/contrib/bind9/FAQ.xml

https://bitbucket.org/freebsd/freebsd-head/ · XML · 1612 lines · 1487 code · 102 blank · 23 comment · 0 complexity · 3b31a738b5b26fa12c870cacee0642d2 MD5 · raw file

  1. <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  2. "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
  3. <!--
  4. - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  5. - Copyright (C) 2000-2003 Internet Software Consortium.
  6. -
  7. - Permission to use, copy, modify, and/or distribute this software for any
  8. - purpose with or without fee is hereby granted, provided that the above
  9. - copyright notice and this permission notice appear in all copies.
  10. -
  11. - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  12. - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  13. - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  14. - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  15. - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  16. - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  17. - PERFORMANCE OF THIS SOFTWARE.
  18. -->
  19. <!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ -->
  20. <article class="faq">
  21. <title>Frequently Asked Questions about BIND 9</title>
  22. <articleinfo>
  23. <copyright>
  24. <year>2004</year>
  25. <year>2005</year>
  26. <year>2006</year>
  27. <year>2007</year>
  28. <year>2008</year>
  29. <year>2009</year>
  30. <year>2010</year>
  31. <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
  32. </copyright>
  33. <copyright>
  34. <year>2000</year>
  35. <year>2001</year>
  36. <year>2002</year>
  37. <year>2003</year>
  38. <holder>Internet Software Consortium.</holder>
  39. </copyright>
  40. </articleinfo>
  41. <qandaset defaultlabel='qanda'>
  42. <qandadiv><title>Compilation and Installation Questions</title>
  43. <qandaentry>
  44. <question>
  45. <para>
  46. I'm trying to compile BIND 9, and "make" is failing due to
  47. files not being found. Why?
  48. </para>
  49. </question>
  50. <answer>
  51. <para>
  52. Using a parallel or distributed "make" to build BIND 9 is
  53. not supported, and doesn't work. If you are using one of
  54. these, use normal make or gmake instead.
  55. </para>
  56. </answer>
  57. </qandaentry>
  58. <qandaentry>
  59. <question>
  60. <para>
  61. Isn't "make install" supposed to generate a default named.conf?
  62. </para>
  63. </question>
  64. <answer>
  65. <para>
  66. Short Answer: No.
  67. </para>
  68. <para>
  69. Long Answer: There really isn't a default configuration which fits
  70. any site perfectly. There are lots of decisions that need to
  71. be made and there is no consensus on what the defaults should be.
  72. For example FreeBSD uses /etc/namedb as the location where the
  73. configuration files for named are stored. Others use /var/named.
  74. </para>
  75. <para>
  76. What addresses to listen on? For a laptop on the move a lot
  77. you may only want to listen on the loop back interfaces.
  78. </para>
  79. <para>
  80. Who do you offer recursive service to? Is there are firewall
  81. to consider? If so is it stateless or stateful. Are you
  82. directly on the Internet? Are you on a private network? Are
  83. you on a NAT'd network? The answers
  84. to all these questions change how you configure even a
  85. caching name server.
  86. </para>
  87. </answer>
  88. </qandaentry>
  89. </qandadiv> <!-- Compilation and Installation Questions -->
  90. <qandadiv><title>Configuration and Setup Questions</title>
  91. <qandaentry>
  92. <!-- configuration, log -->
  93. <question>
  94. <para>
  95. Why does named log the warning message <quote>no TTL specified -
  96. using SOA MINTTL instead</quote>?
  97. </para>
  98. </question>
  99. <answer>
  100. <para>
  101. Your zone file is illegal according to RFC1035. It must either
  102. have a line like:
  103. </para>
  104. <informalexample>
  105. <programlisting>
  106. $TTL 86400</programlisting>
  107. </informalexample>
  108. <para>
  109. at the beginning, or the first record in it must have a TTL field,
  110. like the "84600" in this example:
  111. </para>
  112. <informalexample>
  113. <programlisting>
  114. example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
  115. </informalexample>
  116. </answer>
  117. </qandaentry>
  118. <qandaentry>
  119. <!-- configuration -->
  120. <question>
  121. <para>
  122. Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
  123. master file bar: ran out of space</quote>?
  124. </para>
  125. </question>
  126. <answer>
  127. <para>
  128. This is often caused by TXT records with missing close
  129. quotes. Check that all TXT records containing quoted strings
  130. have both open and close quotes.
  131. </para>
  132. </answer>
  133. </qandaentry>
  134. <qandaentry>
  135. <!-- security -->
  136. <question>
  137. <para>
  138. How do I restrict people from looking up the server version?
  139. </para>
  140. </question>
  141. <answer>
  142. <para>
  143. Put a "version" option containing something other than the
  144. real version in the "options" section of named.conf. Note
  145. doing this will not prevent attacks and may impede people
  146. trying to diagnose problems with your server. Also it is
  147. possible to "fingerprint" nameservers to determine their
  148. version.
