Keys on master server:

    $ cd /var/named
    $ sudo /usr/sbin/dnssec-keygen -a hmac-md5 -b 128 -n HOST dns1.intra.example.com.
    $ sudo /usr/sbin/dnssec-keygen -a hmac-md5 -b 128 -n user rndc

This generates:

    $ ls -al |egrep 'Kdns1|Krndc'
    -rw------- 1 named named 63 Feb 22 22:47 Kdns1.intra.example.com.+157+44903.key
    -rw------- 1 named named 81 Feb 22 22:47 Kdns1.intra.example.com.+157+44903.private
    -rw------- 1 named named 46 Mar 10 19:29 Krndc.+157+29194.key
    -rw------- 1 named named 81 Mar 10 19:29 Krndc.+157+29194.private

Make sure the files are owned by named:named, and not root.

Then create /var/named/dnskeys.conf, containing

    key key_rndc {
        algorithm hmac-md5;
        secret "uOrufk3kl3jcke3q9es7rw==";
    };
    key dns1.intra.example.com. {
        algorithm hmac-md5;
        secret "/VjnPrddlSAot4kcjukYkw==";
    };

where the secrets are the content of the *.private files just created. /var/named/dnskeys.conf should also be 0600 named:named.

Create /etc/rndc.conf containing

    key key_rndc {
        algorithm hmac-md5;
        secret "uOrufk3kl3jcke3q9es7rw==";
    };
    options {
        default-server 127.0.0.1;
        default-key key_rndc;
    };

The secret is from the /var/named/Krndc*.private file. /etc/rndc.conf should be 0600 named:named.

/etc/named.conf contains the statement

    // Setup keys
    include "/var/named/dnskeys.conf";

which includes the two keys. rndc is controlled with the statement

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "key_rndc"; };
    };

and further down the statement

    zone "intra.example.com" {
        type master;
        file "zone/master/forward/intra.example.com.db";
        allow-update { key dns1.intra.example.com.; };
    };

which means that only someone who possesses the key named 'dns1.intra.example.com' is allowed to perform updates.

The update script will use the keys created in /var/named above, and rndc uses the configuration file /etc/rndc.conf.

The Krndc* files can be deleted - the secret is mentioned in dnskeys.conf and rndc.conf. The Kdns1* files should not be deleted. The update script will use the two files.
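As an added example (not part of the original page), the shell functions below pull the secret out of a *.private file and write a key clause to a file that is created with mode 0600 from the start. It assumes the secret sits on the file's "Key:" line; the function names and temporary paths are hypothetical, and ownership (named:named) still has to be set separately as root.

```shell
#!/bin/sh
# Added example; function names and the temporary paths are hypothetical.

# Print the base64 secret from the "Key:" line of a *.private file
# (assumption: the secret is stored on that line). Fails if there is none.
secret_of() {
    awk '$1 == "Key:" { print $2; found = 1 } END { exit !found }' "$1"
}

# Print a key clause for key name $1, taking the secret from file $2.
key_clause() {
    s=$(secret_of "$2") || { echo "no Key: line in $2" >&2; return 1; }
    printf 'key %s {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$s"
}

# Write stdin to a freshly created $1. With umask 077 the file is born
# as 0600, so the secret is never group- or world-readable, even briefly.
write_0600() {
    ( umask 077 && rm -f "$1" && cat > "$1" )
}

# Succeed only if $1 is a regular file with mode 0600.
is_0600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed *.private file holding the page's sample rndc secret.
    printf '%s\n' 'Private-key-format: v1.2' 'Algorithm: 157 (HMAC_MD5)' \
        'Key: uOrufk3kl3jcke3q9es7rw==' > "$d/Krndc.private"
    clause=$(key_clause key_rndc "$d/Krndc.private") || return 1
    printf '%s\n' "$clause" | write_0600 "$d/dnskeys.conf"
    is_0600 "$d/dnskeys.conf" && cat "$d/dnskeys.conf"
    rm -rf "$d"
}
demo
```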
Keys on slave server: