rndc-confgen — rndc key generation tool
SYNOPSIS
    rndc-confgen [-a] [-A algorithm] [-b keysize] [-c keyfile] [-h] [-k keyname] [-p port] [-r randomfile] [-s address] [-t chrootdir] [-u user]
DESCRIPTION
    rndc-confgen generates configuration files for rndc. It can be used as a convenient alternative to writing the rndc.conf file and the corresponding controls and key statements in named.conf by hand. Alternatively, it can be run with the -a option to set up an rndc.key file and avoid the need for an rndc.conf file and a controls statement altogether.
OPTIONS
    -a
        Do automatic rndc configuration. This creates a file rndc.key in /etc (or whatever sysconfdir was specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and authentication key allowing rndc to communicate with named on the local host with no further configuration.

        Running rndc-confgen -a allows BIND 9 and rndc to be used as drop-in replacements for BIND 8 and ndc, with no changes to the existing BIND 8 named.conf file.

        If a more elaborate configuration than that generated by rndc-confgen -a is required, for example if rndc is to be used remotely, run rndc-confgen without the -a option and set up rndc.conf and named.conf as directed.
    -A algorithm
        Specifies the algorithm to use for the TSIG key. Available choices are hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The default is hmac-md5, or hmac-sha256 if MD5 was disabled.

    -b keysize
        Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is the hash size of the chosen algorithm.

    -c keyfile
        Used with the -a option to specify an alternate location for rndc.key.

    -h
        Prints a short summary of the options and arguments to rndc-confgen.

    -k keyname
        Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is rndc-key.

    -p port
        Specifies the command channel port where named listens for connections from rndc. The default is 953.

    -r randomfile
        Specifies a source of random data for generating the authorization key. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomfile specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used.

    -s address
        Specifies the IP address where named listens for command channel connections from rndc. The default is the loopback address 127.0.0.1.

    -t chrootdir
        Used with the -a option to specify a directory where named will run chrooted. An additional copy of rndc.key will be written relative to this directory so that it will be found by the chrooted named.

    -u user
        Used with the -a option to set the owner of the generated rndc.key file. If -t is also specified, only the file in the chroot area has its owner changed.
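To see exactly what rndc-confgen's output looks like, and why the key size and algorithm options matter, the following Python script is an added example rather than BIND's own code: it draws a key of the default size for the chosen algorithm (or reads raw bytes from a file passed as randomfile, mirroring -r), enforces the 1 to 512 bit bound, and emits the rndc.conf and the named.conf key/controls fragments in the same format rndc-confgen produces. The function and parameter names are the example's own.

```python
import base64
import os

# Hash output size in bits for each algorithm rndc-confgen accepts (-A);
# the default key size (-b) is the hash size.
HASH_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
             "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}


def make_secret(algorithm="hmac-sha256", keysize=None, randomfile=None):
    """Base64 TSIG secret of keysize bits (default: hash size of algorithm).
    randomfile mirrors -r: read raw bytes from that device or file instead
    of the OS CSPRNG (os.urandom); keyboard input is not emulated."""
    if algorithm not in HASH_BITS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    bits = HASH_BITS[algorithm] if keysize is None else keysize
    if not 1 <= bits <= 512:
        raise ValueError("keysize must be between 1 and 512 bits")
    nbytes = (bits + 7) // 8
    if randomfile is None:
        raw = os.urandom(nbytes)
    else:
        with open(randomfile, "rb") as f:
            raw = f.read(nbytes)
        if len(raw) < nbytes:
            raise ValueError("random source %s ran dry" % randomfile)
    return base64.b64encode(raw).decode("ascii")


def key_stanza(keyname, algorithm, secret):
    """The key statement; identical in rndc.conf and named.conf."""
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (
        keyname, algorithm, secret)


def rndc_conf(keyname, algorithm, secret, address="127.0.0.1", port=953):
    """rndc.conf: the key plus the defaults rndc uses without -s/-p/-k."""
    opts = ('options {\n\tdefault-key "%s";\n\tdefault-server %s;\n'
            '\tdefault-port %d;\n};\n' % (keyname, address, port))
    return key_stanza(keyname, algorithm, secret) + "\n" + opts


def named_conf_controls(keyname, algorithm, secret,
                        address="127.0.0.1", port=953):
    """named.conf fragment: the key and a controls statement accepting
    only connections from address that are signed with keyname."""
    ctl = ('controls {\n\tinet %s port %d\n\t\tallow { %s; } keys { "%s"; };\n'
           '};\n' % (address, port, address, keyname))
    return key_stanza(keyname, algorithm, secret) + "\n" + ctl
```

Calling rndc_conf and named_conf_controls with the same secret from make_secret() yields the two files; the secret is the only part that must be kept private.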
BIND 9.11.27 (Extended Support Version)