Introduction to BIND's rndc and how to use it
rndc (Remote Name Daemon Control) is a tool for managing BIND remotely. With it you can inspect the running state of the server, locally or from another host, and you can also shut the server down, reload it, flush its cache, add or remove zones, and so on.
With rndc, data can be updated and a modified configuration file brought into effect without stopping the DNS server. In practice a DNS server is very busy, and even a short pause affects users, so rndc lets the DNS server serve users better. Before managing BIND with rndc you need to use rndc to generate a key; one copy is kept in rndc's configuration file and the other copy in BIND's main configuration file. rndc's configuration file is /etc/rndc.conf; on CentOS or RHEL the rndc key is stored in /etc/rndc.key. rndc listens on TCP port 953 by default. In fact, with BIND 9 rndc is usable by default, without configuring a key file.
When rndc connects to the DNS server, it is authenticated with a key rather than the traditional username/password. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, using a shared secret at both ends of the connection. It provides TSIG-style authentication for the command requests and the name server's responses. Every command sent over the channel must be signed with a key_id known to the server. To generate a key that both sides accept, use the rndc-confgen command to produce the key and the matching configuration, then put those configuration fragments into named.conf and into rndc's configuration file, rndc.conf, respectively.
According to the ISC document at https://kb.isc.org/docs/aa-00722, when rndc stops working we can configure it by hand.
We can update the key file manually; once it has been updated, rndc reports that the key is invalid:
1. Generate the key file

[root@kube /]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@kube /]#

[root@kube /]# rndc status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
[root@kube /]#
"algorithm hmac-md5" means the "secret" is generated for the hmac-md5 algorithm; every run of rndc-confgen produces a different "secret".
2. Generate the /etc/rndc.conf file

[root@kube /]# rndc-confgen > /etc/rndc.conf    (creates the file)

[root@kube named]# cat /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        #secret "1UARBi7InqdyVfuLeUfZMA==";   # the secret is generated randomly when the file is created; change it to the secret in rndc.key
        secret "5ZkytmCWEMMilRcpvrnEaA==";    # replaced
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# The block below is meant to be added to named.conf. During testing rndc kept working without adding it, so newer BIND versions presumably ship this configuration by default.
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "1UARBi7InqdyVfuLeUfZMA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@kube named]#
Then replace the key block in named.conf as in the normal procedure; the secret must be identical in rndc.key, rndc.conf and named.conf.

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
        algorithm hmac-md5;
        # secret "1UARBi7InqdyVfuLeUfZMA==";
        secret "5ZkytmCWEMMilRcpvrnEaA==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
Restart: systemctl restart named

Test: success

[root@kube ~]# rndc status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (Extended Support Version) <id:7107deb>
running on kube.master: Linux x86_64 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019
boot time: Mon, 12 Apr 2021 04:36:16 GMT
last configured: Mon, 12 Apr 2021 04:36:16 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 107 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running
[root@kube ~]#
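As an added example (not part of the original post), here is a small Python checker for the mismatch that produced the "key is invalid" error above: it parses the key statements in rndc.key, rndc.conf and named.conf while ignoring commented-out old secrets, verifies that secret and algorithm agree across the three files, and checks that the controls statement in named.conf lists the key and does not allow any host. The file contents and function names are constructed for illustration; the two secrets are the ones shown in this post.

```python
import re

# A BIND key statement:  key "name" { algorithm hmac-md5; secret "base64"; };
KEY_BLOCK = re.compile(r'key\s+"([^"]+)"\s*\{([^}]*)\}', re.S)

def strip_comments(text: str) -> str:
    """Drop '#' and '//' comments so a commented-out old secret is ignored."""
    return "\n".join(re.sub(r'(#|//).*', '', ln) for ln in text.splitlines())

def parse_keys(text: str) -> dict:
    """Return {key_name: {"algorithm": ..., "secret": ...}} from config text."""
    keys = {}
    for name, body in KEY_BLOCK.findall(strip_comments(text)):
        algo = re.search(r'algorithm\s+([\w-]+)\s*;', body)
        secret = re.search(r'secret\s+"([^"]+)"\s*;', body)
        keys[name] = {"algorithm": algo.group(1).lower() if algo else "",
                      "secret": secret.group(1) if secret else ""}
    return keys

def check_rndc_config(rndc_key: str, rndc_conf: str, named_conf: str) -> list:
    """Compare rndc.key against rndc.conf and named.conf; return a list of findings."""
    findings, ref = [], parse_keys(rndc_key)
    for label, text in (("rndc.conf", rndc_conf), ("named.conf", named_conf)):
        keys = parse_keys(text)
        for name, k in ref.items():
            if name not in keys:
                findings.append(f"{label}: key {name!r} is missing")
            elif keys[name] != k:
                findings.append(f"{label}: key {name!r} differs from rndc.key")
    # The controls statement decides which key and which hosts named accepts.
    ctl = re.search(r'controls\s*\{(.*?)\}\s*;', strip_comments(named_conf), re.S)
    if not ctl:
        return findings + ["named.conf: no controls statement"]
    keys_m = re.search(r'keys\s*\{([^}]*)', ctl.group(1))
    listed = re.findall(r'"([^"]+)"', keys_m.group(1)) if keys_m else []
    findings += [f"named.conf: controls does not list key {n!r}" for n in ref if n not in listed]
    allow_m = re.search(r'allow\s*\{([^}]*)\}', ctl.group(1))
    hosts = [h.strip() for h in allow_m.group(1).split(";") if h.strip()] if allow_m else []
    if "any" in hosts:
        findings.append("named.conf: controls allow list permits any host")
    return findings

# Constructed sample files (not from a real host); named.conf still carries the old secret.
RNDC_KEY = 'key "rndc-key" {\n algorithm hmac-md5;\n secret "5ZkytmCWEMMilRcpvrnEaA==";\n};\n'
RNDC_CONF = ('key "rndc-key" {\n algorithm hmac-md5;\n #secret "1UARBi7InqdyVfuLeUfZMA==";\n'
             ' secret "5ZkytmCWEMMilRcpvrnEaA==";\n};\noptions { default-key "rndc-key"; };\n')
NAMED_CONF = ('key "rndc-key" { algorithm hmac-md5; secret "1UARBi7InqdyVfuLeUfZMA=="; };\n'
              'controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };\n')
```

Running check_rndc_config(RNDC_KEY, RNDC_CONF, NAMED_CONF) on the samples reports only that the key in named.conf differs from rndc.key, which is exactly the state that makes rndc refuse the connection; on a real host read the three files from /etc and pass their contents in.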
I. Syntax
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
        Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
        Removes zone from given view.
  dnstap -reopen
        Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
        Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
        Dump cache(s) to the dump file (named_dump.db).
  flush   Flushes all of the server's caches.
  flush [view]
        Flushes the server's cache for a view.
  flushname name [view]
        Flush the given name from the server's cache(s)
  flushtree name [view]
        Flush all names under the given name from the server's cache(s)
  freeze  Suspend updates to all dynamic zones.
  freeze zone [class [view]]
        Suspend updates to a dynamic zone.
  halt    Stop the server without saving pending updates.
  halt -p Stop the server without saving pending updates reporting process id.
  loadkeys zone [class [view]]
        Update keys without signing immediately.
  managed-keys refresh [class [view]]
        Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
        Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
        Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
        Modify a zone's configuration. Requires allow-new-zones option.
  notify zone [class [view]]
        Resend NOTIFY messages for the zone.
  notrace Set debugging level to 0.
  nta -dump
        List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
        Set a negative trust anchor, disabling DNSSEC validation for the given domain.
        Using -lifetime specifies the duration of the NTA, up to one week.
        Using -force prevents the NTA from expiring before its full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
        Remove a negative trust anchor, re-enabling validation for the given domain.
  querylog newstate
        Enable / disable query logging.
  reconfig
        Reload configuration file and new zones only.
  recursing
        Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
        Schedule immediate maintenance for a zone.
  reload  Reload configuration file and zones.
  reload zone [class [view]]
        Reload a single zone.
  retransfer zone [class [view]]
        Retransfer a single zone without checking serial number.
  scan    Scan available network interfaces for changes.
  secroots [view ...]
        Write security roots to the secroots file.
  showzone zone [class [view]]
        Print a zone's configuration.
  sign zone [class [view]]
        Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
        Remove the private records for all keys that have finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
        Remove the private record that indicating the given key has finished signing the given zone.
  signing -list zone [class [view]]
        List the private records showing the state of DNSSEC signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
        Add NSEC3 chain to zone if already signed. Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
        Remove NSEC3 chains from zone.
  signing -serial <value> zone [class [view]]
        Set the zones's serial to <value>.
  stats   Write server statistics to the statistics file.
  status  Display status of the server.
  stop    Save pending updates to master files and stop the server.
  stop -p Save pending updates to master files and stop the server reporting process id.
  sync [-clean]
        Dump changes to all dynamic zones to disk, and optionally remove their journal files.
  sync [-clean] zone [class [view]]
        Dump a single zone's changes to disk, and optionally remove its journal file.
  thaw    Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
        Enable updates to a frozen dynamic zone and reload it.
  trace   Increment debugging level by one.
  trace level
        Change the debugging level.
  tsig-delete keyname [view]
        Delete a TKEY-negotiated TSIG key.
  tsig-list
        List all currently active TSIG keys, including both statically configured and TKEY-negotiated keys.
  validation newstate [view]
        Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
        Display the current status of a zone.
II. Common rndc commands:

status                          # show the working status of the BIND server
reload                          # reload the configuration file and zone files
reload zone_name                # reload the specified zone
reconfig                        # re-read the configuration file and load newly added zones only
querylog                        # turn query logging off or on; quite useful, since queries are written to the file defined in the logging section of named.conf
dumpdb                          # dump the cache to the dump file (named_dump.db)
freeze                          # suspend updates to all dynamic zones
freeze zone [class [view]]      # suspend updates to one dynamic zone
flush [view]                    # flush all of the server's caches, or the cache of the given view
flushname name                  # flush the given name from the server's cache
stats                           # write server statistics to the statistics file, i.e. statistics-file "/var/named/data/named_stats.txt";
stop                            # save pending updates to the master files and stop the server
halt                            # stop the server without saving pending updates
trace                           # turn on debugging; debugging has levels, and each invocation raises the level by one
trace LEVEL                     # set the debug level; trace 0 turns debugging off
notrace                         # set the debug level to 0
restart                         # restart the server (not yet implemented)
addzone zone [class [view]] { zone-options }   # add a zone
delzone zone [class [view]]     # delete a zone
tsig-delete keyname [view]      # delete a TSIG key
tsig-list                       # list the currently active TSIG keys
validation newstate [view]      # enable/disable DNSSEC validation

Note: rndc accepts the "-s" and "-p" options to connect to a remote DNS server and manage it, but the keys on both sides must match for the connection to succeed. When writing rndc.conf, make sure the key name and the pre-shared secret are the same as in named.conf; otherwise rndc will not work.