// rndc.key — TSIG key shared between named and the rndc client (bindcar)
//
// WARNING: This file contains a placeholder secret. Replace it before use.
//
// Generate a real key with either of:
//
// tsig-keygen -a hmac-sha256 rndc-key
// (prints key block to stdout — paste it below)
//
// rndc-confgen -a -A hmac-sha256 -k rndc-key -b 256 -c /etc/bind/rndc.key
// (writes directly to /etc/bind/rndc.key)
//
// The "secret" value (base64 string) is what you set in bindcar:
// RNDC_KEY_NAME=rndc-key
// RNDC_ALGORITHM=hmac-sha256
// RNDC_SECRET=<the base64 secret from this file>
//
// File permissions must be 0640, owned by root:bind:
// chown root:bind /etc/bind/rndc.key && chmod 0640 /etc/bind/rndc.key
key "rndc-key" {
algorithm hmac-sha256;
secret "REPLACE_WITH_BASE64_HMAC_SHA256_SECRET==";
};