I have this rndc.key file on my system:

    key "rndc-key1" {
        algorithm hmac-md5;
        secret "xxxxxxxxxxxxxxx==";
    };
    key "rndc-key2" {
        algorithm hmac-md5;
        secret "yyyyyyyyyyy==";
    };
Then I use them for different zones:

    zone "somedomain1.com" {
        type master;
        file "/etc/bind/master/db.somedomain1.com";
        allow-update {
            key rndc-key1;
        };
    };
    zone "somedomain2.com" {
        type master;
        file "/etc/bind/master/db.somedomain2.com";
        allow-update {
            key rndc-key2;
        };
    };
When I try to run "rndc freeze" I get this error:

    rndc: error: /etc/bind/rndc.key:5: 'key' redefined near 'key'
    rndc: could not load rndc configuration
What does it mean? What is the problem here? Is it not possible to use different keys for different zones?
It appears that you have misunderstood the purpose of the rndc key. Quite possibly this misunderstanding stems from reading one of the many sloppily written tutorials that cut corners by misusing an already existing key (the rndc key), created for one specific purpose, in a wildly different context without even commenting on that misuse.

The rndc key is supposed to have ONE purpose: it is used by the rndc utility and named so that rndc can send control commands to named (e.g. "rndc reload", "rndc freeze" or whatever).

This key is NOT supposed to be used for dynamic updates (as in allow-update).

There should NOT be multiple keys in the rndc.key file.

You are, however, free (encouraged, if you will) to add any number of key statements for your TSIG keys to the named configuration (named.conf). These are what you are supposed to use for purposes such as dynamic updates, zone transfers, etc. I would suggest that you name these keys something that reflects their usage.

If you have a modern version of BIND, simply use "tsig-keygen foo" to create a new key. It's both more convenient and has sensible defaults (hmac-sha256 rather than the hmac-md5 keys you have created).
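The layout the answer above describes, as an added example that is not part of the original question or answer: rndc.key holds exactly one key used only by the controls statement, while each zone gets its own hmac-sha256 TSIG key in named.conf. The key names (somedomain1-update, somedomain2-update), the 127.0.0.1 control channel and the fallback that builds the key statement from /dev/urandom when tsig-keygen is not installed are assumptions made for the example; the zone names and file paths are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a named.conf fragment
# with one hmac-sha256 TSIG key per zone and a single-key rndc.key.
set -eu

# Emit a BIND key statement with a fresh 256-bit hmac-sha256 secret.
# Prefers tsig-keygen (shipped with modern BIND 9); falls back to building
# the same statement from /dev/urandom so the example runs without BIND.
gen_tsig_key() {
    name=$1
    if command -v tsig-keygen >/dev/null 2>&1; then
        tsig-keygen -a hmac-sha256 "$name"
    else
        secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
        printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$name" "$secret"
    fi
}

# Zone stanza that allows dynamic updates only from the named TSIG key.
# Arguments: zone name, zone file, key name.
zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n\tallow-update { key "%s"; };\n};\n' \
        "$1" "$2" "$3"
}

# Write rndc.key and named.conf into the given directory and print the
# path of the generated named.conf. The directory must already exist.
build_config() {
    dir=$1

    # rndc.key: exactly one key, shared by rndc and named for control commands.
    gen_tsig_key rndc-key > "$dir/rndc.key"

    {
        # Control channel: the only place the rndc key is referenced.
        printf 'include "%s/rndc.key";\n' "$dir"
        printf 'controls {\n\tinet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };\n};\n\n'

        # One TSIG key per zone, named after what it is for (assumed names).
        gen_tsig_key somedomain1-update
        gen_tsig_key somedomain2-update
        printf '\n'

        zone_stanza somedomain1.com /etc/bind/master/db.somedomain1.com somedomain1-update
        zone_stanza somedomain2.com /etc/bind/master/db.somedomain2.com somedomain2-update
    } > "$dir/named.conf"

    # Syntax-check the result when BIND's checker is available.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf"
    fi

    printf '%s\n' "$dir/named.conf"
}

# Usage: build_config /tmp/bind-example && cat /tmp/bind-example/named.conf
```

Each run produces fresh secrets, so the generated named.conf is a template to review and merge into the real configuration, not something to drop in blindly; the client that sends updates for somedomain1.com gets only the somedomain1-update secret, which is the point of keeping the keys separate from each other and from the rndc key.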