RNDC.CONF(5)                         BIND 9                        RNDC.CONF(5)

NAME
       rndc.conf - rndc configuration file

SYNOPSIS
       rndc.conf

DESCRIPTION
       rndc.conf is the configuration file for rndc, the BIND 9 name server
       control utility. This file has a similar structure and syntax to
       named.conf. Statements are enclosed in braces and terminated with a
       semi-colon. Clauses in the statements are also semi-colon terminated.
       The usual comment styles are supported:

       C style: /* */

       C++ style: // to end of line

       Unix style: # to end of line

       rndc.conf is much simpler than named.conf. The file uses three
       statements: an options statement, a server statement, and a key
       statement.

       The options statement contains five clauses. The default-server clause
       is followed by the name or address of a name server. This host is used
       when no name server is given as an argument to rndc. The default-key
       clause is followed by the name of a key, which is identified by a key
       statement. If no keyid is provided on the rndc command line, and no key
       clause is found in a matching server statement, this default key is
       used to authenticate the server's commands and responses. The
       default-port clause is followed by the port to connect to on the remote
       name server. If no port option is provided on the rndc command line,
       and no port clause is found in a matching server statement, this
       default port is used to connect. The default-source-address and
       default-source-address-v6 clauses can be used to set the IPv4 and IPv6
       source addresses respectively.

       After the server keyword, the server statement includes a string which
       is the hostname or address for a name server. The statement has three
       possible clauses: key, port, and addresses. The key name must match the
       name of a key statement in the file. The port number specifies the port
       to connect to. If an addresses clause is supplied, these addresses are
       used instead of the server name. Each address can take an optional port.
       If a source-address or source-address-v6 is supplied, it is used to
       specify the IPv4 and IPv6 source address, respectively.

       The key statement begins with an identifying string, the name of the
       key. The statement has two clauses. algorithm identifies the
       authentication algorithm for rndc to use; currently only HMAC-MD5 (for
       compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256 (default),
       HMAC-SHA384, and HMAC-SHA512 are supported. This is followed by a
       secret clause which contains the base-64 encoding of the algorithm's
       authentication key. The base-64 string is enclosed in double quotes.

       There are two common ways to generate the base-64 string for the secret.
       The BIND 9 program rndc-confgen can be used to generate a random key, or
       the mmencode program, also known as mimencode, can be used to generate a
       base-64 string from known input. mmencode does not ship with BIND 9 but
       is available on many systems. See the Example section for sample
       command lines for each.

EXAMPLE
          options {
            default-server  localhost;
            default-key     samplekey;
          };

          server localhost {
            key             samplekey;
          };

          server testserver {
            key     testkey;
            addresses   { localhost port 5353; };
          };

          key samplekey {
            algorithm       hmac-sha256;
            secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
          };

          key testkey {
            algorithm   hmac-sha256;
            secret      "R3HI8P6BKw9ZwXwN3VZKuQ==";
          };

       In the above example, rndc by default uses the server at localhost
       (127.0.0.1) and the key called "samplekey". Commands to the localhost
       server use the "samplekey" key, which must also be defined in the
       server's configuration file with the same name and secret. The key
       statement indicates that "samplekey" uses the HMAC-SHA256 algorithm and
       its secret clause contains the base-64 encoding of the HMAC-SHA256
       secret enclosed in double quotes.

       If rndc -s testserver is used, then rndc connects to the server on
       localhost port 5353 using the key "testkey".

       To generate a random secret with rndc-confgen:

       rndc-confgen

       A complete rndc.conf file, including the randomly generated key, is
       written to the standard output. Commented-out key and controls
       statements for named.conf are also printed.

       To generate a base-64 secret with mmencode:

       echo "known plaintext for a secret" | mmencode

NAME SERVER CONFIGURATION
       The name server must be configured to accept rndc connections and to
       recognize the key specified in the rndc.conf file, using the controls
       statement in named.conf. See the sections on the controls statement in
       the BIND 9 Administrator Reference Manual for details.
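
       The following Python script is an added example and is not part of
       BIND 9 or of this manual page. It generates a secret the way the key
       statement section above describes (random bytes, base-64 encoded),
       checks a key statement's algorithm and secret for the problems a
       reviewer would flag, and renders the rndc.conf key statement together
       with the named.conf key and controls statements that must carry the
       same name and secret. The listen address and allow list in the controls
       statement are assumptions for illustration; 953 is the conventional
       rndc port.

```python
import base64
import secrets

# Digest sizes (bytes) of the algorithms the page lists; hmac-md5 is kept only
# for compatibility. RFC 2104 recommends keys at least as long as the digest.
SUPPORTED = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
             "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}


def generate_secret(algorithm: str = "hmac-sha256") -> str:
    """Random key of digest length, base-64 encoded as rndc.conf expects."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return base64.b64encode(secrets.token_bytes(SUPPORTED[algorithm])).decode()


def check_secret(algorithm: str, secret: str) -> list[str]:
    """Problems a reviewer would flag in a key statement; empty means ok."""
    problems = []
    if algorithm not in SUPPORTED:
        problems.append(f"unsupported algorithm {algorithm}")
    elif algorithm == "hmac-md5":
        problems.append("hmac-md5 is supported for compatibility only")
    try:
        raw = base64.b64decode(secret, validate=True)  # strict alphabet, padding
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("secret is not valid base-64")
        return problems
    if algorithm in SUPPORTED and len(raw) < SUPPORTED[algorithm]:
        problems.append(f"secret has {len(raw)} bytes, shorter than the "
                        f"{SUPPORTED[algorithm]}-byte digest")
    return problems


def render(name: str, algorithm: str, secret: str) -> tuple[str, str]:
    """Return (rndc.conf key statement, named.conf key + controls statements).

    Both files must carry the same key name and secret. 953 is the usual rndc
    port; the listen address and allow list are assumptions for illustration.
    """
    key_stmt = (f'key "{name}" {{\n    algorithm {algorithm};\n'
                f'    secret "{secret}";\n}};\n')
    controls = ('controls {\n    inet 127.0.0.1 port 953 allow { 127.0.0.1; } '
                f'keys {{ "{name}"; }};\n}};\n')
    return key_stmt, key_stmt + controls


if __name__ == "__main__":
    rndc_part, named_part = render("samplekey", "hmac-sha256", generate_secret())
    print("# rndc.conf\n" + rndc_part + "\n# named.conf\n" + named_part)
```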

SEE ALSO
       rndc(8), rndc-confgen(8), mmencode(1), BIND 9 Administrator Reference
       Manual.

Author
       Internet Systems Consortium

Copyright
       2026, Internet Systems Consortium

9.20.21-1~deb13u1-Debian           2026-03-13                      RNDC.CONF(5)