I have this rnd.key file on my system:

key "rndc-key1" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxx==";
};
key "rndc-key2" {
    algorithm hmac-md5;
    secret "yyyyyyyyyyy==";
};

Then I use them for different zones:

zone "somedomain1.com" {
    type master;
    file "/etc/bind/master/db.somedomain1.com";
    allow-update {
        key rndc-key1;
    };
};

zone "somedomain2.com" {
    type master;
    file "/etc/bind/master/db.somedomain2.com";
    allow-update {
        key rndc-key2;
    };
};

When I try to run "rndc freeze", I get this error:

rndc: error: /etc/bind/rndc.key:5: 'key' redefined near 'key'
rndc: could not load rndc configuration

What does it mean? What is the problem here? Is it not possible to use different keys for different zones?

nagylzs

1 Answer

It appears that you have misunderstood the purpose of the rndc key.
Quite possibly this misunderstanding stems from reading one of many sloppily written tutorials that cuts corners by misusing an already existing key (the rndc key) created for one specific purpose in a wildly different context without even commenting on that misuse.

The rndc key is supposed to have ONE purpose: it is to be used by the rndc utility and named so that rndc can send control commands to named (e.g. rndc reload, rndc freeze or whatever).

This key is NOT supposed to be used for dynamic updates (as in allow-update).

There should NOT be multiple keys in the rndc.key file.

You are however free, encouraged if you will, to add any number of key statements for your TSIG keys to the named configuration (named.conf). These are what you are supposed to use for purposes such as dynamic updates, zone transfers, etc.
I would suggest that you name these keys something that reflects their usage.

If you have a modern version of BIND, simply use tsig-keygen foo to create a new key. It's both more convenient and has sensible defaults (hmac-sha256 rather than the hmac-md5 keys you have created).

Håkan Lindqvist
  • There is no tsig-keygen command on my system. Bind version is 9. What should I do? Can I use dnssec-keygen instead? How? – nagylzs Sep 18 '17 at 05:26
  • @nagylzs "version 9" doesn't actually say all that much, 9.0 was released in 2000 and BIND has obviously evolved between that version and the current 9.11 version. You could do e.g. `dnssec-keygen -a HMAC-SHA256 -b 256 -n USER foo` and piece together the resulting files into a `key` entry. – Håkan Lindqvist Sep 18 '17 at 05:34
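The answer's rules can be turned into a configuration check: rndc.key must hold exactly one key, keys referenced by allow-update must be dedicated TSIG keys defined in named.conf rather than the rndc control key, and hmac-md5 should be flagged. The script below is an added example, not code from the question, the answer or BIND itself. It uses a deliberately small regular-expression parser that only understands the simple `key "name" { algorithm ...; secret "..."; };` and `allow-update { key name; };` forms shown on this page (an assumption; it is not a full named.conf grammar), and it builds hmac-sha256 key statements the same way tsig-keygen does (a random 256-bit secret, base64-encoded). All file contents and secrets in it are constructed placeholders.

```python
"""Lint BIND key usage: one key in rndc.key, purpose-named TSIG keys in named.conf.

Added example, not from the question or the answer. Sample contents below are
constructed and the secrets are placeholders, not real key material.
"""
import base64
import re
import secrets

# Matches one `key "name" { algorithm X; secret "Y"; };` statement.
# Assumption: keys are written in this simple form (as on the page); comments
# and other options inside the block are not handled.
KEY_RE = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*'
    r'algorithm\s+([\w-]+)\s*;\s*'
    r'secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.S,
)
# Matches the key name inside an `allow-update { key NAME; };` clause.
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{\s*key\s+"?([\w.-]+)"?\s*;', re.S)

WEAK_ALGORITHMS = {"hmac-md5"}


def parse_keys(text):
    """Return {key_name: algorithm} for every key statement found in text."""
    return {m.group(1): m.group(2).lower() for m in KEY_RE.finditer(text)}


def make_tsig_key(name, algorithm="hmac-sha256", bits=256):
    """Build a key statement with a fresh random secret, as tsig-keygen would."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def lint(rndc_key_text, named_conf_text):
    """Return a list of findings; an empty list means the layout follows the answer."""
    findings = []
    rndc_keys = parse_keys(rndc_key_text)
    if len(rndc_keys) != 1:
        findings.append(
            f"rndc.key defines {len(rndc_keys)} keys; rndc expects exactly one")
    named_keys = parse_keys(named_conf_text)
    for name, algorithm in {**rndc_keys, **named_keys}.items():
        if algorithm in WEAK_ALGORITHMS:
            findings.append(f"key {name} uses {algorithm}; prefer hmac-sha256")
    for name in ALLOW_UPDATE_RE.findall(named_conf_text):
        if name in rndc_keys:
            findings.append(
                f"allow-update uses the rndc control key {name}; use a dedicated TSIG key")
        elif name not in named_keys:
            findings.append(f"allow-update references undefined key {name}")
    return findings


# Constructed sample: the layout from the question (placeholder secrets).
BAD_RNDC_KEY = '''
key "rndc-key1" { algorithm hmac-md5; secret "xxxxxxxxxxxxxxx=="; };
key "rndc-key2" { algorithm hmac-md5; secret "yyyyyyyyyyy=="; };
'''
BAD_NAMED_CONF = '''
include "/etc/bind/rndc.key";
zone "somedomain1.com" { type master; allow-update { key rndc-key1; }; };
zone "somedomain2.com" { type master; allow-update { key rndc-key2; }; };
'''

# Constructed sample: the layout the answer recommends. One control key in
# rndc.key, one purpose-named hmac-sha256 TSIG key per zone in named.conf.
GOOD_RNDC_KEY = make_tsig_key("rndc-key")
GOOD_NAMED_CONF = (
    'include "/etc/bind/rndc.key";\n'
    + make_tsig_key("somedomain1-update")
    + make_tsig_key("somedomain2-update")
    + 'zone "somedomain1.com" { type master; allow-update { key somedomain1-update; }; };\n'
    + 'zone "somedomain2.com" { type master; allow-update { key somedomain2-update; }; };\n'
)

if __name__ == "__main__":
    for label, rndc, named in (("question", BAD_RNDC_KEY, BAD_NAMED_CONF),
                               ("answer", GOOD_RNDC_KEY, GOOD_NAMED_CONF)):
        print(f"{label} layout: {lint(rndc, named) or ['no findings']}")
```

Run it against your real files by reading /etc/bind/rndc.key and named.conf into the two arguments of lint(); the generated key statements from make_tsig_key() are exactly what you would paste into named.conf instead of reusing the rndc key.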