| blob | f67f723b9f4cd99e53f4ab4e6daa492ec69cd5f1 |
1 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
3 <!--
4 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
5 - Copyright (C) 2000-2003 Internet Software Consortium.
6 -
7 - Permission to use, copy, modify, and distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
10 -
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
18 -->
20 <!-- $Id: FAQ.xml,v 1.4.6.5.6.1 2007/01/12 02:28:00 marka Exp $ -->
22 <article class="faq">
23 <title>Frequently Asked Questions about BIND 9</title>
24 <articleinfo>
25 <copyright>
26 <year>2004</year>
27 <year>2005</year>
28 <year>2006</year>
29 <year>2007</year>
30 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
31 </copyright>
32 <copyright>
33 <year>2000</year>
34 <year>2001</year>
35 <year>2002</year>
36 <year>2003</year>
37 <holder>Internet Software Consortium.</holder>
38 </copyright>
39 </articleinfo>
40 <qandaset defaultlabel='qanda'>
41 <qandaentry>
42 <question>
43 <para>
44 Why doesn't -u work on Linux 2.2.x when I build with
45 --enable-threads?
46 </para>
47 </question>
48 <answer>
49 <para>
50 Linux threads do not fully implement the Posix threads
51 (pthreads) standard. In particular, setuid() operates only
52 on the current thread, not the full process. Because of
53 this limitation, BIND 9 cannot use setuid() on Linux as it
54 can on all other supported platforms. setuid() cannot be
55 called before creating threads, since the server does not
56 start listening on reserved ports until after threads have
57 started.
58 </para>
59 <para>
60 In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
61 to preserve capabilities across a setuid() call is present.
62 This allows BIND 9 to call setuid() early, while retaining
63 the ability to bind reserved ports. This is a Linux-specific
64 hack.
65 </para>
66 <para>
67 On a 2.2 kernel, BIND 9 does drop many root privileges, so
68 it should be less of a security risk than a root process
69 that has not dropped privileges.
70 </para>
71 <para>
72 If Linux threads ever work correctly, this restriction will
73 go away.
74 </para>
75 <para>
76 Configuring BIND9 with the --disable-threads option (the
77 default) causes a non-threaded version to be built, which
78 will allow -u to be used.
79 </para>
80 </answer>
81 </qandaentry>
83 <qandaentry>
84 <question>
85 <para>
86 Why do I get the following errors:
87 <programlisting>general: errno2result.c:109: unexpected error:
88 general: unable to convert errno to isc_result: 14: Bad address
89 client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
90 </para>
91 </question>
92 <answer>
93 <para>
94 This is the result of a Linux kernel bug.
95 </para>
96 <para>
97 See:
98 <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink>
99 </para>
100 </answer>
101 </qandaentry>
103 <qandaentry>
104 <question>
105 <para>
106 Why does named log the warning message <quote>no TTL specified -
107 using SOA MINTTL instead</quote>?
108 </para>
109 </question>
110 <answer>
111 <para>
112 Your zone file is illegal according to RFC1035. It must either
113 have a line like:
114 </para>
115 <informalexample>
116 <programlisting>
117 $TTL 86400</programlisting>
118 </informalexample>
119 <para>
120 at the beginning, or the first record in it must have a TTL field,
121 like the "84600" in this example:
122 </para>
123 <informalexample>
124 <programlisting>
125 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
126 </informalexample>
127 </answer>
128 </qandaentry>
130 <qandaentry>
131 <question>
132 <para>
133 Why do I see 5 (or more) copies of named on Linux?
134 </para>
135 </question>
136 <answer>
137 <para>
138 Linux threads each show up as a process under ps. The
139 approximate number of threads running is n+4, where n is
140 the number of CPUs. Note that the amount of memory used
141 is not cumulative; if each process is using 10M of memory,
142 only a total of 10M is used.
143 </para>
144 <para>
145 Newer versions of Linux's ps command hide the individual threads
146 and require -L to display them.
147 </para>
148 </answer>
149 </qandaentry>
151 <qandaentry>
152 <question>
153 <para>
154 Why does BIND 9 log <quote>permission denied</quote> errors accessing
155 its configuration files or zones on my Linux system even
156 though it is running as root?
157 </para>
158 </question>
159 <answer>
160 <para>
161 On Linux, BIND 9 drops most of its root privileges on
162 startup. This including the privilege to open files owned
163 by other users. Therefore, if the server is running as
164 root, the configuration files and zone files should also
165 be owned by root.
