rndc-confgen(8)
NAME
rndc-confgen - rndc key generation tool
SYNOPSIS
rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h]
[-k keyname] [-p port] [-r randomfile] [-s address]
[-t chrootdir] [-u user]
DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as
a convenient alternative to writing the rndc.conf file and the
corresponding controls and key statements in named.conf by hand.
Alternatively, it can be run with the -a option to set up a rndc.key
file and avoid the need for a rndc.conf file and a controls statement
altogether.
OPTIONS
-a
Do automatic rndc configuration. This creates a file rndc.key in
/etc (or whatever sysconfdir was specified as when BIND was built)
that is read by both rndc and named on startup. The rndc.key file
defines a default command channel and authentication key allowing
rndc to communicate with named on the local host with no further
configuration.
Running rndc-confgen -a allows BIND 9 and rndc to be used as
drop-in replacements for BIND 8 and ndc, with no changes to the
existing BIND 8 named.conf file.
If a more elaborate configuration than that generated by
rndc-confgen -a is required, for example if rndc is to be used
remotely, you should run rndc-confgen without the -a option and set
up a rndc.conf and named.conf as directed.
-A algorithm
Specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
hmac-sha512. The default is hmac-md5.
-b keysize
Specifies the size of the authentication key in bits. Must be
between 1 and 512 bits; the default is the hash size.
-c keyfile
Used with the -a option to specify an alternate location for
rndc.key.
-h
Prints a short summary of the options and arguments to
rndc-confgen.
-k keyname
Specifies the key name of the rndc authentication key. This must be
a valid domain name. The default is rndc-key.
-p port
Specifies the command channel port where named listens for
connections from rndc. The default is 953.
-r randomfile
Specifies a source of random data for generating the authorization.
If the operating system does not provide a /dev/random or
equivalent device, the default source of randomness is keyboard
input. randomdev specifies the name of a character device or file
containing random data to be used instead of the default. The
special value keyboard indicates that keyboard input should be
used.
-s address
Specifies the IP address where named listens for command channel
connections from rndc. The default is the loopback address
127.0.0.1.
-t chrootdir
Used with the -a option to specify a directory where named will run
chrooted. An additional copy of the rndc.key will be written
relative to this directory so that it will be found by the chrooted
named.
-u user
Used with the -a option to set the owner of the rndc.key file
generated. If -t is also specified only the file in the chroot area
has its owner changed.
EXAMPLES
To allow rndc to be used with no manual configuration, run
rndc-confgen -a
To print a sample rndc.conf file and corresponding controls and key
statements to be manually inserted into named.conf, run
rndc-confgen
SEE ALSO
rndc(8), rndc.conf(5), named(8), BIND 9 Administrator Reference Manual.
AUTHOR
Internet Systems Consortium
COPYRIGHT
Copyright 2004, 2005, 2007, 2009, 2013, 2014 Internet Systems
Consortium, Inc. ("ISC")
Copyright 2001, 2003 Internet Software Consortium.
Free and Open Source Software