[deployment-guide/comm-rel: 146/727] Corrections in the 8.4 section.
Jaromir Hradilek
jhradile at fedoraproject.org
Tue Oct 19 12:36:32 UTC 2010
commit 6ac001cdb55f943831da58d094f9fe19c3088946
Author: Adam Tkac <atkac at redhat.com>
Date: Mon Jul 12 13:04:12 2010 +0200
Corrections in the 8.4 section.
en-US/The_BIND_DNS_Server.xml | 101 ++++-------------------------------------
1 files changed, 10 insertions(+), 91 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index dfa23b8..bf9a2af 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -1597,16 +1597,10 @@ zone "1.0.10.in-addr.arpa" IN {
<command>rndc</command> program</secondary>
</indexterm>
<para>BIND includes a utility called <command>rndc</command> which allows command line administration of the <command>named</command> daemon from the localhost or <!-- RHEL5: from -->a remote host.</para>
- <para>In order to prevent unauthorized access to the <command>named</command> daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both <filename>/etc/named.conf</filename> and the <command>rndc</command> configuration file, <filename>/etc/rndc.conf</filename>.</para>
- <note>
- <title>Note</title>
- <para>If you have installed the <filename>bind-chroot</filename> package, the BIND service will run in the <command>/var/named/chroot</command> environment. All configuration files will be moved there. As such, the <filename>rndc.conf</filename> file is located in <filename>/var/named/chroot/etc/rndc.conf</filename>.</para>
- <para>Note that since the <command>rndc</command> utility does not run in a <command>chroot</command> environment, <filename>/etc/rndc.conf</filename> is a symlink to <filename>/var/named/chroot/etc/rndc.conf</filename>.</para>
- </note>
+ <para>In order to prevent unauthorized access to the <command>named</command> daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be used by both <command>named</command> and the <command>rndc</command> processes. By default, both use key located in <filename>/etc/rndc.key</filename>.</para>
<section
id="s2-bind-rndc-configuration-namedconf">
- <title>Configuring <filename>/etc/named.conf</filename>
- </title>
+ <title>Configuring <command>named</command> process</title>
<indexterm
significance="normal">
<primary>BIND</primary>
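Review bot: the replacement <para> in this hunk drops an article ("both use key located in" should be "both use the key located in"), and the new section title "Configuring <command>named</command> process" reads better as "Configuring the <command>named</command> process". Deleting the bind-chroot <note> also leaves the section with no mention of where the key lives when the server runs under /var/named/chroot; if that note is obsolete for this release, a one-line pointer would still help readers upgrading from the old layout, otherwise keep it.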
@@ -1614,38 +1608,16 @@ zone "1.0.10.in-addr.arpa" IN {
<command>rndc</command> program</secondary>
<tertiary>configuring <command>named</command> to use</tertiary>
</indexterm>
- <para>In order for <command>rndc</command> to connect to a <command>named</command> service, there must be a <command>controls</command> statement in the BIND server's <filename>/etc/named.conf</filename> file.</para>
- <para>The <command>controls</command> statement, shown in the following example, allows <command>rndc</command> to connect from the localhost.</para>
- <screen>
-controls {
- inet 127.0.0.1
- allow { localhost; } keys { <replaceable><key-name></replaceable>; };
-};
-</screen>
- <para>This statement tells <command>named</command> to listen on the default TCP port 953 of the loopback address and allow <command>rndc</command> commands coming from the localhost, if the proper key is given. The <replaceable><key-name></replaceable> specifies a name in the <command>key</command> statement within the <filename>/etc/named.conf</filename> file. The next example illustrates a sample <command>key</command> statement.</para>
- <screen>
-key "<replaceable><key-name></replaceable>" {
- algorithm hmac-md5;
- secret "<replaceable><key-value></replaceable>";
-};
-</screen>
- <para>In this case, the <replaceable><key-value></replaceable> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:</para>
- <screen>
-<command>dnssec-keygen -a hmac-md5 -b <replaceable><bit-length></replaceable> -n HOST <replaceable><key-file-name></replaceable>
- </command>
- </screen>
- <para>A key with at least a 256-bit length is a good idea. The actual key that should be placed in the <replaceable><key-value></replaceable> area can be found in the <filename><replaceable><key-file-name></replaceable>
- </filename> file generated by this command.</para>
+ <para>In order for <command>rndc</command> to connect to a <command>named</command> service, <command>named</command> must be configured to listen on the rndc control port (953) and must use same shared key as <command>rndc</command>.</para>
+ <para>The rndc control channel is configured by the <command>controls</command> statement in the <filename>/etc/named.conf</filename>. By default, when no controls statement is present, named allows connection from the loopback device and uses key located in <filename>/etc/rndc.key</filename>, which is automatically generated during installation via <command>rndc-confgen -a</command> command. Refer to the <citetitle>BIND 9 Administrator Reference Manual</citetitle> referenced in <xref linkend="s2-bind-installed-docs"/> and the <filename>named.conf</filename> man page for more details about the <command>controls</command> statement.</para>
<warning>
<title>Warning</title>
- <para>Because <filename>/etc/named.conf</filename> is world-readable, it is <!-- RHEL5: a good idea -->advisable to place the <command>key</command> statement in a separate file, readable only by root, and then use an <command>include</command> statement to reference it. For example:</para>
- <screen>include "/etc/rndc.key";</screen>
+ <para>It is a good idea to keep <filename>/etc/rndc.key</filename> readable only by root, otherwise unprivileged users can send control commands to the <command>named</command> process.</para>
</warning>
</section>
<section
id="s2-bind-rndc-configuration-rndcconf">
- <title>Configuring <filename>/etc/rndc.conf</filename>
- </title>
+ <title>Configuring <command>rndc</command></title>
<indexterm
significance="normal">
<primary>BIND</primary>
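Review bot: the new <warning> says /etc/rndc.key should be "readable only by root", but <command>named</command> itself must read that key to authenticate control-channel commands and it does not run as root; the Fedora package installs the file as root:named with mode 0640, so "readable only by root and the named user" (or "not readable by unprivileged users") would be accurate. Two grammar points in the same hunk: "must use same shared key" should be "must use the same shared key", and "uses key located in" should be "uses the key located in".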
@@ -1662,33 +1634,7 @@ key "<replaceable><key-name></replaceable>" {
<command>rndc</command> program</secondary>
<tertiary>configuring keys</tertiary>
</indexterm>
- <para>The <command>key</command> is the most important statement in <filename>/etc/rndc.conf</filename>.</para>
- <screen>
-key "<replaceable><key-name></replaceable>" {
- algorithm hmac-md5;
- secret "<replaceable><key-value></replaceable>";
-};
-</screen>
- <para>The <replaceable><key-name></replaceable> and <replaceable><key-value></replaceable> should be exactly the same as their settings in <filename>/etc/named.conf</filename>.</para>
- <para>To match the keys specified in the target server's <filename>/etc/named.conf</filename>, add the following lines to <filename>/etc/rndc.conf</filename>.</para>
- <screen>
-options {
- default-server localhost;
- default-key "<replaceable><key-name></replaceable>";
-};
-</screen>
- <para>This directive sets a global default key. However, the <filename>rndc</filename> configuration file can also specify different keys for different servers, as in the following example:</para>
- <screen>
-server localhost {
- key "<replaceable><key-name></replaceable>";
-};
-</screen>
- <!-- RHEL5: ddomingo at redhat.com: replaced <warning> with <important> below -->
- <important>
- <title>Important</title>
- <para>Make sure that only the root user can read or write to the <filename>/etc/rndc.conf</filename> file.</para>
- </important>
- <para>For more information about the <filename>/etc/rndc.conf</filename> file, refer to the <filename>rndc.conf</filename> man page.</para>
+ <para>The <command>rndc</command> configuration is located in the <filename>/etc/rndc.conf</filename>. By default this file is not present and <command>rndc</command> uses the key located in <filename>/etc/rndc.key</filename>. Refer to the <command>rndc</command> and the <filename>rndc.conf</filename> man pages for more details.</para>
</section>
<section
id="s2-bind-rndc-options">
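Review bot: "located in the <filename>/etc/rndc.conf</filename>" should drop "the", and "By default this file is not present" wants a comma after "By default". The removed <important> about keeping /etc/rndc.conf readable and writable only by root still applies whenever an administrator does create that file with its own <command>key</command> statement; consider keeping one sentence of it in the replacement <para>.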
@@ -1707,54 +1653,27 @@ server localhost {
<itemizedlist>
<listitem>
<para>
- <command>halt</command> — Stops the <filename>named</filename> service immediately.</para>
- </listitem>
- <listitem>
- <para>
<command>querylog</command> — Logs all queries made to this nameserver.</para>
</listitem>
<listitem>
<para>
- <command>refresh</command> — Refreshes the nameserver's database.</para>
- </listitem>
- <listitem>
- <para>
<command>reload</command> — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.</para>
<para>If changes made only affect<!-- RHEL5: ed --> a specific zone, reload only that specific zone by adding the name of the zone after the <command>reload</command> command.</para>
</listitem>
<listitem>
<para>
- <command>stats</command> — Dumps the current <command>named</command> statistics to the <filename>/var/named/named.stats</filename> file.</para>
- </listitem>
- <listitem>
- <para>
<command>stop</command> — Stops the server gracefully, saving any dynamic update and <firstterm>Incremental Zone Transfers</firstterm> (<firstterm>IXFR</firstterm>) data before exiting.</para>
</listitem>
- </itemizedlist>
- <para>Occasionally, it may be necessary to override the default settings in the <filename>/etc/rndc.conf</filename> file. The following options are available:</para>
- <itemizedlist>
- <listitem>
- <para>
- <command>-c <replaceable><configuration-file></replaceable>
- </command> — Specifies the alternate location of a configuration file.</para>
- </listitem>
- <listitem>
- <para>
- <command>-p <replaceable><port-number></replaceable>
- </command> — Specifies a port number to use for the <command>rndc</command> connection other than the default port 953.</para>
- </listitem>
<listitem>
<para>
- <command>-s <replaceable><server></replaceable>
- </command> — Specifies a server other than the <command>default-server</command> listed in <filename>/etc/rndc.conf</filename>.</para>
+ <command>sign <replaceable><zone></replaceable></command> - Update zone DNSSEC keys and sign it as needed.</para>
</listitem>
<listitem>
<para>
- <command>-y <replaceable><key-name></replaceable>
- </command> — Specifies a key other than the <command>default-key</command> option in <filename>/etc/rndc.conf</filename>.</para>
+ <command>validation <replaceable><on|off></replaceable></command> - Turn on/off DNSSEC validation.</para>
</listitem>
</itemizedlist>
- <para>Additional information about these options can be found in the <command>rndc</command> man page.</para>
+ <para>Additional information can be found in the <command>rndc</command> man page.</para>
</section>
</section>
<section
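Review bot: the two added <listitem> entries separate the command from its description with a plain hyphen ("-") while every sibling item uses an em dash ("—"); match the existing style. "Update zone DNSSEC keys and sign it as needed" also mixes its referent; "Update the zone's DNSSEC keys and re-sign the zone as needed" reads cleaner. Dropping the <command>halt</command>, <command>refresh</command> and <command>stats</command> items is a larger change than the commit message ("Corrections") suggests; if those commands are still supported in this BIND release, the removal deserves a justification in the commit message.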