec-keygen -a hmac-md5 -b <bit-length> -n HOST <key-file-name>
A key with at least a 256-bit length is good idea. The actual key that should be placed in the <key-
value> area can found in the <key-file-name> .
The name of the key used in /etc/named.conf should be something other than key.
/etc/rndc.conf
To configure rndc to automatically use the key specified in /etc/named.conf for the localhost,
three statements are needed. The options statement allows you to set the default server and key for
rndc to use, as seen in Figure 14–23, Sample options statement in /etc/rndc.conf .
239