Implementing rndc

The BIND 8 ndc and BIND 9 rndc name server control tools are not backward compatible. rndc can not talk to the BIND 8 name server and ndc can not talk to the BIND 9 name server. Features, options, default modes of operation, and configuration file requirements have changed. Therefore, using ndc on a BIND 9 server could result in loss of functionality or insecure operation. See the rndc(1M) man page for more information.

The rndc.conf Configuration File

The most significant difference between ndc in BIND 8 and rndc in BIND 9 is that rndc needs its own configuration file, rndc.conf. This file can be generated by rndc-confgen commands. The rndc.conf file specifies which server controls and what algorithm the server should use.

Example 3-1 Sample rndc.conf File

options {
             default-server localhost;
             default-key "rndc-key";
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };

Example 3-2 Sample named.conf File Entry for rndc

controls {
             inet * allow { any; } keys { "rndc-key"; };
     };

     key "rndc-key" {
             algorithm hmac-md5;
             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
     };

Differences in the Control Channels

Both the ndc and the rndc utilities use a control channel to send commands to and retrieve information from a name server. However, there are differences between the utilities.

• In BIND 8, ndc can use AF_UNIX domain sockets (UNIX control channel) or TCP/IP sockets (inet control channel). By default, ndc does not need any support in /etc/named.conf, because BIND 8 servers use a UNIX domain socket with a path (/var/run/ndc.d/ndc) compiled into in.named.

  For BIND 9, however, rndc only uses an authenticated TCP/IP inet control channel and so is not backward compatible with BIND 8. There is no UNIX domain socket support for control channels in BIND 9 servers.

• When using rndc, you need to specify a 'key' clause to communicate with the name server. It is mandatory that the BIND 9 server and the rndc client share the same key (defined both in /etc/named.conf and /etc/rndc.conf). Using the BIND 8 controls entry in BIND 9 will result in an error message.

• Some command options have changed from the ndc to the rndc implementation. This includes the -c option, which has a different syntax in BIND 9. Therefore, to specify the control channel in BIND 9, use rndc -s <server> -p <port>.

Commands of BIND 9 rndc

The following list describes the rndc commands.

reload

Reload configuration file and zones

reload zone [class [view]]

Reload a single zone

refresh zone [class [view]]

Schedule immediate maintenance for a zone

reconfig

Reload configuration file and new zones only

stats

Write server statistics to the statistics file

querylog

Toggle query logging

dumpdb

Dump cache(s) to the dump file (named_dump.db)

stop

Save pending updates to master files and stop the server

halt

Stop the server without saving pending updates

trace

Increment debugging level by one

trace level

Change the debugging level

notrace

Set debugging level to 0

flush

Flushes all of the server's caches

flush [view]

Flushes the server's cache for a view

status

Display status of the server

restart

Restart the server (not yet implemented)