  149. </para>
  150. </answer>
  151. </qandaentry>
  152. <qandaentry>
  153. <!-- security -->
  154. <question>
  155. <para>
  156. How do I restrict only remote users from looking up the
  157. server version?
  158. </para>
  159. </question>
  160. <answer>
  161. <para>
  162. The following view statement will intercept lookups as the
  163. internal view that holds the version information will be
  164. matched last. The caveats of the previous answer still
  165. apply, of course.
  166. </para>
  167. <informalexample>
  168. <programlisting>
  169. view "chaos" chaos {
  170. match-clients { &lt;those to be refused&gt;; };
  171. allow-query { none; };
  172. zone "." {
  173. type hint;
  174. file "/dev/null"; // or any empty file
  175. };
  176. };</programlisting>
  177. </informalexample>
  178. </answer>
  179. </qandaentry>
  180. <qandaentry>
  181. <!-- configuration -->
  182. <question>
  183. <para>
  184. What do <quote>no source of entropy found</quote> or <quote>could not
  185. open entropy source foo</quote> mean?
  186. </para>
  187. </question>
  188. <answer>
  189. <para>
  190. The server requires a source of entropy to perform certain
  191. operations, mostly DNSSEC related. These messages indicate
  192. that you have no source of entropy. On systems with
  193. /dev/random or an equivalent, it is used by default. A
  194. source of entropy can also be defined using the random-device
  195. option in named.conf.
  196. </para>
  197. </answer>
  198. </qandaentry>
  199. <qandaentry>
  200. <!-- configuration -->
  201. <question>
  202. <para>
  203. I'm trying to use TSIG to authenticate dynamic updates or
  204. zone transfers. I'm sure I have the keys set up correctly,
  205. but the server is rejecting the TSIG. Why?
  206. </para>
  207. </question>
  208. <answer>
  209. <para>
  210. This may be a clock skew problem. Check that the the clocks
  211. on the client and server are properly synchronised (e.g.,
  212. using ntp).
  213. </para>
  214. </answer>
  215. </qandaentry>
  216. <qandaentry>
  217. <question>
  218. <para>
  219. I see a log message like the following. Why?
  220. </para>
  221. <para>
  222. couldn't open pid file '/var/run/named.pid': Permission denied
  223. </para>
  224. </question>
  225. <answer>
  226. <para>
  227. You are most likely running named as a non-root user, and
  228. that user does not have permission to write in /var/run.
  229. The common ways of fixing this are to create a /var/run/named
  230. directory owned by the named user and set pid-file to
  231. "/var/run/named/named.pid", or set pid-file to "named.pid",
  232. which will put the file in the directory specified by the
  233. directory option (which, in this case, must be writable by
  234. the named user).
  235. </para>
  236. </answer>
  237. </qandaentry>
  238. <qandaentry>
  239. <question>
  240. <para>
  241. I can query the nameserver from the nameserver but not from other
  242. machines. Why?
  243. </para>
  244. </question>
  245. <answer>
  246. <para>
  247. This is usually the result of the firewall configuration stopping
  248. the queries and / or the replies.
  249. </para>
  250. </answer>
  251. </qandaentry>
  252. <qandaentry>
  253. <question>
  254. <para>
  255. How can I make a server a slave for both an internal and
  256. an external view at the same time? When I tried, both views
  257. on the slave were transferred from the same view on the master.
  258. </para>
  259. </question>
  260. <answer>
  261. <para>
  262. You will need to give the master and slave multiple IP
  263. addresses and use those to make sure you reach the correct
  264. view on the other machine.
  265. </para>
  266. <informalexample>
  267. <programlisting>
  268. Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
  269. internal:
  270. match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
  271. notify-source 10.0.1.1;
  272. transfer-source 10.0.1.1;
  273. query-source address 10.0.1.1;
  274. external:
  275. match-clients { any; };
  276. recursion no; // don't offer recursion to the world
  277. notify-source 10.0.1.2;
  278. transfer-source 10.0.1.2;
  279. query-source address 10.0.1.2;
  280. Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
  281. internal:
  282. match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
  283. notify-source 10.0.1.3;
  284. transfer-source 10.0.1.3;
  285. query-source address 10.0.1.3;
  286. external:
  287. match-clients { any; };
  288. recursion no; // don't offer recursion to the world
  289. notify-source 10.0.1.4;
  290. transfer-source 10.0.1.4;
  291. query-source address 10.0.1.4;</programlisting>
  292. </informalexample>
  293. <para>
  294. You put the external address on the alias so that all the other
  295. dns clients on these boxes see the internal view by default.