166 </para>
167 </answer>
168 </qandaentry>
170 <qandaentry>
171 <question>
172 <para>
173 Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
174 master file bar: ran out of space</quote>?
175 </para>
176 </question>
177 <answer>
178 <para>
179 This is often caused by TXT records with missing close
180 quotes. Check that all TXT records containing quoted strings
181 have both open and close quotes.
182 </para>
183 </answer>
184 </qandaentry>
186 <qandaentry>
187 <question>
188 <para>
189 How do I produce a usable core file from a multithreaded
190 named on Linux?
191 </para>
192 </question>
193 <answer>
194 <para>
195 If the Linux kernel is 2.4.7 or newer, multithreaded core
196 dumps are usable (that is, the correct thread is dumped).
197 Otherwise, if using a 2.2 kernel, apply the kernel patch
198 found in contrib/linux/coredump-patch and rebuild the kernel.
199 This patch will cause multithreaded programs to dump the
200 correct thread.
201 </para>
202 </answer>
203 </qandaentry>
205 <qandaentry>
206 <question>
207 <para>
208 How do I restrict people from looking up the server version?
209 </para>
210 </question>
211 <answer>
212 <para>
213 Put a "version" option containing something other than the
214 real version in the "options" section of named.conf. Note
215 doing this will not prevent attacks and may impede people
216 trying to diagnose problems with your server. Also it is
217 possible to "fingerprint" nameservers to determine their
218 version.
219 </para>
220 </answer>
221 </qandaentry>
223 <qandaentry>
224 <question>
225 <para>
226 How do I restrict only remote users from looking up the
227 server version?
228 </para>
229 </question>
230 <answer>
231 <para>
232 The following view statement will intercept lookups as the
233 internal view that holds the version information will be
234 matched last. The caveats of the previous answer still
235 apply, of course.
236 </para>
237 <informalexample>
238 <programlisting>
239 view "chaos" chaos {
240 match-clients { <those to be refused>; };
241 allow-query { none; };
242 zone "." {
243 type hint;
244 file "/dev/null"; // or any empty file
245 };
246 };</programlisting>
247 </informalexample>
248 </answer>
249 </qandaentry>
251 <qandaentry>
252 <question>
253 <para>
254 What do <quote>no source of entropy found</quote> or <quote>could not
255 open entropy source foo</quote> mean?
256 </para>
257 </question>
258 <answer>
259 <para>
260 The server requires a source of entropy to perform certain
261 operations, mostly DNSSEC related. These messages indicate
262 that you have no source of entropy. On systems with
263 /dev/random or an equivalent, it is used by default. A
264 source of entropy can also be defined using the random-device
265 option in named.conf.
266 </para>
267 </answer>
268 </qandaentry>
270 <qandaentry>
271 <question>
272 <para>
273 I installed BIND 9 and restarted named, but it's still BIND 8. Why?
274 </para>
275 </question>
276 <answer>
277 <para>
278 BIND 9 is installed under /usr/local by default. BIND 8
279 is often installed under /usr. Check that the correct named
280 is running.
281 </para>
282 </answer>
283 </qandaentry>
285 <qandaentry>
286 <question>
287 <para>
288 I'm trying to use TSIG to authenticate dynamic updates or
289 zone transfers. I'm sure I have the keys set up correctly,
290 but the server is rejecting the TSIG. Why?
291 </para>
292 </question>
293 <answer>
294 <para>
295 This may be a clock skew problem. Check that the the clocks
296 on the client and server are properly synchronised (e.g.,
297 using ntp).
298 </para>
299 </answer>
300 </qandaentry>
302 <qandaentry>
303 <question>
304 <para>
305 I'm trying to compile BIND 9, and "make" is failing due to
306 files not being found. Why?
307 </para>
308 </question>
309 <answer>
310 <para>
311 Using a parallel or distributed "make" to build BIND 9 is
312 not supported, and doesn't work. If you are using one of
313 these, use normal make or gmake instead.
314 </para>
315 </answer>
316 </qandaentry>
318 <qandaentry>
319 <question>
320 <para>
321 I have a BIND 9 master and a BIND 8.2.3 slave, and the
322 master is logging error messages like <quote>notify to 10.0.0.1#53
323 failed: unexpected end of input</quote>. What's wrong?
324 </para>
325 </question>
326 <answer>
327 <para>
328 This error message is caused by a known bug in BIND 8.2.3
329 and is fixed in BIND 8.2.4. It can be safely ignored - the
330 notify has been acted on by the slave despite the error
331 message.
