DNS BIND controls clause

This section describes the controls clause in BIND 9.x. The controls clause is used to define access information and controls when using remote administration services, for example, the rndc utility. The controls clause takes a single inet statement type, though more than one inet statement may be defined. Full list of statements.

controls {
   inet inet_spec [inet_spec]  ;

A controls clause is always defaulted and generates a TCP listen on port 953 (the default control port) of the loopback address for either or both of IPv4 and IPv6 ( and/or ::1). If the remote administration will not be used, that is the rndc utility will not be used this control interface should be explicitly disabled by defining an empty controls clause as shown below:

controls {};

The primary access control method for remote administration, for example rndc in BIND 9, is via the use of keys defined within the inet statement (see below). To retain compatibility with previous versions of BIND or to run without a user generated key, a default key may be generated using the following command:

rndc-confgen -a

This command will create a file called rndc.key containing a default key clause with the name rndc-key in same directory as the named.conf file for the version of BIND being used and which is used for subsequent access to the control channel. If this command is not executed before BIND is loaded the following message will appear:

named [39248] none:0: open: /path/to/default/rndc.key: file not found

BIND will continue to run in this state but the control channel will not be operable. For full configuration of the inet statement and examples of its use in the controls clause see inet statements below.


The inet statement defines a method to control access to the rndc (remote administration) utility. More than one inet statement may be included in a controls clause.

inet inet_spec [inet_spec] ..;

Each inet_spec parameter has the following format:

inet_spec = ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                keys {  key_list  };

The ip_address parameter defines the IP address of the local server interface on which rndc connections will be accepted. The wildcard value ("*") will allow connection on any of the server's IP addresses including the loopback address. The optional ip_port parameter allows a specific port to be nominated for use by rndc connections. The address_match_list defines the permitted hosts that can connect to the rndc channel. The key_list parameter contains a reference to one or more key clauses containing the list of permitted users who are allowed access. While address_match_lists can include a key parameter if one is present in the referenced address_match_list it is ignored, only keys defined in the key_list of the inet statement are permitted access. The key_list can be omitted in which case the file rndc.key in the same directory as named.conf and which contains a default key clause with the name rndc-key will be used to provide default access. The rndc.key file is created by running the command:

rndc-confgen -a

The following example shows that a user on the loopback address can use the default key for access while all other users must use the rndc-remote key, in all cases localhost will use port 953 (the default) and external connection port 7766. An acl clause is used as the source of the address_match_list:

// named.conf fragment
acl "rndc-users" {;
     !; // negated
     2001:db8:0:27::/64; // any address in subnet
key "rndc-remote" {
     algorithm hmac-md5;
     secret "OmItW1lOyLVUEuvv+Fme+Q==";
controls {
     // local host - default key
     inet allow {localhost;};
     inet * port 7766 allow {"rndc-users";} keys {"rndc-remote";};

Note: The keys clause above would normally be placed in a separate secure file and included into the named.conf file.