Bind9 Controls
From: https://www.zytrax.com/books/dns/ch7/controls.html#inet
DNS BIND controls clause
This section describes the controls clause in BIND 9.x. The controls clause is
used to define access information and controls when using remote administration
services, for example, the rndc utility. The controls clause takes a single inet
statement type, though more than one inet statement may be defined. Full list of
statements.
controls
{
inet inet_spec [inet_spec] ;
};
A controls clause is always defaulted and generates a TCP listen on port 953
(the default control port) of the loopback address for either or both of IPv4
and IPv6 (127.0.0.1 and/or ::1). If the remote administration will not be used,
that is the rndc utility will not be used this control interface should be
explicitly disabled by defining an empty controls clause as shown below:
controls {};
The primary access control method for remote administration, for example rndc in
BIND 9, is via the use of keys defined within the inet statement (see below). To
retain compatibility with previous versions of BIND or to run without a user
generated key, a default key may be generated using the following command:
rndc-confgen -a
This command will create a file called rndc.key containing a default key clause
with the name rndc-key in same directory as the named.conf file for the version
of BIND being used and which is used for subsequent access to the control
channel. If this command is not executed before BIND is loaded the following
message will appear:
named [39248] none:0: open: /path/to/default/rndc.key: file not found
BIND will continue to run in this state but the control channel will not be
operable. For full configuration of the inet statement and examples of its use
in the controls clause see inet statements below.
inet
The inet statement defines a method to control access to the rndc (remote
administration) utility. More than one inet statement may be included in a
controls clause.
inet inet_spec [inet_spec] ..;
Each inet_spec parameter has the following format:
inet_spec = ( ip_addr | * ) [ port ip_port ] allow { address_match_list }
keys { key_list };
The ip_address parameter defines the IP address of the local server interface on
which rndc connections will be accepted. The wildcard value ("*") will allow
connection on any of the server's IP addresses including the loopback address.
The optional ip_port parameter allows a specific port to be nominated for use by
rndc connections. The address_match_list defines the permitted hosts that can
connect to the rndc channel. The key_list parameter contains a reference to one
or more key clauses containing the list of permitted users who are allowed
access. While address_match_lists can include a key parameter if one is present
in the referenced address_match_list it is ignored, only keys defined in the
key_list of the inet statement are permitted access. The key_list can be omitted
in which case the file rndc.key in the same directory as named.conf and which
contains a default key clause with the name rndc-key will be used to provide
default access. The rndc.key file is created by running the command:
rndc-confgen -a
The following example shows that a user on the loopback address can use the
default key for access while all other users must use the rndc-remote key, in
all cases localhost will use port 953 (the default) and external connection port
7766. An acl clause is used as the source of the address_match_list:
// named.conf fragment
acl "rndc-users"
{
10.0.15.0/24;
!10.0.16.1/24; // NEGATED
2001:db8:0:27::/64; // ANY ADDRESS IN SUBNET
};
....
key "rndc-remote"
{
algorithm hmac-md5;
secret "OmItW1lOyLVUEuvv+Fme+Q==";
};
controls
{
// LOCAL HOST - DEFAULT KEY
inet 127.0.0.1 allow {localhost;};
inet * port 7766 allow {"rndc-users";} keys {"rndc-remote";};
};
Note: The keys clause above would normally be placed in a separate secure file
and included into the named.conf file.