/contrib/bind9/FAQ.xml
XML | 1612 lines | 1487 code | 102 blank | 23 comment | 0 complexity | 3b31a738b5b26fa12c870cacee0642d2 MD5 | raw file
1<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> 3<!-- 4 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") 5 - Copyright (C) 2000-2003 Internet Software Consortium. 6 - 7 - Permission to use, copy, modify, and/or distribute this software for any 8 - purpose with or without fee is hereby granted, provided that the above 9 - copyright notice and this permission notice appear in all copies. 10 - 11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 - PERFORMANCE OF THIS SOFTWARE. 18--> 19 20<!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ --> 21 22<article class="faq"> 23 <title>Frequently Asked Questions about BIND 9</title> 24 <articleinfo> 25 <copyright> 26 <year>2004</year> 27 <year>2005</year> 28 <year>2006</year> 29 <year>2007</year> 30 <year>2008</year> 31 <year>2009</year> 32 <year>2010</year> 33 <holder>Internet Systems Consortium, Inc. ("ISC")</holder> 34 </copyright> 35 <copyright> 36 <year>2000</year> 37 <year>2001</year> 38 <year>2002</year> 39 <year>2003</year> 40 <holder>Internet Software Consortium.</holder> 41 </copyright> 42 </articleinfo> 43 <qandaset defaultlabel='qanda'> 44 45 <qandadiv><title>Compilation and Installation Questions</title> 46 47 <qandaentry> 48 <question> 49 <para> 50 I'm trying to compile BIND 9, and "make" is failing due to 51 files not being found. Why? 52 </para> 53 </question> 54 <answer> 55 <para> 56 Using a parallel or distributed "make" to build BIND 9 is 57 not supported, and doesn't work. If you are using one of 58 these, use normal make or gmake instead. 59 </para> 60 </answer> 61 </qandaentry> 62 63 <qandaentry> 64 <question> 65 <para> 66 Isn't "make install" supposed to generate a default named.conf? 67 </para> 68 </question> 69 <answer> 70 <para> 71 Short Answer: No. 72 </para> 73 <para> 74 Long Answer: There really isn't a default configuration which fits 75 any site perfectly. There are lots of decisions that need to 76 be made and there is no consensus on what the defaults should be. 77 For example FreeBSD uses /etc/namedb as the location where the 78 configuration files for named are stored. Others use /var/named. 79 </para> 80 <para> 81 What addresses to listen on? For a laptop on the move a lot 82 you may only want to listen on the loop back interfaces. 83 </para> 84 <para> 85 Who do you offer recursive service to? Is there are firewall 86 to consider? If so is it stateless or stateful. Are you 87 directly on the Internet? Are you on a private network? Are 88 you on a NAT'd network? The answers 89 to all these questions change how you configure even a 90 caching name server. 91 </para> 92 </answer> 93 </qandaentry> 94 95 </qandadiv> <!-- Compilation and Installation Questions --> 96 97 <qandadiv><title>Configuration and Setup Questions</title> 98 99 <qandaentry> 100 <!-- configuration, log --> 101 <question> 102 <para> 103 Why does named log the warning message <quote>no TTL specified - 104 using SOA MINTTL instead</quote>? 105 </para> 106 </question> 107 <answer> 108 <para> 109 Your zone file is illegal according to RFC1035. It must either 110 have a line like: 111 </para> 112 <informalexample> 113 <programlisting> 114$TTL 86400</programlisting> 115 </informalexample> 116 <para> 117 at the beginning, or the first record in it must have a TTL field, 118 like the "84600" in this example: 119 </para> 120 <informalexample> 121 <programlisting> 122example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting> 123 </informalexample> 124 </answer> 125 </qandaentry> 126 127 <qandaentry> 128 <!-- configuration --> 129 <question> 130 <para> 131 Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading 132 master file bar: ran out of space</quote>? 133 </para> 134 </question> 135 <answer> 136 <para> 137 This is often caused by TXT records with missing close 138 quotes. Check that all TXT records containing quoted strings 139 have both open and close quotes. 140 </para> 141 </answer> 142 </qandaentry> 143 144 <qandaentry> 145 <!-- security --> 146 <question> 147 <para> 148 How do I restrict people from looking up the server version? 149 </para> 150 </question> 151 <answer> 152 <para> 153 Put a "version" option containing something other than the 154 real version in the "options" section of named.conf. Note 155 doing this will not prevent attacks and may impede people 156 trying to diagnose problems with your server. Also it is 157 possible to "fingerprint" nameservers to determine their 158 version. 159 </para> 160 </answer> 161 </qandaentry> 162 163 <qandaentry> 164 <!-- security --> 165 <question> 166 <para> 167 How do I restrict only remote users from looking up the 168 server version? 169 </para> 170 </question> 171 <answer> 172 <para> 173 The following view statement will intercept lookups as the 174 internal view that holds the version information will be 175 matched last. The caveats of the previous answer still 176 apply, of course. 177 </para> 178 <informalexample> 179 <programlisting> 180view "chaos" chaos { 181 match-clients { <those to be refused>; }; 182 allow-query { none; }; 183 zone "." { 184 type hint; 185 file "/dev/null"; // or any empty file 186 }; 187};</programlisting> 188 </informalexample> 189 </answer> 190 </qandaentry> 191 192 <qandaentry> 193 <!-- configuration --> 194 <question> 195 <para> 196 What do <quote>no source of entropy found</quote> or <quote>could not 197 open entropy source foo</quote> mean? 198 </para> 199 </question> 200 <answer> 201 <para> 202 The server requires a source of entropy to perform certain 203 operations, mostly DNSSEC related. These messages indicate 204 that you have no source of entropy. On systems with 205 /dev/random or an equivalent, it is used by default. A 206 source of entropy can also be defined using the random-device 207 option in named.conf. 208 </para> 209 </answer> 210 </qandaentry> 211 212 <qandaentry> 213 <!