.\" Man page generated from reStructuredText
.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "RNDC-CONFGEN" "8" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
rndc-confgen \- rndc key generation tool
.SH SYNOPSIS
.sp
\fBrndc\-confgen\fP [\fB\-a\fP] [\fB\-A\fP algorithm] [\fB\-b\fP keysize] [\fB\-c\fP keyfile] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-p\fP port] [\fB\-s\fP address] [\fB\-t\fP chrootdir] [\fB\-u\fP user]
.SH DESCRIPTION
.sp
\fBrndc\-confgen\fP generates configuration files for \fBrndc\fP \%<#\:std-iscman-rndc>\&.
It can be used as a convenient alternative to writing the
\fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and the corresponding
\fBcontrols\fP and \fBkey\fP statements in
\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> by hand.
Alternatively, it can be run with the \fB\-a\fP option to set up a
\fBrndc.key\fP file and avoid the need for a
\fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and a
\fBcontrols\fP statement altogether.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-a
This option sets automatic \fBrndc\fP \%<#\:std-iscman-rndc> configuration,
which creates a file \fB@sysconfdir@/rndc.key\fP that is read by both
\fBrndc\fP \%<#\:std-iscman-rndc> and \fBnamed\fP \%<#\:std-iscman-named> on startup.
The \fBrndc.key\fP file defines a default command channel and
authentication key allowing \fBrndc\fP \%<#\:std-iscman-rndc> to communicate with
\fBnamed\fP \%<#\:std-iscman-named> on the local host with no further configuration.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fP is required, for example if rndc is to be used
remotely, run \fBrndc\-confgen\fP without the \fB\-a\fP option
and set up \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> and
\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> as directed.
.UNINDENT
.INDENT 0.0
.TP
.B \-A algorithm
This option specifies the algorithm to use for the TSIG key.
Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256,
hmac\-sha384, and hmac\-sha512.
The default is hmac\-sha256.
.UNINDENT
.INDENT 0.0
.TP
.B \-b keysize
This option specifies the size of the authentication key in bits.
The size must be between 1 and 512 bits; the default is the hash size.
.UNINDENT
.INDENT 0.0
.TP
.B \-c keyfile
This option is used with the \fB\-a\fP option to specify an alternate
location for \fBrndc.key\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-h
This option prints a short summary of the options and arguments to
\fBrndc\-confgen\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-k keyname
This option specifies the key name of the \fBrndc\fP \%<#\:std-iscman-rndc>
authentication key.
This must be a valid domain name.
The default is \fBrndc\-key\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-p port
This option specifies the command channel port where
\fBnamed\fP \%<#\:std-iscman-named> listens for connections from
\fBrndc\fP \%<#\:std-iscman-rndc>\&.
The default is 953.
.UNINDENT
.INDENT 0.0
.TP
.B \-q
This option prevents printing the written path in automatic
configuration mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-s address
This option specifies the IP address where
\fBnamed\fP \%<#\:std-iscman-named> listens for command\-channel connections from
\fBrndc\fP \%<#\:std-iscman-rndc>\&.
The default is the loopback address 127.0.0.1.
.UNINDENT
.INDENT 0.0
.TP
.B \-t chrootdir
This option is used with the \fB\-a\fP option to specify a directory where
\fBnamed\fP \%<#\:std-iscman-named> runs chrooted.
An additional copy of the \fBrndc.key\fP is written relative to this
directory, so that it is found by the chrooted
\fBnamed\fP \%<#\:std-iscman-named>\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-u user
This option is used with the \fB\-a\fP option to set the owner of the
generated \fBrndc.key\fP file.
If \fB\-t\fP is also specified, only the file in the chroot area has its
owner changed.
.UNINDENT
.SH EXAMPLES
.sp
To allow \fBrndc\fP \%<#\:std-iscman-rndc> to be used with no manual
configuration, run:
.sp
\fBrndc\-confgen \-a\fP
.sp
To print a sample \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and the
corresponding \fBcontrols\fP and \fBkey\fP statements to be manually
inserted into \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>, run:
.sp
\fBrndc\-confgen\fP
.SH SEE ALSO
.sp
\fBrndc(8)\fP \%<#\:std-iscman-rndc>, \fBrndc.conf(5)\fP \%<#\:std-iscman-rndc\:.conf>, \fBnamed(8)\fP \%<#\:std-iscman-named>, BIND 9 Administrator Reference Manual.
.SH Author
Internet Systems Consortium
.SH Copyright
2026, Internet Systems Consortium
.\" End of generated man page.
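The following check is an added example, not part of the BIND 9 manual page or ISC's code: it audits a key file of the form written by rndc-confgen -a for file mode, algorithm (the -A choice) and key size (the -b choice). The allowed-algorithm list and the 256-bit minimum are assumed local policy, and the sample key files are constructed with random secrets.

```python
import base64, os, re, stat, tempfile

# Assumed local policy for this example; not BIND defaults or requirements.
ALLOWED_ALGORITHMS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}
MIN_KEY_BITS = 256

# Matches a key statement: key "name" { algorithm X; secret "base64"; };
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*'
    r'algorithm\s+"?(?P<alg>[\w-]+)"?\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.S)

def audit_rndc_key(path):
    """Return a list of findings for one rndc.key-style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other access the secret")
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    m = KEY_RE.search(text)
    if not m:
        return findings + ["no key statement found"]
    if m["alg"].lower() not in ALLOWED_ALGORITHMS:
        findings.append(f"algorithm {m['alg']} is outside local policy")
    # Decoded length is an upper bound when -b was not a multiple of 8.
    bits = len(base64.b64decode(m["secret"], validate=True)) * 8
    if bits < MIN_KEY_BITS:
        findings.append(f"key is {bits} bits, below {MIN_KEY_BITS}")
    return findings

def write_sample(alg, nbytes, mode):
    """Write a constructed key file (random secret) and return its path."""
    secret = base64.b64encode(os.urandom(nbytes)).decode()
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "w") as fh:
        fh.write(f'key "rndc-key" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};\n')
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for alg, n, mode in [("hmac-sha256", 32, 0o600), ("hmac-md5", 8, 0o644)]:
        p = write_sample(alg, n, mode)
        print(alg, audit_rndc_key(p) or "ok")
        os.remove(p)
```

When -t is used, run the check against both the primary key file and the copy written under the chroot directory, since -u changes the owner of the chroot copy only.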