
234 Chapter 17. Berkeley Internet Name Domain (BIND)
key "key-name" {
    algorithm hmac-md5;
    secret "key-value";
};
Figure 17-22. Sample key statement in /etc/named.conf
In this case, the key-value is an HMAC-MD5 key. You can generate your own HMAC-MD5 keys
with the following command:
dnssec-keygen -a hmac-md5 -b bit-length -n HOST key-file-name
A key with at least a 256-bit length is a good idea. The actual key that should be placed in the
key-value area can be found in the key-file-name.
The name of the key used in /etc/named.conf should be something other than key.
17.3.1.2. /etc/rndc.conf
To configure rndc to automatically use the key specified in /etc/named.conf for the localhost,
three statements are needed. The options statement allows you to set the default server and key for
rndc to use, as seen in Figure 17-23.
options {
    default-server localhost;
    default-key "key-name";
};
Figure 17-23. Sample options statement in /etc/rndc.conf
Optionally, the rndc command can be told to use a default key when accessing a particular server, as
seen in Figure 17-24.
server localhost {
    key "key-name";
};
Figure 17-24. Sample server statement in /etc/rndc.conf
However, this server statement is only really helpful if you connect to multiple servers with rndc.
The key statement is the most important one in /etc/rndc.conf.
key "key-name" {
    algorithm hmac-md5;
    secret "key-value";
};
Figure 17-25. Sample key statement in /etc/rndc.conf
The key-name and key-value should be exactly the same as their settings in /etc/named.conf.
To test all of the settings, try the rndc reload command. You should see a response similar to this:
rndc: reload command successful
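As an added example that is not part of this manual, the POSIX shell check below parses constructed /etc/named.conf and /etc/rndc.conf fragments, verifies that the key named by default-key carries the same algorithm and secret in both files, and confirms the secret is at least 256 bits; the key name rndc-key and the secret are made-up values.

```shell
# Constructed sample fragments (not from the manual); the secret is a dummy
# 44-character base64 value, not a real key.
NAMED_CONF_SAMPLE='key "rndc-key" {
    algorithm hmac-md5;
    secret "ExampleOnlyNotARealKeyValue0123456789abcdef=";
};'
RNDC_CONF_SAMPLE='options {
    default-server localhost;
    default-key "rndc-key";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "ExampleOnlyNotARealKeyValue0123456789abcdef=";
};'
# Print one field (algorithm or secret) of the key block named $2 in config text $1.
key_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v field="$3" '
        $1 == "key" && $2 == ("\"" name "\"") { inblock = 1; next }
        inblock && $1 == "};" { inblock = 0 }
        inblock && $1 == field { gsub(/[";]/, "", $2); print $2; exit }'
}
# Print the default-key name from the options block of rndc.conf text $1.
rndc_default_key() {
    printf '%s\n' "$1" | awk '
        $1 == "options" { inblock = 1; next }
        inblock && $1 == "};" { inblock = 0 }
        inblock && $1 == "default-key" { gsub(/[";]/, "", $2); print $2; exit }'
}
# Size in bits of the decoded base64 secret, derived from its length and '=' padding.
base64_bits() {
    len=${#1}; unpadded=${1%%=*}
    echo $(( (len / 4 * 3 - (len - ${#unpadded})) * 8 ))
}
# Succeed only if rndc.conf's default-key names a key block present in both
# files with identical algorithm and secret, and the secret is at least 256 bits.
check_rndc_key() {
    name=$(rndc_default_key "$2")
    [ -n "$name" ] || { echo "rndc.conf: no default-key set"; return 1; }
    for field in algorithm secret; do
        a=$(key_field "$1" "$name" "$field"); b=$(key_field "$2" "$name" "$field")
        [ -n "$a" ] && [ "$a" = "$b" ] || { echo "$field differs for key $name"; return 1; }
    done
    bits=$(base64_bits "$(key_field "$1" "$name" secret)")
    [ "$bits" -ge 256 ] || { echo "secret for $name is only $bits bits"; return 1; }
    echo "key $name matches in both files ($bits-bit secret)"
}
check_rndc_key "$NAMED_CONF_SAMPLE" "$RNDC_CONF_SAMPLE"
```

To run it against real files, pass their contents instead of the samples, for example check_rndc_key "$(cat /etc/named.conf)" "$(cat /etc/rndc.conf)".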