| blob | 0f864ef753a2a09dda0f43c9e5d12bb5e42e22e9 |
1 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
3 <!--
4 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
5 - Copyright (C) 2000-2003 Internet Software Consortium.
6 -
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
10 -
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
18 -->
20 <!-- $Id: FAQ.xml,v 1.4.4.16 2007/10/31 02:14:07 marka Exp $ -->
22 <article class="faq">
23 <title>Frequently Asked Questions about BIND 9</title>
24 <articleinfo>
25 <copyright>
26 <year>2004</year>
27 <year>2005</year>
28 <year>2006</year>
29 <year>2007</year>
30 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
31 </copyright>
32 <copyright>
33 <year>2000</year>
34 <year>2001</year>
35 <year>2002</year>
36 <year>2003</year>
37 <holder>Internet Software Consortium.</holder>
38 </copyright>
39 </articleinfo>
40 <qandaset defaultlabel='qanda'>
42 <qandadiv><title>Compilation and Installation Questions</title>
44 <qandaentry>
45 <question>
46 <para>
47 I'm trying to compile BIND 9, and "make" is failing due to
48 files not being found. Why?
49 </para>
50 </question>
51 <answer>
52 <para>
53 Using a parallel or distributed "make" to build BIND 9 is
54 not supported, and doesn't work. If you are using one of
55 these, use normal make or gmake instead.
56 </para>
57 </answer>
58 </qandaentry>
60 <qandaentry>
61 <question>
62 <para>
63 Isn't "make install" supposed to generate a default named.conf?
64 </para>
65 </question>
66 <answer>
67 <para>
68 Short Answer: No.
69 </para>
70 <para>
71 Long Answer: There really isn't a default configuration which fits
72 any site perfectly. There are lots of decisions that need to
73 be made and there is no consensus on what the defaults should be.
74 For example FreeBSD uses /etc/namedb as the location where the
75 configuration files for named are stored. Others use /var/named.
76 </para>
77 <para>
78 What addresses to listen on? For a laptop on the move a lot
79 you may only want to listen on the loop back interfaces.
80 </para>
81 <para>
82 Who do you offer recursive service to? Is there are firewall
83 to consider? If so is it stateless or stateful. Are you
84 directly on the Internet? Are you on a private network? Are
85 you on a NAT'd network? The answers
86 to all these questions change how you configure even a
87 caching name server.
88 </para>
89 </answer>
90 </qandaentry>
92 </qandadiv> <!-- Compilation and Installation Questions -->
94 <qandadiv><title>Configuration and Setup Questions</title>
96 <qandaentry>
97 <!-- configuration, log -->
98 <question>
99 <para>
100 Why does named log the warning message <quote>no TTL specified -
101 using SOA MINTTL instead</quote>?
102 </para>
103 </question>
104 <answer>
105 <para>
106 Your zone file is illegal according to RFC1035. It must either
107 have a line like:
108 </para>
109 <informalexample>
110 <programlisting>
111 $TTL 86400</programlisting>
112 </informalexample>
113 <para>
114 at the beginning, or the first record in it must have a TTL field,
115 like the "84600" in this example:
116 </para>
117 <informalexample>
118 <programlisting>
119 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
120 </informalexample>
121 </answer>
122 </qandaentry>
124 <qandaentry>
125 <!-- configuration -->
126 <question>
127 <para>
128 Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
129 master file bar: ran out of space</quote>?
130 </para>
131 </question>
132 <answer>
133 <para>
134 This is often caused by TXT records with missing close
135 quotes. Check that all TXT records containing quoted strings
136 have both open and close quotes.
137 </para>
138 </answer>
139 </qandaentry>
141 <qandaentry>
142 <!-- security -->
143 <question>
144 <para>
145 How do I restrict people from looking up the server version?
146 </para>
147 </question>
148 <answer>
149 <para>
150 Put a "version" option containing something other than the
151 real version in the "options" section of named.conf. Note
152 doing this will not prevent attacks and may impede people
153 trying to diagnose problems with your server. Also it is
154 possible to "fingerprint" nameservers to determine their
155 version.
156 </para>
157 </answer>
158 </qandaentry>
160 <qandaentry>
161 <!-- security -->
162 <question>
163 <para>
164 How do I restrict only remote users from looking up the
165 server version?
166 </para>
167 </question>
168 <answer>
169 <para>
170 The following view statement will intercept lookups as the
171 internal view that holds the version information will be
172 matched last. The caveats of the previous answer still
173 apply, of course.