-- configuration --> 214 <question> 215 <para> 216 I'm trying to use TSIG to authenticate dynamic updates or 217 zone transfers. I'm sure I have the keys set up correctly, 218 but the server is rejecting the TSIG. Why? 219 </para> 220 </question> 221 <answer> 222 <para> 223 This may be a clock skew problem. Check that the the clocks 224 on the client and server are properly synchronised (e.g., 225 using ntp). 226 </para> 227 </answer> 228 </qandaentry> 229 230 <qandaentry> 231 <question> 232 <para> 233 I see a log message like the following. Why? 234 </para> 235 <para> 236 couldn't open pid file '/var/run/named.pid': Permission denied 237 </para> 238 </question> 239 <answer> 240 <para> 241 You are most likely running named as a non-root user, and 242 that user does not have permission to write in /var/run. 243 The common ways of fixing this are to create a /var/run/named 244 directory owned by the named user and set pid-file to 245 "/var/run/named/named.pid", or set pid-file to "named.pid", 246 which will put the file in the directory specified by the 247 directory option (which, in this case, must be writable by 248 the named user). 249 </para> 250 </answer> 251 </qandaentry> 252 253 <qandaentry> 254 <question> 255 <para> 256 I can query the nameserver from the nameserver but not from other 257 machines. Why? 258 </para> 259 </question> 260 <answer> 261 <para> 262 This is usually the result of the firewall configuration stopping 263 the queries and / or the replies. 264 </para> 265 </answer> 266 </qandaentry> 267 268 <qandaentry> 269 <question> 270 <para> 271 How can I make a server a slave for both an internal and 272 an external view at the same time? When I tried, both views 273 on the slave were transferred from the same view on the master. 274 </para> 275 </question> 276 <answer> 277 <para> 278 You will need to give the master and slave multiple IP 279 addresses and use those to make sure you reach the correct 280 view on the other machine. 281 </para> 282 <informalexample> 283 <programlisting> 284Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) 285 internal: 286 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 287 notify-source 10.0.1.1; 288 transfer-source 10.0.1.1; 289 query-source address 10.0.1.1; 290 external: 291 match-clients { any; }; 292 recursion no; // don't offer recursion to the world 293 notify-source 10.0.1.2; 294 transfer-source 10.0.1.2; 295 query-source address 10.0.1.2; 296 297Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) 298 internal: 299 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 300 notify-source 10.0.1.3; 301 transfer-source 10.0.1.3; 302 query-source address 10.0.1.3; 303 external: 304 match-clients { any; }; 305 recursion no; // don't offer recursion to the world 306 notify-source 10.0.1.4; 307 transfer-source 10.0.1.4; 308 query-source address 10.0.1.4;</programlisting> 309 </informalexample> 310 <para> 311 You put the external address on the alias so that all the other 312 dns clients on these boxes see the internal view by default. 313 </para> 314 </answer> 315 <answer> 316 <para> 317 BIND 9.3 and later: Use TSIG to select the appropriate view. 318 </para> 319 <informalexample> 320 <programlisting> 321Master 10.0.1.1: 322 key "external" { 323 algorithm hmac-sha256; 324 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 325 }; 326 view "internal" { 327 match-clients { !key external; // reject message ment for the 328 // external view. 329 10.0.1/24; }; // accept from these addresses. 330 ... 331 }; 332 view "external" { 333 match-clients { key external; any; }; 334 server 10.0.1.2 { keys external; }; // tag messages from the 335 // external view to the 336 // other servers for the 337 // view. 338 recursion no; 339 ... 340 }; 341 342Slave 10.0.1.2: 343 key "external" { 344 algorithm hmac-sha256; 345 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 346 }; 347 view "internal" { 348 match-clients { !key external; 10.0.1/24; }; 349 ... 350 }; 351 view "external" { 352 match-clients { key external; any; }; 353 server 10.0.1.1 { keys external; }; 354 recursion no; 355 ... 356 };</programlisting> 357 </informalexample> 358 </answer> 359 </qandaentry> 360 361 <qandaentry> 362 <question> 363 <para> 364 I get error messages like <quote>multiple RRs of singleton type</quote> 365 and <quote>CNAME and other data</quote> when transferring a zone. What 366 does this mean? 367 </para> 368 </question> 369 <answer> 370 <para> 371 These indicate a malformed master zone. You can identify 372 the exact records involved by transferring the zone using 373 dig then running named-checkzone on it. 374 </para> 375 <informalexample> 376 <programlisting> 377dig axfr example.com @master-server > tmp 378named-checkzone example.com tmp</programlisting> 379 </informalexample> 380 <para> 381 A CNAME record cannot exist with the same name as another record 382 except for the DNSSEC records which prove its existence (NSEC). 383 </para> 384 <para> 385 RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node, 386 no other data should be present; this ensures that the data for a 387 canonical name and its aliases cannot be different. This rule also 388 insures that a cached CNAME can be used without checking with an 389 authoritative server for other RR types.</quote> 390 </para> 391 </answer> 392 </qandaentry> 393 394 <qandaentry> 395 <question> 396 <para> 397 I get error messages like <quote>named.conf:99: unexpected end 398 of input</quote> where 99 is the last line of named.conf. 399 </para> 400 </question> 401 <answer> 402 <para> 403 There are unbalanced quotes in named.conf. 404 </para> 405 </answer> 406 <answer> 407 <para> 408 Some text editors (notepad and wordpad) fail to put a line 409 title indication (e.g. CR/LF) on the last line of a 410 text file. This can be fixed by "adding" a blank line to 411 the end of the file. Named expects to see EOF immediately 412 after EOL and treats text files where this is not met as 413 truncated. 