332 </para>
333 </answer>
334 </qandaentry>
336 <qandaentry>
337 <question>
338 <para>
339 I keep getting log messages like the following. Why?
340 </para>
341 <para>
342 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
343 'example.com/IN': update failed: 'RRset exists (value
344 dependent)' prerequisite not satisfied (NXRRSET)
345 </para>
346 </question>
347 <answer>
348 <para>
349 DNS updates allow the update request to test to see if
350 certain conditions are met prior to proceeding with the
351 update. The message above is saying that conditions were
352 not met and the update is not proceeding. See doc/rfc/rfc2136.txt
353 for more details on prerequisites.
354 </para>
355 </answer>
356 </qandaentry>
358 <qandaentry>
359 <question>
360 <para>
361 I keep getting log messages like the following. Why?
362 </para>
363 <para>
364 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
365 </para>
366 </question>
367 <answer>
368 <para>
369 Someone is trying to update your DNS data using the RFC2136
370 Dynamic Update protocol. Windows 2000 machines have a habit
371 of sending dynamic update requests to DNS servers without
372 being specifically configured to do so. If the update
373 requests are coming from a Windows 2000 machine, see
374 <ulink
375 url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
376 http://support.microsoft.com/support/kb/articles/q246/8/04.asp
377 </ulink>
378 for information about how to turn them off.
379 </para>
380 </answer>
381 </qandaentry>
383 <qandaentry>
384 <question>
385 <para>
386 I see a log message like the following. Why?
387 </para>
388 <para>
389 couldn't open pid file '/var/run/named.pid': Permission denied
390 </para>
391 </question>
392 <answer>
393 <para>
394 You are most likely running named as a non-root user, and
395 that user does not have permission to write in /var/run.
396 The common ways of fixing this are to create a /var/run/named
397 directory owned by the named user and set pid-file to
398 "/var/run/named/named.pid", or set pid-file to "named.pid",
399 which will put the file in the directory specified by the
400 directory option (which, in this case, must be writable by
401 the named user).
402 </para>
403 </answer>
404 </qandaentry>
406 <qandaentry>
407 <question>
408 <para>
409 When I do a "dig . ns", many of the A records for the root
410 servers are missing. Why?
411 </para>
412 </question>
413 <answer>
414 <para>
415 This is normal and harmless. It is a somewhat confusing
416 side effect of the way BIND 9 does RFC2181 trust ranking
417 and of the efforts BIND 9 makes to avoid promoting glue
418 into answers.
419 </para>
420 <para>
421 When BIND 9 first starts up and primes its cache, it receives
422 the root server addresses as additional data in an authoritative
423 response from a root server, and these records are eligible
424 for inclusion as additional data in responses. Subsequently
425 it receives a subset of the root server addresses as
426 additional data in a non-authoritative (referral) response
427 from a root server. This causes the addresses to now be
428 considered non-authoritative (glue) data, which is not
429 eligible for inclusion in responses.
430 </para>
431 <para>
432 The server does have a complete set of root server addresses
433 cached at all times, it just may not include all of them
434 as additional data, depending on whether they were last
435 received as answers or as glue. You can always look up the
436 addresses with explicit queries like "dig a.root-servers.net A".
437 </para>
438 </answer>
439 </qandaentry>
441 <qandaentry>
442 <question>
443 <para>
444 Zone transfers from my BIND 9 master to my Windows 2000
445 slave fail. Why?
446 </para>
447 </question>
448 <answer>
449 <para>
450 This may be caused by a bug in the Windows 2000 DNS server
451 where DNS messages larger than 16K are not handled properly.
452 This can be worked around by setting the option "transfer-format
453 one-answer;". Also check whether your zone contains domain
454 names with embedded spaces or other special characters,
455 like "John\032Doe\213s\032Computer", since such names have
456 been known to cause Windows 2000 slaves to incorrectly
457 reject the zone.
458 </para>
459 </answer>
460 </qandaentry>
462 <qandaentry>
463 <question>
464 <para>
465 Why don't my zones reload when I do an "rndc reload" or SIGHUP?
466 </para>
467 </question>
468 <answer>
469 <para>
470 A zone can be updated either by editing zone files and
471 reloading the server or by dynamic update, but not both.
472 If you have enabled dynamic update for a zone using the
473 "allow-update" option, you are not supposed to edit the
474 zone file by hand, and the server will not attempt to reload
475 it.
476 </para>
477 </answer>
478 </qandaentry>
480 <qandaentry>
481 <question>
482 <para>
483 I can query the nameserver from the nameserver but not from other
484 machines. Why?
