Introduction to and use of rndc in BIND

rndc (Remote Name Domain Controller) is a tool for administering BIND remotely. With it you can inspect the running state of a local or remote server and perform operations such as shutting the server down, reloading it, flushing the cache, and adding or deleting zones.


With rndc, data can be updated and a modified configuration file made effective without stopping the DNS server. In practice a DNS server is very busy, and even a brief pause affects users, so rndc lets the server keep serving while it is being managed. Before rndc can be used to manage BIND, a key must be generated with rndc and stored in two places: one copy in rndc's configuration file and the other in BIND's main configuration file. rndc's configuration file is /etc/rndc.conf; on CentOS or RHEL the rndc key is kept in /etc/rndc.key. rndc listens on TCP port 953 by default. In BIND 9 rndc is in fact usable out of the box, without configuring a key file by hand.

When rndc connects to the DNS server it authenticates with a cryptographic key rather than the traditional username/password. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, using a pre-shared secret at both ends of the connection. This gives TSIG-style authentication for the command request and the name server's response: every command sent over the channel must be signed with a key_id known to the server. To produce a key that both sides accept, run rndc-confgen, which generates the key and the matching configuration, and then place those fragments into named.conf and into rndc's configuration file, rndc.conf.

I. Syntax

Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

addzone zone [class [view]] { zone-options }
              Add zone to given view. Requires allow-new-zones option.
delzone [-clean] zone [class [view]]
              Removes zone from given view.
dnstap -reopen
              Close, truncate and re-open the DNSTAP output file.
dnstap -roll count
              Close, rename and re-open the DNSTAP output file(s).
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
               Dump cache(s) to the dump file (named_dump.db).
flush          Flushes all of the server's caches.
flush [view]   Flushes the server's cache for a view.
flushname name [view]
               Flush the given name from the server's cache(s)
flushtree name [view]
               Flush all names under the given name from the server's cache(s)
freeze         Suspend updates to all dynamic zones.
freeze zone [class [view]]
               Suspend updates to a dynamic zone.
halt           Stop the server without saving pending updates.
halt -p        Stop the server without saving pending updates reporting
               process id.
loadkeys zone [class [view]]
              Update keys without signing immediately.
managed-keys refresh [class [view]]
              Check trust anchor for RFC 5011 key changes
managed-keys status [class [view]]
              Display RFC 5011 managed keys information
managed-keys sync [class [view]]
              Write RFC 5011 managed keys to disk
modzone zone [class [view]] { zone-options }
              Modify a zone's configuration.
              Requires allow-new-zones option.
notify zone [class [view]]
              Resend NOTIFY messages for the zone.
notrace       Set debugging level to 0.
nta -dump     List all negative trust anchors.
nta [-lifetime duration] [-force] domain [view]
              Set a negative trust anchor, disabling DNSSEC validation
              for the given domain.
              Using -lifetime specifies the duration of the NTA, up
              to one week.
              Using -force prevents the NTA from expiring before its
              full lifetime, even if the domain can validate sooner.
nta -remove domain [view]
              Remove a negative trust anchor, re-enabling validation
              for the given domain.
querylog newstate
              Enable / disable query logging.
reconfig      Reload configuration file and new zones only.
recursing     Dump the queries that are currently recursing (named.recursing)
refresh zone [class [view]]
              Schedule immediate maintenance for a zone.
reload        Reload configuration file and zones.
reload zone [class [view]]
              Reload a single zone.
retransfer zone [class [view]]
              Retransfer a single zone without checking serial number.
scan          Scan available network interfaces for changes.
secroots [view ...]
              Write security roots to the secroots file.
showzone zone [class [view]]
               Print a zone's configuration.
sign zone [class [view]]
               Update zone keys, and sign as needed.
signing -clear all zone [class [view]]
               Remove the private records for all keys that have
               finished signing the given zone.
signing -clear <keyid>/<algorithm> zone [class [view]]
               Remove the private record that indicating the given key
               has finished signing the given zone.
signing -list zone [class [view]]
               List the private records showing the state of DNSSEC
               signing in the given zone.
signing -nsec3param hash flags iterations salt zone [class [view]]
               Add NSEC3 chain to zone if already signed.
               Prime zone with NSEC3 chain if not yet signed.
signing -nsec3param none zone [class [view]]
               Remove NSEC3 chains from zone.
signing -serial <value> zone [class [view]]
               Set the zones's serial to <value>.
stats          Write server statistics to the statistics file.
status         Display status of the server.
stop           Save pending updates to master files and stop the server.
stop -p        Save pending updates to master files and stop the server
               reporting process id.
sync [-clean]  Dump changes to all dynamic zones to disk, and optionally
               remove their journal files.
sync [-clean] zone [class [view]]
               Dump a single zone's changes to disk, and optionally
               remove its journal file.
thaw           Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
               Enable updates to a frozen dynamic zone and reload it.
trace          Increment debugging level by one.
trace level    Change the debugging level.
tsig-delete keyname [view]
               Delete a TKEY-negotiated TSIG key.
tsig-list      List all currently active TSIG keys, including both statically
               configured and TKEY-negotiated keys.
validation newstate [view]
               Enable / disable DNSSEC validation.
zonestatus zone [class [view]]
               Display the current status of a zone.

II. Common rndc commands:

  1. status  # show the working status of the BIND server
  2. reload  # reload the configuration file and zone files
  3. reload zone_name  # reload the specified zone
  4. reconfig  # re-read the configuration file and load only newly added zones
  5. querylog  # turn query logging off or on
  6. dumpdb  # dump the cache to the dump file (named_dump.db)
  7. freeze  # suspend updates to all dynamic zones
  8. freeze zone [class [view]]  # suspend updates to one dynamic zone
  9. flush [view]  # flush all of the server's caches, or the cache of one view
  10. flushname name  # flush the given name from the server's cache
  11. stats  # write server statistics to the statistics file
  12. stop  # save pending updates to the master files and stop the server
  13. halt  # stop the server without saving pending updates
  14. trace  # turn on debugging; debugging has levels, and each invocation raises the level by one
  15. trace LEVEL  # set the debug level; trace 0 turns debugging off
  16. notrace  # set the debug level to 0
  17. restart  # restart the server (not yet implemented)
  18. addzone zone [class [view]] { zone-options }  # add a zone
  19. delzone zone [class [view]]  # delete a zone
  20. tsig-delete keyname [view]  # delete a TSIG key
  21. tsig-list  # list the currently active TSIG keys
  22. validation newstate [view]  # enable/disable DNSSEC validation

Note: rndc accepts the "-s" and "-p" options to connect to a remote DNS server for management, but the key on both sides must match for the connection to succeed. When writing rndc.conf, make sure the key name and the pre-shared secret are identical to those in named.conf; otherwise rndc will not work.
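As an added example that is not part of the original post, the following POSIX shell script does by hand what rndc-confgen does in one step: it generates a shared secret, writes the two halves (rndc.conf for the client and a key plus controls stanza for named.conf, limited to loopback on TCP 953), and then checks that key name, algorithm and secret agree in both files, which is the mismatch the note above warns about. It uses hmac-sha256, which current BIND 9 releases accept; the key name "rndc-key", the file names and the output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: writes both halves of one rndc key
# (rndc.conf for the client, a key+controls stanza to include from named.conf) into
# DIR and checks that name, algorithm and secret agree. Key name, file names and
# hmac-sha256 are this example's own choices.
gen_secret() {  # 32 random bytes, base64: the same shape of secret rndc-confgen makes
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}
# write_rndc_confs DIR KEYNAME ALGO: write DIR/rndc.conf and DIR/rndc-named.conf
write_rndc_confs() {
    dir=$1; keyname=$2; algo=$3
    secret=$(gen_secret)
    # Client half, read by rndc; keep it readable by the administrator only.
    cat > "$dir/rndc.conf" <<EOF
key "$keyname" {
    algorithm $algo;
    secret "$secret";
};
options { default-key "$keyname"; default-server 127.0.0.1; default-port 953; };
EOF
    # Server half: controls limits the channel to loopback on TCP 953 and to
    # clients that can sign with this key.
    cat > "$dir/rndc-named.conf" <<EOF
key "$keyname" {
    algorithm $algo;
    secret "$secret";
};
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$keyname"; }; };
EOF
    chmod 0600 "$dir/rndc.conf" "$dir/rndc-named.conf"
}
# key_name FILE: name of the first key statement. key_field FILE FIELD: value of
# the algorithm or secret line, quotes stripped.
key_name() { sed -n 's/^key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }
key_field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};.*/\1/p" "$1" | head -n 1
}
# check_rndc_pair CLIENT SERVER: 0 if both halves agree, else 1 and the reason on
# stderr. A mismatch here is exactly what makes rndc fail to authenticate.
check_rndc_pair() {
    [ "$(key_name "$1")" = "$(key_name "$2")" ] || { echo "key name differs" >&2; return 1; }
    for f in algorithm secret; do
        [ -n "$(key_field "$1" "$f")" ] || { echo "$f missing" >&2; return 1; }
        [ "$(key_field "$1" "$f")" = "$(key_field "$2" "$f")" ] || { echo "$f differs" >&2; return 1; }
    done
    return 0
}
if [ "$#" -eq 1 ]; then  # usage: sh rndc-pair.sh DIR, then include DIR/rndc-named.conf from named.conf
    write_rndc_confs "$1" rndc-key hmac-sha256 && check_rndc_pair "$1/rndc.conf" "$1/rndc-named.conf"
fi
```

After adding the include line to named.conf and reconfiguring or restarting named, `rndc -c DIR/rndc.conf status` confirms that the channel and the shared key work.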