174 </para>
175 <informalexample>
176 <programlisting>
177 view "chaos" chaos {
178 match-clients { <those to be refused>; };
179 allow-query { none; };
180 zone "." {
181 type hint;
182 file "/dev/null"; // or any empty file
183 };
184 };</programlisting>
185 </informalexample>
186 </answer>
187 </qandaentry>
189 <qandaentry>
190 <!-- configuration -->
191 <question>
192 <para>
193 What do <quote>no source of entropy found</quote> or <quote>could not
194 open entropy source foo</quote> mean?
195 </para>
196 </question>
197 <answer>
198 <para>
199 The server requires a source of entropy to perform certain
200 operations, mostly DNSSEC related. These messages indicate
201 that you have no source of entropy. On systems with
202 /dev/random or an equivalent, it is used by default. A
203 source of entropy can also be defined using the random-device
204 option in named.conf.
205 </para>
206 </answer>
207 </qandaentry>
209 <qandaentry>
210 <!-- configuration -->
211 <question>
212 <para>
213 I'm trying to use TSIG to authenticate dynamic updates or
214 zone transfers. I'm sure I have the keys set up correctly,
215 but the server is rejecting the TSIG. Why?
216 </para>
217 </question>
218 <answer>
219 <para>
220 This may be a clock skew problem. Check that the the clocks
221 on the client and server are properly synchronised (e.g.,
222 using ntp).
223 </para>
224 </answer>
225 </qandaentry>
227 <qandaentry>
228 <question>
229 <para>
230 I see a log message like the following. Why?
231 </para>
232 <para>
233 couldn't open pid file '/var/run/named.pid': Permission denied
234 </para>
235 </question>
236 <answer>
237 <para>
238 You are most likely running named as a non-root user, and
239 that user does not have permission to write in /var/run.
240 The common ways of fixing this are to create a /var/run/named
241 directory owned by the named user and set pid-file to
242 "/var/run/named/named.pid", or set pid-file to "named.pid",
243 which will put the file in the directory specified by the
244 directory option (which, in this case, must be writable by
245 the named user).
246 </para>
247 </answer>
248 </qandaentry>
250 <qandaentry>
251 <question>
252 <para>
253 I can query the nameserver from the nameserver but not from other
254 machines. Why?
255 </para>
256 </question>
257 <answer>
258 <para>
259 This is usually the result of the firewall configuration stopping
260 the queries and / or the replies.
261 </para>
262 </answer>
263 </qandaentry>
265 <qandaentry>
266 <question>
267 <para>
268 How can I make a server a slave for both an internal and
269 an external view at the same time? When I tried, both views
270 on the slave were transferred from the same view on the master.
271 </para>
272 </question>
273 <answer>
274 <para>
275 You will need to give the master and slave multiple IP
276 addresses and use those to make sure you reach the correct
277 view on the other machine.
278 </para>
279 <informalexample>
280 <programlisting>
281 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
282 internal:
283 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
284 notify-source 10.0.1.1;
285 transfer-source 10.0.1.1;
286 query-source address 10.0.1.1;
287 external:
288 match-clients { any; };
289 recursion no; // don't offer recursion to the world
290 notify-source 10.0.1.2;
291 transfer-source 10.0.1.2;
292 query-source address 10.0.1.2;
294 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
295 internal:
296 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
297 notify-source 10.0.1.3;
298 transfer-source 10.0.1.3;
299 query-source address 10.0.1.3;
300 external:
301 match-clients { any; };
302 recursion no; // don't offer recursion to the world
303 notify-source 10.0.1.4;
304 transfer-source 10.0.1.4;
305 query-source address 10.0.1.4;</programlisting>
306 </informalexample>
307 <para>
308 You put the external address on the alias so that all the other
309 dns clients on these boxes see the internal view by default.
310 </para>
311 </answer>
312 <answer>
313 <para>
314 BIND 9.3 and later: Use TSIG to select the appropriate view.
315 </para>
316 <informalexample>
317 <programlisting>
318 Master 10.0.1.1:
319 key "external" {
320 algorithm hmac-md5;
321 secret "xxxxxxxx";
322 };
323 view "internal" {
324 match-clients { !key external; 10.0.1/24; };
325 ...
326 };
327 view "external" {
328 match-clients { key external; any; };
329 server 10.0.1.2 { keys external; };
330 recursion no;
331 ...
332 };
334 Slave 10.0.1.2:
335 key "external" {
336 algorithm hmac-md5;
337 secret "xxxxxxxx";
338 };
339 view "internal" {
340 match-clients { !key external; 10.0.1/24; };
341 ...
342 };
343 view "external" {
344 match-clients { key external; any; };
345 server 10.0.1.1 { keys external; };
346 recursion no;
347 ...
348 };</programlisting>
349 </informalexample>
350 </answer>
351 </qandaentry>
353 <qandaentry>
354 <question>
355 <para>
356 I get error messages like <quote>multiple RRs of singleton type</quote>
357 and <quote>CNAME and other data</quote> when transferring a zone. What
358 does this mean?