414 </para> 415 </answer> 416 </qandaentry> 417 418 <qandaentry> 419 <question> 420 <para> 421 How do I share a dynamic zone between multiple views? 422 </para> 423 </question> 424 <answer> 425 <para> 426 You choose one view to be master and the second a slave and 427 transfer the zone between views. 428 </para> 429 <informalexample> 430 <programlisting> 431Master 10.0.1.1: 432 key "external" { 433 algorithm hmac-sha256; 434 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 435 }; 436 437 key "mykey" { 438 algorithm hmac-sha256; 439 secret "yyyyyyyyyyyyyyyyyyyyyyyy"; 440 }; 441 442 view "internal" { 443 match-clients { !key external; 10.0.1/24; }; 444 server 10.0.1.1 { 445 /* Deliver notify messages to external view. */ 446 keys { external; }; 447 }; 448 zone "example.com" { 449 type master; 450 file "internal/example.db"; 451 allow-update { key mykey; }; 452 also-notify { 10.0.1.1; }; 453 }; 454 }; 455 456 view "external" { 457 match-clients { key external; any; }; 458 zone "example.com" { 459 type slave; 460 file "external/example.db"; 461 masters { 10.0.1.1; }; 462 transfer-source 10.0.1.1; 463 // allow-update-forwarding { any; }; 464 // allow-notify { ... }; 465 }; 466 };</programlisting> 467 </informalexample> 468 </answer> 469 </qandaentry> 470 471 <qandaentry> 472 <question> 473 <para> 474 I get a error message like <quote>zone wireless.ietf56.ietf.org/IN: 475 loading master file primaries/wireless.ietf56.ietf.org: no 476 owner</quote>. 477 </para> 478 </question> 479 <answer> 480 <para> 481 This error is produced when a line in the master file 482 contains leading white space (tab/space) but the is no 483 current record owner name to inherit the name from. Usually 484 this is the result of putting white space before a comment, 485 forgetting the "@" for the SOA record, or indenting the master 486 file. 487 </para> 488 </answer> 489 </qandaentry> 490 491 <qandaentry> 492 <question> 493 <para> 494 Why are my logs in GMT (UTC). 495 </para> 496 </question> 497 <answer> 498 <para> 499 You are running chrooted (-t) and have not supplied local timezone 500 information in the chroot area. 501 </para> 502 <simplelist> 503 <member>FreeBSD: /etc/localtime</member> 504 <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member> 505 <member>OSF: /etc/zoneinfo/localtime</member> 506 </simplelist> 507 <para> 508 See also tzset(3) and zic(8). 509 </para> 510 </answer> 511 </qandaentry> 512 513 <qandaentry> 514 <question> 515 <para> 516 I get <quote>rndc: connect failed: connection refused</quote> when 517 I try to run rndc. 518 </para> 519 </question> 520 <answer> 521 <para> 522 This is usually a configuration error. 523 </para> 524 <para> 525 First ensure that named is running and no errors are being 526 reported at startup (/var/log/messages or equivalent). 527 Running "named -g <usual arguments>" from a title 528 can help at this point. 529 </para> 530 <para> 531 Secondly ensure that named is configured to use rndc either 532 by "rndc-confgen -a", rndc-confgen or manually. The 533 Administrators Reference manual has details on how to do 534 this. 535 </para> 536 <para> 537 Old versions of rndc-confgen used localhost rather than 538 127.0.0.1 in /etc/rndc.conf for the default server. Update 539 /etc/rndc.conf if necessary so that the default server 540 listed in /etc/rndc.conf matches the addresses used in 541 named.conf. "localhost" has two address (127.0.0.1 and 542 ::1). 543 </para> 544 <para> 545 If you use "rndc-confgen -a" and named is running with -t or -u 546 ensure that /etc/rndc.conf has the correct ownership and that 547 a copy is in the chroot area. You can do this by re-running 548 "rndc-confgen -a" with appropriate -t and -u arguments. 549 </para> 550 </answer> 551 </qandaentry> 552 553 <qandaentry> 554 <question> 555 <para> 556 I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53: 557 failed while receiving responses: permission denied</quote> error 558 messages. 559 </para> 560 </question> 561 <answer> 562 <para> 563 These indicate a filesystem permission error preventing 564 named creating / renaming the temporary file. These will 565 usually also have other associated error messages like 566 </para> 567 <informalexample> 568 <programlisting> 569"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting> 570 </informalexample> 571 <para> 572 Named needs write permission on the directory containing 573 the file. Named writes the new cache file to a temporary 574 file then renames it to the name specified in named.conf 575 to ensure that the contents are always complete. This is 576 to prevent named loading a partial zone in the event of 577 power failure or similar interrupting the write of the 578 master file. 579 </para> 580 <para> 581 Note file names are relative to the directory specified in 582 options and any chroot directory ([<chroot 583 dir>/][<options dir>]). 584 </para> 585 <informalexample> 586 <para> 587 If named is invoked as "named -t /chroot/DNS" with 588 the following named.conf then "/chroot/DNS/var/named/sl" 589 needs to be writable by the user named is running as. 590 </para> 591 <programlisting> 592options { 593 directory "/var/named"; 594}; 595 596zone "example.net" { 597 type slave; 598 file "sl/example.net"; 599 masters { 192.168.4.12; }; 600};</programlisting> 601 </informalexample> 602 </answer> 603 </qandaentry> 604 605 <qandaentry> 606 <question> 607 <para> 608 I want to forward all DNS queries from my caching nameserver to 609 another server. But there are some domains which have to be 610 served locally, via rbldnsd. 611 </para> 612 <para> 613 How do I achieve this ? 