  296. </para>
  297. </answer>
  298. <answer>
  299. <para>
  300. BIND 9.3 and later: Use TSIG to select the appropriate view.
  301. </para>
  302. <informalexample>
  303. <programlisting>
  304. Master 10.0.1.1:
  305. key "external" {
  306. algorithm hmac-sha256;
  307. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  308. };
  309. view "internal" {
  310. match-clients { !key external; // reject message ment for the
  311. // external view.
  312. 10.0.1/24; }; // accept from these addresses.
  313. ...
  314. };
  315. view "external" {
  316. match-clients { key external; any; };
  317. server 10.0.1.2 { keys external; }; // tag messages from the
  318. // external view to the
  319. // other servers for the
  320. // view.
  321. recursion no;
  322. ...
  323. };
  324. Slave 10.0.1.2:
  325. key "external" {
  326. algorithm hmac-sha256;
  327. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  328. };
  329. view "internal" {
  330. match-clients { !key external; 10.0.1/24; };
  331. ...
  332. };
  333. view "external" {
  334. match-clients { key external; any; };
  335. server 10.0.1.1 { keys external; };
  336. recursion no;
  337. ...
  338. };</programlisting>
  339. </informalexample>
  340. </answer>
  341. </qandaentry>
  342. <qandaentry>
  343. <question>
  344. <para>
  345. I get error messages like <quote>multiple RRs of singleton type</quote>
  346. and <quote>CNAME and other data</quote> when transferring a zone. What
  347. does this mean?
  348. </para>
  349. </question>
  350. <answer>
  351. <para>
  352. These indicate a malformed master zone. You can identify
  353. the exact records involved by transferring the zone using
  354. dig then running named-checkzone on it.
  355. </para>
  356. <informalexample>
  357. <programlisting>
  358. dig axfr example.com @master-server &gt; tmp
  359. named-checkzone example.com tmp</programlisting>
  360. </informalexample>
  361. <para>
  362. A CNAME record cannot exist with the same name as another record
  363. except for the DNSSEC records which prove its existence (NSEC).
  364. </para>
  365. <para>
  366. RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
  367. no other data should be present; this ensures that the data for a
  368. canonical name and its aliases cannot be different. This rule also
  369. insures that a cached CNAME can be used without checking with an
  370. authoritative server for other RR types.</quote>
  371. </para>
  372. </answer>
  373. </qandaentry>
  374. <qandaentry>
  375. <question>
  376. <para>
  377. I get error messages like <quote>named.conf:99: unexpected end
  378. of input</quote> where 99 is the last line of named.conf.
  379. </para>
  380. </question>
  381. <answer>
  382. <para>
  383. There are unbalanced quotes in named.conf.
  384. </para>
  385. </answer>
  386. <answer>
  387. <para>
  388. Some text editors (notepad and wordpad) fail to put a line
  389. title indication (e.g. CR/LF) on the last line of a
  390. text file. This can be fixed by "adding" a blank line to
  391. the end of the file. Named expects to see EOF immediately
  392. after EOL and treats text files where this is not met as
  393. truncated.
  394. </para>
  395. </answer>
  396. </qandaentry>
  397. <qandaentry>
  398. <question>
  399. <para>
  400. How do I share a dynamic zone between multiple views?
  401. </para>
  402. </question>
  403. <answer>
  404. <para>
  405. You choose one view to be master and the second a slave and
  406. transfer the zone between views.
  407. </para>
  408. <informalexample>
  409. <programlisting>
  410. Master 10.0.1.1:
  411. key "external" {
  412. algorithm hmac-sha256;
  413. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  414. };
  415. key "mykey" {
  416. algorithm hmac-sha256;
  417. secret "yyyyyyyyyyyyyyyyyyyyyyyy";
  418. };
  419. view "internal" {
  420. match-clients { !key external; 10.0.1/24; };
  421. server 10.0.1.1 {
  422. /* Deliver notify messages to external view. */
  423. keys { external; };
  424. };
  425. zone "example.com" {
  426. type master;
  427. file "internal/example.db";
  428. allow-update { key mykey; };
  429. also-notify { 10.0.1.1; };
  430. };
  431. };
  432. view "external" {
  433. match-clients { key external; any; };
  434. zone "example.com" {
  435. type slave;
  436. file "external/example.db";
  437. masters { 10.0.1.1; };
  438. transfer-source 10.0.1.1;
  439. // allow-update-forwarding { any; };
  440. // allow-notify { ... };
  441. };
  442. };</programlisting>
  443. </informalexample>
  444. </answer>
  445. </qandaentry>
  446. <qandaentry>
  447. <question>
  448. <para>
  449. I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
  450. loading master file primaries/wireless.ietf56.ietf.org: no
  451. owner</quote>.