359 </para>
360 </question>
361 <answer>
362 <para>
363 These indicate a malformed master zone. You can identify
364 the exact records involved by transferring the zone using
365 dig then running named-checkzone on it.
366 </para>
367 <informalexample>
368 <programlisting>
369 dig axfr example.com @master-server > tmp
370 named-checkzone example.com tmp</programlisting>
371 </informalexample>
372 <para>
373 A CNAME record cannot exist with the same name as another record
374 except for the DNSSEC records which prove its existence (NSEC).
375 </para>
376 <para>
377 RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
378 no other data should be present; this ensures that the data for a
379 canonical name and its aliases cannot be different. This rule also
380 insures that a cached CNAME can be used without checking with an
381 authoritative server for other RR types.</quote>
382 </para>
383 </answer>
384 </qandaentry>
386 <qandaentry>
387 <question>
388 <para>
389 I get error messages like <quote>named.conf:99: unexpected end
390 of input</quote> where 99 is the last line of named.conf.
391 </para>
392 </question>
393 <answer>
394 <para>
395 Some text editors (notepad and wordpad) fail to put a line
396 title indication (e.g. CR/LF) on the last line of a
397 text file. This can be fixed by "adding" a blank line to
398 the end of the file. Named expects to see EOF immediately
399 after EOL and treats text files where this is not met as
400 truncated.
401 </para>
402 </answer>
403 </qandaentry>
405 <qandaentry>
406 <question>
407 <para>
408 How do I share a dynamic zone between multiple views?
409 </para>
410 </question>
411 <answer>
412 <para>
413 You choose one view to be master and the second a slave and
414 transfer the zone between views.
415 </para>
416 <informalexample>
417 <programlisting>
418 Master 10.0.1.1:
419 key "external" {
420 algorithm hmac-md5;
421 secret "xxxxxxxx";
422 };
424 key "mykey" {
425 algorithm hmac-md5;
426 secret "yyyyyyyy";
427 };
429 view "internal" {
430 match-clients { !key external; 10.0.1/24; };
431 server 10.0.1.1 {
432 /* Deliver notify messages to external view. */
433 keys { external; };
434 };
435 zone "example.com" {
436 type master;
437 file "internal/example.db";
438 allow-update { key mykey; };
439 notify-also { 10.0.1.1; };
440 };
441 };
443 view "external" {
444 match-clients { key external; any; };
445 zone "example.com" {
446 type slave;
447 file "external/example.db";
448 masters { 10.0.1.1; };
449 transfer-source { 10.0.1.1; };
450 // allow-update-forwarding { any; };
451 // allow-notify { ... };
452 };
453 };</programlisting>
454 </informalexample>
455 </answer>
456 </qandaentry>
458 <qandaentry>
459 <question>
460 <para>
461 I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
462 loading master file primaries/wireless.ietf56.ietf.org: no
463 owner</quote>.
464 </para>
465 </question>
466 <answer>
467 <para>
468 This error is produced when a line in the master file
469 contains leading white space (tab/space) but the is no
470 current record owner name to inherit the name from. Usually
471 this is the result of putting white space before a comment,
472 forgetting the "@" for the SOA record, or indenting the master
473 file.
474 </para>
475 </answer>
476 </qandaentry>
478 <qandaentry>
479 <question>
480 <para>
481 Why are my logs in GMT (UTC).
482 </para>
483 </question>
484 <answer>
485 <para>
486 You are running chrooted (-t) and have not supplied local timezone
487 information in the chroot area.
488 </para>
489 <simplelist>
490 <member>FreeBSD: /etc/localtime</member>
491 <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
492 <member>OSF: /etc/zoneinfo/localtime</member>
493 </simplelist>
494 <para>
495 See also tzset(3) and zic(8).
496 </para>
497 </answer>
498 </qandaentry>
500 <qandaentry>
501 <question>
502 <para>
503 I get <quote>rndc: connect failed: connection refused</quote> when
504 I try to run rndc.
505 </para>
506 </question>
507 <answer>
508 <para>
509 This is usually a configuration error.
510 </para>
511 <para>
512 First ensure that named is running and no errors are being
513 reported at startup (/var/log/messages or equivalent).
514 Running "named -g <usual arguments>" from a title
515 can help at this point.
516 </para>
517 <para>
518 Secondly ensure that named is configured to use rndc either
519 by "rndc-confgen -a", rndc-confgen or manually. The
520 Administrators Reference manual has details on how to do
521 this.
522 </para>
523 <para>
524 Old versions of rndc-confgen used localhost rather than
525 127.0.0.1 in /etc/rndc.conf for the default server. Update
526 /etc/rndc.conf if necessary so that the default server
527 listed in /etc/rndc.conf matches the addresses used in
528 named.conf. "localhost" has two address (127.0.0.1 and
529 ::1).