614 </para> 615 </question> 616 <answer> 617 <programlisting> 618options { 619 forward only; 620 forwarders { <ip.of.primary.nameserver>; }; 621}; 622 623zone "sbl-xbl.spamhaus.org" { 624 type forward; forward only; 625 forwarders { <ip.of.rbldns.server> port 530; }; 626}; 627 628zone "list.dsbl.org" { 629 type forward; forward only; 630 forwarders { <ip.of.rbldns.server> port 530; }; 631}; 632 </programlisting> 633 </answer> 634 </qandaentry> 635 636 <qandaentry> 637 <question> 638 <para> 639 Can you help me understand how BIND 9 uses memory to store 640 DNS zones? 641 </para> 642 <para> 643 Some times it seems to take several times the amount of 644 memory it needs to store the zone. 645 </para> 646 </question> 647 <answer> 648 <para> 649 When reloading a zone named my have multiple copies of 650 the zone in memory at one time. The zone it is serving 651 and the one it is loading. If reloads are ultra fast it 652 can have more still. 653 </para> 654 <para> 655 e.g. Ones that are transferring out, the one that it is 656 serving and the one that is loading. 657 </para> 658 <para> 659 BIND 8 destroyed the zone before loading and also killed 660 off outgoing transfers of the zone. 661 </para> 662 <para> 663 The new strategy allows slaves to get copies of the new 664 zone regardless of how often the master is loaded compared 665 to the transfer time. The slave might skip some intermediate 666 versions but the transfers will complete and it will keep 667 reasonably in sync with the master. 668 </para> 669 <para> 670 The new strategy also allows the master to recover from 671 syntax and other errors in the master file as it still 672 has an in-core copy of the old contents. 673 </para> 674 </answer> 675 </qandaentry> 676 677 <qandaentry> 678 <question> 679 <para> 680 I want to use IPv6 locally but I don't have a external IPv6 681 connection. External lookups are slow. 682 </para> 683 </question> 684 <answer> 685 <para> 686 You can use server clauses to stop named making external lookups 687 over IPv6. 688 </para> 689 <programlisting> 690server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix 691server ::/0 { bogus yes; }; 692</programlisting> 693 </answer> 694 </qandaentry> 695 696 </qandadiv> <!-- Configuration and Setup Questions --> 697 698 <qandadiv><title>Operations Questions</title> 699 700 <qandaentry> 701 <question> 702 <para> 703 How to change the nameservers for a zone? 704 </para> 705 </question> 706 <answer> 707 <para> 708 Step 1: Ensure all nameservers, new and old, are serving the 709 same zone content. 710 </para> 711 <para> 712 Step 2: Work out the maximum TTL of the NS RRset in the parent and child 713 zones. This is the time it will take caches to be clear of a 714 particular version of the NS RRset. 715 If you are just removing nameservers you can skip to Step 6. 716 </para> 717 <para> 718 Step 3: Add new nameservers to the NS RRset for the zone and 719 wait until all the servers for the zone are answering with this 720 new NS RRset. 721 </para> 722 <para> 723 Step 4: Inform the parent zone of the new NS RRset then wait for all the 724 parent servers to be answering with the new NS RRset. 725 </para> 726 <para> 727 Step 5: Wait for cache to be clear of the old NS RRset. 728 See Step 2 for how long. 729 If you are just adding nameservers you are done. 730 </para> 731 <para> 732 Step 6: Remove any old nameservers from the zones NS RRset and 733 wait for all the servers for the zone to be serving the new NS RRset. 734 </para> 735 <para> 736 Step 7: Inform the parent zone of the new NS RRset then wait for all the 737 parent servers to be answering with the new NS RRset. 738 </para> 739 <para> 740 Step 8: Wait for cache to be clear of the old NS RRset. 741 See Step 2 for how long. 742 </para> 743 <para> 744 Step 9: Turn off the old nameservers or remove the zone entry from 745 the configuration of the old nameservers. 746 </para> 747 <para> 748 Step 10: Increment the serial number and wait for the change to 749 be visible in all nameservers for the zone. This ensures that 750 zone transfers are still working after the old servers are 751 decommissioned. 752 </para> 753 <para> 754 Note: the above procedure is designed to be transparent 755 to dns clients. Decommissioning the old servers too early 756 will result in some clients not being able to look up 757 answers in the zone. 758 </para> 759 <para> 760 Note: while it is possible to run the addition and removal 761 stages together it is not recommended. 762 </para> 763 </answer> 764 </qandaentry> 765 766 </qandadiv> <!-- Operations Questions --> 767 768 <qandadiv><title>General Questions</title> 769 770 <qandaentry> 771 <question> 772 <para> 773 I keep getting log messages like the following. Why? 774 </para> 775 <para> 776 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 777 'example.com/IN': update failed: 'RRset exists (value 778 dependent)' prerequisite not satisfied (NXRRSET) 779 </para> 780 </question> 781 <answer> 782 <para> 783 DNS updates allow the update request to test to see if 784 certain conditions are met prior to proceeding with the 785 update. The message above is saying that conditions were 786 not met and the update is not proceeding. See doc/rfc/rfc2136.txt 787 for more details on prerequisites. 788 </para> 789 </answer> 790 </qandaentry> 791 792 <qandaentry> 793 <question> 794 <para> 795 I keep getting log messages like the following. Why? 796 </para> 797 <para> 798 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied 799 </para> 800 </question> 801 <answer> 802 <para> 803 Someone is trying to update your DNS data using the RFC2136 804 Dynamic Update protocol. Windows 2000 machines have a habit 805 of sending dynamic update requests to DNS servers without 806 being specifically configured to do so. If the update 807 requests are coming from a Windows 2000 machine, see 808 <ulink 809 url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp"> 810 <http://support.microsoft.com/support/kb/articles/q246/8/04.asp></ulink> 811 for information about how to turn them off. 812 </para> 813 </answer> 814 </qandaentry> 815 816 <qandaentry> 817 <question> 818 <para> 819 When I do a "dig . ns", many of the A records for the root 820 servers are missing. Why? 821 </para> 822 </question> 823 <answer> 824 <para> 825 This is normal and harmless. It is a somewhat confusing 826 side effect of the way BIND 9 does RFC2181 trust ranking 827 and of the efforts BIND 9 makes to avoid promoting glue 828 into answers. 