Introduction to BIND's rndc and how to use it

rndc (Remote Name Daemon Control) is a tool for managing BIND remotely. With it you can inspect the server's current running state, locally or from another host, and also shut the server down, reload it, flush its cache, add and remove zones, and so on.


With rndc, data can be updated and a modified configuration file brought into effect without stopping the DNS server. In practice a DNS server is very busy, and even a short pause affects users, so rndc lets the server keep serving them while it is being administered. Before managing BIND with rndc you need to generate a key with rndc-confgen; the same secret is written into rndc's configuration file and into BIND's main configuration file. rndc's configuration file is /etc/rndc.conf; on CentOS or RHEL the rndc key is stored in /etc/rndc.key. rndc listens on TCP port 953 by default. In BIND 9, rndc in fact works out of the box without a hand-configured key file.

When rndc connects to the DNS server it authenticates cryptographically rather than with a traditional username/password. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, using a secret shared by both ends of the connection. This provides TSIG-style authentication for command requests and for the name server's responses: every command sent over the channel must be signed with a key_id known to the server. To produce a key that both sides accept, use rndc-confgen to generate the key and the matching configuration fragments, then place them in named.conf and in rndc's configuration file rndc.conf respectively.


According to the ISC knowledge-base article https://kb.isc.org/docs/aa-00722:

When rndc stops working, we can configure it by hand:

We can regenerate the key file manually; once it has been regenerated, rndc reports that the key is invalid.

1. Generate the key file

[root@kube /]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@kube /]# 
[root@kube /]# rndc status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
[root@kube /]# 

"algorithm hmac-md5" means the "secret" was generated with the hmac-md5 algorithm; every run produces a different "secret".

2. Generate the /etc/rndc.conf file

[root@kube /]# rndc-confgen > /etc/rndc.conf   # creates the file

[root@kube named]# cat /etc/rndc.conf 
# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-md5;
	#secret "1UARBi7InqdyVfuLeUfZMA==";   # the secret is generated randomly when the file is created; change it to the key in rndc.key
	secret "5ZkytmCWEMMilRcpvrnEaA==";   # replaced
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf     # the block below is meant to be added to named.conf; in testing it still worked without being added, so newer BIND versions presumably carry this configuration by default

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "1UARBi7InqdyVfuLeUfZMA==";
# };
# 
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@kube named]# 

Now replace the named.conf configuration following the normal procedure; the secret must be identical in rndc.key, rndc.conf and named.conf.

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    #    secret "1UARBi7InqdyVfuLeUfZMA==";
    secret "5ZkytmCWEMMilRcpvrnEaA==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

Restart: systemctl restart named

Test: success

[root@kube ~]# rndc status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (Extended Support Version) <id:7107deb>
running on kube.master: Linux x86_64 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019
boot time: Mon, 12 Apr 2021 04:36:16 GMT
last configured: Mon, 12 Apr 2021 04:36:16 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 107 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running
[root@kube ~]# 

I. Syntax

Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

addzone zone [class [view]] { zone-options }
              Add zone to given view. Requires allow-new-zones option.
delzone [-clean] zone [class [view]]
              Removes zone from given view.
dnstap -reopen
              Close, truncate and re-open the DNSTAP output file.
dnstap -roll count
              Close, rename and re-open the DNSTAP output file(s).
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
               Dump cache(s) to the dump file (named_dump.db).
flush          Flushes all of the server's caches.
flush [view]   Flushes the server's cache for a view.
flushname name [view]
               Flush the given name from the server's cache(s)
flushtree name [view]
               Flush all names under the given name from the server's cache(s)
freeze         Suspend updates to all dynamic zones.
freeze zone [class [view]]
               Suspend updates to a dynamic zone.
halt           Stop the server without saving pending updates.
halt -p        Stop the server without saving pending updates reporting
               process id.
loadkeys zone [class [view]]
              Update keys without signing immediately.
managed-keys refresh [class [view]]
              Check trust anchor for RFC 5011 key changes
managed-keys status [class [view]]
              Display RFC 5011 managed keys information
managed-keys sync [class [view]]
              Write RFC 5011 managed keys to disk
modzone zone [class [view]] { zone-options }
              Modify a zone's configuration.
              Requires allow-new-zones option.
notify zone [class [view]]
              Resend NOTIFY messages for the zone.
notrace       Set debugging level to 0.
nta -dump     List all negative trust anchors.
nta [-lifetime duration] [-force] domain [view]
              Set a negative trust anchor, disabling DNSSEC validation
              for the given domain.
              Using -lifetime specifies the duration of the NTA, up
              to one week.
              Using -force prevents the NTA from expiring before its
              full lifetime, even if the domain can validate sooner.
nta -remove domain [view]
              Remove a negative trust anchor, re-enabling validation
              for the given domain.
querylog newstate
              Enable / disable query logging.
reconfig      Reload configuration file and new zones only.
recursing     Dump the queries that are currently recursing (named.recursing)
refresh zone [class [view]]
              Schedule immediate maintenance for a zone.
reload        Reload configuration file and zones.
reload zone [class [view]]
              Reload a single zone.
retransfer zone [class [view]]
              Retransfer a single zone without checking serial number.
scan          Scan available network interfaces for changes.
secroots [view ...]
              Write security roots to the secroots file.
showzone zone [class [view]]
               Print a zone's configuration.
sign zone [class [view]]
               Update zone keys, and sign as needed.
signing -clear all zone [class [view]]
               Remove the private records for all keys that have
               finished signing the given zone.
signing -clear <keyid>/<algorithm> zone [class [view]]
               Remove the private record that indicating the given key
               has finished signing the given zone.
signing -list zone [class [view]]
               List the private records showing the state of DNSSEC
               signing in the given zone.
signing -nsec3param 
               hash flags iterations salt zone [class [view]]
               Add NSEC3 chain to zone if already signed.
               Prime zone with NSEC3 chain if not yet signed.
signing -nsec3param none zone [class [view]]
               Remove NSEC3 chains from zone.
signing -serial <value> zone [class [view]]
               Set the zones's serial to <value>.
stats          Write server statistics to the statistics file.
status         Display status of the server.
stop           Save pending updates to master files and stop the server.
stop -p        Save pending updates to master files and stop the server
               reporting process id.
sync [-clean]  Dump changes to all dynamic zones to disk, and optionally
               remove their journal files.
sync [-clean] zone [class [view]]
               Dump a single zone's changes to disk, and optionally
               remove its journal file.
thaw           Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
               Enable updates to a frozen dynamic zone and reload it.
trace          Increment debugging level by one.
trace level    Change the debugging level.
tsig-delete keyname [view]
               Delete a TKEY-negotiated TSIG key.
tsig-list      List all currently active TSIG keys, including both statically
               configured and TKEY-negotiated keys.
validation newstate [view]
               Enable / disable DNSSEC validation.
zonestatus zone [class [view]]
               Display the current status of a zone.

II. Common rndc commands:

status #show the BIND server's status
reload #reload the configuration file and zone files
reload zone_name #reload the given zone only
reconfig   #re-read the configuration file and load newly added zones only
querylog #turn query logging off or on; very useful, the queries are written to the file defined in the logging section of named.conf
dumpdb #dump the cache to the dump file (named_dump.db)
freeze    #suspend updates to all dynamic zones
freeze zone [class [view]]#suspend updates to one dynamic zone
flush [view]  #flush all of the server's caches (or the cache of one view)
flushname name   #flush the given name from the server's cache(s)
stats #write server statistics to the statistics file, i.e. the one set by statistics-file "/var/named/data/named_stats.txt";
stop   #save pending updates to the master files and stop the server
halt   #stop the server without saving pending updates
trace   #turn on debugging; debugging has levels, and each invocation raises the level by one
trace LEVEL   #set the debug level; trace 0 turns debugging off
notrace #set the debug level to 0
restart #restart the server (not yet implemented)
addzone zone [class [view]] { zone-options } #add a zone
delzone zone [class [view]]#delete a zone
tsig-delete keyname [view]#delete a TSIG key
tsig-list#list the currently active TSIG keys
validation newstate [view]#enable/disable DNSSEC validation
Note: rndc accepts the -s and -p options to connect to a remote DNS server and manage it, but the keys on both sides must match for the connection to succeed. When writing rndc.conf, make sure the key name and the pre-shared secret are identical to those in named.conf; otherwise rndc will not work.
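A check for exactly the mismatch described in the procedure above (steps 1 and 2) and in this note, added here as an example and not taken from the post or from BIND: it parses the key statement out of rndc.key or rndc.conf and out of named.conf, compares name, algorithm and secret, and confirms that the controls block admits the key. The parser only handles the simple BIND syntax shown on this page (one directive per line); the sample files are constructed from the post's values.

```shell
# Added example, not from the original post: check that the rndc client key matches
# named.conf's key statement and is admitted by its controls block (the "key is invalid" case).

# Print "name algorithm secret" per key statement. Comments (# and //) are
# stripped first, so a commented-out secret, as in the post, is ignored.
extract_keys() {
    awk '{ sub(/#.*/, ""); sub(/\/\/.*/, "") }
         /^[ \t]*key[ \t]+"/ { inkey = 1; name = $2; gsub(/"/, "", name); alg = sec = "" }
         inkey && /algorithm/ { alg = $2; sub(/;.*/, "", alg) }
         inkey && /secret/    { sec = $2; gsub(/[";]/, "", sec) }
         inkey && /}/         { print name, alg, sec; inkey = 0 }' "$1"
}
# Print, one per line, the key names that named.conf's controls statement accepts.
controls_keys() {
    awk '{ sub(/#.*/, ""); sub(/\/\/.*/, "") }
         /^[ \t]*controls/ { inctl = 1 }
         inctl && match($0, /keys[ \t]*[{][^}]*[}]/) {
             s = substr($0, RSTART, RLENGTH); gsub(/keys[ \t]*[{]|[}]|[;"]/, "", s)
             n = split(s, a, /[ \t]+/); for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }
         inctl && /^[ \t]*}/ { inctl = 0 }' "$1"
}
# rndc_key_check CLIENT_KEY_FILE NAMED_CONF: returns 0 if consistent, 1 otherwise.
rndc_key_check() {
    read -r cname calg csec <<EOF
$(extract_keys "$1" | head -n 1)
EOF
    [ -n "$cname" ] || { echo "FAIL: no key statement in $1"; return 1; }
    read -r sname salg ssec <<EOF
$(extract_keys "$2" | awk -v n="$cname" '$1 == n' | head -n 1)
EOF
    [ -n "$sname" ] || { echo "FAIL: $2 has no key \"$cname\""; return 1; }
    [ "$calg" = "$salg" ] && [ "$csec" = "$ssec" ] ||
        { echo "FAIL: key \"$cname\" differs between $1 and $2 (stale rndc.key?)"; return 1; }
    controls_keys "$2" | grep -qx "$cname" || { echo "FAIL: controls does not admit \"$cname\""; return 1; }
    [ "$calg" != "hmac-md5" ] || echo "WARN: hmac-md5 is a legacy algorithm; prefer hmac-sha256 where supported"
    echo "OK: key \"$cname\" is consistent with $2"
}
# Constructed sample mirroring the post: named.conf with the replaced secret plus
# its controls block, and an rndc.key builder to compare against it.
write_named_conf() {
    printf 'key "rndc-key" {\n    algorithm hmac-md5;\n    #    secret "1UARBi7InqdyVfuLeUfZMA==";\n' > "$1"
    printf '    secret "5ZkytmCWEMMilRcpvrnEaA==";\n};\ncontrols {\n    inet 127.0.0.1 port 953\n' >> "$1"
    printf '        allow { 127.0.0.1; } keys { "rndc-key"; };\n};\n' >> "$1"
}
write_client_key() { printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2" > "$3"; }
d=$(mktemp -d); write_named_conf "$d/named.conf"           # stale key first, then the fixed one
write_client_key rndc-key 1UARBi7InqdyVfuLeUfZMA== "$d/rndc.key"; rndc_key_check "$d/rndc.key" "$d/named.conf" || :
write_client_key rndc-key 5ZkytmCWEMMilRcpvrnEaA== "$d/rndc.key"; rndc_key_check "$d/rndc.key" "$d/named.conf"
rm -rf "$d"
```

On a real host, run rndc_key_check /etc/rndc.key /etc/named.conf before restarting named; it flags the stale-secret situation the post hit without needing to connect to port 953.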