530 </para>
531 <para>
532 If you use "rndc-confgen -a" and named is running with -t or -u
533 ensure that /etc/rndc.conf has the correct ownership and that
534 a copy is in the chroot area. You can do this by re-running
535 "rndc-confgen -a" with appropriate -t and -u arguments.
536 </para>
537 </answer>
538 </qandaentry>
540 <qandaentry>
541 <question>
542 <para>
543 I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
544 failed while receiving responses: permission denied</quote> error
545 messages.
546 </para>
547 </question>
548 <answer>
549 <para>
550 These indicate a filesystem permission error preventing
551 named creating / renaming the temporary file. These will
552 usually also have other associated error messages like
553 </para>
554 <informalexample>
555 <programlisting>
556 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
557 </informalexample>
558 <para>
559 Named needs write permission on the directory containing
560 the file. Named writes the new cache file to a temporary
561 file then renames it to the name specified in named.conf
562 to ensure that the contents are always complete. This is
563 to prevent named loading a partial zone in the event of
564 power failure or similar interrupting the write of the
565 master file.
566 </para>
567 <para>
568 Note file names are relative to the directory specified in
569 options and any chroot directory ([<chroot
570 dir>/][<options dir>]).
571 </para>
572 <informalexample>
573 <para>
574 If named is invoked as "named -t /chroot/DNS" with
575 the following named.conf then "/chroot/DNS/var/named/sl"
576 needs to be writable by the user named is running as.
577 </para>
578 <programlisting>
579 options {
580 directory "/var/named";
581 };
583 zone "example.net" {
584 type slave;
585 file "sl/example.net";
586 masters { 192.168.4.12; };
587 };</programlisting>
588 </informalexample>
589 </answer>
590 </qandaentry>
592 <qandaentry>
593 <question>
594 <para>
595 I want to forward all DNS queries from my caching nameserver to
596 another server. But there are some domains which have to be
597 served locally, via rbldnsd.
598 </para>
599 <para>
600 How do I achieve this ?
601 </para>
602 </question>
603 <answer>
604 <programlisting>
605 options {
606 forward only;
607 forwarders { <ip.of.primary.nameserver>; };
608 };
610 zone "sbl-xbl.spamhaus.org" {
611 type forward; forward only;
612 forwarders { <ip.of.rbldns.server> port 530; };
613 };
615 zone "list.dsbl.org" {
616 type forward; forward only;
617 forwarders { <ip.of.rbldns.server> port 530; };
618 };
619 </programlisting>
620 </answer>
621 </qandaentry>
623 <qandaentry>
624 <question>
625 <para>
626 Can you help me understand how BIND 9 uses memory to store
627 DNS zones?
628 </para>
629 <para>
630 Some times it seems to take several times the amount of
631 memory it needs to store the zone.
632 </para>
633 </question>
634 <answer>
635 <para>
636 When reloading a zone named my have multiple copies of
637 the zone in memory at one time. The zone it is serving
638 and the one it is loading. If reloads are ultra fast it
639 can have more still.
640 </para>
641 <para>
642 e.g. Ones that are transferring out, the one that it is
643 serving and the one that is loading.
644 </para>
645 <para>
646 BIND 8 destroyed the zone before loading and also killed
647 off outgoing transfers of the zone.
648 </para>
649 <para>
650 The new strategy allows slaves to get copies of the new
651 zone regardless of how often the master is loaded compared
652 to the transfer time. The slave might skip some intermediate
653 versions but the transfers will complete and it will keep
654 reasonably in sync with the master.
655 </para>
656 <para>
657 The new strategy also allows the master to recover from
658 syntax and other errors in the master file as it still
659 has an in-core copy of the old contents.
660 </para>
661 </answer>
662 </qandaentry>
664 </qandadiv> <!-- Configuration and Setup Questions -->
666 <qandadiv><title>General Questions</title>
668 <qandaentry>
669 <question>
670 <para>
671 I keep getting log messages like the following. Why?
672 </para>
673 <para>
674 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
675 'example.com/IN': update failed: 'RRset exists (value
676 dependent)' prerequisite not satisfied (NXRRSET)
677 </para>
678 </question>
679 <answer>
680 <para>
681 DNS updates allow the update request to test to see if
682 certain conditions are met prior to proceeding with the
683 update. The message above is saying that conditions were
684 not met and the update is not proceeding. See doc/rfc/rfc2136.txt
685 for more details on prerequisites.