829 </para> 830 <para> 831 When BIND 9 first starts up and primes its cache, it receives 832 the root server addresses as additional data in an authoritative 833 response from a root server, and these records are eligible 834 for inclusion as additional data in responses. Subsequently 835 it receives a subset of the root server addresses as 836 additional data in a non-authoritative (referral) response 837 from a root server. This causes the addresses to now be 838 considered non-authoritative (glue) data, which is not 839 eligible for inclusion in responses. 840 </para> 841 <para> 842 The server does have a complete set of root server addresses 843 cached at all times, it just may not include all of them 844 as additional data, depending on whether they were last 845 received as answers or as glue. You can always look up the 846 addresses with explicit queries like "dig a.root-servers.net A". 847 </para> 848 </answer> 849 </qandaentry> 850 851 <qandaentry> 852 <question> 853 <para> 854 Why don't my zones reload when I do an "rndc reload" or SIGHUP? 855 </para> 856 </question> 857 <answer> 858 <para> 859 A zone can be updated either by editing zone files and 860 reloading the server or by dynamic update, but not both. 861 If you have enabled dynamic update for a zone using the 862 "allow-update" option, you are not supposed to edit the 863 zone file by hand, and the server will not attempt to reload 864 it. 865 </para> 866 </answer> 867 </qandaentry> 868 869 <qandaentry> 870 <question> 871 <para> 872 Why is named listening on UDP port other than 53? 873 </para> 874 </question> 875 <answer> 876 <para> 877 Named uses a system selected port to make queries of other 878 nameservers. This behaviour can be overridden by using 879 query-source to lock down the port and/or address. See 880 also notify-source and transfer-source. 881 </para> 882 </answer> 883 </qandaentry> 884 885 <qandaentry> 886 <question> 887 <para> 888 I get warning messages like <quote>zone example.com/IN: refresh: 889 failure trying master 1.2.3.4#53: timed out</quote>. 890 </para> 891 </question> 892 <answer> 893 <para> 894 Check that you can make UDP queries from the slave to the master 895 </para> 896 <informalexample> 897 <programlisting> 898dig +norec example.com soa @1.2.3.4</programlisting> 899 </informalexample> 900 <para> 901 You could be generating queries faster than the slave can 902 cope with. Lower the serial query rate. 903 </para> 904 <informalexample> 905 <programlisting> 906serial-query-rate 5; // default 20</programlisting> 907 </informalexample> 908 </answer> 909 </qandaentry> 910 911 <qandaentry> 912 <question> 913 <para> 914 I don't get RRSIG's returned when I use "dig +dnssec". 915 </para> 916 </question> 917 <answer> 918 <para> 919 You need to ensure DNSSEC is enabled (dnssec-enable yes;). 920 </para> 921 </answer> 922 </qandaentry> 923 924 <qandaentry> 925 <question> 926 <para> 927 Can a NS record refer to a CNAME. 928 </para> 929 </question> 930 <answer> 931 <para> 932 No. The rules for glue (copies of the *address* records 933 in the parent zones) and additional section processing do 934 not allow it to work. 935 </para> 936 <para> 937 You would have to add both the CNAME and address records 938 (A/AAAA) as glue to the parent zone and have CNAMEs be 939 followed when doing additional section processing to make 940 it work. No nameserver implementation supports either of 941 these requirements. 942 </para> 943 </answer> 944 </qandaentry> 945 946 <qandaentry> 947 <question> 948 <para> 949 What does <quote>RFC 1918 response from Internet for 950 0.0.0.10.IN-ADDR.ARPA</quote> mean? 951 </para> 952 </question> 953 <answer> 954 <para> 955 If the IN-ADDR.ARPA name covered refers to a internal address 956 space you are using then you have failed to follow RFC 1918 957 usage rules and are leaking queries to the Internet. You 958 should establish your own zones for these addresses to prevent 959 you querying the Internet's name servers for these addresses. 960 Please see <ulink url="http://as112.net/"><http://as112.net/></ulink> 961 for details of the problems you are causing and the counter 962 measures that have had to be deployed. 963 </para> 964 <para> 965 If you are not using these private addresses then a client 966 has queried for them. You can just ignore the messages, 967 get the offending client to stop sending you these messages 968 as they are most probably leaking them or setup your own zones 969 empty zones to serve answers to these queries. 970 </para> 971 <informalexample> 972 <programlisting> 973zone "10.IN-ADDR.ARPA" { 974 type master; 975 file "empty"; 976}; 977 978zone "16.172.IN-ADDR.ARPA" { 979 type master; 980 file "empty"; 981}; 982 983... 984 985zone "31.172.IN-ADDR.ARPA" { 986 type master; 987 file "empty"; 988}; 989 990zone "168.192.IN-ADDR.ARPA" { 991 type master; 992 file "empty"; 993}; 994 995empty: 996@ 10800 IN SOA <name-of-server>. <contact-email>. ( 997 1 3600 1200 604800 10800 ) 998@ 10800 IN NS <name-of-server>.</programlisting> 999 </informalexample> 1000 <para> 1001 <note> 1002 Future versions of named are likely to do this automatically. 