Provided by: bind9_9.20.11-1ubuntu3_amd64 bug

NAME
       rndc.conf - rndc configuration file


SYNOPSIS
       rndc.conf


DESCRIPTION
       rndc.conf  is the configuration file for rndc <#std-iscman-rndc>, the BIND 9 name server control utility.
       This file has a similar structure and  syntax  to  named.conf  <#std-iscman-named.conf>.  Statements  are
       enclosed  in  braces  and  terminated  with  a  semi-colon. Clauses in the statements are also semi-colon
       terminated.  The usual comment styles are supported:

       C style: /* */

       C++ style: // to end of line

       Unix style: # to end of line

       rndc.conf is much simpler than named.conf <#std-iscman-named.conf>. The file uses  three  statements:  an
       options statement, a server statement, and a key statement.

       The options statement contains five clauses. The default-server clause is followed by the name or address
       of  a  name  server.  This  host  is  used  when  no  name  server  is  given  as  an argument to rndc <#
       std-iscman-rndc>.  The default-key clause is followed by the name of a key, which is identified by a  key
       statement.  If  no  keyid  is provided on the rndc command line, and no key clause is found in a matching
       server statement, this default key is used to authenticate  the  server's  commands  and  responses.  The
       default-port clause is followed by the port to connect to on the remote name server. If no port option is
       provided  on  the  rndc  command  line,  and no port clause is found in a matching server statement, this
       default port is used to connect. The default-source-address and default-source-address-v6 clauses can  be
       used to set the IPv4 and IPv6 source addresses respectively.

       After  the  server keyword, the server statement includes a string which is the hostname or address for a
       name server. The statement has three possible clauses: key, port, and addresses. The key name must  match
       the  name  of  a  key  statement  in  the  file.  The port number specifies the port to connect to. If an
       addresses clause is supplied, these addresses are used instead of the server name. Each address can  take
       an  optional  port. If an source-address or source-address-v6 is supplied, it is used to specify the IPv4
       and IPv6 source address, respectively.

       The key statement begins with an identifying string, the name of the key. The statement has two  clauses.
       algorithm  identifies  the  authentication  algorithm  for rndc <#std-iscman-rndc> to use; currently only
       HMAC-MD5 (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default), HMAC-SHA384, and HMAC-SHA512
       are supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's
       authentication key. The base-64 string is enclosed in double quotes.

       There are two common ways to generate the base-64 string for the secret.  The BIND 9 program rndc-confgen
       <#std-iscman-rndc-confgen> can be used to generate a random key, or the mmencode program, also  known  as
       mimencode,  can be used to generate a base-64 string from known input. mmencode does not ship with BIND 9
       but is available on many systems. See the Example section for sample command lines for each.


EXAMPLE
          options {
            default-server  localhost;
            default-key     samplekey;
          };

          server localhost {
            key             samplekey;
          };

          server testserver {
            key     testkey;
            addresses   { localhost port 5353; };
          };

          key samplekey {
            algorithm       hmac-sha256;
            secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
          };

          key testkey {
            algorithm   hmac-sha256;
            secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";
          };

       In the above example, rndc <#std-iscman-rndc> by default uses the server at localhost (127.0.0.1) and the
       key called "samplekey". Commands to the localhost server use the "samplekey"  key,  which  must  also  be
       defined  in  the  server's  configuration file with the same name and secret. The key statement indicates
       that "samplekey" uses the HMAC-SHA256 algorithm and its secret clause contains the  base-64  encoding  of
       the HMAC-SHA256 secret enclosed in double quotes.

       If rndc -s testserver <#cmdoption-rndc-s> is used, then rndc <#std-iscman-rndc> connects to the server on
       localhost port 5353 using the key "testkey".

       To generate a random secret with rndc-confgen <#std-iscman-rndc-confgen>:

       rndc-confgen <#std-iscman-rndc-confgen>

       A  complete  rndc.conf  file,  including  the  randomly generated key, is written to the standard output.
       Commented-out key and controls statements for named.conf <#std-iscman-named.conf> are also printed.

       To generate a base-64 secret with mmencode:

       echo "known plaintext for a secret" | mmencode


NAME SERVER CONFIGURATION
       The name server must be configured to accept rndc connections and to recognize the key specified  in  the
       rndc.conf  file, using the controls statement in named.conf <#std-iscman-named.conf>. See the sections on
       the controls statement in the BIND 9 Administrator Reference Manual for details.


SEE ALSO
       rndc(8) <#std-iscman-rndc>, rndc-confgen(8) <#std-iscman-rndc-confgen>, mmencode(1), BIND 9 Administrator
       Reference Manual.


Author
       Internet Systems Consortium


Copyright
       2025, Internet Systems Consortium

9.20.11-1ubuntu3-Ubuntu                            2025-07-04                                       RNDC.CONF(5)