Implementing rndc

Implementing `rndc`

The BIND 8 ndc and BIND 9 rndc name server control tools are not backward compatible. rndc can not talk to the BIND 8 name server and ndc can not talk to the BIND 9 name server. Features, options, default modes of operation, and configuration file requirements have changed. Therefore, using ndc on a BIND 9 server could result in loss of functionality or insecure operation. See the rndc(1M) man page for more information.

The `rndc.conf` Configuration File

The most significant difference between ndc in BIND 8 and rndc in BIND 9 is that rndc needs its own configuration file, rndc.conf. This file can be generated by rndc-confgen commands. The rndc.conf file specifies which server controls and what algorithm the server should use.

Example 3-1 Sample `rndc.conf` File

options {
             default-server localhost;
             default-key "rndc-key";
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };

Example 3-2 Sample `named.conf` File Entry for `rndc`

controls {
             inet * allow { any; } keys { "rndc-key"; };
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };

Differences in the Control Channels

Both the ndc and the rndc utilities use a control channel to send commands to and retrieve information from a name server. However, there are differences between the utilities.

In BIND 8, ndc can use AF_UNIX domain sockets (UNIX control channel) or TCP/IP sockets (inet control channel). By default, ndc does not need any support in /etc/named.conf, because BIND 8 servers use a UNIX domain socket with a path (/var/run/ndc.d/ndc) compiled into in.named.
For BIND 9, however, rndc only uses an authenticated TCP/IP inet control channel and so is not backward compatible with BIND 8. There is no UNIX domain socket support for control channels in BIND 9 servers.
When using rndc, you need to specify a 'key' clause to communicate with the name server. It is mandatory that the BIND 9 server and the rndc client share the same key (defined both in /etc/named.conf and /etc/rndc.conf). Using the BIND 8 controls entry in BIND 9 will result in an error message.
Some command options have changed from the ndc to the rndc implementation. This includes the -c option, which has a different syntax in BIND 9. Therefore, to specify the control channel in BIND 9, use rndc -s <server> -p <port>.

Commands of BIND 9 `rndc`

The following list describes the rndc commands.

reload: Reload configuration file and zones
reload zone [class [view]]: Reload a single zone
refresh zone [class [view]]: Schedule immediate maintenance for a zone
reconfig: Reload configuration file and new zones only
stats: Write server statistics to the statistics file
querylog: Toggle query logging
dumpdb: Dump cache(s) to the dump file (named_dump.db)
stop: Save pending updates to master files and stop the server
halt: Stop the server without saving pending updates
trace: Increment debugging level by one
trace level: Change the debugging level
notrace: Set debugging level to 0
flush: Flushes all of the server's caches
flush [view]: Flushes the server's cache for a view
status: Display status of the server
restart: Restart the server (not yet implemented)

The rndc.conf Configuration File

Example 3-1 Sample rndc.conf File

Example 3-2 Sample named.conf File Entry for rndc

Differences in the Control Channels

Commands of BIND 9 rndc