485 </para>
486 </question>
487 <answer>
488 <para>
489 This is usually the result of the firewall configuration stopping
490 the queries and / or the replies.
491 </para>
492 </answer>
493 </qandaentry>
495 <qandaentry>
496 <question>
497 <para>
498 How can I make a server a slave for both an internal and
499 an external view at the same time? When I tried, both views
500 on the slave were transferred from the same view on the master.
501 </para>
502 </question>
503 <answer>
504 <para>
505 You will need to give the master and slave multiple IP
506 addresses and use those to make sure you reach the correct
507 view on the other machine.
508 </para>
509 <informalexample>
510 <programlisting>
511 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
512 internal:
513 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
514 notify-source 10.0.1.1;
515 transfer-source 10.0.1.1;
516 query-source address 10.0.1.1;
517 external:
518 match-clients { any; };
519 recursion no; // don't offer recursion to the world
520 notify-source 10.0.1.2;
521 transfer-source 10.0.1.2;
522 query-source address 10.0.1.2;
524 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
525 internal:
526 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
527 notify-source 10.0.1.3;
528 transfer-source 10.0.1.3;
529 query-source address 10.0.1.3;
530 external:
531 match-clients { any; };
532 recursion no; // don't offer recursion to the world
533 notify-source 10.0.1.4;
534 transfer-source 10.0.1.4;
535 query-source address 10.0.1.4;</programlisting>
536 </informalexample>
537 <para>
538 You put the external address on the alias so that all the other
539 dns clients on these boxes see the internal view by default.
540 </para>
541 </answer>
542 <answer>
543 <para>
544 BIND 9.3 and later: Use TSIG to select the appropriate view.
545 </para>
546 <informalexample>
547 <programlisting>
548 Master 10.0.1.1:
549 key "external" {
550 algorithm hmac-md5;
551 secret "xxxxxxxx";
552 };
553 view "internal" {
554 match-clients { !key external; 10.0.1/24; };
555 ...
556 };
557 view "external" {
558 match-clients { key external; any; };
559 server 10.0.1.2 { keys external; };
560 recursion no;
561 ...
562 };
564 Slave 10.0.1.2:
565 key "external" {
566 algorithm hmac-md5;
567 secret "xxxxxxxx";
568 };
569 view "internal" {
570 match-clients { !key external; 10.0.1/24; };
571 ...
572 };
573 view "external" {
574 match-clients { key external; any; };
575 server 10.0.1.1 { keys external; };
576 recursion no;
577 ...
578 };</programlisting>
579 </informalexample>
580 </answer>
581 </qandaentry>
583 <qandaentry>
584 <question>
585 <para>
586 I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
587 </para>
588 </question>
589 <answer>
590 <para>
591 /dev/random is not configured. Use rndcontrol(8) to tell
592 the kernel to use certain interrupts as a source of random
593 events. You can make this permanent by setting rand_irqs
594 in /etc/rc.conf.
595 </para>
596 <informalexample>
597 <programlisting>
598 /etc/rc.conf
599 rand_irqs="3 14 15"</programlisting>
600 </informalexample>
601 <para>
602 See also
603 <ulink url="http://people.freebsd.org/~dougb/randomness.html">
604 http://people.freebsd.org/~dougb/randomness.html
605 </ulink>
606 </para>
607 </answer>
608 </qandaentry>
610 <qandaentry>
611 <question>
612 <para>
613 Why is named listening on UDP port other than 53?
614 </para>
615 </question>
616 <answer>
617 <para>
618 Named uses a system selected port to make queries of other
619 nameservers. This behaviour can be overridden by using
620 query-source to lock down the port and/or address. See
621 also notify-source and transfer-source.
622 </para>
623 </answer>
624 </qandaentry>
626 <qandaentry>
627 <question>
628 <para>
629 I get error messages like <quote>multiple RRs of singleton type</quote>
630 and <quote>CNAME and other data</quote> when transferring a zone. What
631 does this mean?
632 </para>
633 </question>
634 <answer>
635 <para>
636 These indicate a malformed master zone. You can identify
637 the exact records involved by transferring the zone using
638 dig then running named-checkzone on it.
639 </para>
640 <informalexample>
641 <programlisting>
642 dig axfr example.com @master-server > tmp
643 named-checkzone example.com tmp</programlisting>
644 </informalexample>
645 <para>
646 A CNAME record cannot exist with the same name as another record
647 except for the DNSSEC records which prove its existance (NSEC).
