Scroll to navigation



rndc-confgen - rndc key generation tool


rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-s address] [-t chrootdir] [-u user]


rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf by hand. Alternatively, it can be run with the -a option to set up a rndc.key file and avoid the need for a rndc.conf file and a controls statement altogether.


This option sets automatic rndc configuration, which creates a file /etc/bind/rndc.key that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.

If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, run rndc-confgen without the -a option and set up rndc.conf and named.conf as directed.

This option specifies the algorithm to use for the TSIG key. Available choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512. The default is hmac-sha256.

This option specifies the size of the authentication key in bits. The size must be between 1 and 512 bits; the default is the hash size.

This option is used with the -a option to specify an alternate location for rndc.key.

This option prints a short summary of the options and arguments to rndc-confgen.

This option specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key.

This option specifies the command channel port where named listens for connections from rndc. The default is 953.

This option prevets printing the written path in automatic configuration mode.

This option specifies the IP address where named listens for command-channel connections from rndc. The default is the loopback address

This option is used with the -a option to specify a directory where named runs chrooted. An additional copy of the rndc.key is written relative to this directory, so that it is found by the chrooted named.

This option is used with the -a option to set the owner of the generated rndc.key file. If -t is also specified, only the file in the chroot area has its owner changed.


To allow rndc to be used with no manual configuration, run:

rndc-confgen -a

To print a sample rndc.conf file and the corresponding controls and key statements to be manually inserted into named.conf, run:



rndc(8), rndc.conf(5), named(8), BIND 9 Administrator Reference Manual.


Internet Systems Consortium


2024, Internet Systems Consortium

2024-02-02 9.19.21-1+b1-Debian