The controls statement, shown in the following example, allows rndc to connect from the localhost.

    controls {
        inet 127.0.0.1 allow { localhost; } keys { ; };
    };

This statement tells named to listen on the default TCP port 953 of the loopback address and allow rndc commands coming from the localhost, if the proper key is given. The specifies a name in the key statement within the /etc/named.conf file. The next example illustrates a sample key statement.

    key "" {
        algorithm hmac-md5;
        secret "";
    };

In this case, the uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:

    dnssec-keygen -a hmac-md5 -b -n HOST

A key with at least a 256-bit length is a good idea. The actual key that should be placed in the area can be found in the file generated by this command.

Warning

Because /etc/named.conf is world-readable, it is a good idea to place the key statement in a separate file, readable only by root, and then use an include statement to reference it. For example:

    include "/etc/rndc.key";

4.2. Configuring /etc/rndc.conf

The key is the most important statement in /etc/rndc.conf.

    key "" {
        algorithm hmac-md5;
        secret "";
    };

The and should be exactly the same as their settings in /etc/named.conf.

To match the keys specified in the target server's /etc/named.conf, add the following lines to /etc/rndc.conf.

    options {
        default-server localhost;
        default-key "";
    };

Chapter 12. Berkeley Internet...
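The two requirements above (a key file that only its owner can read, and a key statement in /etc/rndc.conf that matches the one named uses) can be checked mechanically. The following is an added example, not part of the original documentation: the function names, the key name "example-key" and the secret are constructed for illustration, and the expected owner is a parameter that defaults to root (UID 0).

```python
import os
import re
import stat
import tempfile

# Matches: key "<name>" { algorithm <alg>; secret "<base64>"; };
KEY_RE = re.compile(
    r'\bkey\s+"?([^"\s{;]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')

def parse_keys(text):
    """Return {name: (algorithm, secret)} for every key statement in text."""
    # Drop whole-line comments only; base64 secrets may legitimately contain "//".
    text = re.sub(r'(?m)^\s*(#|//).*$', '', text)
    return {m[1]: (m[2].lower(), m[3]) for m in KEY_RE.finditer(text)}

def audit(key_file, rndc_conf_text, owner_uid=0):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    st = os.stat(key_file)
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is accessible to group or other")
    if st.st_uid != owner_uid:
        findings.append("key file is not owned by the expected user")
    with open(key_file) as fh:
        server = parse_keys(fh.read())
    for name, value in parse_keys(rndc_conf_text).items():
        if name not in server:
            findings.append(f"rndc key {name!r} is not defined for named")
        elif server[name] != value:  # never echo the secret itself
            findings.append(f"rndc key {name!r}: algorithm or secret differs")
    return findings

# Constructed sample data: key name and secret are placeholders, not real keys.
SAMPLE_KEY = 'key "example-key" {\n  algorithm hmac-md5;\n  secret "Q09OU1RSVUNURUQ//w==";\n};\n'
SAMPLE_RNDC = SAMPLE_KEY + 'options {\n  default-server localhost;\n  default-key "example-key";\n};\n'

def demo():
    """Write the sample key file with two different modes and audit each."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rndc.key")
        with open(path, "w") as fh:
            fh.write(SAMPLE_KEY)
        os.chmod(path, 0o644)  # world-readable, as the warning describes
        loose = audit(path, SAMPLE_RNDC, owner_uid=os.getuid())
        os.chmod(path, 0o600)  # readable by the owner only
        tight = audit(path, SAMPLE_RNDC, owner_uid=os.getuid())
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

On a real server, call audit("/etc/rndc.key", open("/etc/rndc.conf").read()) as root; findings name the key but never print its secret.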