648 </para>
649 <para>
650 RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
651 no other data should be present; this ensures that the data for a
652 canonical name and its aliases cannot be different. This rule also
653 insures that a cached CNAME can be used without checking with an
654 authoritative server for other RR types.</quote>
655 </para>
656 </answer>
657 </qandaentry>
659 <qandaentry>
660 <question>
661 <para>
662 I get error messages like <quote>named.conf:99: unexpected end
663 of input</quote> where 99 is the last line of named.conf.
664 </para>
665 </question>
666 <answer>
667 <para>
668 Some text editors (notepad and wordpad) fail to put a line
669 title indication (e.g. CR/LF) on the last line of a
670 text file. This can be fixed by "adding" a blank line to
671 the end of the file. Named expects to see EOF immediately
672 after EOL and treats text files where this is not met as
673 truncated.
674 </para>
675 </answer>
676 </qandaentry>
678 <qandaentry>
679 <question>
680 <para>
681 I get warning messages like <quote>zone example.com/IN: refresh:
682 failure trying master 1.2.3.4#53: timed out</quote>.
683 </para>
684 </question>
685 <answer>
686 <para>
687 Check that you can make UDP queries from the slave to the master
688 </para>
689 <informalexample>
690 <programlisting>
691 dig +norec example.com soa @1.2.3.4</programlisting>
692 </informalexample>
693 <para>
694 You could be generating queries faster than the slave can
695 cope with. Lower the serial query rate.
696 </para>
697 <informalexample>
698 <programlisting>
699 serial-query-rate 5; // default 20</programlisting>
700 </informalexample>
701 </answer>
702 </qandaentry>
704 <qandaentry>
705 <question>
706 <para>
707 How do I share a dynamic zone between multiple views?
708 </para>
709 </question>
710 <answer>
711 <para>
712 You choose one view to be master and the second a slave and
713 transfer the zone between views.
714 </para>
715 <informalexample>
716 <programlisting>
717 Master 10.0.1.1:
718 key "external" {
719 algorithm hmac-md5;
720 secret "xxxxxxxx";
721 };
723 key "mykey" {
724 algorithm hmac-md5;
725 secret "yyyyyyyy";
726 };
728 view "internal" {
729 match-clients { !external; 10.0.1/24; };
730 server 10.0.1.1 {
731 /* Deliver notify messages to external view. */
732 keys { external; };
733 };
734 zone "example.com" {
735 type master;
736 file "internal/example.db";
737 allow-update { key mykey; };
738 notify-also { 10.0.1.1; };
739 };
740 };
742 view "external" {
743 match-clients { external; any; };
744 zone "example.com" {
745 type slave;
746 file "external/example.db";
747 masters { 10.0.1.1; };
748 transfer-source { 10.0.1.1; };
749 // allow-update-forwarding { any; };
750 // allow-notify { ... };
751 };
752 };</programlisting>
753 </informalexample>
754 </answer>
755 </qandaentry>
757 <qandaentry>
758 <question>
759 <para>
760 I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
761 loading master file primaries/wireless.ietf56.ietf.org: no
762 owner</quote>.
763 </para>
764 </question>
765 <answer>
766 <para>
767 This error is produced when a line in the master file
768 contains leading white space (tab/space) but the is no
769 current record owner name to inherit the name from. Usually
770 this is the result of putting white space before a comment.
771 Forgeting the "@" for the SOA record or indenting the master
772 file.
773 </para>
774 </answer>
775 </qandaentry>
777 <qandaentry>
778 <question>
779 <para>
780 Why are my logs in GMT (UTC).
781 </para>
782 </question>
783 <answer>
784 <para>
785 You are running chrooted (-t) and have not supplied local timzone
786 information in the chroot area.
787 </para>
788 <simplelist>
789 <member>FreeBSD: /etc/localtime</member>
790 <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
791 <member>OSF: /etc/zoneinfo/localtime</member>
792 </simplelist>
793 <para>
794 See also tzset(3) and zic(8).
795 </para>
796 </answer>
797 </qandaentry>
799 <qandaentry>
800 <question>
801 <para>
802 I get the error message <quote>named: capset failed: Operation
803 not permitted</quote> when starting named.
804 </para>
805 </question>
806 <answer>
807 <para>
808 The capability module, part of "Linux Security Modules/LSM",
809 has not been loaded into the kernel. See insmod(8).
