
DNS and BIND: Working with RNDC Keys

Hands-On Lab

 

Cara Nolte

Linux Training Architect II

Length

00:15:00

Difficulty

Intermediate

BIND uses a shared secret key authentication method to grant privileges to hosts. It is important to know how to generate this key for administration purposes. In this hands-on lab we will learn to configure the RNDC key and configuration file, and link it to the named service. To accomplish this, we will install the BIND package and recreate the RNDC key and configuration. We will then copy the new configuration to the named.conf file. To complete this lab, you will have to show that a new configuration has been created and that DNS queries are being cached on localhost.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

DNS and BIND: Working with RNDC Keys

Introduction

BIND uses a shared secret key authentication method to grant privileges to hosts. In this hands-on lab we will learn to configure the RNDC key and configuration file, and link it to the named service. To accomplish this, we will install the BIND package and recreate the RNDC key and configuration. We will then copy the new configuration to the named.conf file. To complete this lab, you will have to show that a new configuration has been created and that DNS queries are being cached on localhost.

The Scenario

An application team at ABCCompany is experiencing an outage with their application. It was discovered that the key file for the named configuration was accidentally deleted. Since they were unable to restore the original file, we have been asked to recreate the RNDC key and link it to the named configuration.

  • Use the yum utility to install bind and bind-utils.
  • Remove the auto-generated /etc/rndc.key file in order to learn to configure and link new keys.
  • Create a new RNDC key and link it to the named configuration using rndc-confgen.
  • Use systemctl to start the named service.
  • Use the nslookup utility to verify that DNS records are being cached on localhost.

Logging In

To begin, log in to Server1 with the credentials provided on the hands-on lab page. Since we need root privileges, let's just run sudo -i right off and become root.

Install and Enable the named Service

To install BIND, run:

yum install bind bind-utils -y

To start and enable it, run:

systemctl start named
systemctl enable named

When we do that, it creates a key automatically. It contains a base64-encoded secret string that we'll use in the named configuration. Read the file to see it:

more /etc/rndc.key

Recreate the RNDC Key and Configuration File

Remove the rndc key file:

rm /etc/rndc.key

Now reload RNDC:

rndc reload

We'll get an error.

We can generate a new key though:

rndc-confgen -r /dev/urandom -a

Reload RNDC again, and this time we'll get an error saying the key is invalid: the running named still holds the old key it loaded at startup, while rndc is now using the new one. We need to recreate the key and have it connected to named.

Let's stop the named service:

systemctl stop named

Then we'll generate an RNDC key and configuration file:

rndc-confgen -r /dev/urandom > /etc/rndc.conf

Link the RNDC Configuration to the named Configuration

Read that file again:

more /etc/rndc.conf

Copy the section just after the line that starts with "Use with the following in named.conf". It should look something like this (with a different secret):

# key "rndc-key" {
#   algorithm hmac-md5;
#   secret "9qx/t4pn4edrdoY5S90pgg==";
# };
#
# controls {
#   inet 127.0.0.1 port 953
#       allow { 127.0.0.1; } keys { "rndc-key"; };
# };

Now we've got to paste that into /etc/named.conf. Open it for editing:

vim /etc/named.conf

Now we can paste that section into the file, just before the include statements. Once it's pasted in, we also need to delete the # signs at the beginning of the lines to uncomment them. It should look something like this:

...
zone "." IN {
        type hint;
        file "named.ca";
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "9qx/t4pn4edrdoY5S90pgg==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Check to make sure there aren't any errors in the file with this:

named-checkconf
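named-checkconf only tells us the file parses. It will happily accept a key block that is still commented out, or a secret that was pasted with a typo, and either one brings back the "key is invalid" error at reload time. The script below is an added example written for this lab (it is not part of the lab or of BIND) that compares the key rndc will use, from rndc.conf, with the key the controls block in named.conf accepts, and also confirms the control channel is limited to 127.0.0.1. The file paths are parameters, and the sample files it creates use constructed placeholder secrets, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab: verify that the key rndc will use
# (from rndc.conf) is the same key that named.conf's controls block accepts.
# named-checkconf only validates syntax; a key that is still commented out,
# or a secret that differs between the two files, parses fine but produces
# the "key is invalid" error seen in the lab.

# Print FIELD ("algorithm" or "secret") of key NAME from a BIND-style FILE.
# Comment lines are skipped, so a key that is still commented out is treated
# as absent, exactly as named would treat it.
key_field() {
    local file="$1" name="$2" field="$3"
    awk -v want="$name" -v field="$field" '
        /^[[:space:]]*#/ { next }
        $1 == "key" && $2 == ("\"" want "\"") { inblock = 1; next }
        inblock && $1 == field { gsub(/[";]/, "", $2); print $2; exit }
        inblock && /^[[:space:]]*[}];/ { inblock = 0 }
    ' "$file"
}

# Print the key name referenced by "keys { ... }" inside the controls block.
controls_key() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "controls" { inblock = 1; next }
        inblock && /keys[[:space:]]*[{]/ {
            sub(/.*keys[[:space:]]*[{][[:space:]]*"/, ""); sub(/".*/, ""); print; exit
        }
        inblock && /^[[:space:]]*[}];/ { inblock = 0 }
    ' "$1"
}

# Print the contents of "allow { ... }" inside the controls block.
controls_allow() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "controls" { inblock = 1; next }
        inblock && /allow[[:space:]]*[{]/ {
            sub(/.*allow[[:space:]]*[{][[:space:]]*/, ""); sub(/[[:space:]]*[}].*/, ""); print; exit
        }
        inblock && /^[[:space:]]*[}];/ { inblock = 0 }
    ' "$1"
}

# Return 0 when rndc.conf and named.conf agree on the control key and the
# control channel is restricted to loopback; otherwise explain and return 1.
check_rndc_link() {
    local rndc_conf="$1" named_conf="$2" name field a b
    name=$(controls_key "$named_conf")
    [ -n "$name" ] || { echo "FAIL: no key referenced in the controls block of $named_conf"; return 1; }
    for field in algorithm secret; do
        a=$(key_field "$rndc_conf" "$name" "$field")
        b=$(key_field "$named_conf" "$name" "$field")
        [ -n "$a" ] || { echo "FAIL: key \"$name\" has no $field in $rndc_conf"; return 1; }
        [ -n "$b" ] || { echo "FAIL: key \"$name\" has no $field in $named_conf (still commented out?)"; return 1; }
        [ "$a" = "$b" ] || { echo "FAIL: $field of key \"$name\" differs between the two files"; return 1; }
    done
    [ "$(controls_allow "$named_conf")" = "127.0.0.1;" ] ||
        { echo "FAIL: controls allow list is not limited to 127.0.0.1"; return 1; }
    echo "OK: $named_conf and $rndc_conf share key \"$name\"; control channel is loopback only"
}

# Constructed sample files (placeholder secrets, not real keys) so the check
# runs offline; on a live server point it at /etc/rndc.conf and /etc/named.conf.
DEMO=$(mktemp -d)
cat > "$DEMO/rndc.conf" <<'EOF'
key "rndc-key" {
        algorithm hmac-md5;
        secret "PLACEHOLDERsecretNOTREAL==";
};
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
EOF
cat > "$DEMO/named-linked.conf" <<'EOF'
zone "." IN { type hint; file "named.ca"; };
key "rndc-key" {
        algorithm hmac-md5;
        secret "PLACEHOLDERsecretNOTREAL==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "/etc/named.rfc1912.zones";
EOF
# Same file, but the pasted key block still has its # signs: the common
# mistake behind "key is invalid".
cat > "$DEMO/named-commented.conf" <<'EOF'
# key "rndc-key" {
#   algorithm hmac-md5;
#   secret "PLACEHOLDERsecretNOTREAL==";
# };
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

check_rndc_link "$DEMO/rndc.conf" "$DEMO/named-linked.conf"
check_rndc_link "$DEMO/rndc.conf" "$DEMO/named-commented.conf" || true
```

Run it right after named-checkconf and before starting named again, with /etc/rndc.conf and /etc/named.conf as the two arguments; the first sample passes, the second reports that the key in named.conf is still commented out. Note that the lab's generated key uses hmac-md5; rndc also supports HMAC-SHA algorithms, and on newer BIND releases rndc-confgen can generate those directly, which is the better choice where the installed version allows it.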

Start the named Service

Now we can fire named back up, and reload RNDC:

systemctl start named
rndc reload

We're getting an error about using the default configuration. So let's remove that key file. We don't need it any more, because all of the information is in named.conf now. We can reload again afterward:

rm /etc/rndc.key
rndc reload

Test the Configuration to Ensure DNS Records Are Being Cached on localhost

Now we can test the server:

nslookup www.google.com 127.0.0.1

We'll get an answer back showing domain information about Google. If we run it again, it will be a quicker response, because now the information is cached.

Conclusion

Well, we did it. We set up a name server using RNDC keys. Congratulations!