1003 </note> 1004 </para> 1005 </answer> 1006 </qandaentry> 1007 1008 <qandaentry> 1009 <question> 1010 <para> 1011 Will named be affected by the 2007 changes to daylight savings 1012 rules in the US. 1013 </para> 1014 </question> 1015 <answer> 1016 <para> 1017 No, so long as the machines internal clock (as reported 1018 by "date -u") remains at UTC. The only visible change 1019 if you fail to upgrade your OS, if you are in a affected 1020 area, will be that log messages will be a hour out during 1021 the period where the old rules do not match the new rules. 1022 </para> 1023 <para> 1024 For most OS's this change just means that you need to 1025 update the conversion rules from UTC to local time. 1026 Normally this involves updating a file in /etc (which 1027 sets the default timezone for the machine) and possibly 1028 a directory which has all the conversion rules for the 1029 world (e.g. /usr/share/zoneinfo). When updating the OS 1030 do not forget to update any chroot areas as well. 1031 See your OS's documentation for more details. 1032 </para> 1033 <para> 1034 The local timezone conversion rules can also be done on 1035 a individual basis by setting the TZ environment variable 1036 appropriately. See your OS's documentation for more 1037 details. 1038 </para> 1039 </answer> 1040 </qandaentry> 1041 1042 <qandaentry> 1043 <question> 1044 <para> 1045 Is there a bugzilla (or other tool) database that mere 1046 mortals can have (read-only) access to for bind? 1047 </para> 1048 </question> 1049 <answer> 1050 <para> 1051 No. The BIND 9 bug database is kept closed for a number 1052 of reasons. These include, but are not limited to, that 1053 the database contains proprietory information from people 1054 reporting bugs. The database has in the past and may in 1055 future contain unfixed bugs which are capable of bringing 1056 down most of the Internet's DNS infrastructure. 1057 </para> 1058 <para> 1059 The release pages for each version contain up to date 1060 lists of bugs that have been fixed post release. That 1061 is as close as we can get to providing a bug database. 1062 </para> 1063 </answer> 1064 </qandaentry> 1065 1066 <qandaentry> 1067 <question> 1068 <para> 1069 Why do queries for NSEC3 records fail to return the NSEC3 record? 1070 </para> 1071 </question> 1072 <answer> 1073 <para> 1074 NSEC3 records are strictly meta data and can only be 1075 returned in the authority section. This is done so that 1076 signing the zone using NSEC3 records does not bring names 1077 into existence that do not exist in the unsigned version 1078 of the zone. 1079 </para> 1080 </answer> 1081 </qandaentry> 1082 1083 </qandadiv> <!-- General Questions --> 1084 1085 <qandadiv><title>Operating-System Specific Questions</title> 1086 1087 <qandadiv><title>HPUX</title> 1088 1089 <qandaentry> 1090 <question> 1091 <para>I get the following error trying to configure BIND: 1092<programlisting>checking if unistd.h or sys/types.h defines fd_set... no 1093configure: error: need either working unistd.h or sys/select.h</programlisting> 1094 </para> 1095 </question> 1096 <answer> 1097 <para> 1098 You have attempted to configure BIND with the bundled C compiler. 1099 This compiler does not meet the minimum compiler requirements to 1100 for building BIND. You need to install a ANSI C compiler and / or 1101 teach configure how to find the ANSI C compiler. The later can 1102 be done by adjusting the PATH environment variable and / or 1103 specifying the compiler via CC. 1104 </para> 1105 <informalexample> 1106 <programlisting>./configure CC=<compiler> ...</programlisting> 1107 </informalexample> 1108 </answer> 1109 </qandaentry> 1110 1111 </qandadiv> <!-- HPUX --> 1112 1113 <qandadiv><title>Linux</title> 1114 1115 <qandaentry> 1116 <question> 1117 <para> 1118 Why do I get the following errors: 1119<programlisting>general: errno2result.c:109: unexpected error: 1120general: unable to convert errno to isc_result: 14: Bad address 1121client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting> 1122 </para> 1123 </question> 1124 <answer> 1125 <para> 1126 This is the result of a Linux kernel bug. 1127 </para> 1128 <para> 1129 See: 1130 <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2"><http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2></ulink> 1131 </para> 1132 </answer> 1133 </qandaentry> 1134 1135 <qandaentry> 1136 <question> 1137 <para> 1138 Why does named lock up when it attempts to connect over IPSEC tunnels? 1139 </para> 1140 </question> 1141 <answer> 1142 <para> 1143 This is due to a kernel bug where the fact that a socket is marked 1144 non-blocking is ignored. It is reported that setting 1145 xfrm_larval_drop to 1 helps but this may have negative side effects. 1146 See: 1147<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629"><https://bugzilla.redhat.com/show_bug.cgi?id=427629></ulink> 1148 and 1149<ulink url="http://lkml.org/lkml/2007/12/4/260"><http://lkml.org/lkml/2007/12/4/260></ulink>. 1150 </para> 1151 <para> 1152 xfrm_larval_drop can be set to 1 by the following procedure: 1153<programlisting> 1154echo "1" > proc/sys/net/core/xfrm_larval_drop</programlisting> 1155 </para> 1156 </answer> 1157 </qandaentry> 1158 1159 <qandaentry> 1160 <question> 1161 <para> 1162 Why do I see 5 (or more) copies of named on Linux? 1163 </para> 1164 </question> 1165 <answer> 1166 <para> 1167 Linux threads each show up as a process under ps. The 1168 approximate number of threads running is n+4, where n is 1169 the number of CPUs. Note that the amount of memory used 1170 is not cumulative; if each process is using 10M of memory, 1171 only a total of 10M is used. 1172 </para> 1173 <para> 1174 Newer versions of Linux's ps command hide the individual threads 1175 and require -L to display them. 1176 </para> 1177 </answer> 1178 </qandaentry> 1179 1180 <qandaentry> 1181 <question> 1182 <para> 1183 Why does BIND 9 log <quote>permission denied</quote> errors accessing 1184 its configuration files or zones on my Linux system even 1185 though it is running as root? 1186 </para> 1187 </question> 1188 <answer> 1189 <para> 1190 On Linux, BIND 9 drops most of its root privileges on 1191 startup. This including the privilege to open files owned 1192 by other users. Therefore, if the server is running as 1193 root, the configuration files and zone files should also 1194 be owned by root. 1195 </para> 1196 </answer> 1197 </qandaentry> 1198 1199 <qandaentry> 1200 <question> 1201 <para> 1202 I get the error message <quote>named: capset failed: Operation 1203 not permitted</quote> when starting named. 