AskF5 - How-To - SOL13485 - Re-Generating BIND RNDC Keys


AskF5 | How-To: SOL13485 - Re-generating BIND rndc keys https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13485.htm...

SOL13485: Re-generating BIND rndc keys

How-To

Original Publication Date: 03/28/2012
Updated Date: 10/18/2012

Purpose

You should consider using this procedure under the following condition:

F5 recommends using this procedure on BIG-IP systems running software versions listed in the Applies To box in
order to ensure the BIND rndc key contains sufficient entropy.

Prerequisites
You must meet the following prerequisites to use this procedure:

You must have command line access to the BIG-IP system.


You have saved a UCS archive of the configuration before performing this procedure (see SOL13132 under Supplemental Information).

Description
BIND version 9.x provides the rndc utility for command line administration of the name server from the local host or
from a remote host. To prevent unauthorized control of the named process, BIND authenticates every rndc command with
the rndc key, a shared secret that both rndc and named read from the key file. The rndc utility communicates with the
name server over a TCP connection (the control channel), and each command carries an HMAC computed with that key, which
named verifies before acting on it. Because the key is a symmetric secret rather than a public/private key pair, any
host or local user that can read the key file can issue any rndc command, including stopping the server.

The BIG-IP system automatically generates a default rndc key during installation, a point at which the system may
have gathered little entropy. To ensure the key contains sufficient entropy, F5 recommends that you re-generate the
rndc key file during system runtime.

Note: BIG-IP systems running BIG-IP 10.1.0 or higher have two key files, /var/named/config/rndc.key and
/var/dnscached/config/rndc.key, and both must be re-generated.
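A check on the key file itself, added here as an example and not something the article or BIND ships: it reads an rndc.key file of the form rndc-confgen -a writes (key "rndc-key" { algorithm ...; secret "..."; };), reports the algorithm and the decoded secret length in bits, and flags a file that group or other can read, since that secret is all that stands between a local user and full rndc control of named. The function names are this script's own, and the sample key file in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the F5 article): inspect an rndc.key file.
# Expected layout:  key "rndc-key" { algorithm hmac-md5; secret "<base64>"; };
# The secret is a shared HMAC key; whoever can read it can drive named via rndc,
# so both its length and the file's permissions matter. Function names are ours.

# Print the algorithm declared in the key file (first key statement only).
rndc_key_algorithm() {
    sed -n 's/.*algorithm[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Print the secret's length in bits: base64-decode it and count bytes * 8.
# Prints 0 and fails if no secret statement is present.
rndc_key_bits() {
    secret=$(sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$secret" ] || { echo 0; return 1; }
    echo $(( 8 * $(printf '%s' "$secret" | base64 -d | wc -c) ))
}

# Succeed (exit 0) if group or other hold any permission bit on the file.
# Columns 5-10 of 'ls -l' are the group and other permission triplets.
rndc_key_exposed() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" != "------" ]
}

# Report on one key file; non-zero exit if the secret is short or the file is exposed.
check_rndc_key() {
    f=$1
    rc=0
    bits=$(rndc_key_bits "$f") || { echo "$f: no secret statement found" >&2; return 1; }
    echo "$f: algorithm=$(rndc_key_algorithm "$f") bits=$bits"
    if [ "$bits" -lt 128 ]; then
        echo "$f: secret shorter than 128 bits (rndc-confgen default)" >&2
        rc=1
    fi
    if rndc_key_exposed "$f"; then
        echo "$f: readable by group or other; anyone who reads it controls named" >&2
        rc=1
    fi
    return $rc
}

# On a BIG-IP, check whichever of the article's two key files exist.
status=0
for k in /var/named/config/rndc.key /var/dnscached/config/rndc.key; do
    if [ -f "$k" ]; then
        check_rndc_key "$k" || status=1
    fi
done
```

To try it without a BIG-IP, write a constructed key file such as key "rndc-key" { algorithm hmac-md5; secret "MDEyMzQ1Njc4OWFiY2RlZg=="; }; to a temporary path with mode 0600 and call check_rndc_key on it; the secret decodes to 16 bytes, so it reports 128 bits, and re-running after chmod 644 reports the exposure.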

Procedures
Re-generating the rndc key for appliance systems

Note: If you are running BIG-IP 10.1.0 or higher, you will need to re-generate two different rndc.key files during this
procedure.

Impact of procedure: This procedure requires that you temporarily stop several DNS-related daemons on the
BIG-IP system. As a result, some DNS services will be interrupted.

1. Log in to the BIG-IP command line.


2. Check the status of the named, dnscached, and zrd processes by typing the following command:

bigstart status named dnscached zrd

Processes listed as run will need to be stopped. Processes listed as down do not need to be stopped during this
procedure. For example, in the following output, the named and zrd processes are listed as run and need to be
temporarily stopped:

named run (pid 345) 3 hours, 3 starts
dnscached down, Not provisioned
zrd run (pid 28328) 14 hours, 2 starts

3. Stop the processes that were listed as run in the previous step by using the following command syntax:

bigstart stop <process> <process>

For example, if the named and zrd processes are running, use the following command to stop them:

bigstart stop named zrd

4. Re-generate the rndc.key by entering the following command(s):

Note: The following commands generate 128-bit key files, the rndc-confgen default. You can use the -b option to
specify a different key size in bits. rndc-confgen reads its randomness from /dev/random by default, so on a system
with little available entropy the command may pause until enough entropy has been gathered; let it finish rather than
interrupting it. For more information, refer to the rndc-confgen man page.

/usr/sbin/rndc-confgen -a -c /var/named/config/rndc.key

For BIG-IP 10.1.0 and higher, you must also run the following command:

/usr/sbin/rndc-confgen -a -c /var/dnscached/config/rndc.key

5. Restart the daemons that were stopped in Step 3 by using the following command syntax:

bigstart start <process> <process>

For example, if you stopped the named and zrd processes in Step 3, use the following command to start the
processes:

bigstart start named zrd

6. Ensure that named and rndc communication is working properly by entering the following command:

rndc status

The command output should return statistics and report that the server is running. For example:

version: 9.7.3-P3
CPUs found: 12
worker threads: 1
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Note: You should not receive a message like the following:

rndc: connection to remote host closed

This message means named closed the control connection without answering. After a re-key it usually indicates that
rndc is presenting a key that does not match the one named loaded, for example because named was still running when
the key file was rewritten and is holding the old key. Stop named, confirm the key file was written, and start it again.


7. Verify the status of the daemons that you previously stopped to ensure that they are running as expected by
typing the following command:

bigstart status named dnscached zrd
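The whole appliance procedure above as one script, added here as an example and not F5's own tooling. It uses only the commands and paths the article names (bigstart, /usr/sbin/rndc-confgen, rndc, the two rndc.key paths); the function names, the RNDC_PREFIX variable (leave it empty on an appliance, set it to clsh on a VIPRION system so that every command runs on all blades, as in the next section) and the parsing of bigstart status and rndc status output are assumptions of this script. The two parsing checks are separate functions so they can be exercised on captured output without a BIG-IP.

```shell
#!/bin/bash
# Added example, not F5's script: runs the SOL13485 re-key procedure end to end.
# Assumed: the bigstart/rndc-confgen/rndc commands and key paths from the article;
# RNDC_PREFIX, the function names and the output parsing are this script's own.

RNDC_KEYS="/var/named/config/rndc.key /var/dnscached/config/rndc.key"
DNS_DAEMONS="named dnscached zrd"
# Empty on an appliance; export RNDC_PREFIX=clsh on a VIPRION to run on every blade.
RNDC_PREFIX="${RNDC_PREFIX:-}"

# Read 'bigstart status' output on stdin and print only the daemons in state "run".
# Lines such as "dnscached down, Not provisioned" (and clsh per-blade banners) are
# skipped; sort -u collapses repeats when several blades report the same daemon.
running_daemons() {
    awk '$2 == "run" { print $1 }' | sort -u
}

# Read 'rndc status' output on stdin; succeed only if named answered over the
# control channel. "connection to remote host closed" is what a key mismatch looks like.
rndc_status_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'server is up and running' &&
        ! printf '%s\n' "$out" | grep -q 'connection to remote host closed'
}

regenerate_rndc_keys() {
    # Step 2: find which DNS daemons are actually running (never touch "down" ones).
    daemons=$($RNDC_PREFIX bigstart status $DNS_DAEMONS | running_daemons | tr '\n' ' ')
    echo "Daemons to stop: ${daemons:-none}"

    # Step 3: stop them so named does not keep an old key in memory.
    if [ -n "$daemons" ]; then
        $RNDC_PREFIX bigstart stop $daemons
    fi

    # Step 4: re-generate every key file whose directory exists (dnscached is 10.1.0+).
    # rndc-confgen reads /dev/random and may pause on a low-entropy system; let it finish.
    for key in $RNDC_KEYS; do
        if [ -d "$(dirname "$key")" ]; then
            $RNDC_PREFIX /usr/sbin/rndc-confgen -a -c "$key"
        fi
    done

    # Step 5: start exactly the daemons that were stopped.
    if [ -n "$daemons" ]; then
        $RNDC_PREFIX bigstart start $daemons
    fi

    # Step 6: named must answer rndc with the new key.
    if $RNDC_PREFIX rndc status | rndc_status_ok; then
        echo "rndc control channel OK"
    else
        echo "rndc status failed: named did not answer (key mismatch or daemon not running)" >&2
        return 1
    fi

    # Step 7: confirm the daemons are back in their expected state.
    $RNDC_PREFIX bigstart status $DNS_DAEMONS
}

# Only run the procedure where bigstart exists, i.e. on a BIG-IP.
if command -v bigstart >/dev/null 2>&1; then
    regenerate_rndc_keys
fi
```

Run it as root on the BIG-IP command line after saving a UCS archive; on a VIPRION, export RNDC_PREFIX=clsh first and log in through the cluster management address.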

Re-generating the rndc key for VIPRION systems

Note: If you are running BIG-IP 10.1.0 or higher, you will need to re-generate two different rndc.key files during this
procedure.

Impact of procedure: This procedure requires that you temporarily stop several DNS-related daemons on the
BIG-IP system. As a result, some DNS services will be interrupted.

1. Log in to the BIG-IP command line using the VIPRION management IP address.
2. Check the status of the named, dnscached, and zrd processes by typing the following command:

clsh bigstart status named dnscached zrd


Processes listed as run will need to be stopped. Processes listed as down do not need to be stopped during this
procedure. For example, in the following output, the named and zrd processes are listed as run and need to be
temporarily stopped:

named run (pid 345) 3 hours, 3 starts
dnscached down, Not provisioned
zrd run (pid 28328) 14 hours, 2 starts

3. Stop the processes that were listed as run by using the following command syntax:

clsh bigstart stop <process> <process>

For example, if the named and zrd processes are running, use the following command to stop them:

clsh bigstart stop named zrd

4. Re-generate the rndc.key by entering the following command(s):

Note: The following commands generate 128-bit key files, the rndc-confgen default. You can use the -b option to
specify a different key size in bits. rndc-confgen reads its randomness from /dev/random by default, so on a blade
with little available entropy the command may pause until enough entropy has been gathered; let it finish rather than
interrupting it. For more information, refer to the rndc-confgen man page.

clsh /usr/sbin/rndc-confgen -a -c /var/named/config/rndc.key

For BIG-IP versions 10.1.0 and higher, you must also run the following command:

clsh /usr/sbin/rndc-confgen -a -c /var/dnscached/config/rndc.key

5. Restart the daemons that were stopped in Step 3 by using the following command syntax:

clsh bigstart start <process> <process>

For example, if you stopped the named and zrd processes in Step 3, use the following command to start the
processes:

clsh bigstart start named zrd

6. Ensure that named and rndc communication is working properly by entering the following command:

clsh rndc status

The command output should return statistics and report that the server is running. For example:

version: 9.7.3-P3
CPUs found: 12
worker threads: 1
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Note: You should not receive a message like the following from any blade:

rndc: connection to remote host closed

This message means named on that blade closed the control connection without answering. After a re-key it usually
indicates that rndc is presenting a key that does not match the one named loaded, for example because named was still
running when the key file was rewritten. Stop named, confirm the key file was written on every blade, and start it again.

7. Verify the status of the daemons that you previously stopped to ensure that they are running as expected by
typing the following command:

clsh bigstart status named dnscached zrd

Supplemental Information
SOL13132: Backing up and restoring BIG-IP configuration files (11.x)
SOL13607: Hosts may generate weak RSA keys under low entropy conditions


© 1998–2012 F5 Networks, Inc. All rights reserved.
