rndc documentation does not mention include directive
The code is (mostly) willing, but the documentation is weak :-(
I finally noticed that the rndc documentation describes rndc.conf as having "a similar structure and syntax to named.conf". This is true, but omits a valuable feature: include works in rndc.conf.

It turns out that this is useful if you ever need (or want) to rotate keys, since a (suitably protected) .key file can be included in rndc.conf and likewise included in named.conf.

In any case, this structure avoids duplication of the secret key, makes updating the key simpler, and allows rndc.conf to have read permissions - thus making the options clause visible, which may be desirable. It also means that if you use unique keys for more than one named instance, you can simply move the key file to your management stations, but retain the default-server without editing each station's rndc.conf.
For example:

named.conf:

    # Define the rndc control key
    include "rndc.key";

rndc.conf (default-server and default-port take no colon; default-key names the key clause that rndc.key defines):

    cat >/etc/named/rndc.conf <<'EOF'
    include "rndc.key";
    options {
        default-server 2001:0db8::53;
        default-port 953;
        default-key "rndc-key";
    };
    EOF

Now, updating and initial key creation becomes simply:

    # create the file with owner-only permissions before the secret is written into it
    touch /etc/named/rndc.key
    chmod 600 /etc/named/rndc.key
    tsig-keygen -a sha256 rndc-key >/etc/named/rndc.key
    rndc reconfig
No more copying the key clause into both files, or including it in named.conf but copying it into rndc.conf.

For extra credit - rndc-confgen should probably produce this structure, since it's better than the current suggestions.

Happy New Year.