  452. </para>
  453. </question>
  454. <answer>
  455. <para>
  456. This error is produced when a line in the master file
  457. contains leading white space (tab/space) but the is no
  458. current record owner name to inherit the name from. Usually
  459. this is the result of putting white space before a comment,
  460. forgetting the "@" for the SOA record, or indenting the master
  461. file.
  462. </para>
  463. </answer>
  464. </qandaentry>
  465. <qandaentry>
  466. <question>
  467. <para>
  468. Why are my logs in GMT (UTC).
  469. </para>
  470. </question>
  471. <answer>
  472. <para>
  473. You are running chrooted (-t) and have not supplied local timezone
  474. information in the chroot area.
  475. </para>
  476. <simplelist>
  477. <member>FreeBSD: /etc/localtime</member>
  478. <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
  479. <member>OSF: /etc/zoneinfo/localtime</member>
  480. </simplelist>
  481. <para>
  482. See also tzset(3) and zic(8).
  483. </para>
  484. </answer>
  485. </qandaentry>
  486. <qandaentry>
  487. <question>
  488. <para>
  489. I get <quote>rndc: connect failed: connection refused</quote> when
  490. I try to run rndc.
  491. </para>
  492. </question>
  493. <answer>
  494. <para>
  495. This is usually a configuration error.
  496. </para>
  497. <para>
  498. First ensure that named is running and no errors are being
  499. reported at startup (/var/log/messages or equivalent).
  500. Running "named -g &lt;usual arguments&gt;" from a title
  501. can help at this point.
  502. </para>
  503. <para>
  504. Secondly ensure that named is configured to use rndc either
  505. by "rndc-confgen -a", rndc-confgen or manually. The
  506. Administrators Reference manual has details on how to do
  507. this.
  508. </para>
  509. <para>
  510. Old versions of rndc-confgen used localhost rather than
  511. 127.0.0.1 in /etc/rndc.conf for the default server. Update
  512. /etc/rndc.conf if necessary so that the default server
  513. listed in /etc/rndc.conf matches the addresses used in
  514. named.conf. "localhost" has two address (127.0.0.1 and
  515. ::1).
  516. </para>
  517. <para>
  518. If you use "rndc-confgen -a" and named is running with -t or -u
  519. ensure that /etc/rndc.conf has the correct ownership and that
  520. a copy is in the chroot area. You can do this by re-running
  521. "rndc-confgen -a" with appropriate -t and -u arguments.
  522. </para>
  523. </answer>
  524. </qandaentry>
  525. <qandaentry>
  526. <question>
  527. <para>
  528. I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
  529. failed while receiving responses: permission denied</quote> error
  530. messages.
  531. </para>
  532. </question>
  533. <answer>
  534. <para>
  535. These indicate a filesystem permission error preventing
  536. named creating / renaming the temporary file. These will
  537. usually also have other associated error messages like
  538. </para>
  539. <informalexample>
  540. <programlisting>
  541. "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
  542. </informalexample>
  543. <para>
  544. Named needs write permission on the directory containing
  545. the file. Named writes the new cache file to a temporary
  546. file then renames it to the name specified in named.conf
  547. to ensure that the contents are always complete. This is
  548. to prevent named loading a partial zone in the event of
  549. power failure or similar interrupting the write of the
  550. master file.
  551. </para>
  552. <para>
  553. Note file names are relative to the directory specified in
  554. options and any chroot directory ([&lt;chroot
  555. dir&gt;/][&lt;options dir&gt;]).
  556. </para>
  557. <informalexample>
  558. <para>
  559. If named is invoked as "named -t /chroot/DNS" with
  560. the following named.conf then "/chroot/DNS/var/named/sl"
  561. needs to be writable by the user named is running as.
  562. </para>
  563. <programlisting>
  564. options {
  565. directory "/var/named";
  566. };
  567. zone "example.net" {
  568. type slave;
  569. file "sl/example.net";
  570. masters { 192.168.4.12; };
  571. };</programlisting>
  572. </informalexample>
  573. </answer>
  574. </qandaentry>
  575. <qandaentry>
  576. <question>
  577. <para>
  578. I want to forward all DNS queries from my caching nameserver to
  579. another server. But there are some domains which have to be
  580. served locally, via rbldnsd.
  581. </para>
  582. <para>
  583. How do I achieve this ?
  584. </para>
  585. </question>
  586. <answer>
  587. <programlisting>
  588. options {
  589. forward only;
  590. forwarders { &lt;ip.of.primary.nameserver&gt;; };
  591. };
  592. zone "sbl-xbl.spamhaus.org" {
  593. type forward; forward only;
  594. forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
  595. };
  596. zone "list.dsbl.org" {
  597. type forward; forward only;
  598. forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
  599. };
  600. </programlisting>
  601. </answer>
  602. </qandaentry>
  603. <qandaentry>
  604. <question>
  605. <para>
  606. Can you help me understand how BIND 9 uses memory to store
  607. DNS zones?
  608. </para>
  609. <para>
  610. Some times it seems to take several times the amount of
  611. memory it needs to store the zone.
