    Introduction to and use of rndc in BIND

    rndc (Remote Name Domain Controller) is a tool for administering BIND remotely. With it you can inspect the running state of the server locally or from a remote host, and you can also stop the server, reload it, flush its cache, add and remove zones, and so on.


    With rndc, data can be updated and a modified configuration file brought into effect without stopping the DNS server. In practice a DNS server is very busy, and even a brief pause affects its users, so managing the server with rndc lets it serve users better. Before using rndc to manage BIND you need to generate a key with rndc; one copy of it is kept in rndc's configuration file and the other in BIND's main configuration file. rndc's configuration file is /etc/rndc.conf; on CentOS or RHEL the rndc key is stored in /etc/rndc.key. rndc listens on TCP port 953 by default. In fact, in BIND 9 rndc works out of the box without configuring a key file.

    When rndc connects to the DNS server it authenticates with a shared key rather than a traditional username and password. In the current versions of rndc and named the only supported authentication algorithm is HMAC-MD5, with a pre-shared key used at both ends of the connection. It provides TSIG-style authentication for command requests and name-server responses. Every command sent over the channel must be signed with a key_id known to the server. To produce a key both sides agree on, use the rndc-confgen command to generate the key and the corresponding configuration, then place those configuration fragments in named.conf and in rndc's configuration file rndc.conf respectively.

    According to the ISC knowledge-base article https://kb.isc.org/docs/aa-00722:

    When rndc stops working, we can configure it by hand.

    We can regenerate the key file manually; after regenerating it, rndc reports that the key is invalid.

    1. Generate the key file

    [root@kube /]# rndc-confgen -a
    wrote key file "/etc/rndc.key"
    [root@kube /]#

    [root@kube /]# rndc status
    rndc: connection to remote host closed
    This may indicate that
    * the remote server is using an older version of the command protocol,
    * this host is not authorized to connect,
    * the clocks are not synchronized,
    * the key signing algorithm is incorrect, or
    * the key is invalid.
    [root@kube /]#

    "algorithm hmac-md5" means the "secret" is generated with the hmac-md5 algorithm; each run produces a different "secret".

    2. Generate the /etc/rndc.conf file

    [root@kube /]# rndc-confgen > /etc/rndc.conf    # creates the file

    [root@kube named]# cat /etc/rndc.conf
    # Start of rndc.conf
    key "rndc-key" {
    	algorithm hmac-md5;
    	#secret "1UARBi7InqdyVfuLeUfZMA==";   # the secret is generated at random when the file is created; change it to the secret in rndc.key
    	secret "5ZkytmCWEMMilRcpvrnEaA==";   # replaced
    };

    options {
    	default-key "rndc-key";
    	default-server 127.0.0.1;
    	default-port 953;
    };
    # End of rndc.conf     # the block below is meant to be added to named.conf; during testing it still worked without adding it, so newer BIND versions presumably include this configuration by default

    # Use with the following in named.conf, adjusting the allow list as needed:
    # key "rndc-key" {
    # 	algorithm hmac-md5;
    # 	secret "1UARBi7InqdyVfuLeUfZMA==";
    # };
    #
    # controls {
    # 	inet 127.0.0.1 port 953
    # 		allow { 127.0.0.1; } keys { "rndc-key"; };
    # };
    # End of named.conf
    [root@kube named]#

    Following the normal steps, update the named.conf configuration; the secret must be identical to the one in rndc.key and rndc.conf.

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    # Use with the following in named.conf, adjusting the allow list as needed:
    key "rndc-key" {
        algorithm hmac-md5;
        #secret "1UARBi7InqdyVfuLeUfZMA==";
        secret "5ZkytmCWEMMilRcpvrnEaA==";
    };
    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
    };
    # End of named.conf

    Restart: systemctl restart named

    Test: success

    [root@kube ~]# rndc status
    WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
    version: BIND 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 (Extended Support Version) <id:7107deb>
    running on kube.master: Linux x86_64 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6 15:49:49 UTC 2019
    boot time: Mon, 12 Apr 2021 04:36:16 GMT
    last configured: Mon, 12 Apr 2021 04:36:16 GMT
    configuration file: /etc/named.conf
    CPUs found: 4
    worker threads: 4
    UDP listeners per interface: 3
    number of zones: 107 (97 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/900/1000
    tcp clients: 3/150
    server is up and running
    [root@kube ~]# 
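    The whole procedure above hinges on one condition: the secret under key "rndc-key" must be identical in /etc/rndc.key, /etc/rndc.conf and /etc/named.conf, and a stale commented-out "#secret" line must not be mistaken for the live one. As an added example that is not part of the original post, the POSIX shell script below extracts that secret from each file and reports whether they agree; the file paths, key name and sample secrets are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the rndc secret is
# identical in rndc.key, rndc.conf and named.conf, the mismatch behind the
# "key is invalid" message shown above. Paths and key name are arguments.

# Print the secret of key NAME from a BIND-style config file. Comment lines are
# skipped so a stale "#secret ..." left in rndc.conf is not picked up.
rndc_secret() {  # usage: rndc_secret FILE KEYNAME
  awk -v name="$2" '
    /^[[:space:]]*(#|\/\/)/ { next }                   # skip comment lines
    $1 == "key" && $2 == "\"" name "\"" { inkey = 1 }  # enter key "NAME" { ... }
    inkey && $1 == "secret" { gsub(/[";]/, "", $2); print $2; exit }
    inkey && /^[[:space:]]*}/ { inkey = 0 }            # leave the key block
  ' "$1"
}

# Compare the secret across the three files; prints "match", "mismatch", or
# "missing" when the key block is absent from at least one file.
check_rndc_secrets() {  # usage: check_rndc_secrets RNDC_KEY RNDC_CONF NAMED_CONF KEYNAME
  k=$(rndc_secret "$1" "$4"); c=$(rndc_secret "$2" "$4"); n=$(rndc_secret "$3" "$4")
  if [ -z "$k" ] || [ -z "$c" ] || [ -z "$n" ]; then echo missing
  elif [ "$k" = "$c" ] && [ "$k" = "$n" ]; then echo match
  else echo mismatch; fi
}

# Constructed sample files with placeholder secrets (not real keys) that
# reproduce the post's situation: rndc.key regenerated, rndc.conf fixed,
# named.conf still carrying the old secret.
write_samples() {  # usage: write_samples DIR
  printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "NEWSECRETAAAAAAAAAAAAAA==";\n};\n' > "$1/rndc.key"
  printf '# Start of rndc.conf\nkey "rndc-key" {\n\talgorithm hmac-md5;\n\t#secret "OLDSECRETBBBBBBBBBBBBBB==";\n\tsecret "NEWSECRETAAAAAAAAAAAAAA==";\n};\n' > "$1/rndc.conf"
  printf 'options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };\n' >> "$1/rndc.conf"
  printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "OLDSECRETBBBBBBBBBBBBBB==";\n};\n' > "$1/named.conf"
  printf 'controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };\n' >> "$1/named.conf"
}

# Stand-alone demo; on a real host run instead:
#   check_rndc_secrets /etc/rndc.key /etc/rndc.conf /etc/named.conf rndc-key
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "sample files: $(check_rndc_secrets "$demo_dir/rndc.key" "$demo_dir/rndc.conf" "$demo_dir/named.conf" rndc-key)"  # mismatch
rm -rf "$demo_dir"
```

    A "mismatch" result after a fresh rndc-confgen -a is exactly the state the post describes before named.conf was updated; rerun the check after editing the files and restarting named.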

    1. Syntax

    Usage: rndc [-b address] [-c config] [-s server] [-p port]
    [-k key-file ] [-y key] [-r] [-V] command
    
    command is one of the following:
    
    addzone zone [class [view]] { zone-options }
                  Add zone to given view. Requires allow-new-zones option.
    delzone [-clean] zone [class [view]]
                  Removes zone from given view.
    dnstap -reopen
                  Close, truncate and re-open the DNSTAP output file.
    dnstap -roll count
                  Close, rename and re-open the DNSTAP output file(s).
    dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
                   Dump cache(s) to the dump file (named_dump.db).
    flush          Flushes all of the server's caches.
    flush [view]   Flushes the server's cache for a view.
    flushname name [view]
                   Flush the given name from the server's cache(s)
    flushtree name [view]
                   Flush all names under the given name from the server's cache(s)
    freeze         Suspend updates to all dynamic zones.
    freeze zone [class [view]]
                   Suspend updates to a dynamic zone.
    halt           Stop the server without saving pending updates.
    halt -p        Stop the server without saving pending updates reporting
                   process id.
    loadkeys zone [class [view]]
                  Update keys without signing immediately.
    managed-keys refresh [class [view]]
                  Check trust anchor for RFC 5011 key changes
    managed-keys status [class [view]]
                  Display RFC 5011 managed keys information
    managed-keys sync [class [view]]
                  Write RFC 5011 managed keys to disk
    modzone zone [class [view]] { zone-options }
                  Modify a zone's configuration.
                  Requires allow-new-zones option.
    notify zone [class [view]]
                  Resend NOTIFY messages for the zone.
    notrace       Set debugging level to 0.
    nta -dump     List all negative trust anchors.
    nta [-lifetime duration] [-force] domain [view]
                  Set a negative trust anchor, disabling DNSSEC validation
                  for the given domain.Using -lifetime specifies the duration of the NTA, 
                  up to one week.Using -force prevents the NTA from expiring before its
                  full lifetime, even if the domain can validate sooner.
    nta -remove domain [view]
                  Remove a negative trust anchor, re-enabling validation
                  for the given domain.
    querylog newstate
                  Enable / disable query logging.
    reconfig      Reload configuration file and new zones only.
    recursing     Dump the queries that are currently recursing (named.recursing)
    refresh zone [class [view]]
                  Schedule immediate maintenance for a zone.
    reload        Reload configuration file and zones.
    reload zone [class [view]]
                  Reload a single zone.
    retransfer zone [class [view]]
                  Retransfer a single zone without checking serial number.
    scan          Scan available network interfaces for changes.
    secroots [view ...]
                  Write security roots to the secroots file.
    showzone zone [class [view]]
                   Print a zone's configuration.
    sign zone [class [view]]
                   Update zone keys, and sign as needed.
    signing -clear all zone [class [view]]
                   Remove the private records for all keys that have
                   finished signing the given zone.
    signing -clear <keyid>/<algorithm> zone [class [view]]
                   Remove the private record that indicating the given key
                   has finished signing the given zone.
    signing -list zone [class [view]]
                   List the private records showing the state of DNSSEC
                   signing in the given zone.
    signing -nsec3param 
                   hash flags iterations salt zone [class [view]]
                   Add NSEC3 chain to zone if already signed.
                   Prime zone with NSEC3 chain if not yet signed.
    signing -nsec3param none zone [class [view]]
                   Remove NSEC3 chains from zone.
    signing -serial <value> zone [class [view]]
                   Set the zones's serial to <value>.
    stats          Write server statistics to the statistics file.
    status         Display status of the server.
    stop           Save pending updates to master files and stop the server.
    stop -p        Save pending updates to master files and stop the server
                   reporting process id.
    sync [-clean]  Dump changes to all dynamic zones to disk, and optionally
                   remove their journal files.
    sync [-clean] zone [class [view]]
                   Dump a single zone's changes to disk, and optionally
                   remove its journal file.
    thaw           Enable updates to all dynamic zones and reload them.
    thaw zone [class [view]]
                   Enable updates to a frozen dynamic zone and reload it.
    trace          Increment debugging level by one.
    trace level    Change the debugging level.
    tsig-delete keyname [view]
                   Delete a TKEY-negotiated TSIG key.
    tsig-list      List all currently active TSIG keys, including both statically
                   configured and TKEY-negotiated keys.
    validation newstate [view]
                   Enable / disable DNSSEC validation.
    zonestatus zone [class [view]]
                   Display the current status of a zone.

    2. Common rndc commands:

    status #show the working status of the BIND server
    reload #reload the configuration file and zone files
    reload zone_name #reload the specified zone
    reconfig   #re-read the configuration file and load newly added zones only
    querylog   #turn query logging off or on; quite useful, as query logs are written to the file defined in the logging section of named.conf
    dumpdb #dump the cache to the dump file (named_dump.db)
    freeze    #suspend updates to all dynamic zones
    freeze zone [class [view]] #suspend updates to one dynamic zone
    flush [view]  #flush all of the server's caches
    flushname name   #flush the server's cache for a given view
    stats   #write server statistics to the statistics file, i.e. the file set by statistics-file "/var/named/data/named_stats.txt";
    stop   #save pending updates to the master files and stop the server
    halt   #stop the server without saving pending updates
    trace   #turn on debugging; debugging has levels, and each run raises the level by one
    trace LEVEL   #set the debug level; trace 0 turns debugging off
    notrace #set the debug level to 0
    restart #restart the server (not yet implemented)
    addzone zone [class [view]] { zone-options } #add a zone
    delzone zone [class [view]] #delete a zone
    tsig-delete keyname [view] #delete a TSIG key
    tsig-list #list the currently active TSIG keys
    validation newstate [view] #enable/disable DNSSEC
    Note: rndc accepts the "-s" and "-p" options to connect to a remote DNS server so that it can be managed remotely, but the keys on both sides must match for the connection to succeed. When setting up rndc.conf, make sure the key name and the pre-shared secret are identical to those in named.conf; otherwise rndc will not work.
    Original article: https://www.cnblogs.com/zy09/p/14647462.html