5.2. rndc.conf - rndc(1) configuration

5.2.1. Description

rndc.conf is the configuration file for rndc(1) --- the remote control for named(8). This file has a similar structure and syntax to named.conf(5). Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

  • C style:

    /* This is a comment */
  • C++ style:

    // This is a comment. It continues to end of line.
  • UNIX style:

    # This is a comment. It continues to end of line.

rndc.conf is much simpler than named.conf(5). The file uses three statements: an options statement, a server statement and a key statement.


TODOMUKS: Insert grammar here and update this section.

The options statement contains five clauses. The default-server clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to rndc. The default-key clause is followed by the name of a key which is identified by a key statement. If no keyid is provided on the rndc command line, and no key clause is found in a matching server statement, this default key will be used to authenticate the server's commands and responses. The default-port clause is followed by the port to connect to on the remote name server. If no port option is provided on the rndc command line, and no port clause is found in a matching server statement, this default port will be used to connect. The default-source-address and default-source-address-v6 clauses which can be used to set the IPv4 and IPv6 source addresses respectively.

After the server keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: key, port and addresses. The key name must match the name of a key statement in the file. The port number specifies the port to connect to. If an addresses clause is supplied these addresses will be used instead of the server name. Each address can take an optional port. If an source-address or source-address-v6 of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the authentication algorithm for rndc to use --- hmac-sha256 (default) and hmac-sha512 are supported. This is followed by a secret clause which contains the Base64 encoding of the algorithm's authentication key. The Base64 string is enclosed in double quotes.

There are two common ways to generate the Base64 string for the secret. The program rndc-confgen can be used to generate a random key, or the base64 program can be used to generate a Base64 string from known input. base64 does not ship with Loop but is available on many systems. See the Examples section for sample command lines for each.

5.2.2. Examples

options {
  default-server  localhost;
  default-key     samplekey;

server localhost {
  key             samplekey;

server testserver {
  key     testkey;
  addresses   { localhost port 5353; };

key samplekey {
  algorithm       hmac-sha256;
  secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";

key testkey {
  algorithm   hmac-sha256;
  secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";

In the above example, rndc(1) will by default use the server localhost and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC-SHA256 algorithm and its secret clause contains the Base64 encoding of the HMAC-SHA256 secret enclosed in double quotes.

If rndc -s testserver is used then rndc(1) will connect to the server on localhost port 5353 using the key testkey.

To generate a random secret with rndc-confgen(1), run:


A complete rndc.conf file, including the randomly generated key, will be written to the standard output. Commented-out key and controls statements for named.conf(5) are also printed.

To generate a Base64 secret with GNU coreutils, run:

echo -n "known plaintext for a secret" | base64

5.2.3. named(8) configuration

named(8) must be configured to accept control-channel connections and to recognize the key specified in the rndc.conf file, using the controls statement in named.conf(5).

5.2.4. See also

rndc(1), rndc-confgen(1), named.conf(5), named(8)