  612. </para>
  613. </question>
  614. <answer>
  615. <para>
  616. When reloading a zone named my have multiple copies of
  617. the zone in memory at one time. The zone it is serving
  618. and the one it is loading. If reloads are ultra fast it
  619. can have more still.
  620. </para>
  621. <para>
  622. e.g. Ones that are transferring out, the one that it is
  623. serving and the one that is loading.
  624. </para>
  625. <para>
  626. BIND 8 destroyed the zone before loading and also killed
  627. off outgoing transfers of the zone.
  628. </para>
  629. <para>
  630. The new strategy allows slaves to get copies of the new
  631. zone regardless of how often the master is loaded compared
  632. to the transfer time. The slave might skip some intermediate
  633. versions but the transfers will complete and it will keep
  634. reasonably in sync with the master.
  635. </para>
  636. <para>
  637. The new strategy also allows the master to recover from
  638. syntax and other errors in the master file as it still
  639. has an in-core copy of the old contents.
  640. </para>
  641. </answer>
  642. </qandaentry>
  643. <qandaentry>
  644. <question>
  645. <para>
  646. I want to use IPv6 locally but I don't have a external IPv6
  647. connection. External lookups are slow.
  648. </para>
  649. </question>
  650. <answer>
  651. <para>
  652. You can use server clauses to stop named making external lookups
  653. over IPv6.
  654. </para>
  655. <programlisting>
  656. server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
  657. server ::/0 { bogus yes; };
  658. </programlisting>
  659. </answer>
  660. </qandaentry>
  661. </qandadiv> <!-- Configuration and Setup Questions -->
  662. <qandadiv><title>Operations Questions</title>
  663. <qandaentry>
  664. <question>
  665. <para>
  666. How to change the nameservers for a zone?
  667. </para>
  668. </question>
  669. <answer>
  670. <para>
  671. Step 1: Ensure all nameservers, new and old, are serving the
  672. same zone content.
  673. </para>
  674. <para>
  675. Step 2: Work out the maximum TTL of the NS RRset in the parent and child
  676. zones. This is the time it will take caches to be clear of a
  677. particular version of the NS RRset.
  678. If you are just removing nameservers you can skip to Step 6.
  679. </para>
  680. <para>
  681. Step 3: Add new nameservers to the NS RRset for the zone and
  682. wait until all the servers for the zone are answering with this
  683. new NS RRset.
  684. </para>
  685. <para>
  686. Step 4: Inform the parent zone of the new NS RRset then wait for all the
  687. parent servers to be answering with the new NS RRset.
  688. </para>
  689. <para>
  690. Step 5: Wait for cache to be clear of the old NS RRset.
  691. See Step 2 for how long.
  692. If you are just adding nameservers you are done.
  693. </para>
  694. <para>
  695. Step 6: Remove any old nameservers from the zones NS RRset and
  696. wait for all the servers for the zone to be serving the new NS RRset.
  697. </para>
  698. <para>
  699. Step 7: Inform the parent zone of the new NS RRset then wait for all the
  700. parent servers to be answering with the new NS RRset.
  701. </para>
  702. <para>
  703. Step 8: Wait for cache to be clear of the old NS RRset.
  704. See Step 2 for how long.
  705. </para>
  706. <para>
  707. Step 9: Turn off the old nameservers or remove the zone entry from
  708. the configuration of the old nameservers.
  709. </para>
  710. <para>
  711. Step 10: Increment the serial number and wait for the change to
  712. be visible in all nameservers for the zone. This ensures that
  713. zone transfers are still working after the old servers are
  714. decommissioned.
  715. </para>
  716. <para>
  717. Note: the above procedure is designed to be transparent
  718. to dns clients. Decommissioning the old servers too early
  719. will result in some clients not being able to look up
  720. answers in the zone.
  721. </para>
  722. <para>
  723. Note: while it is possible to run the addition and removal
  724. stages together it is not recommended.
  725. </para>
  726. </answer>
  727. </qandaentry>
  728. </qandadiv> <!-- Operations Questions -->
  729. <qandadiv><title>General Questions</title>
  730. <qandaentry>
  731. <question>
  732. <para>
  733. I keep getting log messages like the following. Why?
  734. </para>
  735. <para>
  736. Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
  737. 'example.com/IN': update failed: 'RRset exists (value
  738. dependent)' prerequisite not satisfied (NXRRSET)
  739. </para>
  740. </question>
  741. <answer>
  742. <para>
  743. DNS updates allow the update request to test to see if
  744. certain conditions are met prior to proceeding with the
  745. update. The message above is saying that conditions were
  746. not met and the update is not proceeding. See doc/rfc/rfc2136.txt
  747. for more details on prerequisites.
