Re: RNDC Frustrations (Bind Users forum, DNS and Related Forums)
I'm not sure that I would agree that configuring rndc is poorly documented, but I have done this numerous times so I do have an idea of what is involved. Configuring rndc is documented in the BIND Administrators Reference Manual that is distributed with the BIND9 source code and is also available as a PDF file from the ISC BIND9 web pages. In particular, this is covered in section 3.4.1.2, "Administrative Tools", and section 6.2.4, "controls Statement Definition". There is some information in section 5.1 of the "migration" document and the FAQ numerous times. Both of these documents come with the source code. This is to say nothing of the documentation provided in "DNS and BIND" by Paul Albitz and Cricket Liu. If you are serious about understanding the workings of a name server, this is almost required reading. Finally, by searching Yahoo for "linux dns howto bind-9 rndc" (I used "howto" because you mentioned Linux) I was directed to http://www.linux.org/docs/ldp/howto/DNS-HOWTO-3.html which provides an almost complete configuration including the necessary rndc configuration steps. This was an extremely easy step, almost faster than reaching over to my bookshelf for my copy of "DNS and BIND". Internet search engines are "a good thing"!

I believe that an inherent problem in trying to provide any "cookie-cutter" documentation for BIND is that everyone's needs are different. When someone is attempting to configure a name server it is expected that they have to read through the documentation. The documentation that I am talking about is the documentation supplied with BIND, in Cricket's book, and that found searching the Internet. I can too easily see someone configuring rndc using the Linux DNS HOWTO simply by copying and pasting what they find from this document. If this copy and paste includes the rndc key listed in the HOWTO then there might as well not be any key, because the key is already known. (This is along the same lines of not using "admin" as your root password. It is already known to the world to be tried; don't use an rndc key that is published somewhere.) This Linux DNS HOWTO does not identify how to generate a unique key.

I am surprised that it took you almost two days to get rndc working. I will say that one line found in the migration notes document makes configuring rndc very simple: 'The easiest way to generate a configuration file is to run "rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8), and rndc.conf(5) for details.' This may indicate that reading all of the documentation could be helpful, especially when there are problems encountered. Maybe this line could/should also be included elsewhere, such as the FAQ.

Even if you don't have rndc configured and functioning you still have the ability to control "named" by sending the process signals. For example, sending "-INT" will cleanly stop the "named" process ("kill -INT named_pid"). A "-HUP" signal will cause the server to reload ("kill -HUP named_pid"). Again, refer to the BIND ARM, section 3.4.2 for more details. You don't have to bounce your whole system to restart "named". Don't forget about "kill -9" or "kill -KILL" which will really stop any process that you have running, including "named". But "kill -9" isn't a very nice way to treat your system - sort of the Unix equivalent of the Windows three finger salute for solving problems.

Bill Larson

On Thursday, July 17, 2003, at 10:39 AM, Godfried Duodu wrote:

> Good morning guys!
>
> I have just been able to get rndc working on a RH9 bind version 9.2.1. Getting bind to work was a breeze but it took almost 2 days to get the correct information etc. and make rndc work right.
> I believe much progress can be made if a well documented step is provided in the ARM. There are bits and pieces of steps all over e.g. rndc-confgen and dnssec-keygen etc.
>
> Rndc is a vital part in the running of named, and the thought that it is not working is very disconcerting. I cannot explain how frustrating it is to know that named is working but it cannot be restarted etc. without a reboot of the server.
>
> Thanks for hearing me out!
>
> Godfried Duodu
> (713)802-5146
> fax # (713)802-5140
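As an added example (not part of Bill's post and not ISC's own tooling), the following POSIX shell script does by hand what "rndc-confgen -a" does for you: it draws a fresh 128-bit hmac-md5 secret, prints an rndc.conf, prints the matching key and controls stanza for named.conf restricted to the loopback address, and includes a check that a configuration file does not still carry a secret copied verbatim from a published HOWTO. It assumes /dev/urandom and a base64 utility are available; the key name "rndc-key" and port 953 are constructed values for the example.

```shell
#!/bin/sh
# Added example: hand-rolled equivalent of "rndc-confgen -a" (not ISC's code).
# Assumes /dev/urandom and a base64 utility; key name and port are constructed.

# Fresh 128-bit secret, base64-encoded, as BIND 9.2.x expects for hmac-md5.
gen_rndc_secret() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | base64 | tr -d '\n'
}

# rndc.conf: $1 = key name, $2 = secret, $3 = server address, $4 = port.
rndc_conf() {
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$2"
    printf 'options {\n    default-key "%s";\n    default-server %s;\n' "$1" "$3"
    printf '    default-port %s;\n};\n' "$4"
}

# Stanza for named.conf: the same key, plus a controls statement that only
# listens on the given address and only accepts requests signed with this key.
named_controls() {
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$2"
    printf 'controls {\n    inet %s port %s allow { %s; } keys { "%s"; };\n};\n' \
        "$3" "$4" "$3" "$1"
}

# Returns 0 if configuration file $1 does NOT contain secret $2 (for instance
# a secret copied from a HOWTO), 1 if it does, 2 if the file is unreadable.
key_not_published() {
    [ -r "$1" ] || return 2
    ! grep -qF -- "$2" "$1"
}

# Stand-alone run: print a fresh pair of stanzas for a loopback-only channel.
secret=$(gen_rndc_secret)
rndc_conf rndc-key "$secret" 127.0.0.1 953
named_controls rndc-key "$secret" 127.0.0.1 953
```

Put the first output in rndc.conf and the second in named.conf, then reload named; the secret is never written anywhere public, which is the whole point Bill makes about copied keys.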