1204 </para> 1205 </question> 1206 <answer> 1207 <para> 1208 The capability module, part of "Linux Security Modules/LSM", 1209 has not been loaded into the kernel. See insmod(8), modprobe(8). 1210 </para> 1211 <para> 1212 The relevant modules can be loaded by running: 1213<programlisting> 1214modprobe commoncap 1215modprobe capability</programlisting> 1216 </para> 1217 </answer> 1218 </qandaentry> 1219 1220 <qandaentry> 1221 <question> 1222 <para> 1223 I'm running BIND on Red Hat Enterprise Linux or Fedora Core - 1224 </para> 1225 <para> 1226 Why can't named update slave zone database files? 1227 </para> 1228 <para> 1229 Why can't named create DDNS journal files or update 1230 the master zones from journals? 1231 </para> 1232 <para> 1233 Why can't named create custom log files? 1234 </para> 1235 </question> 1236 1237 <answer> 1238 <para> 1239 Red Hat Security Enhanced Linux (SELinux) policy security 1240 protections : 1241 </para> 1242 1243 <para> 1244 Red Hat have adopted the National Security Agency's 1245 SELinux security policy (see <ulink 1246 url="http://www.nsa.gov/selinux"><http://www.nsa.gov/selinux></ulink>) 1247 and recommendations for BIND security , which are more 1248 secure than running named in a chroot and make use of 1249 the bind-chroot environment unnecessary . 1250 </para> 1251 1252 <para> 1253 By default, named is not allowed by the SELinux policy 1254 to write, create or delete any files EXCEPT in these 1255 directories: 1256 <informalexample> 1257 <programlisting> 1258$ROOTDIR/var/named/slaves 1259$ROOTDIR/var/named/data 1260$ROOTDIR/var/tmp 1261 </programlisting> 1262 </informalexample> 1263 where $ROOTDIR may be set in /etc/sysconfig/named if 1264 bind-chroot is installed. 1265 </para> 1266 1267 <para> 1268 The SELinux policy particularly does NOT allow named to modify 1269 the $ROOTDIR/var/named directory, the default location for master 1270 zone database files. 1271 </para> 1272 1273 <para> 1274 SELinux policy overrules file access permissions - so 1275 even if all the files under /var/named have ownership 1276 named:named and mode rw-rw-r--, named will still not be 1277 able to write or create files except in the directories 1278 above, with SELinux in Enforcing mode. 1279 </para> 1280 1281 <para> 1282 So, to allow named to update slave or DDNS zone files, 1283 it is best to locate them in $ROOTDIR/var/named/slaves, 1284 with named.conf zone statements such as: 1285 <informalexample> 1286 <programlisting> 1287zone "slave.zone." IN { 1288 type slave; 1289 file "slaves/slave.zone.db"; 1290 ... 1291}; 1292zone "ddns.zone." IN { 1293 type master; 1294 allow-updates {...}; 1295 file "slaves/ddns.zone.db"; 1296}; 1297 </programlisting> 1298 </informalexample> 1299 </para> 1300 1301 <para> 1302 To allow named to create its cache dump and statistics 1303 files, for example, you could use named.conf options 1304 statements such as: 1305 <informalexample> 1306 <programlisting> 1307options { 1308 ... 1309 dump-file "/var/named/data/cache_dump.db"; 1310 statistics-file "/var/named/data/named_stats.txt"; 1311 ... 1312}; 1313 </programlisting> 1314 </informalexample> 1315 </para> 1316 1317 <para> 1318 You can also tell SELinux to allow named to update any 1319 zone database files, by setting the SELinux tunable boolean 1320 parameter 'named_write_master_zones=1', using the 1321 system-config-securitylevel GUI, using the 'setsebool' 1322 command, or in /etc/selinux/targeted/booleans. 1323 </para> 1324 1325 <para> 1326 You can disable SELinux protection for named entirely by 1327 setting the 'named_disable_trans=1' SELinux tunable boolean 1328 parameter. 1329 </para> 1330 1331 <para> 1332 The SELinux named policy defines these SELinux contexts for named: 1333 <informalexample> 1334 <programlisting> 1335named_zone_t : for zone database files - $ROOTDIR/var/named/* 1336named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.* 1337named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} 1338 </programlisting> 1339 </informalexample> 1340 </para> 1341 1342 <para> 1343 If you want to retain use of the SELinux policy for named, 1344 and put named files in different locations, you can do 1345 so by changing the context of the custom file locations 1346 . 1347 </para> 1348 1349 <para> 1350 To create a custom configuration file location, e.g. 1351 '/root/named.conf', to use with the 'named -c' option, 1352 do: 1353 <informalexample> 1354 <programlisting> 1355# chcon system_u:object_r:named_conf_t /root/named.conf 1356 </programlisting> 1357 </informalexample> 1358 </para> 1359 1360 <para> 1361 To create a custom modifiable named data location, e.g. 1362 '/var/log/named' for a log file, do: 1363 <informalexample> 1364 <programlisting> 1365# chcon system_u:object_r:named_cache_t /var/log/named 1366 </programlisting> 1367 </informalexample> 1368 </para> 1369 1370 <para> 1371 To create a custom zone file location, e.g. /root/zones/, do: 1372 <informalexample> 1373 <programlisting> 1374# chcon system_u:object_r:named_zone_t /root/zones/{.,*} 1375 </programlisting> 1376 </informalexample> 1377 </para> 1378 1379 <para> 1380 See these man-pages for more information : selinux(8), 1381 named_selinux(8), chcon(1), setsebool(8) 1382 </para> 1383 </answer> 1384 </qandaentry> 1385 1386 <qandaentry> 1387 <question> 1388 <para> 1389 I'm running BIND on Ubuntu - 1390 </para> 1391 <para> 1392 Why can't named update slave zone database files? 1393 </para> 1394 <para> 1395 Why can't named create DDNS journal files or update 1396 the master zones from journals? 