  748. </para>
  749. </answer>
  750. </qandaentry>
  751. <qandaentry>
  752. <question>
  753. <para>
  754. I keep getting log messages like the following. Why?
  755. </para>
  756. <para>
  757. Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
  758. </para>
  759. </question>
  760. <answer>
  761. <para>
  762. Someone is trying to update your DNS data using the RFC2136
  763. Dynamic Update protocol. Windows 2000 machines have a habit
  764. of sending dynamic update requests to DNS servers without
  765. being specifically configured to do so. If the update
  766. requests are coming from a Windows 2000 machine, see
  767. <ulink
  768. url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
  769. &lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
  770. for information about how to turn them off.
  771. </para>
  772. </answer>
  773. </qandaentry>
  774. <qandaentry>
  775. <question>
  776. <para>
  777. When I do a "dig . ns", many of the A records for the root
  778. servers are missing. Why?
  779. </para>
  780. </question>
  781. <answer>
  782. <para>
  783. This is normal and harmless. It is a somewhat confusing
  784. side effect of the way BIND 9 does RFC2181 trust ranking
  785. and of the efforts BIND 9 makes to avoid promoting glue
  786. into answers.
  787. </para>
  788. <para>
  789. When BIND 9 first starts up and primes its cache, it receives
  790. the root server addresses as additional data in an authoritative
  791. response from a root server, and these records are eligible
  792. for inclusion as additional data in responses. Subsequently
  793. it receives a subset of the root server addresses as
  794. additional data in a non-authoritative (referral) response
  795. from a root server. This causes the addresses to now be
  796. considered non-authoritative (glue) data, which is not
  797. eligible for inclusion in responses.
  798. </para>
  799. <para>
  800. The server does have a complete set of root server addresses
  801. cached at all times, it just may not include all of them
  802. as additional data, depending on whether they were last
  803. received as answers or as glue. You can always look up the
  804. addresses with explicit queries like "dig a.root-servers.net A".
  805. </para>
  806. </answer>
  807. </qandaentry>
  808. <qandaentry>
  809. <question>
  810. <para>
  811. Why don't my zones reload when I do an "rndc reload" or SIGHUP?
  812. </para>
  813. </question>
  814. <answer>
  815. <para>
  816. A zone can be updated either by editing zone files and
  817. reloading the server or by dynamic update, but not both.
  818. If you have enabled dynamic update for a zone using the
  819. "allow-update" option, you are not supposed to edit the
  820. zone file by hand, and the server will not attempt to reload
  821. it.
  822. </para>
  823. </answer>
  824. </qandaentry>
  825. <qandaentry>
  826. <question>
  827. <para>
  828. Why is named listening on UDP port other than 53?
  829. </para>
  830. </question>
  831. <answer>
  832. <para>
  833. Named uses a system selected port to make queries of other
  834. nameservers. This behaviour can be overridden by using
  835. query-source to lock down the port and/or address. See
  836. also notify-source and transfer-source.
  837. </para>
  838. </answer>
  839. </qandaentry>
  840. <qandaentry>
  841. <question>
  842. <para>
  843. I get warning messages like <quote>zone example.com/IN: refresh:
  844. failure trying master 1.2.3.4#53: timed out</quote>.
  845. </para>
  846. </question>
  847. <answer>
  848. <para>
  849. Check that you can make UDP queries from the slave to the master
  850. </para>
  851. <informalexample>
  852. <programlisting>
  853. dig +norec example.com soa @1.2.3.4</programlisting>
  854. </informalexample>
  855. <para>
  856. You could be generating queries faster than the slave can
  857. cope with. Lower the serial query rate.
  858. </para>
  859. <informalexample>
  860. <programlisting>
  861. serial-query-rate 5; // default 20</programlisting>
  862. </informalexample>
  863. </answer>
  864. </qandaentry>
  865. <qandaentry>
  866. <question>
  867. <para>
  868. I don't get RRSIG's returned when I use "dig +dnssec".
  869. </para>
  870. </question>
  871. <answer>
  872. <para>
  873. You need to ensure DNSSEC is enabled (dnssec-enable yes;).
  874. </para>
  875. </answer>
  876. </qandaentry>
  877. <qandaentry>
  878. <question>
  879. <para>
  880. Can a NS record refer to a CNAME.
  881. </para>
  882. </question>
  883. <answer>
  884. <para>
  885. No. The rules for glue (copies of the *address* records
  886. in the parent zones) and additional section processing do
  887. not allow it to work.
  888. </para>
  889. <para>
  890. You would have to add both the CNAME and address records
  891. (A/AAAA) as glue to the parent zone and have CNAMEs be
  892. followed when doing additional section processing to make
  893. it work. No nameserver implementation supports either of
  894. these requirements.
