The controls Statement

The BIND 8 controls statement defines the control channels used by ndc, which can be either a Unix socket or a network socket. The BIND 8 controls statement syntax is shown in Listing B.12.

Listing B.12: BIND 8 controls Statement Syntax

    controls {
        [ inet ip_addr port ip_port allow { address_match_list; }; ]
        [ unix pathname perm file_permissions owner uid group gid; ]
    };

The first three options (inet, port, and allow) define the IP address and port number of a network socket, and the access control list of the systems allowed to control named through that channel. Because BIND 8 authenticates ndc clients weakly, creating a control channel that is reachable from the network is risky: whoever gains access to that channel has control over the name server process.

The last four options (unix, perm, owner, and group) define the Unix control socket. The Unix socket appears as a file in the filesystem and is identified by an ordinary file pathname (for example, /var/run/ndc). Like any file, the Unix socket is assigned the user id (uid) of its owner and a group id (gid), and it is protected by standard file permissions. Only numeric uid, gid, and file_permissions values are accepted, and the file_permissions value must start with a 0. For example, to grant the owner read and write access, the group read access, and everyone else no access, the numeric value would be 0640.

Most BIND 8 configurations do not contain a controls statement because the default configuration does not need to be changed. ndc cannot be used safely over a network, so the inet, port, and allow options are not used to configure a network socket, and ndc works locally on the server without any modifications to the Unix socket. For BIND 8, the default configuration is all that is required.

The BIND 9 controls statement defines the control channels used by rndc. rndc performs the same functions as the older ndc program, but it can reliably be used over a network. The BIND 9 controls statement is shown in Listing B.13.

Listing B.13: BIND 9 controls Statement Syntax

    controls {
        [ inet ip_addr|* port ip_port allow address_match_list; keys key_list; ]
    };

The inet, port, and allow options define a network socket for BIND 9 just as they did for BIND 8, except that now they are genuinely useful, because rndc can reliably run over a network socket. To these options, BIND 9 adds a keys option that names the cryptographic keys used to provide strong authentication between the rndc client and the server.

In BIND 9, the controls statement always defines a network socket; it provides no options for defining a Unix socket. The network socket is used even when rndc is run locally from the name server's console. See Chapter 4 for an example of the controls statement required to run rndc locally on the server.
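As an added illustration, not taken from the book, the following named.conf fragment shows a BIND 9 controls statement that keeps the control channel bound to the loopback address, limits the allow list to localhost, and requires a shared key, together with the matching rndc.conf the client reads. It uses the braces that the current named.conf grammar expects around the allow and keys lists, and the key name, port 953 (the conventional rndc port), the HMAC algorithm, and the secret are all assumptions; the secret is a constructed placeholder that must be replaced with a freshly generated value before use.

```conf
// ---- /etc/named.conf (example fragment, not the book's own listing) ----

// Shared key used to authenticate rndc to named.
// The secret below is a constructed placeholder, not a real key: replace it.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c29tZS1jb25zdHJ1Y3RlZC1leGFtcGxlLXNlY3JldA==";
};

controls {
    // Bind only to loopback, accept only loopback clients, and require the key.
    // Listening on a routable address or widening the allow list exposes
    // full control of named to anyone who can reach the socket and obtain the key.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; }
        keys { "rndc-key"; };
};

// ---- /etc/rndc.conf (client side, same key material) ----

key "rndc-key" {
    algorithm hmac-sha256;
    secret "c29tZS1jb25zdHJ1Y3RlZC1leGFtcGxlLXNlY3JldA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
```

Both files must carry the same key name and secret, and rndc.conf should be readable only by the administrative user that runs rndc, since anyone who can read the secret can issue control commands to the server.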