686 </para>
687 </answer>
688 </qandaentry>
690 <qandaentry>
691 <question>
692 <para>
693 I keep getting log messages like the following. Why?
694 </para>
695 <para>
696 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
697 </para>
698 </question>
699 <answer>
700 <para>
701 Someone is trying to update your DNS data using the RFC2136
702 Dynamic Update protocol. Windows 2000 machines have a habit
703 of sending dynamic update requests to DNS servers without
704 being specifically configured to do so. If the update
705 requests are coming from a Windows 2000 machine, see
706 <ulink
707 url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
708 http://support.microsoft.com/support/kb/articles/q246/8/04.asp
709 </ulink>
710 for information about how to turn them off.
711 </para>
712 </answer>
713 </qandaentry>
715 <qandaentry>
716 <question>
717 <para>
718 When I do a "dig . ns", many of the A records for the root
719 servers are missing. Why?
720 </para>
721 </question>
722 <answer>
723 <para>
724 This is normal and harmless. It is a somewhat confusing
725 side effect of the way BIND 9 does RFC2181 trust ranking
726 and of the efforts BIND 9 makes to avoid promoting glue
727 into answers.
728 </para>
729 <para>
730 When BIND 9 first starts up and primes its cache, it receives
731 the root server addresses as additional data in an authoritative
732 response from a root server, and these records are eligible
733 for inclusion as additional data in responses. Subsequently
734 it receives a subset of the root server addresses as
735 additional data in a non-authoritative (referral) response
736 from a root server. This causes the addresses to now be
737 considered non-authoritative (glue) data, which is not
738 eligible for inclusion in responses.
739 </para>
740 <para>
741 The server does have a complete set of root server addresses
742 cached at all times, it just may not include all of them
743 as additional data, depending on whether they were last
744 received as answers or as glue. You can always look up the
745 addresses with explicit queries like "dig a.root-servers.net A".
746 </para>
747 </answer>
748 </qandaentry>
750 <qandaentry>
751 <question>
752 <para>
753 Why don't my zones reload when I do an "rndc reload" or SIGHUP?
754 </para>
755 </question>
756 <answer>
757 <para>
758 A zone can be updated either by editing zone files and
759 reloading the server or by dynamic update, but not both.
760 If you have enabled dynamic update for a zone using the
761 "allow-update" option, you are not supposed to edit the
762 zone file by hand, and the server will not attempt to reload
763 it.
764 </para>
765 </answer>
766 </qandaentry>
768 <qandaentry>
769 <question>
770 <para>
771 Why is named listening on UDP port other than 53?
772 </para>
773 </question>
774 <answer>
775 <para>
776 Named uses a system selected port to make queries of other
777 nameservers. This behaviour can be overridden by using
778 query-source to lock down the port and/or address. See
779 also notify-source and transfer-source.
780 </para>
781 </answer>
782 </qandaentry>
784 <qandaentry>
785 <question>
786 <para>
787 I get warning messages like <quote>zone example.com/IN: refresh:
788 failure trying master 1.2.3.4#53: timed out</quote>.
789 </para>
790 </question>
791 <answer>
792 <para>
793 Check that you can make UDP queries from the slave to the master
794 </para>
795 <informalexample>
796 <programlisting>
797 dig +norec example.com soa @1.2.3.4</programlisting>
798 </informalexample>
799 <para>
800 You could be generating queries faster than the slave can
801 cope with. Lower the serial query rate.
802 </para>
803 <informalexample>
804 <programlisting>
805 serial-query-rate 5; // default 20</programlisting>
806 </informalexample>
807 </answer>
808 </qandaentry>
810 <qandaentry>
811 <question>
812 <para>
813 I don't get RRSIG's returned when I use "dig +dnssec".
814 </para>
815 </question>
816 <answer>
817 <para>
818 You need to ensure DNSSEC is enabled (dnssec-enable yes;).
819 </para>
820 </answer>
821 </qandaentry>
823 <qandaentry>
824 <question>
825 <para>
826 Can a NS record refer to a CNAME.
827 </para>
828 </question>
829 <answer>
830 <para>
831 No. The rules for glue (copies of the *address* records
832 in the parent zones) and additional section processing do
833 not allow it to work.
834 </para>
835 <para>
836 You would have to add both the CNAME and address records
837 (A/AAAA) as glue to the parent zone and have CNAMEs be
838 followed when doing additional section processing to make
839 it work. No nameserver implementation supports either of
840 these requirements.
841 </para>
842 </answer>
843 </qandaentry>
845 <qandaentry>
846 <question>
847 <para>
848 What does <quote>RFC 1918 response from Internet for
849 0.0.0.10.IN-ADDR.ARPA</quote> mean?
850 </para>
851 </question>
852 <answer>
853 <para>
854 If the IN-ADDR.ARPA name covered refers to a internal address
855 space you are using then you have failed to follow RFC 1918
856 usage rules and are leaking queries to the Internet. You
857 should establish your own zones for these addresses to prevent
858 you querying the Internet's name servers for these addresses.
