Synopsis
~~~~~~~~
-:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** key_id] [[**-4**] | [**-6**]] {command}
+:program:`rndc` [**-b** source-address] [**-c** config-file] [**-k** key-file] [**-s** server] [**-p** port] [**-q**] [**-r**] [**-V**] [**-y** server_key] [[**-4**] | [**-6**]] {command}
Description
~~~~~~~~~~~
HMAC-SHA256 (default), HMAC-SHA384, and HMAC-SHA512. They use a shared
secret on each end of the connection, which provides TSIG-style
authentication for the command request and the name server's response.
-All commands sent over the channel must be signed by a key_id known to
+All commands sent over the channel must be signed by a server_key known to
the server.
:program:`rndc` reads a configuration file to determine how to contact the name
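Review bot: the renamed token on the `+All commands sent over the channel must be signed by a server_key known to` line is left as bare prose, while every other occurrence in this patch is marked up as ``server_key`` (see the ``-y`` option text further down). Since the line is being rewritten anyway, wrap it as ``server_key`` so it renders as the identifier it is rather than reading as an odd English word; the matching man-page line should then become \fBserver_key\fP.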
This option enables verbose logging.
-.. option:: -y key_id
+.. option:: -y server_key
- This option indicates use of the key ``key_id`` from the configuration file. For control message validation to succeed, ``key_id`` must be known
- by :iscman:`named` with the same algorithm and secret string. If no ``key_id`` is specified,
+ This option indicates use of the key ``server_key`` from the configuration file. For control message validation to succeed, ``server_key`` must be known
+ by :iscman:`named` with the same algorithm and secret string. If no ``server_key`` is specified,
:program:`rndc` first looks for a key clause in the server statement of
the server being used, or if no server statement is present for that
host, then in the default-key clause of the options statement. Note that
Limitations
~~~~~~~~~~~
-There is currently no way to provide the shared secret for a ``key_id``
+There is currently no way to provide the shared secret for a ``server_key``
without using the configuration file.
Several error messages could be clearer.
address_match_list = address_match_list_element ; ...
address_match_list_element = [ ! ] ( ip_address | netprefix |
- key key_id | acl_name | { address_match_list } )
+ key server_key | acl_name | { address_match_list } )
Definition and Usage
^^^^^^^^^^^^^^^^^^^^
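Review bot: the new name is misleading in this grammar. `key server_key` inside `address_match_list_element` denotes any TSIG key name used for ACL matching, not a key tied to a `server` statement; the same metavariable is reused later in the patch for the `controls` `keys` list and for `deny-answer-addresses`, and the `key` statement definition in this patch itself says it is "also known as the key name" and is used "in a ``server`` statement ... or in address match lists". A neutral name such as `key_name` would fit all of those contexts; if `server_key` is kept deliberately to match existing terminology elsewhere, the commit message should say so.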
The name of an :term:`address_match_list` as defined by the :any:`acl` statement.
``address_match_list``
- A list of one or more :term:`ip_address`, :term:`netprefix`, ``key_id``, or :term:`acl_name` elements; see :ref:`address_match_lists`.
+ A list of one or more :term:`ip_address`, :term:`netprefix`, ``server_key``, or :term:`acl_name` elements; see :ref:`address_match_lists`.
``remote-servers``
- A named list of one or more :term:`ip_address` s with optional ``tls_id``, ``key_id``, and/or :term:`port`. A ``remote-servers`` list may include other ``remote-servers`` lists. See :any:`primaries` block.
+ A named list of one or more :term:`ip_address` s with optional ``tls_id``, ``server_key``, and/or :term:`port`. A ``remote-servers`` list may include other ``remote-servers`` lists. See :any:`primaries` block.
``domain_name``
A quoted string which is used as a DNS name; for example: ``my.test.domain``.
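Review bot: markup is inconsistent across the renamed glossary references. The ``address_match_list`` and ``remote-servers`` entries here use a plain literal ``server_key``, whereas the `controls` and `server` hunks later in the patch use :term:`server_key`. Since the patch touches each of these lines already, make them all :term:`server_key` so they link to the glossary entry. Separately, ``tls_id`` in the ``remote-servers`` entry keeps the `_id` suffix while ``key_id`` loses it; either rename both or note why the two placeholders diverge.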
An IP network specified as an :term:`ip_address`, followed by a slash (``/``) and then the number of bits in the netmask. Trailing zeros in an:term:`ip_address` may be omitted. For example, ``127/8`` is the network ``127.0.0.0`` with netmask ``255.0.0.0`` and ``1.2.3.0/28`` is network ``1.2.3.0`` with netmask ``255.255.255.240``.
When specifying a prefix involving an IPv6-scoped address, the scope may be omitted. In that case, the prefix matches packets from any scope.
- ``key_id``
+ ``server_key``
A :term:`domain_name` representing the name of a shared key, to be used for
:ref:`transaction security <tsig>`. Keys are defined using
:namedconf:ref:`key` blocks.
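Review bot: the unchanged context line in this hunk contains "an:term:`ip_address`" with no space before the role, which prevents reST from recognising the :term: role and renders the raw text. It is pre-existing, but this patch is editing the adjacent glossary entry, so fixing it to "an :term:`ip_address`" here (or in a follow-up) would be cheap.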
``allow``
Connections to the control channel
are permitted based on the :term:`address_match_list`. This is for simple IP
- address-based filtering only; any ``key_id`` elements of the
+ address-based filtering only; any ``server_key`` elements of the
:term:`address_match_list` are ignored.
:any:`keys`
The primary authorization mechanism of the command channel is the
- list of :term:`key_id` s. Each listed
+ list of :term:`server_key` s. Each listed
:namedconf:ref:`key` is authorized to execute commands over the control
channel. See :ref:`admin_tools` for information about
configuring keys in :iscman:`rndc`.
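Review bot: "list of :term:`server_key` s" puts a literal space between the role and the plural suffix, so the rendered output reads "server_key s". The reST escape for this is a backslash-space, i.e. `:term:`server_key`\ s`, which joins the suffix to the term; the same construct appears as ":term:`ip_address` s" in the ``remote-servers`` entry touched by this patch and could be fixed the same way.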
:any:`controls` statement (see :ref:`controls_statement_definition_and_usage`)
must be defined at the top level.
-The ``key_id``, also known as the key name, is a domain name that uniquely
+The ``server_key``, also known as the key name, is a domain name that uniquely
identifies the key. It can be used in a ``server`` statement to cause
requests sent to that server to be signed with this key, or in address
match lists to verify that incoming requests have been signed with a key
:term:`address_match_list` of the :any:`deny-answer-addresses` option.
In the :term:`address_match_list` of the :any:`deny-answer-addresses` option,
- only :term:`ip_address` and :term:`netprefix` are meaningful; any ``key_id`` is
+ only :term:`ip_address` and :term:`netprefix` are meaningful; any ``server_key`` is
silently ignored.
to fundamentally incompatible concepts.
In the context of a :namedconf:ref:`server` block, the option identifies a
- :term:`key_id` defined by the :namedconf:ref:`key` statement, to be used for
+ :term:`server_key` defined by the :namedconf:ref:`key` statement, to be used for
transaction security (see :ref:`tsig`)
when talking to the remote server. When a request is sent to the remote
server, a request signature is generated using the key specified
rndc \- name server control utility
.SH SYNOPSIS
.sp
-\fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP key_id] [[\fB\-4\fP] | [\fB\-6\fP]] {command}
+\fBrndc\fP [\fB\-b\fP source\-address] [\fB\-c\fP config\-file] [\fB\-k\fP key\-file] [\fB\-s\fP server] [\fB\-p\fP port] [\fB\-q\fP] [\fB\-r\fP] [\fB\-V\fP] [\fB\-y\fP server_key] [[\fB\-4\fP] | [\fB\-6\fP]] {command}
.SH DESCRIPTION
.sp
\fBrndc\fP controls the operation of a name server. If \fBrndc\fP is
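Review bot: the rndc.8 changes mirror the rndc.rst changes line for line, and the `.INDENT 0.0` / `.UNINDENT` / `\fI\%named\fP` macros further down are the Sphinx man writer's output. Please confirm the man page was regenerated from the reST source rather than hand-patched, so the two cannot drift; if the generated file is committed, the regeneration step belongs in the commit description.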
HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared
secret on each end of the connection, which provides TSIG\-style
authentication for the command request and the name server\(aqs response.
-All commands sent over the channel must be signed by a key_id known to
+All commands sent over the channel must be signed by a server_key known to
the server.
.sp
\fBrndc\fP reads a configuration file to determine how to contact the name
.UNINDENT
.INDENT 0.0
.TP
-.B \-y key_id
-This option indicates use of the key \fBkey_id\fP from the configuration file. For control message validation to succeed, \fBkey_id\fP must be known
-by \fI\%named\fP with the same algorithm and secret string. If no \fBkey_id\fP is specified,
+.B \-y server_key
+This option indicates use of the key \fBserver_key\fP from the configuration file. For control message validation to succeed, \fBserver_key\fP must be known
+by \fI\%named\fP with the same algorithm and secret string. If no \fBserver_key\fP is specified,
\fBrndc\fP first looks for a key clause in the server statement of
the server being used, or if no server statement is present for that
host, then in the default\-key clause of the options statement. Note that
would specify a zone called "\-redirect".)
.SH LIMITATIONS
.sp
-There is currently no way to provide the shared secret for a \fBkey_id\fP
+There is currently no way to provide the shared secret for a \fBserver_key\fP
without using the configuration file.
.sp
Several error messages could be clearer.