10.2.4. Using the rndc Utility

⁠10.2.4. Using the rndc Utility

The rndc utility is a command-line tool that allows you to administer the named service, both locally and from a remote machine. Its usage is as follows:

rndc [option...] command [command-option]

⁠10.2.4.1. Configuring the Utility

To prevent unauthorized access to the service, named must be configured to listen on the selected port (953 by default), and an identical key must be used by both the service and the rndc utility.

⁠

Table 10.7. Relevant files

Path	Description
`/etc/named.conf`	The default configuration file for the `named` service.
`/etc/rndc.conf`	The default configuration file for the `rndc` utility.
`/etc/rndc.key`	The default key location.

The rndc configuration is located in /etc/rndc.conf. If the file does not exist, the utility will use the key located in /etc/rndc.key, which was generated automatically during the installation process using the rndc-confgen -a command.

The named service is configured using the controls statement in the /etc/named.conf configuration file as described in Section 10.2.2.3, “Other Statement Types”. Unless this statement is present, only the connections from the loopback address (127.0.0.1) will be allowed, and the key located in /etc/rndc.key will be used.

For more information on this topic, refer to manual pages and the BIND 9 Administrator Reference Manual listed in Section 10.2.8, “Additional Resources”.

Set the correct permissions

To prevent unprivileged users from sending control commands to the service, make sure only root is allowed to read the /etc/rndc.key file:

~]# chmod o-rwx /etc/rndc.key

⁠10.2.4.2. Checking the Service Status

To check the current status of the named service, use the following command:

~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

⁠10.2.4.3. Reloading the Configuration and Zones

To reload both the configuration file and zones, type the following at a shell prompt:

~]# rndc reload
server reload successful

This will reload the zones while keeping all previously cached responses, so that you can make changes to the zone files without losing all stored name resolutions.

To reload a single zone, specify its name after the reload command, for example:

~]# rndc reload localhost
zone reload up-to-date

Finally, to reload the configuration file and newly added zones only, type:

~]# rndc reconfig

Modifying zones with dynamic DNS

If you intend to manually modify a zone that uses Dynamic DNS (DDNS), make sure you run the freeze command first:

~]# rndc freeze localhost

Once you are finished, run the thaw command to allow the DDNS again and reload the zone:

~]# rndc thaw localhost
The zone reload and thaw was successful.

⁠10.2.4.4. Updating Zone Keys

To update the DNSSEC keys and sign the zone, use the sign command. For example:

~]# rndc sign localhost

Note that to sign a zone with the above command, the auto-dnssec option has to be set to maintain in the zone statement. For example:

zone "localhost" IN {
  type master;
  file "named.localhost";
  allow-update { none; };
  auto-dnssec maintain;
};

⁠10.2.4.5. Enabling the DNSSEC Validation

To enable the DNSSEC validation, issue the following command as root:

~]# rndc validation on

Similarly, to disable this option, type:

~]# rndc validation off

Refer to the options statement described in Section 10.2.2.2, “Common Statement Types” for information on how to configure this option in /etc/named.conf.

⁠10.2.4.6. Enabling the Query Logging

To enable (or disable in case it is currently enabled) the query logging, issue the following command as root:

~]# rndc querylog

To check the current setting, use the status command as described in Section 10.2.4.2, “Checking the Service Status”.