859 Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
860 for details of the problems you are causing and the counter
861 measures that have had to be deployed.
862 </para>
863 <para>
864 If you are not using these private addresses then a client
865 has queried for them. You can just ignore the messages,
866 get the offending client to stop sending you these messages
867 as they are most probably leaking them or setup your own zones
868 empty zones to serve answers to these queries.
869 </para>
870 <informalexample>
871 <programlisting>
872 zone "10.IN-ADDR.ARPA" {
873 type master;
874 file "empty";
875 };
877 zone "16.172.IN-ADDR.ARPA" {
878 type master;
879 file "empty";
880 };
882 ...
884 zone "31.172.IN-ADDR.ARPA" {
885 type master;
886 file "empty";
887 };
889 zone "168.192.IN-ADDR.ARPA" {
890 type master;
891 file "empty";
892 };
894 empty:
895 @ 10800 IN SOA <name-of-server>. <contact-email>. (
896 1 3600 1200 604800 10800 )
897 @ 10800 IN NS <name-of-server>.</programlisting>
898 </informalexample>
899 <para>
900 <note>
901 Future versions of named are likely to do this automatically.
902 </note>
903 </para>
904 </answer>
905 </qandaentry>
907 <qandaentry>
908 <question>
909 <para>
910 Will named be affected by the 2007 changes to daylight savings
911 rules in the US.
912 </para>
913 </question>
914 <answer>
915 <para>
916 No, so long as the machines internal clock (as reported
917 by "date -u") remains at UTC. The only visible change
918 if you fail to upgrade your OS, if you are in a affected
919 area, will be that log messages will be a hour out during
920 the period where the old rules do not match the new rules.
921 </para>
922 <para>
923 For most OS's this change just means that you need to
924 update the conversion rules from UTC to local time.
925 Normally this involves updating a file in /etc (which
926 sets the default timezone for the machine) and possibly
927 a directory which has all the conversion rules for the
928 world (e.g. /usr/share/zoneinfo). When updating the OS
929 do not forget to update any chroot areas as well.
930 See your OS's documentation for more details.
931 </para>
932 <para>
933 The local timezone conversion rules can also be done on
934 a individual basis by setting the TZ environment variable
935 appropriately. See your OS's documentation for more
936 details.
937 </para>
938 </answer>
939 </qandaentry>
941 <qandaentry>
942 <question>
943 <para>
944 Is there a bugzilla (or other tool) database that mere
945 mortals can have (read-only) access to for bind?
946 </para>
947 </question>
948 <answer>
949 <para>
950 No. The BIND 9 bug database is kept closed for a number
951 of reasons. These include, but are not limited to, that
952 the database contains proprietory information from people
953 reporting bugs. The database has in the past and may in
954 future contain unfixed bugs which are capable of bringing
955 down most of the Internet's DNS infrastructure.
956 </para>
957 <para>
958 The release pages for each version contain up to date
959 lists of bugs that have been fixed post release. That
960 is as close as we can get to providing a bug database.
961 </para>
962 </answer>
963 </qandaentry>
965 </qandadiv> <!-- General Questions -->
967 <qandadiv><title>Operating-System Specific Questions</title>
969 <qandadiv><title>HPUX</title>
971 <qandaentry>
972 <question>
973 <para>I get the following error trying to configure BIND:
974 <programlisting>checking if unistd.h or sys/types.h defines fd_set... no
975 configure: error: need either working unistd.h or sys/select.h</programlisting>
976 </para>
977 </question>
978 <answer>
979 <para>
980 You have attempted to configure BIND with the bundled C compiler.
981 This compiler does not meet the minimum compiler requirements to
982 for building BIND. You need to install a ANSI C compiler and / or
983 teach configure how to find the ANSI C compiler. The later can
984 be done by adjusting the PATH environment variable and / or
985 specifying the compiler via CC.
986 </para>
987 <informalexample>
988 <programlisting>./configure CC=<compiler> ...</programlisting>
989 </informalexample>
990 </answer>
991 </qandaentry>
993 </qandadiv> <!-- HPUX -->
995 <qandadiv><title>Linux</title>
997 <qandaentry>
998 <question>
999 <para>
1000 Why do I get the following errors:
1001 <programlisting>general: errno2result.c:109: unexpected error:
1002 general: unable to convert errno to isc_result: 14: Bad address
1003 client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
1004 </para>
1005 </question>
1006 <answer>
1007 <para>
1008 This is the result of a Linux kernel bug.
1009 </para>
1010 <para>
1011 See:
1012 <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink>
1013 </para>
1014 </answer>
1015 </qandaentry>
1017 <qandaentry>
1018 <question>
1019 <para>
1020 Why do I see 5 (or more) copies of named on Linux?
1021 </para>
1022 </question>
1023 <answer>
1024 <para>
1025 Linux threads each show up as a process under ps. The
1026 approximate number of threads running is n+4, where n is
1027 the number of CPUs. Note that the amount of memory used
1028 is not cumulative; if each process is using 10M of memory,
1029 only a total of 10M is used.
