Why does rndc log warning key file ... exists, but using default configuration file (rndc.conf)?


After upgrading BIND to a current version, you might be surprised to see this warning when using rndc commands (although the command should still work as before, unless you've made other configuration changes):
WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf)

Both named and rndc can operate with either explicit or automatic control configuration.  The automatic mode works by looking for the file rndc.key in the default configuration files directory.

If there is no explicit configuration (the controls statement in named.conf for named, or the existence of the file rndc.conf for rndc), then the key in the rndc.key file will be used instead (if it exists).

The rndc.key file isn't created automatically on installation

Use "rndc-confgen -a" to create the rndc.key file

Unfortunately, in the situation where both an explicit configuration and the file rndc.key exist, it can be confusing during troubleshooting to know which configuration is in use, particularly when rndc commands are failing.  So from BIND 9.7.0 the warning was added so that the choice made by rndc is clearly indicated to the operator.

Administrators who have made use of the include functionality of named.conf and rndc.conf to import an independently-generated rndc.key file will see this new warning, but can safely ignore it.

Getting rid of the warning message

There is no need to make any configuration changes if rndc commands are not failing, but administrators might prefer to ensure that any ambiguity is removed.  Options include:

  • Removing the rndc.key file
  • Keeping rndc.key, but removing the controls statement from named.conf and deleting rndc.conf
  • If using include for rndc.key, you could put the file elsewhere and import it from there
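As an added example (not part of the ISC article), the following POSIX shell functions apply the precedence described above to a configuration directory: if rndc.conf exists, rndc uses it and ignores rndc.key (printing the warning when that file is also present); if only rndc.key exists, the key in it is used automatically; otherwise rndc has no key at all.  A second check reports whether rndc.conf imports rndc.key with include, which is the benign case the article says can be ignored.  The directory path is a parameter; make_sample_dir writes constructed sample files (named.conf, rndc.conf and an rndc.key with a placeholder secret, not one generated by rndc-confgen) into a temporary directory so the checks can be exercised without a BIND installation.

```shell
#!/bin/sh
# Added example, not from the ISC knowledge-base article.
# Classify which control configuration rndc would pick up in "$1",
# following the precedence the article describes.

rndc_config_mode() {
    dir="$1"
    if [ -f "$dir/rndc.conf" ]; then
        if [ -f "$dir/rndc.key" ]; then
            # Explicit configuration wins; this is the case that logs
            # "WARNING: key file (rndc.key) exists, but using default
            # configuration file (rndc.conf)".
            echo "explicit-with-stray-key"
        else
            echo "explicit"
        fi
    elif [ -f "$dir/rndc.key" ]; then
        echo "automatic"
    else
        echo "none"
    fi
}

# True when rndc.conf imports rndc.key via an include statement, i.e. the
# warning is expected and harmless.
rndc_conf_includes_key() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*rndc\.key"[[:space:]]*;' "$1/rndc.conf"
}

# Print a one-line assessment for the operator.
rndc_config_report() {
    mode=$(rndc_config_mode "$1")
    case "$mode" in
        explicit-with-stray-key)
            if rndc_conf_includes_key "$1"; then
                echo "rndc.conf in use and it includes rndc.key: warning can be ignored"
            else
                echo "rndc.conf in use; rndc.key present but unused: consider removing one"
            fi ;;
        explicit)  echo "rndc.conf in use, no rndc.key present" ;;
        automatic) echo "no rndc.conf; key taken automatically from rndc.key" ;;
        none)      echo "neither rndc.conf nor rndc.key found; run rndc-confgen -a" ;;
    esac
}

# Build a scratch directory with constructed sample files (placeholder
# secret, not a real key) that mirror the include-based layout.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/rndc.key" <<'EOF'
key "rndc-key" {
	algorithm hmac-sha256;
	secret "c2FtcGxlLW5vdC1hLXJlYWwta2V5";   # constructed placeholder, not a real secret
};
EOF
    cat > "$d/rndc.conf" <<EOF
include "$d/rndc.key";
options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
EOF
    cat > "$d/named.conf" <<EOF
include "$d/rndc.key";
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    echo "$d"
}

# Usage: rndc_config_report /etc/bind   (or wherever your BIND sysconfdir is)
```

Point rndc_config_report at the directory your rndc build uses as its default configuration directory; the sample directory only exists to show the three outcomes side by side.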