In this example I will show a configuration that uses slaves (secondaries) with two views (internal and external), each controlled by its own rndc key.

  • Create the keys. You need one key per view. The key generated by rndc-confgen is displayed on the screen; copy/paste it into a configuration file in /etc/bind. I use -b 512 to generate a longer key, for no specific reason — the default length is already adequate, and the weak spot here is the algorithm rather than the key size: hmac-md5 is a legacy choice, so prefer `rndc-confgen -A hmac-sha256` (the default in newer BIND releases) where your version supports it. Treat the printed secret as a credential: do not reuse the example values shown below, and be aware that it ends up in your terminal scrollback and possibly in session logs.
root@dns1:~# rndc-confgen -b 512
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "eh/uEdxi45v9VYWbTl/yx+MFoSVAWyPKVbIsx1aBEVRpTVBBMYOEsBpJMDq5UazR0nUk1r1I6z/h0ZSHZ8KwLQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "eh/uEdxi45v9VYWbTl/yx+MFoSVAWyPKVbIsx1aBEVRpTVBBMYOEsBpJMDq5UazR0nUk1r1I6z/h0ZSHZ8KwLQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
root@dns1:~# rndc-confgen -b 512
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "iVtc/a5+03vNW6vTftRbp+NDmkODom/2nIZfJo5EaMaGZC0qzsCzxXI6h4BywAekHwRaRpIPOm+mbuYqhOMtEQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "iVtc/a5+03vNW6vTftRbp+NDmkODom/2nIZfJo5EaMaGZC0qzsCzxXI6h4BywAekHwRaRpIPOm+mbuYqhOMtEQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

I integrated both keys into /etc/bind/rndc-key.conf. Because this file holds the shared secrets, restrict it to root and the user named runs as (on a Debian-style layout: chown root:bind and chmod 640) — anyone who can read it can issue whatever rndc commands the controls statement allows.

root@dns1:/etc/bind# cat /etc/bind/rndc-key.conf
# rndc keys, one per view (internal / external); the same file is copied to the secondary.
# NOTE(review): this file is a credential -- whoever holds a key can run any rndc
# command that the matching controls statement allows. Keep it readable only by
# root and the named user, and never reuse the example secrets shown in this write-up.
# NOTE(review): hmac-md5 is the legacy algorithm emitted by older rndc-confgen;
# newer releases default to hmac-sha256 (rndc-confgen -A hmac-sha256), which is preferable.
key "rndc-key-int" {
        algorithm hmac-md5;
        secret "eh/uEdxi45v9VYWbTl/yx+MFoSVAWyPKVbIsx1aBEVRpTVBBMYOEsBpJMDq5UazR0nUk1r1I6z/h0ZSHZ8KwLQ==";
};
key "rndc-key-ext" {
        algorithm hmac-md5;
        secret "iVtc/a5+03vNW6vTftRbp+NDmkODom/2nIZfJo5EaMaGZC0qzsCzxXI6h4BywAekHwRaRpIPOm+mbuYqhOMtEQ==";
};

Transfer those keys to the slave (the copy goes over SSH, so the secrets are protected in transit):

# Copy the key file to the secondary. scp does not guarantee ownership or mode on the
# destination, so after the copy fix them on dns2 as well, e.g.
#   chown root:bind /etc/bind/rndc-key.conf && chmod 640 /etc/bind/rndc-key.conf
# Both keys end up on dns2; remove any the secondary does not need.
scp /etc/bind/rndc-key.conf dns2.lab.mife.ca:/etc/bind/
  • Configure BIND to use the keys. Add `include "/etc/bind/rndc-key.conf";` (note the trailing semicolon) to your named.conf.local, and make sure the `controls` statement that references these keys also restricts `allow { ... }` to the addresses that should be able to run rndc, not just the key names.