Introduction
rndc is the nameserver control utility that ships with the bind package. It authenticates every command it sends to the nameserver with an HMAC over a shared secret key. It is used to reload the configuration file and zones, flush the DNS cache, show the status of the nameserver, and so on.
Configuring rndc
The bind package includes utilities for setting up rndc with the nameserver. The binary rndc-confgen generates the configuration file for rndc. To generate it, run the binary as follows:
[root@localhost ~]# rndc-confgen
# Start of rndc.conf
key "rndckey" {
    algorithm hmac-md5;
    secret "YAytbNi94tMD26FPxes3Yg==";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
#     algorithm hmac-md5;
#     secret "YAytbNi94tMD26FPxes3Yg==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf
[root@localhost ~]#
Copy the configuration directives between "# Start of rndc.conf" and "# End of rndc.conf" into the file /etc/rndc.conf. The nameserver must also be configured to accept the commands issued by the rndc utility: copy the directives between "# Use with the following in named.conf, adjusting the allow list as needed:" and "# End of named.conf" into /etc/named.conf, removing the leading '#' from each line. The nameserver is now ready to be managed by rndc. Restart the named service and issue the following command.
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]#
You will get the "server reload successful" message if rndc is able to communicate with the nameserver.
Configuration statements
The key statement specifies the name of the key used to communicate with the nameserver. Within it, the algorithm clause names the HMAC algorithm and the secret clause holds the base64-encoded shared key.
The options statement in rndc.conf specifies the default server and key to use when rndc is run without naming a server.
The controls statement in named.conf lets rndc manage the nameserver listening on IP 127.0.0.1 port 953 with the key "rndckey", and only from 127.0.0.1, i.e. from the server itself.
rndc-confgen has an option to specify the size of the key in bytes. By default, the size is 128. The HMAC-MD5 key can also be generated with the dnssec-keygen utility. To generate the key with size 128 bytes:
[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n host rndckey
Krndckey.+157+41716
[root@localhost ~]#
The corresponding key can be found in the files Krndckey.+157+41716.key and Krndckey.+157+41716.private.
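As an added illustration (not part of the original page and not BIND's own code), the following Python reproduces what rndc-confgen does: draw a random secret, base64-encode it, and emit the matching rndc.conf and named.conf fragments. secret_bits() decodes a secret back to its length, so the page's sample secret reports as 128 bits (16 bytes); the algorithm names are BIND's, while the function names and the hmac-sha256 default (what current rndc-confgen emits) are my choices.

```python
import base64
import secrets

# Key sizes (in bits) that rndc-confgen uses by default for each algorithm.
DEFAULT_BITS = {"hmac-md5": 128, "hmac-sha256": 256}

def generate_secret(bits: int = 128) -> str:
    """Random key of the given size, base64-encoded the way rndc-confgen prints it."""
    if bits % 8 or not 8 <= bits <= 512:  # rndc-confgen -b accepts 1..512; whole bytes kept here
        raise ValueError("key size must be a multiple of 8 between 8 and 512 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def secret_bits(secret: str) -> int:
    """Length in bits of a base64 secret; raises on characters outside the alphabet."""
    return 8 * len(base64.b64decode(secret, validate=True))

def key_statement(name: str, secret: str, algorithm: str) -> str:
    """A key statement as it appears in both rndc.conf and named.conf."""
    return (f'key "{name}" {{\n    algorithm {algorithm};\n'
            f'    secret "{secret}";\n}};\n')

def rndc_conf(name: str, secret: str, algorithm: str = "hmac-md5",
              server: str = "127.0.0.1", port: int = 953) -> str:
    """The /etc/rndc.conf side: the key plus the defaults rndc uses without -s/-p/-k."""
    return key_statement(name, secret, algorithm) + (
        f'options {{\n    default-key "{name}";\n'
        f'    default-server {server};\n    default-port {port};\n}};\n')

def named_controls(name: str, secret: str, algorithm: str = "hmac-md5",
                   listen: str = "127.0.0.1", allow=("127.0.0.1",),
                   port: int = 953) -> str:
    """The named.conf side: the same key, and a controls statement limited to 'allow'."""
    acl = " ".join(f"{a};" for a in allow)
    return key_statement(name, secret, algorithm) + (
        f"controls {{\n    inet {listen} port {port}\n"
        f'        allow {{ {acl} }} keys {{ "{name}"; }};\n}};\n')

if __name__ == "__main__":
    secret = generate_secret(DEFAULT_BITS["hmac-sha256"])
    print(rndc_conf("rndckey", secret, "hmac-sha256"))
    print(named_controls("rndckey", secret, "hmac-sha256"))
```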
Advanced Configuration
Using rndc, we can also manage a nameserver remotely. The only requirements are that rndc and the remote nameserver share the same key, and that the remote server accepts commands from the host it is managed from. The configuration above can be extended to do this.
Using the binary dnssec-keygen, create a new key for managing the remote server and name it "rndcremotekey". You may use any name for the key as long as it matches on both servers. To configure rndc to use the key "rndcremotekey" for the remote server, add the following entries to the /etc/rndc.conf file.
# Add the key generated with command 'dnssec-keygen'
key "rndcremotekey" {
    algorithm hmac-md5;
    secret "mSqfSp6rKNHQwVG3JVHfzw==";
};

# Remote nameserver to be managed
server REMOTE_NS_IP {
    key "rndcremotekey";
};
Replace the placeholder REMOTE_NS_IP with the IP address of the remote nameserver.
We have now configured rndc to use key "rndcremotekey" when controlling the remote nameserver.
For the remote server to accept the commands, add the following entries to the /etc/named.conf file on the remote nameserver.
# Remote nameserver should use the same key
key "rndcremotekey" {
    algorithm hmac-md5;
    secret "mSqfSp6rKNHQwVG3JVHfzw==";
};

# Control statement to accept rndc commands
controls {
    inet REMOTE_NS_IP port 953
        allow { RNDC_HOST_IP; } keys { "rndcremotekey"; };
};
Replace the placeholders REMOTE_NS_IP and RNDC_HOST_IP with the IP address of the remote nameserver and the IP address of the server running rndc, respectively.
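Added example (not the page's own code and not a BIND tool): a small Python checker that reads both configuration fragments and reports the mistakes that make "rndc -s" fail or leave the control channel too open, namely a key that differs between rndc.conf and named.conf, a controls allow list that admits any address, a missing controls statement, and the legacy hmac-md5 algorithm. The sample fragments are constructed with RFC 5737 documentation addresses and the page's own sample secret; the regexes cover only the statement forms shown on this page.

```python
import re

# Statements as written in rndc.conf / named.conf; whitespace and newlines are free-form.
KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')
SERVER_RE = re.compile(r'server\s+(\S+)\s*\{\s*key\s+"([^"]+)"\s*;\s*\}\s*;')
CONTROLS_RE = re.compile(r'inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{([^}]*)\}'
                         r'\s*keys\s*\{([^}]*)\}')
OPEN_ACLS = {"any", "0.0.0.0/0", "::/0"}

def parse_keys(text: str) -> dict:
    """Map key name -> (algorithm, secret) for every key statement in the text."""
    return {name: (alg, secret) for name, alg, secret in KEY_RE.findall(text)}

def check_remote_control(rndc_conf: str, named_conf: str) -> list:
    """Findings that would make 'rndc -s <remote>' fail or leave the channel too open."""
    findings = []
    client_keys, server_keys = parse_keys(rndc_conf), parse_keys(named_conf)
    for remote, key_name in SERVER_RE.findall(rndc_conf):
        if key_name not in client_keys:
            findings.append(f"rndc.conf: server {remote} uses undefined key {key_name}")
        elif server_keys.get(key_name) != client_keys[key_name]:
            findings.append(f"key {key_name}: algorithm or secret differs between rndc.conf and named.conf")
        elif client_keys[key_name][0] == "hmac-md5":
            findings.append(f"key {key_name}: hmac-md5 is legacy; current BIND defaults to hmac-sha256")
    m = CONTROLS_RE.search(named_conf)
    if not m:
        return findings + ["named.conf: no 'controls { inet ... }' statement, rndc will be refused"]
    _listen, _port, allow, keys = m.groups()
    allowed = [a.strip() for a in allow.split(";") if a.strip()]
    key_names = [k.strip().strip('"') for k in keys.split(";") if k.strip()]
    if OPEN_ACLS & set(allowed):
        findings.append("controls: allow list admits any address; restrict it to the rndc host")
    for k in key_names:
        if k not in server_keys:
            findings.append(f"controls: key {k} is not defined in named.conf")
    return findings

# Constructed sample: RFC 5737 documentation addresses and the page's sample secret.
RNDC_CONF = '''
key "rndcremotekey" { algorithm hmac-md5; secret "mSqfSp6rKNHQwVG3JVHfzw=="; };
server 192.0.2.53 { key "rndcremotekey"; };
'''
NAMED_CONF = '''
key "rndcremotekey" { algorithm hmac-md5; secret "mSqfSp6rKNHQwVG3JVHfzw=="; };
controls { inet 192.0.2.53 port 953 allow { 198.51.100.7; } keys { "rndcremotekey"; }; };
'''
```

Running check_remote_control(RNDC_CONF, NAMED_CONF) on the sample reports only the hmac-md5 finding; swapping the allow entry for "any" or altering one copy of the secret adds the corresponding finding.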
Once done, restart the named service on the remote nameserver. You can then manage the remote server from the rndc host. To test the configuration, type the following on the rndc host, substituting the remote nameserver's IP address for REMOTE_NS_IP.
[root@localhost ~]# rndc -s REMOTE_NS_IP reload
server reload successful
[root@localhost ~]#
Using rndc
After the configuration, you may use rndc to reload the nameserver, flush its cache and see its status as follows:
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# rndc flush
[root@localhost ~]# rndc status
number of zones: 6
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
[root@localhost ~]#
To see more command line options, just type "rndc" with no arguments in the shell; it prints a list of useful options.
Conclusion
Though the startup script /etc/rc.d/init.d/named has an option to reload the configuration instead of restarting the named service, rndc provides more: for example, it can reload, refresh or retransfer a single zone, flush the DNS cache without restarting named, flush a single name from the cache, and show the server status. So to manage a nameserver efficiently, it is necessary to configure the rndc utility properly.