810 </para>
811 </answer>
812 </qandaentry>
814 <qandaentry>
815 <question>
816 <para>
817 I get <quote>rndc: connect failed: connection refused</quote> when
818 I try to run rndc.
819 </para>
820 </question>
821 <answer>
822 <para>
823 This is usually a configuration error.
824 </para>
825 <para>
826 First ensure that named is running and no errors are being
827 reported at startup (/var/log/messages or equivalent).
828 Running "named -g <usual arguments>" from a title
829 can help at this point.
830 </para>
831 <para>
832 Secondly ensure that named is configured to use rndc either
833 by "rndc-confgen -a", rndc-confgen or manually. The
834 Administrators Reference manual has details on how to do
835 this.
836 </para>
837 <para>
838 Old versions of rndc-confgen used localhost rather than
839 127.0.0.1 in /etc/rndc.conf for the default server. Update
840 /etc/rndc.conf if necessary so that the default server
841 listed in /etc/rndc.conf matches the addresses used in
842 named.conf. "localhost" has two address (127.0.0.1 and
843 ::1).
844 </para>
845 <para>
846 If you use "rndc-confgen -a" and named is running with -t or -u
847 ensure that /etc/rndc.conf has the correct ownership and that
848 a copy is in the chroot area. You can do this by re-running
849 "rndc-confgen -a" with appropriate -t and -u arguments.
850 </para>
851 </answer>
852 </qandaentry>
854 <qandaentry>
855 <question>
856 <para>
857 I don't get RRSIG's returned when I use "dig +dnssec".
858 </para>
859 </question>
860 <answer>
861 <para>
862 You need to ensure DNSSEC is enabled (dnssec-enable yes;).
863 </para>
864 </answer>
865 </qandaentry>
867 <qandaentry>
868 <question>
869 <para>
870 I get <quote>Error 1067</quote> when starting named under Windows.
871 </para>
872 </question>
873 <answer>
874 <para>
875 This is the service manager saying that named exited. You
876 need to examine the Application log in the EventViewer to
877 find out why.
878 </para>
879 <para>
880 Common causes are that you failed to create "named.conf"
881 (usually "C:\windows\dns\etc\named.conf") or failed to
882 specify the directory in named.conf.
883 </para>
884 <informalexample>
885 <programlisting>
886 options {
887 Directory "C:\windows\dns\etc";
888 };</programlisting>
889 </informalexample>
890 </answer>
891 </qandaentry>
893 <qandaentry>
894 <question>
895 <para>
896 I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
897 failed while receiving responses: permission denied</quote> error
898 messages.
899 </para>
900 </question>
901 <answer>
902 <para>
903 These indicate a filesystem permission error preventing
904 named creating / renaming the temporary file. These will
905 usually also have other associated error messages like
906 </para>
907 <informalexample>
908 <programlisting>
909 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
910 </informalexample>
911 <para>
912 Named needs write permission on the directory containing
913 the file. Named writes the new cache file to a temporary
914 file then renames it to the name specified in named.conf
915 to ensure that the contents are always complete. This is
916 to prevent named loading a partial zone in the event of
917 power failure or similar interrupting the write of the
918 master file.
919 </para>
920 <para>
921 Note file names are relative to the directory specified in
922 options and any chroot directory ([<chroot
923 dir>/][<options dir>]).
924 </para>
925 <informalexample>
926 <para>
927 If named is invoked as "named -t /chroot/DNS" with
928 the following named.conf then "/chroot/DNS/var/named/sl"
929 needs to be writable by the user named is running as.
930 </para>
931 <programlisting>
932 options {
933 directory "/var/named";
934 };
936 zone "example.net" {
937 type slave;
938 file "sl/example.net";
939 masters { 192.168.4.12; };
940 };</programlisting>
941 </informalexample>
942 </answer>
943 </qandaentry>
945 <qandaentry>
946 <question>
947 <para>
948 How do I intergrate BIND 9 and Solaris SMF
949 </para>
950 </question>
951 <answer>
952 <para>
953 Sun has a blog entry describing how to do this.
954 </para>
955 <para>
956 <ulink
957 url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
958 http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
959 </ulink>
960 </para>
961 </answer>
962 </qandaentry>
964 <qandaentry>
965 <question>
966 <para>
967 Can a NS record refer to a CNAME.
968 </para>
969 </question>
970 <answer>
971 <para>
972 No. The rules for glue (copies of the *address* records
973 in the parent zones) and additional section processing do
974 not allow it to work.