1030 </para>
1031 <para>
1032 Newer versions of Linux's ps command hide the individual threads
1033 and require -L to display them.
1034 </para>
1035 </answer>
1036 </qandaentry>
1038 <qandaentry>
1039 <question>
1040 <para>
1041 Why does BIND 9 log <quote>permission denied</quote> errors accessing
1042 its configuration files or zones on my Linux system even
1043 though it is running as root?
1044 </para>
1045 </question>
1046 <answer>
1047 <para>
1048 On Linux, BIND 9 drops most of its root privileges on
1049 startup. This including the privilege to open files owned
1050 by other users. Therefore, if the server is running as
1051 root, the configuration files and zone files should also
1052 be owned by root.
1053 </para>
1054 </answer>
1055 </qandaentry>
1057 <qandaentry>
1058 <question>
1059 <para>
1060 I get the error message <quote>named: capset failed: Operation
1061 not permitted</quote> when starting named.
1062 </para>
1063 </question>
1064 <answer>
1065 <para>
1066 The capability module, part of "Linux Security Modules/LSM",
1067 has not been loaded into the kernel. See insmod(8).
1068 </para>
1069 </answer>
1070 </qandaentry>
1072 <qandaentry>
1073 <question>
1074 <para>
1075 I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
1076 </para>
1077 <para>
1078 Why can't named update slave zone database files?
1079 </para>
1080 <para>
1081 Why can't named create DDNS journal files or update
1082 the master zones from journals?
1083 </para>
1084 <para>
1085 Why can't named create custom log files?
1086 </para>
1087 </question>
1089 <answer>
1090 <para>
1091 Red Hat Security Enhanced Linux (SELinux) policy security
1092 protections :
1093 </para>
1095 <para>
1096 Red Hat have adopted the National Security Agency's
1097 SELinux security policy ( see http://www.nsa.gov/selinux
1098 ) and recommendations for BIND security , which are more
1099 secure than running named in a chroot and make use of
1100 the bind-chroot environment unnecessary .
1101 </para>
1103 <para>
1104 By default, named is not allowed by the SELinux policy
1105 to write, create or delete any files EXCEPT in these
1106 directories:
1107 <informalexample>
1108 <programlisting>
1109 $ROOTDIR/var/named/slaves
1110 $ROOTDIR/var/named/data
1111 $ROOTDIR/var/tmp
1112 </programlisting>
1113 </informalexample>
1114 where $ROOTDIR may be set in /etc/sysconfig/named if
1115 bind-chroot is installed.
1116 </para>
1118 <para>
1119 The SELinux policy particularly does NOT allow named to modify
1120 the $ROOTDIR/var/named directory, the default location for master
1121 zone database files.
1122 </para>
1124 <para>
1125 SELinux policy overrules file access permissions - so
1126 even if all the files under /var/named have ownership
1127 named:named and mode rw-rw-r--, named will still not be
1128 able to write or create files except in the directories
1129 above, with SELinux in Enforcing mode.
1130 </para>
1132 <para>
1133 So, to allow named to update slave or DDNS zone files,
1134 it is best to locate them in $ROOTDIR/var/named/slaves,
1135 with named.conf zone statements such as:
1136 <informalexample>
1137 <programlisting>
1138 zone "slave.zone." IN {
1139 type slave;
1140 file "slaves/slave.zone.db";
1141 ...
1142 };
1143 zone "ddns.zone." IN {
1144 type master;
1145 allow-updates {...};
1146 file "slaves/ddns.zone.db";
1147 };
1148 </programlisting>
1149 </informalexample>
1150 </para>
1152 <para>
1153 To allow named to create its cache dump and statistics
1154 files, for example, you could use named.conf options
1155 statements such as:
1156 <informalexample>
1157 <programlisting>
1158 options {
1159 ...
1160 dump-file "/var/named/data/cache_dump.db";
1161 statistics-file "/var/named/data/named_stats.txt";
1162 ...
1163 };
1164 </programlisting>
1165 </informalexample>
1166 </para>
1168 <para>
1169 You can also tell SELinux to allow named to update any
1170 zone database files, by setting the SELinux tunable boolean
1171 parameter 'named_write_master_zones=1', using the
1172 system-config-securitylevel GUI, using the 'setsebool'
1173 command, or in /etc/selinux/targeted/booleans.
1174 </para>
1176 <para>
1177 You can disable SELinux protection for named entirely by
1178 setting the 'named_disable_trans=1' SELinux tunable boolean
1179 parameter.
