# Bind 9.11_1 in PfSense 2.3.3 Problems for generate RNDC-KEY



## luciano_frc (Feb 27, 2017)

If the RNDC key is not generated, I get the following result over SSH:

```
[2.3.3-RELEASE][root@ns.vnet]/root: rndc status
rndc: neither /usr/local/etc/namedb/rndc.conf nor /usr/local/etc/namedb/rndc.key was found
[2.3.3-RELEASE][root@ns.vnet]/root:
```
I generated the key using the following command:

```
'rndc-confgen -a' to generate the proper conf file, with a new random key, and appropriate file permissions.
```
As described here:

```
**********************************************************************
*            _  _____ _____ _____ _   _ _____ ___ ___  _   _         *
*           / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |        *
*          / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |        *
*         / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |        *
*        /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|        *
*                                                                    *
*   BIND requires configuration of rndc, including a "secret" key.   *
*    The easiest, and most secure way to configure rndc is to run    *
*   'rndc-confgen -a' to generate the proper conf file, with a new   *
*            random key, and appropriate file permissions.           *
*                                                                    *
*     The /usr/local/etc/rc.d/named script will do that for you.     *
*                                                                    *
*********************************************************************
```
The command output at the terminal follows:

```
[2.3.3-RELEASE][root@ns.vnet]/root: rndc-confgen -a
wrote key file "/usr/local/etc/namedb/rndc.key"
[2.3.3-RELEASE][root@ns.vnet]/root:
```
I tested the connection with the rndc status command:

```
[2.3.3-RELEASE][root@ns.vnet]/root: rndc status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
[2.3.3-RELEASE][root@ns.vnet]/root:
```
At this point I know I just need to put the key generated by rndc-confgen -a in the named.conf file.
And here is the big problem:
I have two named.conf files.
One is in the chroot and should not be edited, look:





And another named.conf in /usr/local/etc/namedb/named.conf; look at this original file at http://txt.do/d138n

I do not know where to enter the rndc-key.

UPDATE:

I was looking at the named file,
which is in
/usr/local/etc/rc.d/named
I saw that there is a section talking about rndc:

```
# Create an rndc.key file for the user if none exists
#
confgen_command="${_named_program_root}/sbin/rndc-confgen -a -b256 -u ${named_uid} \
    -c ${_named_confdir}/rndc.key"
if [ -s "${_named_confdir}/rndc.conf" ]; then
    unset confgen_command
fi
if [ -s "${_named_confdir}/rndc.key" ]; then
    case `stat -f%Su ${_named_confdir}/rndc.key` in
    root|${named_uid}) ;;
    *) ${confgen_command} ;;
    esac
else
    ${confgen_command}
fi
```

I also noticed that even after deleting the named.conf and rndc.conf files from the /cf/ directory, which is the bind chroot,
they are recreated again, but the rndc key is not the same as the one generated with rndc-confgen -a,
so rndc cannot connect, hence the errors above.
In this script http://pasted.co/3bc490e3, would it be possible for me to tell it where it should get the rndc.conf files and the key?
Sorry for my ignorance, but I really am not knowledgeable enough for this change.
I appreciate all the help.


----------



## SirDice (Feb 27, 2017)

PC-BSD, FreeNAS, NAS4Free, and all other FreeBSD Derivatives


----------



## luciano_frc (Feb 27, 2017)

Thanks for the answer.
I looked at the official pfSense forum, but I do not think anyone has tried to use rndc.key in bind.
Anyway, I posted a topic there with the same question.
Some information:
this script that starts bind, http://pasted.co/3bc490e3,
I would like it not to replace the rndc.conf and rndc.key files,
but I do not know how to do it; would it be possible to help in this matter?
That is all I need.


----------



## aupanner (Feb 28, 2017)

In standard FreeBSD 11 with bind 9.11:

In /usr/local/etc/namedb/rndc.conf (root.wheel 0600):

```
# Start of rndc.conf
key "my_rndc_key" {
        algorithm hmac-md5;
        secret "pppppppppppppppppp==";
};

options {
        default-key "my_rndc_key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf
```

In /usr/local/etc/namedb/named.conf (root.wheel 0600):

```
...
key "my_rndc_key" {
         algorithm hmac-md5;
         secret "pppppppppppppppppp==";
};
controls {
      inet 127.0.0.1 port 953
              allow { 127.0.0.1; } keys { "my_rndc_key"; };
};
...
```

If you're using dhcpd and you care about DDNS, you'll also want this:
In /usr/local/etc/namedb/named.conf:

```
...
key "my_dhcpd_key" {
         algorithm hmac-md5;
         secret "qqqqqqqqqqqqqqqqq==";
};
...
```

In /usr/local/etc/dhcpd.conf:

```
...
ddns-update-style interim;
ddns-updates on;
allow client-updates;

# note lack of quoting
key my_dhcpd_key {
        algorithm hmac-md5;
        secret qqqqqqqqqqqqqqqqq==;
}

zone MYDOMAIN.COM. {
        primary 127.0.0.1;
        key my_dhcpd_key;
}

zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key my_dhcpd_key;
}
...
```
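As an added example (not from this thread, nor from the pfSense or BIND projects), a small Python check that parses the key blocks from an rndc.conf or rndc.key and a named.conf the way aupanner's post pairs them, and reports why `rndc status` would be refused: the key name is absent from named.conf, the algorithm or secret differs (the symptom in the first post, where the chroot's regenerated copy no longer matched the key from `rndc-confgen -a`), or the key is not listed in the controls statement. The parser also accepts the unquoted form used in dhcpd.conf; the sample configs below are constructed, with placeholder secrets.

```python
import re
# Constructed sample files standing in for the rndc.conf / named.conf pairing
# shown in the thread; the secrets are placeholders, not real key material.
RNDC_CONF = '''key "my_rndc_key" {
        algorithm hmac-md5;
        secret "pppppppppppppppppp==";
};
options {
        default-key "my_rndc_key";
};
'''
NAMED_CONF = '''key "my_rndc_key" {
        algorithm hmac-md5;
        secret "pppppppppppppppppp==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "my_rndc_key"; };
};
'''
# key "name" { algorithm X; secret "Y"; };  (quotes are optional: dhcpd.conf omits them)
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"?([^";]+)"?\s*;\s*\}', re.S)
CONTROLS_RE = re.compile(r'controls\s*\{.*?keys\s*\{([^}]*)\}', re.S)
def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key block in a BIND-style config."""
    return {n: (a.lower(), s) for n, a, s in KEY_RE.findall(text)}

def controls_keys(text):
    """Key names that the named.conf controls statement accepts for rndc connections."""
    m = CONTROLS_RE.search(text)
    return re.findall(r'"?([\w.-]+)"?\s*;', m.group(1)) if m else []

def check_rndc_pairing(rndc_conf, named_conf):
    """Return a list of mismatches; an empty list means 'rndc status' should authenticate."""
    client, server, problems = parse_keys(rndc_conf), parse_keys(named_conf), []
    m = re.search(r'default-key\s+"?([\w.-]+)"?\s*;', rndc_conf)
    # rndc.key written by rndc-confgen -a has no options block: its single key is the default
    name = m.group(1) if m else (next(iter(client)) if len(client) == 1 else None)
    if name is None or name not in client:
        return ["rndc.conf/rndc.key does not define a usable default key"]
    if name not in server:
        problems.append(f'named.conf has no key "{name}"')
    else:
        for field, i in (("algorithm", 0), ("secret", 1)):
            if client[name][i] != server[name][i]:
                problems.append(f'{field} of key "{name}" differs between rndc.conf and named.conf')
    if name not in controls_keys(named_conf):
        problems.append(f'controls statement does not allow key "{name}"')
    return problems
```

Run it against the real files (for example `/usr/local/etc/namedb/rndc.key` and the named.conf that the running named actually loaded, which on pfSense lives under the chroot) to see which of the three conditions is failing before editing anything.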


----------



## luciano_frc (Mar 1, 2017)

Thanks for the answer.
I'll compare the files.


----------

