Configuring rndc


rndc is the nameserver control utility that ships with the bind package. It authenticates every command it sends to named with an HMAC computed over a shared secret (the same TSIG-style mechanism BIND uses for dynamic updates), not with a public-key digital signature. It is used to reload the configuration file and zones, flush the DNS cache, show the status of the nameserver, and so on.
Configuring rndc

The bind package includes utilities for setting up rndc with the nameserver. The binary rndc-confgen generates a random secret and prints the configuration for both sides (rndc and named). To generate the configuration file for rndc, run the binary as,
[root@localhost ~]# rndc-confgen
# Start of rndc.conf
key "rndckey" {
	algorithm hmac-md5;
	secret "YAytbNi94tMD26FPxes3Yg==";
};

options {
	default-key "rndckey";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
# 	algorithm hmac-md5;
# 	secret "YAytbNi94tMD26FPxes3Yg==";
# };
#
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf
[root@localhost ~]#

Copy the configuration directives between "# Start of rndc.conf" and "# End of rndc.conf" into the file /etc/rndc.conf. Because the file holds the secret in clear text, keep it readable by root only (chmod 600 /etc/rndc.conf). We also need to configure the nameserver to accept the commands issued by the rndc utility. For that, copy the directives between "# Use with the following in named.conf, adjusting the allow list as needed:" and "# End of named.conf" into /etc/named.conf, removing the leading '#' symbols. The nameserver is now ready to be managed by rndc. Restart the named service so it reads the new controls statement, then issue the following command.
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]#

You will get the "server reload successful" message if rndc is able to communicate with the nameserver. A mismatched or missing key shows up instead as an authentication failure from named, and a wrong address or a closed port 953 as a connection failure.
Configuration statements

The key statement names the key used to communicate with the nameserver. The clauses algorithm and secret inside the key statement specify the HMAC algorithm and the base64-encoded shared secret respectively. The same key name, algorithm and secret must appear in both rndc.conf and named.conf.

The options statement in rndc.conf specifies the default server (default-server), the key (default-key) and the port (default-port) to be used when rndc is run without the -s, -y or -p options.

The controls statement in named.conf tells the nameserver to listen for rndc commands on 127.0.0.1 port 953 and to accept them only when they come from 127.0.0.1, i.e. from the server itself, and are authenticated with the key "rndckey". The allow list is an address match list; an address that is not in it is refused even if it presents the right key.

rndc-confgen has an option (-b) to specify the size of the key in bits; the default is 128, which is why the secret above is 16 bytes of base64. The HMAC-MD5 key can also be generated with the utility dnssec-keygen. To generate a key with a size of 128 bits,
[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n host rndckey
Krndckey.+157+41716
[root@localhost ~]#

The key is written to the files Krndckey.+157+41716.key and Krndckey.+157+41716.private; the base64 string after "Key:" in the .private file is what goes into the secret clause. Note that HMAC-MD5 is only used here because it is what this version of rndc-confgen emits by default. Newer BIND releases remove HMAC key types from dnssec-keygen (use tsig-keygen or rndc-confgen instead) and default to hmac-sha256, which you should prefer wherever the named you are managing supports it (rndc-confgen -A hmac-sha256).

Advanced Configuration

Using rndc, we can also manage a nameserver remotely. The only requirements are that both rndc and the remote nameserver share the same secret, and that the remote server's controls statement accepts commands from the host it is going to be managed from. We can extend the configuration above to do this.

Using the binary dnssec-keygen (or rndc-confgen), create a new key for managing the remote server and name it "rndcremotekey". You may use any name for the key as long as it matches on both servers. To configure rndc to use the key "rndcremotekey" for the remote server, add the following entries to the /etc/rndc.conf file.
# Add the key generated with the command 'dnssec-keygen'
key "rndcremotekey" {
	algorithm hmac-md5;
	secret "mSqfSp6rKNHQwVG3JVHfzw==";
};

# Remote nameserver to be managed
server <remote server ip> {
	key "rndcremotekey";
};
You need to replace <remote server ip> with the IP address of the remote nameserver.

We have now configured rndc to select the key "rndcremotekey" automatically whenever it is pointed at the remote nameserver (rndc -s <remote server ip>); the default key is still used for the local server.

For the remote server to accept commands, add the following entries in /etc/named.conf file in the remote nameserver.
# The remote nameserver must use the same key
key "rndcremotekey" {
	algorithm hmac-md5;
	secret "mSqfSp6rKNHQwVG3JVHfzw==";
};

# controls statement to accept rndc commands
controls {
	inet <remote server ip> port 953
		allow { <rndc server ip>; } keys { "rndcremotekey"; };
};
Replace <remote server ip> and <rndc server ip> with the corresponding server IP addresses. Keep the allow list as narrow as possible and firewall TCP port 953 to the management host: anyone who reaches the port with the key can reload or stop the nameserver (rndc stop), so the key is effectively an administrative credential. If the remote server already has a controls statement for 127.0.0.1, add this inet line inside it rather than creating a second controls block.

Once done, restart named service in remote nameserver. You can then manage the remote server from the rndc server. To test the configuration, type the following in rndc server.
[root@localhost ~]# rndc -s <remote server ip> reload
server reload successful
[root@localhost ~]#
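The local and remote setups above differ only in the listen address and the allow list, so both can be produced by one script. The following is an added example, not code from the original post or from the bind package: it generates a fresh random secret and writes the rndc.conf half and the named.conf controls half from that one secret. It assumes hmac-sha256 (rather than the hmac-md5 shown above), uses /dev/urandom and base64 in place of rndc-confgen or tsig-keygen, and takes an output directory argument so it never touches /etc while you are testing it. The file name rndc-controls.conf is this example's own choice; include it from named.conf or paste its contents there.

```shell
#!/bin/sh
# Added example (not from the original post): build matching rndc.conf and
# named.conf "controls" fragments from a single generated secret.
# Assumptions: hmac-sha256, /dev/urandom + base64 instead of rndc-confgen,
# and an OUTDIR argument instead of writing to /etc.

# gen_secret BITS: print a base64 secret of BITS random bits (256 for sha256).
gen_secret() {
    bits=${1:-256}
    head -c $((bits / 8)) /dev/urandom | base64 | tr -d '\n'
}

# write_rndc_conf OUTDIR KEYNAME SECRET DEFAULT_SERVER
# Client side: the key plus an options statement, like rndc-confgen's output.
write_rndc_conf() {
    dir=$1; name=$2; secret=$3; server=$4
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; cat > "$dir/rndc.conf" <<EOF
key "$name" {
	algorithm hmac-sha256;
	secret "$secret";
};

options {
	default-key "$name";
	default-server $server;
	default-port 953;
};
EOF
    )
}

# write_controls_conf OUTDIR KEYNAME SECRET LISTEN_IP ALLOW_IP
# Server side: the same key plus a controls statement that listens only on
# LISTEN_IP and accepts only ALLOW_IP authenticated with this key.
write_controls_conf() {
    dir=$1; name=$2; secret=$3; listen=$4; allow=$5
    ( umask 077; cat > "$dir/rndc-controls.conf" <<EOF
key "$name" {
	algorithm hmac-sha256;
	secret "$secret";
};

controls {
	inet $listen port 953
		allow { $allow; } keys { "$name"; };
};
EOF
    )
}

# gen_rndc_pair OUTDIR KEYNAME LISTEN_IP ALLOW_IP
# Writes both halves from one secret. For local management LISTEN_IP and
# ALLOW_IP are both 127.0.0.1; for a remote server LISTEN_IP is the server's
# address and ALLOW_IP the management host's address.
gen_rndc_pair() {
    dir=$1; name=$2; listen=$3; allow=$4
    secret=$(gen_secret 256)
    write_rndc_conf "$dir" "$name" "$secret" "$listen"
    write_controls_conf "$dir" "$name" "$secret" "$listen" "$allow"
}

# secret_in FILE: extract the secret from a generated file, to confirm that
# both halves really carry the same value before deploying them.
secret_in() {
    sed -n 's/^[[:space:]]*secret "\(.*\)";$/\1/p' "$1"
}

# Usage (addresses are documentation-range placeholders):
#   gen_rndc_pair /tmp/rndc-local  rndckey       127.0.0.1  127.0.0.1
#   gen_rndc_pair /tmp/rndc-remote rndcremotekey 192.0.2.10 192.0.2.20
```

Copy rndc.conf to /etc/rndc.conf on the management host (it is written mode 600 because the secret is a password) and the controls fragment into named.conf on the server being managed, then restart named and test with rndc -s <listen ip> status.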
Using rndc

After the configuration, you may use rndc to reload the server, flush its cache and see the status of the nameserver as follows (rndc flush prints nothing on success):
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# rndc flush
[root@localhost ~]# rndc status
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
[root@localhost ~]#

To see more commands and options, just type "rndc" with no arguments in the shell. You will see a handful of useful commands.

Though the startup script /etc/rc.d/init.d/named has a reload option that avoids restarting the named service, rndc provides far more control. For example, it can reload, refresh or retransfer a single zone, flush the DNS cache without restarting named, flush a single name from the cache (rndc flushname), and show the server status. So to manage a nameserver efficiently, it is worth configuring the rndc utility properly.