1180 </para>
1182 <para>
1183 The SELinux named policy defines these SELinux contexts for named:
1184 <informalexample>
1185 <programlisting>
1186 named_zone_t : for zone database files - $ROOTDIR/var/named/*
1187 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
1188 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
1189 </programlisting>
1190 </informalexample>
1191 </para>
1193 <para>
1194 If you want to retain use of the SELinux policy for named,
1195 and put named files in different locations, you can do
1196 so by changing the context of the custom file locations
1197 .
1198 </para>
1200 <para>
1201 To create a custom configuration file location, e.g.
1202 '/root/named.conf', to use with the 'named -c' option,
1203 do:
1204 <informalexample>
1205 <programlisting>
1206 # chcon system_u:object_r:named_conf_t /root/named.conf
1207 </programlisting>
1208 </informalexample>
1209 </para>
1211 <para>
1212 To create a custom modifiable named data location, e.g.
1213 '/var/log/named' for a log file, do:
1214 <informalexample>
1215 <programlisting>
1216 # chcon system_u:object_r:named_cache_t /var/log/named
1217 </programlisting>
1218 </informalexample>
1219 </para>
1221 <para>
1222 To create a custom zone file location, e.g. /root/zones/, do:
1223 <informalexample>
1224 <programlisting>
1225 # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
1226 </programlisting>
1227 </informalexample>
1228 </para>
1230 <para>
1231 See these man-pages for more information : selinux(8),
1232 named_selinux(8), chcon(1), setsebool(8)
1233 </para>
1234 </answer>
1235 </qandaentry>
1237 </qandadiv> <!-- Linux -->
1239 <qandadiv><title>Windows</title>
1241 <qandaentry>
1242 <question>
1243 <para>
1244 Zone transfers from my BIND 9 master to my Windows 2000
1245 slave fail. Why?
1246 </para>
1247 </question>
1248 <answer>
1249 <para>
1250 This may be caused by a bug in the Windows 2000 DNS server
1251 where DNS messages larger than 16K are not handled properly.
1252 This can be worked around by setting the option "transfer-format
1253 one-answer;". Also check whether your zone contains domain
1254 names with embedded spaces or other special characters,
1255 like "John\032Doe\213s\032Computer", since such names have
1256 been known to cause Windows 2000 slaves to incorrectly
1257 reject the zone.
1258 </para>
1259 </answer>
1260 </qandaentry>
1262 <qandaentry>
1263 <question>
1264 <para>
1265 I get <quote>Error 1067</quote> when starting named under Windows.
1266 </para>
1267 </question>
1268 <answer>
1269 <para>
1270 This is the service manager saying that named exited. You
1271 need to examine the Application log in the EventViewer to
1272 find out why.
1273 </para>
1274 <para>
1275 Common causes are that you failed to create "named.conf"
1276 (usually "C:\windows\dns\etc\named.conf") or failed to
1277 specify the directory in named.conf.
1278 </para>
1279 <informalexample>
1280 <programlisting>
1281 options {
1282 Directory "C:\windows\dns\etc";
1283 };</programlisting>
1284 </informalexample>
1285 </answer>
1286 </qandaentry>
1288 </qandadiv> <!-- Windows -->
1290 <qandadiv><title>FreeBSD</title>
1292 <qandaentry>
1293 <question>
1294 <para>
1295 I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
1296 </para>
1297 </question>
1298 <answer>
1299 <para>
1300 /dev/random is not configured. Use rndcontrol(8) to tell
1301 the kernel to use certain interrupts as a source of random
1302 events. You can make this permanent by setting rand_irqs
1303 in /etc/rc.conf.
1304 </para>
1305 <informalexample>
1306 <programlisting>
1307 /etc/rc.conf
1308 rand_irqs="3 14 15"</programlisting>
1309 </informalexample>
1310 <para>
1311 See also
1312 <ulink url="http://people.freebsd.org/~dougb/randomness.html">
1313 http://people.freebsd.org/~dougb/randomness.html
1314 </ulink>
1315 </para>
1316 </answer>
1317 </qandaentry>
1319 </qandadiv> <!-- FreeBSD -->
1321 <qandadiv><title>Solaris</title>
1323 <qandaentry>
1324 <question>
1325 <para>
1326 How do I integrate BIND 9 and Solaris SMF
1327 </para>
1328 </question>
1329 <answer>
1330 <para>
1331 Sun has a blog entry describing how to do this.
1332 </para>
1333 <para>
1334 <ulink
1335 url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
1336 http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
1337 </ulink>
1338 </para>
1339 </answer>
1340 </qandaentry>
1342 </qandadiv>
1344 </qandadiv> <!-- Operating-System Specific Questions -->
1346 </qandaset>
1347 </article>