975 </para>
976 <para>
977 You would have to add both the CNAME and address records
978 (A/AAAA) as glue to the parent zone and have CNAMEs be
979 followed when doing additional section processing to make
980 it work. No namesever implementation supports either of
981 these requirements.
982 </para>
983 </answer>
984 </qandaentry>
986 <qandaentry>
987 <question>
988 <para>
989 What does <quote>RFC 1918 response from Internet for
990 0.0.0.10.IN-ADDR.ARPA</quote> mean?
991 </para>
992 </question>
993 <answer>
994 <para>
995 If the IN-ADDR.ARPA name covered refers to a internal address
996 space you are using then you have failed to follow RFC 1918
997 usage rules and are leaking queries to the Internet. You
998 should establish your own zones for these addresses to prevent
999 you quering the Internet's name servers for these addresses.
1000 Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
1001 for details of the problems you are causing and the counter
1002 measures that have had to be deployed.
1003 </para>
1004 <para>
1005 If you are not using these private addresses then a client
1006 has queried for them. You can just ignore the messages,
1007 get the offending client to stop sending you these messages
1008 as they are most probably leaking them or setup your own zones
1009 empty zones to serve answers to these queries.
1010 </para>
1011 <informalexample>
1012 <programlisting>
1013 zone "10.IN-ADDR.ARPA" {
1014 type master;
1015 file "empty";
1016 };
1018 zone "16.172.IN-ADDR.ARPA" {
1019 type master;
1020 file "empty";
1021 };
1023 ...
1025 zone "31.172.IN-ADDR.ARPA" {
1026 type master;
1027 file "empty";
1028 };
1030 zone "168.192.IN-ADDR.ARPA" {
1031 type master;
1032 file "empty";
1033 };
1035 empty:
1036 @ 10800 IN SOA <name-of-server>. <contact-email>. (
1037 1 3600 1200 604800 10800 )
1038 @ 10800 IN NS <name-of-server>.</programlisting>
1039 </informalexample>
1040 <para>
1041 <note>
1042 Future versions of named are likely to do this automatically.
1043 </note>
1044 </para>
1045 </answer>
1046 </qandaentry>
1048 <qandaentry>
1049 <question>
1050 <para>
1051 I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
1052 </para>
1053 <para>
1054 Why can't named update slave zone database files?
1055 </para>
1056 <para>
1057 Why can't named create DDNS journal files or update
1058 the master zones from journals?
1059 </para>
1060 <para>
1061 Why can't named create custom log files?
1062 </para>
1063 </question>
1065 <answer>
1066 <para>
1067 Red Hat Security Enhanced Linux (SELinux) policy security
1068 protections :
1069 </para>
1071 <para>
1072 Red Hat have adopted the National Security Agency's
1073 SELinux security policy ( see http://www.nsa.gov/selinux
1074 ) and recommendations for BIND security , which are more
1075 secure than running named in a chroot and make use of
1076 the bind-chroot environment unecessary .
1077 </para>
1079 <para>
1080 By default, named is not allowed by the SELinux policy
1081 to write, create or delete any files EXCEPT in these
1082 directories:
1083 <informalexample>
1084 <programlisting>
1085 $ROOTDIR/var/named/slaves
1086 $ROOTDIR/var/named/data
1087 $ROOTDIR/var/tmp
1088 </programlisting>
1089 </informalexample>
1090 where $ROOTDIR may be set in /etc/sysconfig/named if
1091 bind-chroot is installed.
1092 </para>
1094 <para>
1095 The SELinux policy particularly does NOT allow named to modify
1096 the $ROOTDIR/var/named directory, the default location for master
1097 zone database files.
1098 </para>
1100 <para>
1101 SELinux policy overrules file access permissions - so
1102 even if all the files under /var/named have ownership
1103 named:named and mode rw-rw-r--, named will still not be
1104 able to write or create files except in the directories
1105 above, with SELinux in Enforcing mode.
1106 </para>
1108 <para>
1109 So, to allow named to update slave or DDNS zone files,
1110 it is best to locate them in $ROOTDIR/var/named/slaves,
1111 with named.conf zone statements such as:
1112 <informalexample>
1113 <programlisting>
1114 zone "slave.zone." IN {
1115 type slave;
1116 file "slaves/slave.zone.db";
1117 ...
1118 };
1119 zone "ddns.zone." IN {
1120 type master;
1121 allow-updates {...};
1122 file "slaves/ddns.zone.db";
1123 };
1124 </programlisting>
1125 </informalexample>
1126 </para>
1128 <para>
1129 To allow named to create its cache dump and statistics
1130 files, for example, you could use named.conf options
1131 statements such as:
1132 <informalexample>
1133 <programlisting>
1134 options {
1135 ...