1397 </para> 1398 <para> 1399 Why can't named create custom log files? 1400 </para> 1401 </question> 1402 <answer> 1403 <para> 1404 Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor"> 1405 <http://en.wikipedia.org/wiki/AppArmor></ulink> in 1406 addition to normal file system permissions to protect the system. 1407 </para> 1408 <para> 1409 Adjust the paths to use those specified in /etc/apparmor.d/usr.sbin.named 1410 or adjust /etc/apparmor.d/usr.sbin.named to allow named to write at the 1411 location specified in named.conf. 1412 </para> 1413 </answer> 1414 </qandaentry> 1415 1416 <qandaentry> 1417 <question> 1418 <para> 1419 Listening on individual IPv6 interfaces does not work. 1420 </para> 1421 </question> 1422 <answer> 1423 <para> 1424 This is usually due to "/proc/net/if_inet6" not being available 1425 in the chroot file system. Mount another instance of "proc" 1426 in the chroot file system. 1427 </para> 1428 <para> 1429 This can be be made permanent by adding a second instance to 1430 /etc/fstab. 1431 <informalexample> 1432 <programlisting> 1433proc /proc proc defaults 0 0 1434proc /var/named/proc proc defaults 0 0</programlisting> 1435 </informalexample> 1436 </para> 1437 </answer> 1438 </qandaentry> 1439 1440 </qandadiv> <!-- Linux --> 1441 1442 <qandadiv><title>Windows</title> 1443 1444 <qandaentry> 1445 <question> 1446 <para> 1447 Zone transfers from my BIND 9 master to my Windows 2000 1448 slave fail. Why? 1449 </para> 1450 </question> 1451 <answer> 1452 <para> 1453 This may be caused by a bug in the Windows 2000 DNS server 1454 where DNS messages larger than 16K are not handled properly. 1455 This can be worked around by setting the option "transfer-format 1456 one-answer;". Also check whether your zone contains domain 1457 names with embedded spaces or other special characters, 1458 like "John\032Doe\213s\032Computer", since such names have 1459 been known to cause Windows 2000 slaves to incorrectly 1460 reject the zone. 1461 </para> 1462 </answer> 1463 </qandaentry> 1464 1465 <qandaentry> 1466 <question> 1467 <para> 1468 I get <quote>Error 1067</quote> when starting named under Windows. 1469 </para> 1470 </question> 1471 <answer> 1472 <para> 1473 This is the service manager saying that named exited. You 1474 need to examine the Application log in the EventViewer to 1475 find out why. 1476 </para> 1477 <para> 1478 Common causes are that you failed to create "named.conf" 1479 (usually "C:\windows\dns\etc\named.conf") or failed to 1480 specify the directory in named.conf. 1481 </para> 1482 <informalexample> 1483 <programlisting> 1484options { 1485 Directory "C:\windows\dns\etc"; 1486};</programlisting> 1487 </informalexample> 1488 </answer> 1489 </qandaentry> 1490 1491 </qandadiv> <!-- Windows --> 1492 1493 <qandadiv><title>FreeBSD</title> 1494 1495 <qandaentry> 1496 <question> 1497 <para> 1498 I have FreeBSD 4.x and "rndc-confgen -a" just sits there. 1499 </para> 1500 </question> 1501 <answer> 1502 <para> 1503 /dev/random is not configured. Use rndcontrol(8) to tell 1504 the kernel to use certain interrupts as a source of random 1505 events. You can make this permanent by setting rand_irqs 1506 in /etc/rc.conf. 1507 </para> 1508 <informalexample> 1509 <programlisting> 1510rand_irqs="3 14 15"</programlisting> 1511 </informalexample> 1512 <para> 1513 See also 1514 <ulink url="http://people.freebsd.org/~dougb/randomness.html"> 1515 <http://people.freebsd.org/~dougb/randomness.html></ulink>. 1516 </para> 1517 </answer> 1518 </qandaentry> 1519 1520 </qandadiv> <!-- FreeBSD --> 1521 1522 <qandadiv><title>Solaris</title> 1523 1524 <qandaentry> 1525 <question> 1526 <para> 1527 How do I integrate BIND 9 and Solaris SMF 1528 </para> 1529 </question> 1530 <answer> 1531 <para> 1532 Sun has a blog entry describing how to do this. 1533 </para> 1534 <para> 1535 <ulink 1536 url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris"> 1537 <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris> 1538 </ulink> 1539 </para> 1540 </answer> 1541 </qandaentry> 1542 1543 </qandadiv> 1544 1545 <qandadiv><title>Apple Mac OS X</title> 1546 1547 <qandaentry> 1548 <question> 1549 <para> 1550 How do I run BIND 9 on Apple Mac OS X? 1551 </para> 1552 </question> 1553 <answer> 1554 <para> 1555 If you run Tiger(Mac OS 10.4) or later then this is all you need to do: 1556 </para> 1557 <informalexample> 1558 <programlisting> 1559% sudo rndc-confgen > /etc/rndc.conf</programlisting> 1560 </informalexample> 1561 <para> 1562 Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: 1563 </para> 1564 <informalexample> 1565 <programlisting> 1566key "rndc-key" { 1567 algorithm hmac-md5; 1568 secret "uvceheVuqf17ZwIcTydddw=="; 1569};</programlisting> 1570 </informalexample> 1571 <para> 1572 Then start the relevant service: 1573 </para> 1574 <informalexample> 1575 <programlisting> 1576% sudo service org.isc.named start</programlisting> 1577 </informalexample> 1578 <para> 1579 This is persistent upon a reboot, so you will have to do it only once. 1580 </para> 1581 </answer> 1582 1583 <answer> 1584 <para> 1585 Alternatively you can just generate /etc/rndc.key by running: 1586 </para> 1587 <informalexample> 1588 <programlisting> 1589% sudo rndc-confgen -a</programlisting> 1590 </informalexample> 1591 <para> 1592 Then start the relevant service: 1593 </para> 1594 <informalexample> 1595 <programlisting> 1596% sudo service org.isc.named start</programlisting> 1597 </informalexample> 1598 <para> 1599 Named will look for /etc/rndc.key when it starts if it 1600 doesn't have a controls section or the existing controls are 1601 missing keys sub-clauses. This is persistent upon a 1602 reboot, so you will have to do it only once. 1603 </para> 1604 </answer> 1605 </qandaentry> 1606 1607 </qandadiv> 1608 1609 </qandadiv> <!-- Operating-System Specific Questions --> 1610 1611 </qandaset> 1612</article>