AskF5 - How-To - SOL13485 - Re-Generating BIND RNDC Keys
SOL13485: Re-generating BIND rndc keys
You should consider using this procedure under the following condition:
F5 recommends using this procedure on BIG-IP systems running software versions listed in the Applies To box in
order to ensure the BIND rndc key contains sufficient entropy.
Prerequisites
You must meet the following prerequisites to use this procedure:
Description
BIND version 9.x uses the rndc utility to allow command line administration of the name server from the local host or
from a remote host. In order to prevent unauthorized access to the named process, BIND uses the rndc key to grant
privileges to hosts. The rndc utility communicates with the name server over a TCP connection by sending commands
that are cryptographically signed by the rndc key.
The BIG-IP system automatically generates a default rndc key during installation. However, to ensure the key
contains sufficient entropy, F5 recommends that you re-generate the rndc key file during system runtime.
Note: BIG-IP systems running BIG-IP 10.1.0 or higher have both the /var/named/config/rndc.key and the /var/dnscached/config/rndc.key files.
Procedures
Re-generating the rndc key for appliance systems
Note: If you are running BIG-IP 10.1.0 or higher, you will need to re-generate two different rndc.key files during this
procedure.
Impact of procedure: This procedure requires that you temporarily stop several DNS-related daemons on the
BIG-IP system. As a result, some DNS services will be interrupted.
Processes listed as run will need to be stopped. Processes listed as down do not need to be stopped during this
procedure. For example, in the following output, the named and zrd processes are listed as run and need to be
temporarily stopped:
AskF5 | How-To: SOL13485 - Re-generating BIND rndc keys https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13485.htm... (page captured 10/26/2012 8:25 PM)
© 1998–2012 F5 Networks, Inc. All rights reserved.
3. Stop the processes that were listed as run in the previous step by using the following command syntax:
For example, if the named and zrd processes are running, use the following command to stop them:
4. Re-generate the rndc key file by using the following command:
Note: The following commands generate 128-bit key files. You can use the -d option to specify the size of the key in bits. For more information, refer to the rndc-confgen man page.
/usr/sbin/rndc-confgen -a -c /var/named/config/rndc.key
For BIG-IP 10.1.0 and higher, you must also run the following command:
/usr/sbin/rndc-confgen -a -c /var/dnscached/config/rndc.key
5. Restart the daemons that were stopped in Step 3 by using the following command syntax:
For example, if you stopped the named and zrd processes in Step 3, use the following command to start the
processes:
6. Ensure that named and rndc communication is working properly by entering the following command:
rndc status
The command output should return statistics and report that the server is running. For example:
version: 9.7.3-P3
CPUs found: 12
worker threads: 1
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Re-generating the rndc key for VIPRION systems
Note: If you are running BIG-IP 10.1.0 or higher, you will need to re-generate two different rndc.key files during this procedure.
Impact of procedure: This procedure requires that you temporarily stop several DNS-related daemons on the
BIG-IP system. As a result, some DNS services will be interrupted.
1. Log in to the BIG-IP command line using the VIPRION management IP address.
2. Check the status of the named, dnscached, and zrd processes by typing the following command:
Processes listed as run will need to be stopped. Processes listed as down do not need to be stopped during this
procedure. For example, in the following output, the named and zrd processes are listed as run and need to be
temporarily stopped:
3. Stop the processes that were listed as run by using the following command syntax:
For example, if the named and zrd processes are running, use the following command to stop them:
Note: The following commands generate 128-bit key files. You can use the -d option to specify the size of the
key in bits. For more information, refer to the rndc-confgen man page.
For BIG-IP versions 10.1.0 and higher, you must also run the following command:
5. Restart the daemons that were stopped in Step 3 by using the following command syntax:
For example, if you stopped the named and zrd processes in Step 3, use the following command to start the
processes:
6. Ensure that named and rndc communication is working properly by entering the following command:
The command output should return statistics and report that the server is running. For example:
version: 9.7.3-P3
CPUs found: 12
worker threads: 1
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
7. Verify the status of the daemons that you previously stopped to ensure that they are running as expected. To do so, type the following command:
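The following POSIX shell script is an added example and is not part of the F5 article or of BIG-IP itself. It shows the checks a practitioner would want after completing step 4 and step 6 of either procedure above (appliance or VIPRION): it parses an rndc.key file in the layout that rndc-confgen -a writes, reports the secret length in bits (128 for the default size described in the note; a key made with -d reports the requested size), confirms that the secret actually differs between the old and the re-generated file, and checks an rndc status transcript for the "server is up and running" line. The two key files and the status transcript embedded in it are constructed placeholders with fixed, non-random secrets, not real keys; the function names (rndc_secret, rndc_key_bits, rndc_key_changed, rndc_status_ok, check_live_key) are my own. The only file paths it touches are the two rndc.key paths named in the article, and it reads them only if they exist and are readable.

```shell
#!/bin/sh
# Added example, not part of the F5 article: verify the outcome of an rndc key
# re-generation. Needs only sed, grep, base64, wc and tr.

# Constructed sample files in the layout rndc-confgen -a writes. The secrets are
# fixed, non-random placeholders used only to exercise the checks below.
OLD_RNDC_KEY='key "rndc-key" {
    algorithm hmac-md5;
    secret "AAECAwQFBgcICQoLDA0ODw==";
};'
NEW_RNDC_KEY='key "rndc-key" {
    algorithm hmac-md5;
    secret "EBESExQVFhcYGRobHB0eHw==";
};'

# Constructed transcript of a healthy `rndc status` (same lines as the article's sample).
SAMPLE_STATUS='version: 9.7.3-P3
number of zones: 1
server is up and running'

# rndc_secret FILE_CONTENTS: print the base64 secret from a key file (first match only).
rndc_secret() {
    printf '%s\n' "$1" | sed -n 's/.*secret "\([^"]*\)".*/\1/p' | head -n 1
}

# rndc_key_bits FILE_CONTENTS: print the secret length in bits (128 for the default
# rndc-confgen size; -d changes it). Fails if the file carries no secret.
rndc_key_bits() {
    secret=$(rndc_secret "$1")
    [ -n "$secret" ] || return 1
    bytes=$(printf '%s' "$secret" | base64 -d | wc -c | tr -d ' ')
    echo $((bytes * 8))
}

# rndc_key_changed OLD NEW: succeed only if both files carry a secret and the
# secrets differ, i.e. re-generation really replaced the key.
rndc_key_changed() {
    old=$(rndc_secret "$1")
    new=$(rndc_secret "$2")
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# rndc_status_ok STATUS_OUTPUT: succeed if named reported itself as running.
rndc_status_ok() {
    printf '%s\n' "$1" | grep -q '^server is up and running$'
}

# check_live_key PATH: report the key size of a real key file from the article
# (/var/named/config/rndc.key, /var/dnscached/config/rndc.key). Stays quiet when
# the file is absent or not readable by the current user.
check_live_key() {
    keyfile=$1
    [ -r "$keyfile" ] || return 0
    echo "$keyfile: $(rndc_key_bits "$(cat "$keyfile")") bits"
}

# Demonstration on the constructed samples, then on the live paths if present.
echo "old key: $(rndc_key_bits "$OLD_RNDC_KEY") bits"
echo "new key: $(rndc_key_bits "$NEW_RNDC_KEY") bits"
rndc_key_changed "$OLD_RNDC_KEY" "$NEW_RNDC_KEY" && echo "secret changed"
rndc_status_ok "$SAMPLE_STATUS" && echo "named is up"
check_live_key /var/named/config/rndc.key
check_live_key /var/dnscached/config/rndc.key
```

On a BIG-IP system, keep a copy of the old rndc.key before step 4 and feed both copies to rndc_key_changed; a re-generation that silently failed (for instance because a daemon still held the file) shows up as an unchanged secret, and rndc_status_ok on the real `rndc status` output covers step 6.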
Supplemental Information
SOL13132: Backing up and restoring BIG-IP configuration files (11.x)
SOL13607: Hosts may generate weak RSA keys under low entropy conditions