1136 dump-file "/var/named/data/cache_dump.db";
1137 statistics-file "/var/named/data/named_stats.txt";
1138 ...
1139 };
1140 </programlisting>
1141 </informalexample>
1142 </para>
1144 <para>
1145 You can also tell SELinux to allow named to update any
1146 zone database files, by setting the SELinux tunable boolean
1147 parameter 'named_write_master_zones=1', using the
1148 system-config-securitylevel GUI, using the 'setsebool'
1149 command, or in /etc/selinux/targeted/booleans.
1150 </para>
1152 <para>
1153 You can disable SELinux protection for named entirely by
1154 setting the 'named_disable_trans=1' SELinux tunable boolean
1155 parameter.
1156 </para>
1158 <para>
1159 The SELinux named policy defines these SELinux contexts for named:
1160 <informalexample>
1161 <programlisting>
1162 named_zone_t : for zone database files - $ROOTDIR/var/named/*
1163 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
1164 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
1165 </programlisting>
1166 </informalexample>
1167 </para>
1169 <para>
1170 If you want to retain use of the SELinux policy for named,
1171 and put named files in different locations, you can do
1172 so by changing the context of the custom file locations
1173 .
1174 </para>
1176 <para>
1177 To create a custom configuration file location, eg.
1178 '/root/named.conf', to use with the 'named -c' option,
1179 do:
1180 <informalexample>
1181 <programlisting>
1182 # chcon system_u:object_r:named_conf_t /root/named.conf
1183 </programlisting>
1184 </informalexample>
1185 </para>
1187 <para>
1188 To create a custom modifiable named data location, eg.
1189 '/var/log/named' for a log file, do:
1190 <informalexample>
1191 <programlisting>
1192 # chcon system_u:object_r:named_cache_t /var/log/named
1193 </programlisting>
1194 </informalexample>
1195 </para>
1197 <para>
1198 To create a custom zone file location, eg. /root/zones/, do:
1199 <informalexample>
1200 <programlisting>
1201 # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
1202 </programlisting>
1203 </informalexample>
1204 </para>
1206 <para>
1207 See these man-pages for more information : selinux(8),
1208 named_selinux(8), chcon(1), setsebool(8)
1209 </para>
1210 </answer>
1211 </qandaentry>
1212 <qandaentry>
1213 <question>
1214 <para>
1215 I want to forward all DNS queries from my caching nameserver to
1216 another server. But there are some domains which have to be
1217 served locally, via rbldnsd.
1218 </para>
1219 <para>
1220 How do I achieve this ?
1221 </para>
1222 </question>
1223 <answer>
1224 <programlisting>
1225 options {
1226 forward only;
1227 forwarders { <ip.of.primary.nameserver>; };
1228 };
1230 zone "sbl-xbl.spamhaus.org" {
1231 type forward; forward only;
1232 forwarders { <ip.of.rbldns.server> port 530; };
1233 };
1235 zone "list.dsbl.org" {
1236 type forward; forward only;
1237 forwarders { <ip.of.rbldns.server> port 530; };
1238 };
1239 </programlisting>
1240 </answer>
1241 </qandaentry>
1242 <qandaentry>
1243 <question>
1244 <para>
1245 Will named be affected by the 2007 changes to daylight savings
1246 rules in the US.
1247 </para>
1248 </question>
1249 <answer>
1250 <para>
1251 No, so long as the machines internal clock (as reported
1252 by "date -u") remains at UTC. The only visible change
1253 if you fail to upgrade your OS, if you are in a affected
1254 area, will be that log messages will be a hour out during
1255 the period where the old rules do not match the new rules.
1256 </para>
1257 <para>
1258 For most OS's this change just means that you need to
1259 update the conversion rules from UTC to local time.
1260 Normally this involves updating a file in /etc (which
1261 sets the default timezone for the machine) and possibly
1262 a directory which has all the conversion rules for the
1263 world (e.g. /usr/share/zoneinfo). When updating the OS
1264 do not forget to update any chroot areas as well.
1265 See your OS's documetation for more details.
1266 </para>
1267 <para>
1268 The local timezone conversion rules can also be done on
1269 a individual basis by setting the TZ envirionment variable
1270 appropriately. See your OS's documentation for more
1271 details.
1272 </para>
1273 </answer>
1274 </qandaentry>
1275 </qandaset>
1276 </article>