What is rndc.conf? Things are running without it, though?? An excerpt from rndc.conf.html:
The key statement begins with an identifying string, the name of the key. The statement has two clauses. algorithm identifies the encryption algorithm for rndc to use; currently only HMAC-MD5 is supported. This is followed by a secret clause which contains the base-64 encoding of the algorithm's encryption key. The base-64 string is enclosed in double quotes.
EXAMPLE
options {
default-server localhost;
default-key samplekey;
};
server localhost {
key samplekey;
};
key samplekey {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
At present named (BIND) runs fine without an rndc.conf. Isn't there a sample lying around somewhere?
# find / -name rndc.conf
/usr/local/src/bind-9.2.3/bin/rndc/rndc.conf
/usr/local/src/bind-9.2.3/bin/tests/system/common/rndc.conf
What does it look like?
# cat /usr/local/src/bind-9.2.3/bin/rndc/rndc.conf
/*
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.conf,v 1.7 2001/01/09 21:40:45 bwelling Exp $ */
/*
* Sample rndc configuration file.
*/
options {
default-server localhost;
default-key "key";
};
server localhost {
key "key";
};
key "key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
And what about this one?
# cat /usr/local/src/bind-9.2.3/bin/tests/system/common/rndc.conf
/*
* Copyright (C) 2000, 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc.conf,v 1.2 2001/01/09 21:42:29 bwelling Exp $ */
options {
default-key "rndc_key";
};
key rndc_key {
algorithm hmac-md5;
secret "1234abcd8765";
};
A brief description:
rndc-confgen
Name
rndc-confgen -- rndc key generation tool
Synopsis
rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
I usually create it like this:
# which rndc-confgen
/usr/local/sbin/rndc-confgen
# /usr/local/sbin/rndc-confgen -a -b 512
Now let's create it a little more carefully.
# /usr/local/sbin/rndc-confgen -b 512 -r /dev/random -k samplekey > rndc.conf
# ls -l rndc.conf
-rw-r--r-- 1 root root 611 Mar 29 23:16 rndc.conf
Then:
# cat rndc.conf
# Start of rndc.conf
key "samplekey" {
algorithm hmac-md5;
secret "kxvSo3N3R48osXsOl0U950ckbuuZTCSWiM3oF8257W73lV+JMToCTPQqw+IcelLtuDuewRU2aN3v2qOiA==";
};
options {
default-key "samplekey";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "samplekey" {
# algorithm hmac-md5;
# secret "kxvSo3N3R48osXsOl0U950ckbuuZTCSWiM3oF8257W73lV+JMToCTPQqw+IcelLtuDuewRU2aN3v2qOiA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "samplekey"; };
# };
# End of named.conf
With the -a option added:
# /usr/local/sbin/rndc-confgen -a -b 512 -r /dev/random -k samplekey > rndc.conf
# ls -l rndc*
-rw-r--r-- 1 root root 0 Mar 29 23:28 rndc.conf
-rw------- 1 root root 142 Mar 29 23:28 rndc.key
So if you want it written to a file, you leave out -a. Is that what it means?
# cat -v rndc.key
key "samplekey" {
algorithm hmac-md5;
secret
"rbltTHc/s8M/qQSFc6MKDwj3B+aawmc+eeLt1da42N5xXa359n/pu5vxjhz\
OV2yOOc+VJyGl24XqPHB67TvShQ==";
};
Too much for a Japanese cat like me, but for reference:
file:///usr/local/src/bind-9.2.3/bin/rndc/rndc-confgen.html
rndc-confgen
Name
rndc-confgen -- rndc key generation tool
Synopsis
rndc-confgen [-a] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
DESCRIPTION
rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf by hand. Alternatively, it can be run with the -a option to set up a rndc.key file and avoid the need for a rndc.conf file and a controls statement altogether.
OPTIONS
-a
Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified as when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named with no further configuration. Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.
-b keysize
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-c keyfile
Used with the -a option to specify an alternate location for rndc.key.
-h
Prints a short summary of the options and arguments to rndc-confgen.
-k keyname
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key.
-p port
Specifies the command channel port where named listens for connections from rndc. The default is 953.
-r randomfile
Specifies a source of random data for generating the authorization. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.
-s address
Specifies the IP address where named listens for command channel connections from rndc. The default is the loopback address 127.0.0.1.
-t chrootdir
Used with the -a option to specify a directory where named will run chrooted. An additional copy of the rndc.key will be written relative to this directory so that it will be found by the chrooted named.
-u user
Used with the -a option to set the owner of the rndc.key file generated. If -t is also specified only the file in the chroot area has its owner changed.
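As an added example (not from this page and not ISC's code), here is a small Python script that does by hand what the key statement description and the rndc-confgen output above describe: it parses key statements (quoted or bare key names, and the backslash-wrapped secrets rndc-confgen prints in rndc.key), base64-decodes the secret to report the key size in bits the way -b counts it, flags the two sample secrets quoted from the source tree (anyone with the tarball has them, so a config still carrying one is not secret), and writes out an rndc.conf plus the matching named.conf controls fragment in the layout rndc-confgen -b produced above. The function names, the regex parser, the KNOWN_SAMPLE_SECRETS set and the constructed sample input are this example's own assumptions; rounding -b to whole bytes is a simplification here as well.

```python
# Added example, not ISC code: parse, check and generate rndc key statements.
# The parser, function names and KNOWN_SAMPLE_SECRETS are this example's own
# assumptions; the two secrets in that set are the ones quoted above.
import base64
import binascii
import re
import secrets

# Secrets that ship in the BIND 9.2.3 source tree (see the cat output above).
# Anyone with the tarball knows them, so a key statement carrying one is public.
KNOWN_SAMPLE_SECRETS = {
    "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K",  # bin/rndc/rndc.conf
    "1234abcd8765",  # bin/tests/system/common/rndc.conf
}

# key NAME { algorithm ALG; secret "B64"; };   (NAME may be quoted or bare)
KEY_STMT = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{'
    r'\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]*)"\s*;'
    r'\s*\}\s*;',
    re.IGNORECASE,
)

def parse_key_statements(text):
    """Return [(name, algorithm, secret_b64)] for each key statement in text.
    rndc-confgen wraps long secrets with backslash-newline inside the quotes
    (see the rndc.key output above); those continuations are joined back here."""
    found = []
    for m in KEY_STMT.finditer(text):
        joined = m.group("secret").replace("\\\n", "")
        found.append((m.group("name"), m.group("alg").lower(), "".join(joined.split())))
    return found

def inspect_key(name, algorithm, secret_b64):
    """Decode the secret; return (key size in bits, list of findings)."""
    findings = []
    if algorithm != "hmac-md5":
        findings.append(f"{name}: algorithm {algorithm} is not hmac-md5, the only one 9.2.3 supports")
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError):
        return 0, findings + [f"{name}: secret is not valid base64"]
    bits = len(raw) * 8
    if not 1 <= bits <= 512:  # the -b range the man page documents
        findings.append(f"{name}: {bits}-bit key is outside the 1..512-bit range")
    if secret_b64 in KNOWN_SAMPLE_SECRETS:
        findings.append(f"{name}: secret is a published sample from the BIND source tree")
    return bits, findings

def generate_key_statement(name, bits=128):
    """Fresh random key like rndc-confgen -b; whole bytes only in this example."""
    if not 8 <= bits <= 512 or bits % 8:
        raise ValueError("key size must be 8..512 bits and a multiple of 8")
    return name, "hmac-md5", base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def render_key(name, secret_b64):
    return f'key "{name}" {{\n\talgorithm hmac-md5;\n\tsecret "{secret_b64}";\n}};\n'

def render_rndc_conf(name, secret_b64, server="127.0.0.1", port=953):
    """rndc.conf in the layout rndc-confgen prints (see the output above)."""
    return (render_key(name, secret_b64)
            + f'\noptions {{\n\tdefault-key "{name}";\n\tdefault-server {server};\n'
            f'\tdefault-port {port};\n}};\n')

def render_named_controls(name, secret_b64, address="127.0.0.1", port=953, allow=("127.0.0.1",)):
    """Matching named.conf fragment: the same key plus a controls statement."""
    acl = " ".join(f"{a};" for a in allow)
    return (render_key(name, secret_b64)
            + f'\ncontrols {{\n\tinet {address} port {port}\n'
            f'\t\tallow {{ {acl} }} keys {{ "{name}"; }};\n}};\n')

def _wrap(secret_b64, width=58):
    """Break a secret into backslash-continued lines the way rndc-confgen does."""
    return "\\\n".join(secret_b64[i:i + width] for i in range(0, len(secret_b64), width))

# Constructed input: the ISC sample key quoted above plus a 512-bit key (64
# constructed bytes) whose secret is wrapped like the rndc.key output above.
WRAPPED_512 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CONF = (
    render_key("key", "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K")
    + f'key samplekey {{\n\talgorithm hmac-md5;\n\tsecret "{_wrap(WRAPPED_512)}";\n}};\n'
)

if __name__ == "__main__":
    for key in parse_key_statements(SAMPLE_CONF):
        bits, findings = inspect_key(*key)
        print(f"{key[0]}: {bits}-bit {key[1]}", *findings, sep="\n  ")
    fresh_name, _, fresh_secret = generate_key_statement("rndc-key", 512)
    print(render_rndc_conf(fresh_name, fresh_secret))
    print(render_named_controls(fresh_name, fresh_secret))
```

Run as-is it reports the ISC sample as a 360-bit hmac-md5 key that is a published sample, the wrapped key as a clean 512-bit one, and then prints a fresh rndc.conf and named.conf fragment; the decoded length is the same number -b counts, so a secret copied from the sample files is easy to spot by decoding it rather than by eyeballing the base64.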
Let's try it out a little. First, confirm that there is no rndc.conf in /etc:
# pwd
/etc
# ls -l | grep rndc
#
Then, from some convenient directory:
# pwd
/root
# /usr/local/sbin/rndc-confgen -a -b 512 -r /dev/random -k samplekey > rndc.conf
# ls -l rndc.conf
-rw-r--r-- 1 root root 0 Mar 30 21:46 rndc.conf
rndc.key appears in /etc:
# pwd
/etc
# ls -l | grep rndc*
-rw------- 1 root root 142 Mar 30 21:46 rndc.key
# cat rndc.key
key "samplekey" {
algorithm hmac-md5;
secret "8UA5nlL8kVEkVp0gFPtmjckbOkISHWzs0EKOeAsvsoCNj8cl4e9QIc\
8pt130XKs0rmUMnMcxHwduqzKhohYRYA==";
};
This must be what the -a option means.
Nyantarou, respectfully!
Created: Wed, 29 March 2006, 23:49:33 JST