  895. </para>
  896. </answer>
  897. </qandaentry>
  898. <qandaentry>
  899. <question>
  900. <para>
  901. What does <quote>RFC 1918 response from Internet for
  902. 0.0.0.10.IN-ADDR.ARPA</quote> mean?
  903. </para>
  904. </question>
  905. <answer>
  906. <para>
  907. If the IN-ADDR.ARPA name covered refers to a internal address
  908. space you are using then you have failed to follow RFC 1918
  909. usage rules and are leaking queries to the Internet. You
  910. should establish your own zones for these addresses to prevent
  911. you querying the Internet's name servers for these addresses.
  912. Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
  913. for details of the problems you are causing and the counter
  914. measures that have had to be deployed.
  915. </para>
  916. <para>
  917. If you are not using these private addresses then a client
  918. has queried for them. You can just ignore the messages,
  919. get the offending client to stop sending you these messages
  920. as they are most probably leaking them or setup your own zones
  921. empty zones to serve answers to these queries.
  922. </para>
  923. <informalexample>
  924. <programlisting>
  925. zone "10.IN-ADDR.ARPA" {
  926. type master;
  927. file "empty";
  928. };
  929. zone "16.172.IN-ADDR.ARPA" {
  930. type master;
  931. file "empty";
  932. };
  933. ...
  934. zone "31.172.IN-ADDR.ARPA" {
  935. type master;
  936. file "empty";
  937. };
  938. zone "168.192.IN-ADDR.ARPA" {
  939. type master;
  940. file "empty";
  941. };
  942. empty:
  943. @ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
  944. 1 3600 1200 604800 10800 )
  945. @ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
  946. </informalexample>
  947. <para>
  948. <note>
  949. Future versions of named are likely to do this automatically.
  950. </note>
  951. </para>
  952. </answer>
  953. </qandaentry>
  954. <qandaentry>
  955. <question>
  956. <para>
  957. Will named be affected by the 2007 changes to daylight savings
  958. rules in the US.
  959. </para>
  960. </question>
  961. <answer>
  962. <para>
  963. No, so long as the machines internal clock (as reported
  964. by "date -u") remains at UTC. The only visible change
  965. if you fail to upgrade your OS, if you are in a affected
  966. area, will be that log messages will be a hour out during
  967. the period where the old rules do not match the new rules.
  968. </para>
  969. <para>
  970. For most OS's this change just means that you need to
  971. update the conversion rules from UTC to local time.
  972. Normally this involves updating a file in /etc (which
  973. sets the default timezone for the machine) and possibly
  974. a directory which has all the conversion rules for the
  975. world (e.g. /usr/share/zoneinfo). When updating the OS
  976. do not forget to update any chroot areas as well.
  977. See your OS's documentation for more details.
  978. </para>
  979. <para>
  980. The local timezone conversion rules can also be done on
  981. a individual basis by setting the TZ environment variable
  982. appropriately. See your OS's documentation for more
  983. details.
  984. </para>
  985. </answer>
  986. </qandaentry>
  987. <qandaentry>
  988. <question>
  989. <para>
  990. Is there a bugzilla (or other tool) database that mere
  991. mortals can have (read-only) access to for bind?
  992. </para>
  993. </question>
  994. <answer>
  995. <para>
  996. No. The BIND 9 bug database is kept closed for a number
  997. of reasons. These include, but are not limited to, that
  998. the database contains proprietory information from people
  999. reporting bugs. The database has in the past and may in
  1000. future contain unfixed bugs which are capable of bringing
  1001. down most of the Internet's DNS infrastructure.
  1002. </para>
  1003. <para>
  1004. The release pages for each version contain up to date
  1005. lists of bugs that have been fixed post release. That
  1006. is as close as we can get to providing a bug database.
  1007. </para>
  1008. </answer>
  1009. </qandaentry>
  1010. <qandaentry>
  1011. <question>
  1012. <para>
  1013. Why do queries for NSEC3 records fail to return the NSEC3 record?
  1014. </para>
  1015. </question>
  1016. <answer>
  1017. <para>
  1018. NSEC3 records are strictly meta data and can only be
  1019. returned in the authority section. This is done so that
  1020. signing the zone using NSEC3 records does not bring names
  1021. into existence that do not exist in the unsigned version
  1022. of the zone.
  1023. </para>
  1024. </answer>
  1025. </qandaentry>
  1026. </qandadiv> <!-- General Questions -->
  1027. <qandadiv><title>Operating-System Specific Questions</title>
  1028. <qandadiv><title>HPUX</title>
  1029. <qandaentry>
  1030. <question>
  1031. <para>I get the following error trying to configure BIND:
  1032. <programlisting>checking if unistd.h or sys/types.h defines fd_set... no
  1033. configure: error: need either working unistd.h or sys/select.h</programlisting>
  1034. </para>
  1035. </question>
  1036. <answer>
  1037. <para>
  1038. You have attempted to configure BIND with the bundled C compiler.
  1039. This compiler does not meet the minimum compiler requirements to
  1040. for building BIND. You need to install a ANSI C compiler and / or
  1041. teach configure how to find the ANSI C compiler. The later can
  1042. be done by adjusting the PATH environment variable and / or
  1043. specifying the compiler via CC.
