This section describes the controls clause in BIND 9.x. The controls clause is used to define access information and controls when using remote administration services, for example, the rndc utility. The controls clause takes a single inet statement type, though more than one inet statement may be defined. Full list of statements.
controls { inet inet_spec [inet_spec] ; };
A controls clause is always defaulted and generates a TCP listen on port 953 (the default control port) of the loopback address for either or both of IPv4 and IPv6 (127.0.0.1 and/or ::1). If the remote administration will not be used, that is the rndc utility will not be used this control interface should be explicitly disabled by defining an empty controls clause as shown below:
controls {};
The primary access control method for remote administration, for example rndc in BIND 9, is via the use of keys defined within the inet statement (see below). To retain compatibility with previous versions of BIND or to run without a user generated key, a default key may be generated using the following command:
rndc-confgen -a
This command will create a file called rndc.key containing a default key clause with the name rndc-key in same directory as the named.conf file for the version of BIND being used and which is used for subsequent access to the control channel. If this command is not executed before BIND is loaded the following message will appear:
named [39248] none:0: open: /path/to/default/rndc.key: file not found
BIND will continue to run in this state but the control channel will not be operable. For full configuration of the inet statement and examples of its use in the controls clause see inet statements below.
The inet statement defines a method to control access to the rndc (remote administration) utility. More than one inet statement may be included in a controls clause.
inet inet_spec [inet_spec] ..;
Each inet_spec parameter has the following format:
inet_spec = ( ip_addr | * ) [ port ip_port ] allow { address_match_list } keys { key_list };
The ip_address parameter defines the IP address of the local server interface on which rndc connections will be accepted. The wildcard value ("*") will allow connection on any of the server's IP addresses including the loopback address. The optional ip_port parameter allows a specific port to be nominated for use by rndc connections. The address_match_list defines the permitted hosts that can connect to the rndc channel. The key_list parameter contains a reference to one or more key clauses containing the list of permitted users who are allowed access. While address_match_lists can include a key parameter if one is present in the referenced address_match_list it is ignored, only keys defined in the key_list of the inet statement are permitted access. The key_list can be omitted in which case the file rndc.key in the same directory as named.conf and which contains a default key clause with the name rndc-key will be used to provide default access. The rndc.key file is created by running the command:
rndc-confgen -a
The following example shows that a user on the loopback address can use the default key for access while all other users must use the rndc-remote key, in all cases localhost will use port 953 (the default) and external connection port 7766. An acl clause is used as the source of the address_match_list:
// named.conf fragment acl "rndc-users" { 10.0.15.0/24; !10.0.16.1/24; // negated 2001:db8:0:27::/64; // any address in subnet }; .... key "rndc-remote" { algorithm hmac-md5; secret "OmItW1lOyLVUEuvv+Fme+Q=="; }; controls { // local host - default key inet 127.0.0.1 allow {localhost;}; inet * port 7766 allow {"rndc-users";} keys {"rndc-remote";}; };
Note: The keys clause above would normally be placed in a separate secure file and included into the named.conf file.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
Contents
tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log
This work is licensed under a
Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox
Search
Share
Page
Resources
Systems
FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux
Software
LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns
Organizations
Open Source Initiative
Creative Commons
Misc.
Ibiblio - Library
Open Book Project
Open Directory
Wikipedia
Site
Copyright © 1994 - 2024 ZyTrax, Inc. All rights reserved. Legal and Privacy |
site by zytrax hosted by javapipe.com |
web-master at zytrax Page modified: January 20 2022. |