diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 7fa1c3f156..dce5ef1d71 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -813,7 +813,11 @@ configuration file. The default location for the location can be specified with the option. If the configuration file is not found, rndc will also look in -/etc/rndc.key to find a key to use +/etc/rndc.key (or whatever +sysconfdir was defined when +the BIND build was configured). +The rndc.key file is generated by +running rndc-confgen -a as described in . The format of the configuration file is similar to @@ -882,11 +886,22 @@ to reload, if a nameserver on the local machine were running with following controls statements: controls { - inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; + inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; and it had an identical key statement for rndc_key. + +Running the rndc-confgen program will +conveniently create a rndc.conf +file for you, and also display the +corresponding controls statement that you need to +add to named.conf. Alternatively, +you can run rndc-confgen -a to set up +a rndc.key file and not modify +named.conf at all. + + 
@@ -2204,26 +2219,43 @@ the system has an interface. must be signed by one of its specified keys to be honored. - If keys clause does not exist - named will look for - /etc/rndc.key and use the key found - there. + +If no controls statement is present, +named will set up a default +control channel listening on the loopback address 127.0.0.1 +and its IPv6 counterpart ::1. - Similarly, /etc/rndc.key.key is used - no controls statement is present at all. In - that situation it will configure control channels to run on - all interfaces. +In this case, and also when the controls statement +is present but does not have a keys clause, +named will attempt to load the command channel key +from the file rndc.key in +/etc (or whatever sysconfdir +was specified as when BIND was built). +To create a rndc.key file, run +rndc-confgen -a. + - The /etc/rndc.key feature was created to + The rndc.key feature was created to ease the transition of systems from BIND 8, which did not have digital signatures on its command channel messages - and thus did not have a keys clause. Since - it is only intended to allow the backward-compatible usage of + and thus did not have a keys clause. + +It makes it possible to use an existing BIND 8 +configuration file in BIND 9 unchanged, +and still have rndc work the same way +ndc worked in BIND 8, simply by executing the +command rndc-keygen -a after BIND 9 is +installed. + + + + Since the rndc.key feature + is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a rndc.conf with your own key if you wish to change - those things. The /etc/rndc.key file also has its + those things. The rndc.key file also has its permissions set such that only the owner of the file (the user that named is running as) can access it. If you desire greater flexibility in allowing other users to access
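Review bot: in the @@ -813 hunk, "The rndc.key file is generated by running rndc-confgen -a" can be read as saying the file is generated automatically; since the preceding sentence says rndc only falls back to this file when rndc.conf is not found, say "can be generated by running rndc-confgen -a" (or "must be generated"), otherwise an administrator may expect rndc to work out of the box. The parenthetical "(or whatever sysconfdir was defined when the BIND build was configured)" also attaches to the whole path /etc/rndc.key rather than to the directory part; the later hunk's wording, "rndc.key in /etc (or whatever sysconfdir ...)", is clearer and the two passages should use the same form.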
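Review bot: in the @@ -882 hunk, "will conveniently create a rndc.conf file for you, and also display the corresponding controls statement" overstates what plain rndc-confgen does: without -a it prints the rndc.conf contents to standard output along with the controls statement, and the administrator has to save the first part to rndc.conf and paste the second into named.conf; only the -a form, as the same paragraph says, writes a file (rndc.key). Suggest "will print an rndc.conf file for you, together with the corresponding controls statement that you need to add to named.conf". Also "a rndc.conf" and "a rndc.key" should be "an rndc.conf" and "an rndc.key" (same in the @@ -2204 hunk: "a rndc.conf with your own key").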
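Review bot: in the @@ -2204 hunk, "simply by executing the command rndc-keygen -a" should read "rndc-confgen -a"; there is no rndc-keygen, and every other occurrence in this patch, including the sentence just above it ("To create a rndc.key file, run rndc-confgen -a"), uses rndc-confgen. "or whatever sysconfdir was specified as when BIND was built" also has a stray "as"; suggest "or whatever sysconfdir was specified when BIND was built". Note that this hunk also changes the documented default from "configure control channels to run on all interfaces" to a loopback-only channel on 127.0.0.1 and ::1, which matters for security (it says the command channel is not reachable off-host by default); please confirm the new text matches what named actually does when no controls statement is present, and consider mentioning that the loopback default applies only when no controls statement is given at all, since an explicit inet clause overrides it.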