mail us  |  mail this page

products  |  company  |  support  |  training  |  contact us

ZYTRAX OPEN LOGO

Blucat Banner

DNS BIND controls clause

This section describes the controls clause in BIND 9.x. The controls clause is used to define access information and controls when using remote administration services, for example, the rndc utility. The controls clause takes a single inet statement type, though more than one inet statement may be defined. Full list of statements.

controls {
   inet inet_spec [inet_spec]  ;
};

A controls clause is always defaulted and generates a TCP listen on port 953 (the default control port) of the loopback address for either or both of IPv4 and IPv6 (127.0.0.1 and/or ::1). If the remote administration will not be used, that is the rndc utility will not be used this control interface should be explicitly disabled by defining an empty controls clause as shown below:

controls {};

The primary access control method for remote administration, for example rndc in BIND 9, is via the use of keys defined within the inet statement (see below). To retain compatibility with previous versions of BIND or to run without a user generated key, a default key may be generated using the following command:

rndc-confgen -a

This command will create a file called rndc.key containing a default key clause with the name rndc-key in same directory as the named.conf file for the version of BIND being used and which is used for subsequent access to the control channel. If this command is not executed before BIND is loaded the following message will appear:

named [39248] none:0: open: /path/to/default/rndc.key: file not found

BIND will continue to run in this state but the control channel will not be operable. For full configuration of the inet statement and examples of its use in the controls clause see inet statements below.

inet

The inet statement defines a method to control access to the rndc (remote administration) utility. More than one inet statement may be included in a controls clause.

inet inet_spec [inet_spec] ..;

Each inet_spec parameter has the following format:

inet_spec = ( ip_addr | * ) [ port ip_port ] allow {  address_match_list  }
                keys {  key_list  };

The ip_address parameter defines the IP address of the local server interface on which rndc connections will be accepted. The wildcard value ("*") will allow connection on any of the server's IP addresses including the loopback address. The optional ip_port parameter allows a specific port to be nominated for use by rndc connections. The address_match_list defines the permitted hosts that can connect to the rndc channel. The key_list parameter contains a reference to one or more key clauses containing the list of permitted users who are allowed access. While address_match_lists can include a key parameter if one is present in the referenced address_match_list it is ignored, only keys defined in the key_list of the inet statement are permitted access. The key_list can be omitted in which case the file rndc.key in the same directory as named.conf and which contains a default key clause with the name rndc-key will be used to provide default access. The rndc.key file is created by running the command:

rndc-confgen -a

The following example shows that a user on the loopback address can use the default key for access while all other users must use the rndc-remote key, in all cases localhost will use port 953 (the default) and external connection port 7766. An acl clause is used as the source of the address_match_list:

// named.conf fragment
acl "rndc-users" {
     10.0.15.0/24;
     !10.0.16.1/24; // negated
     2001:db8:0:27::/64; // any address in subnet
 };
....
key "rndc-remote" {
     algorithm hmac-md5;
     secret "OmItW1lOyLVUEuvv+Fme+Q==";
};
controls {
     // local host - default key
     inet 127.0.0.1 allow {localhost;};
     inet * port 7766 allow {"rndc-users";} keys {"rndc-remote";};
};

Note: The keys clause above would normally be placed in a separate secure file and included into the named.conf file.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 dns records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfc's
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

web zytrax.com

Share Page

share page via facebook tweet this page submit page to stumbleupon submit page to reddit.com

Page Features

Page comment feature Send to a friend feature print this page Decrease font size Increase font size

RSS Feed Icon RSS Feed

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Applications

LibreOffice
OpenOffice
Mozilla
SourceForge
GNU-Free SW Foundation

Organisations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

SPF Resources

Draft RFC
SPF Web Site
SPF Testing
SPF Testing (member only)

Display full width page Full width page

Print this page Print this page

SPF Record Conformant Domain Logo

Copyright © 1994 - 2014 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: January 08 2014.