
► rndc.key to specify the key used to authenticate between rndc and named

► rndc.conf to configure rndc

► named.conf to configure named

When rndc communicates with named, it uses cryptographic keys to digitally sign commands before sending them over the network to named. The configuration file, /etc/rndc.key, specifies the key used for the authentication.

The only authentication mechanism currently supported by named is a secret key, used with the HMAC-MD5 algorithm and shared between rndc and named. The easiest way to generate a key is to use the dnssec-keygen utility. In the following example, the utility is asked to generate a 128-bit HMAC-MD5 user key named rndc:

$ dnssec-keygen -a hmac-md5 -b 128 -n user rndc

Krndc.+157+14529

$ cat Krndc.+157+14529.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: mKKd2FiHMFe1JqXl/z4cfw==

The utility creates two files with .key and .private extensions, respectively. The Key: line in the .private file reveals the secret that rndc and named need to share (mKKd2FiHMFe1JqXl/z4cfw==). When you have this, you can set up the rndc.key configuration file, which is shared by both rndc.conf and named.conf:

----------

key "rndc" { algorithm hmac-md5; secret "mKKd2FiHMFe1JqXl/z4cfw=="; };

----------
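As an added illustration (not code from the book), the following Python script parses the .private file that dnssec-keygen wrote, checks that it really holds a 128-bit HMAC-MD5 key, and renders the key stanza shown above; the sign/verify pair demonstrates the shared-secret principle behind rndc authentication, not the rndc wire format. The sample file contents are the ones printed above.

```python
import base64
import hashlib
import hmac

# Constructed sample: the body of Krndc.+157+14529.private as shown in the text.
SAMPLE_PRIVATE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: mKKd2FiHMFe1JqXl/z4cfw==
"""

HMAC_MD5_ALG = 157   # algorithm number dnssec-keygen writes for HMAC-MD5
EXPECTED_BITS = 128  # matches the -b 128 passed to dnssec-keygen


def parse_private_key(text):
    """Return (algorithm number, raw secret bytes) from a .private file body."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    alg = int(fields["Algorithm"].split()[0])
    secret = base64.b64decode(fields["Key"], validate=True)
    return alg, secret


def render_rndc_key(keyname, text, expected_bits=EXPECTED_BITS):
    """Emit the key stanza shared by rndc.conf and named.conf.

    A key with the wrong algorithm or a truncated secret is rejected here
    rather than silently producing a file named would refuse or accept weakly.
    """
    alg, secret = parse_private_key(text)
    if alg != HMAC_MD5_ALG:
        raise ValueError("named only accepts hmac-md5 keys (algorithm 157)")
    if len(secret) * 8 != expected_bits:
        raise ValueError("expected %d-bit key, got %d bits"
                         % (expected_bits, len(secret) * 8))
    b64 = base64.b64encode(secret).decode()
    return 'key "%s" { algorithm hmac-md5; secret "%s"; };' % (keyname, b64)


def sign(secret, command):
    """HMAC-MD5 tag over a command: only holders of the shared secret can make it."""
    return hmac.new(secret, command, hashlib.md5).digest()


def verify(secret, command, tag):
    """Constant-time check of a tag, as the receiving side must do."""
    return hmac.compare_digest(sign(secret, command), tag)
```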

rndc.conf

rndc uses a TCP connection (on port 953) to communicate with named. The configuration file, /etc/rndc.conf by default, must specify a server to talk to as well as include the corresponding key (which must be recognized by named) to use while talking to it:

----------

# Use the key named "rndc" when talking to the nameserver "localhost."
server localhost {
    key "rndc";
};

# Defaults.
options {
    default-server localhost;
    default-key    "rndc";
};

# Include the key to use
include "/etc/rndc.key";

----------

The file needs to have three sections:

► Server section — Defines a nameserver (localhost) and specifies a key (rndc) to be used while communicating with it

► Options section — Sets up reasonable defaults because the file might list multiple servers and keys

► Key section — Includes the file already created, /etc/rndc.key

Should you need it, the rndc(8) and rndc.conf(5) manual pages contain more information.

named.conf

You next must configure named itself. Its single configuration file (/etc/named.conf) has syntax very similar to rndc.conf; this section describes only a small subset of the configuration directives essential to the configuration of a functional nameserver. For a more exhaustive reference, consult the BIND 9 ARM (Administrator Reference Manual); it is distributed with BIND, and Fedora installs it under /usr/share/doc/bind-*/arm/.

Only the options and named sections in the named.conf file are absolutely necessary. The options section must tell named where the zone files are kept, and named must know where to find the root zone (.). We also set up a controls section to enable suitably authenticated commands from rndc to be accepted. Because clients (notably nslookup) often depend on resolving the nameserver's IP, we set up the 0.0.127.in-addr.arpa reverse zone, too.

We start with a configuration file similar to this:

----------

options {
    # This is where zone files are kept.
    directory "/var/named";
};

# Allow rndc running on localhost to send us commands.
controls {
    inet 127.0.0.1
        allow { localhost; }
        keys { rndc; };
};

include "/etc/rndc.key";

# Information about the root zone.
zone "." {
    type hint;
    file "root.hints";
};

# Lots of software depends on being able to resolve 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "rev/127.0.0";
};

----------

The options section is where to specify the directory in which named should look for zone files (as named in other sections of the file). You learn about using other options in later examples in this chapter.

Next, we instruct named to accept commands from an authenticated rndc. We include the key file, /etc/rndc.key, and the controls section saying that rndc connects from localhost and uses the specified key. (You can specify more than one IP address in the allow list or use an access control list as described in the "Managing DNS Security" section, later in this chapter.)

The . zone tells named about the root nameservers with names and addresses in the root.hints file. This information determines which root nameserver is initially consulted, although this decision is frequently revised based on the server's response time. Although the hints file can be obtained via FTP, the recommended, network-friendly way to keep it synchronized is to use dig. We ask a root nameserver (it doesn't matter which one) for the NS records of . and use the dig output directly:

----------

# dig @j.root-servers.net. ns > /var/named/root.hints
# cat /var/named/root.hints
; <<>> DiG 8.2 <<>> @j.root-servers.net . ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                        6D IN NS H.ROOT-SERVERS.NET.
.                        6D IN NS C.ROOT-SERVERS.NET.