<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
-<!-- File: $Id: Bv9ARM-book.xml,v 1.152 2001/07/30 22:55:23 gson Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.153 2001/08/06 04:42:24 marka Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
location can be specified with the <option>-c</option>
option. If the configuration file is not found,
<command>rndc</command> will also look in
-<filename>/var/run/named.key</filename> (or wherever
-<varname>localstatedir</varname> was defined when
-the <acronym>BIND</acronym> build was configured).
-The <filename>named.key</filename> file is generated by
-<command>named</command> as described in
+<filename>/etc/rndc.key</filename> to find a key to use
<xref linkend="controls_statement_definition_and_usage"/>.</para>
<para>The format of the configuration file is similar to
must be signed by one of its specified keys to
be honored.</para>
- <para>The <command>keys</command> clause is not strictly required.
- If it is not present, then a random key will be generated automatically
- and placed in a file named <filename>named.key</filename>, which is
- usually in <filename>/var/run</filename> but will be wherever
- <varname>localstatedir</varname> was specified as when
- <acronym>BIND</acronym> was built. <filename>named.key</filename>
- contains a complete <filename>rndc.conf</filename>-compatible
- configuration and is used by <command>rndc</command> when it
- cannot find its primary configuration file.</para>
-
- <para>Similarly, <filename>named.key</filename> is generated when
- no <command>controls</command> statement is present at all. In
- that situation it will configure a control channel to run on
- 127.0.0.1.</para>
+ <para>If <command>keys</command> clause does not exist
+ <command>named</command> will look for
+ <filename>/etc/rndc.key</filename> and use the key found
+ there.
- <para>There are two ways to disable the creation of
- <filename>named.key</filename>. One is to ensure that all of your
- <command>inet</command> control channels have a <command>keys</command>
- clause. The other is to have a <command>controls</command> statement
- with no <command>inet</command> phrases it all. The latter will
- prevent the creation of any control channel.</para>
+ <para>Similarly, <filename>/etc/rndc.key.key</filename> is used
+ no <command>controls</command> statement is present at all. In
+ that situation it will configure control channels to run on
+ all interfaces.</para>
- <para>The <filename>named.key</filename> feature was created to
+ <para>The <filename>/etc/rndc.key</filename> feature was created to
ease the transition of systems from <acronym>BIND</acronym> 8,
which did not have digital signatures on its command channel messages
and thus did not have a <command>keys</command> clause. Since
have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a
<filename>rndc.conf</filename> with your own key if you wish to change
- those things. The <filename>named.key</filename> file also has its
+ those things. The <filename>/etc/rndc.key</filename> file also has its
permissions set such that only the owner of the file (the user that
<command>named</command> is running as) can access it. If you
desire greater flexibility in allowing other users to access
projects / thirdparty / bind9.git / commitdiff