  1044. </para>
  1045. <informalexample>
  1046. <programlisting>./configure CC=&lt;compiler&gt; ...</programlisting>
  1047. </informalexample>
  1048. </answer>
  1049. </qandaentry>
  1050. </qandadiv> <!-- HPUX -->
  1051. <qandadiv><title>Linux</title>
  1052. <qandaentry>
  1053. <question>
  1054. <para>
  1055. Why do I get the following errors:
  1056. <programlisting>general: errno2result.c:109: unexpected error:
  1057. general: unable to convert errno to isc_result: 14: Bad address
  1058. client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
  1059. </para>
  1060. </question>
  1061. <answer>
  1062. <para>
  1063. This is the result of a Linux kernel bug.
  1064. </para>
  1065. <para>
  1066. See:
  1067. <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
  1068. </para>
  1069. </answer>
  1070. </qandaentry>
  1071. <qandaentry>
  1072. <question>
  1073. <para>
  1074. Why does named lock up when it attempts to connect over IPSEC tunnels?
  1075. </para>
  1076. </question>
  1077. <answer>
  1078. <para>
  1079. This is due to a kernel bug where the fact that a socket is marked
  1080. non-blocking is ignored. It is reported that setting
  1081. xfrm_larval_drop to 1 helps but this may have negative side effects.
  1082. See:
  1083. <ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
  1084. and
  1085. <ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
  1086. </para>
  1087. <para>
  1088. xfrm_larval_drop can be set to 1 by the following procedure:
  1089. <programlisting>
  1090. echo "1" &gt; proc/sys/net/core/xfrm_larval_drop</programlisting>
  1091. </para>
  1092. </answer>
  1093. </qandaentry>
  1094. <qandaentry>
  1095. <question>
  1096. <para>
  1097. Why do I see 5 (or more) copies of named on Linux?
  1098. </para>
  1099. </question>
  1100. <answer>
  1101. <para>
  1102. Linux threads each show up as a process under ps. The
  1103. approximate number of threads running is n+4, where n is
  1104. the number of CPUs. Note that the amount of memory used
  1105. is not cumulative; if each process is using 10M of memory,
  1106. only a total of 10M is used.
  1107. </para>
  1108. <para>
  1109. Newer versions of Linux's ps command hide the individual threads
  1110. and require -L to display them.
  1111. </para>
  1112. </answer>
  1113. </qandaentry>
  1114. <qandaentry>
  1115. <question>
  1116. <para>
  1117. Why does BIND 9 log <quote>permission denied</quote> errors accessing
  1118. its configuration files or zones on my Linux system even
  1119. though it is running as root?
  1120. </para>
  1121. </question>
  1122. <answer>
  1123. <para>
  1124. On Linux, BIND 9 drops most of its root privileges on
  1125. startup. This including the privilege to open files owned
  1126. by other users. Therefore, if the server is running as
  1127. root, the configuration files and zone files should also
  1128. be owned by root.
  1129. </para>
  1130. </answer>
  1131. </qandaentry>
  1132. <qandaentry>
  1133. <question>
  1134. <para>
  1135. I get the error message <quote>named: capset failed: Operation
  1136. not permitted</quote> when starting named.
  1137. </para>
  1138. </question>
  1139. <answer>
  1140. <para>
  1141. The capability module, part of "Linux Security Modules/LSM",
  1142. has not been loaded into the kernel. See insmod(8), modprobe(8).
  1143. </para>
  1144. <para>
  1145. The relevant modules can be loaded by running:
  1146. <programlisting>
  1147. modprobe commoncap
  1148. modprobe capability</programlisting>
  1149. </para>
  1150. </answer>
  1151. </qandaentry>
  1152. <qandaentry>
  1153. <question>
  1154. <para>
  1155. I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
  1156. </para>
  1157. <para>
  1158. Why can't named update slave zone database files?
  1159. </para>
  1160. <para>
  1161. Why can't named create DDNS journal files or update
  1162. the master zones from journals?
  1163. </para>
  1164. <para>
  1165. Why can't named create custom log files?
  1166. </para>
  1167. </question>
  1168. <answer>
  1169. <para>
  1170. Red Hat Security Enhanced Linux (SELinux) policy security
  1171. protections :
  1172. </para>
  1173. <para>
  1174. Red Hat have adopted the National Security Agency's
  1175. SELinux security policy (see <ulink
  1176. url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
  1177. and recommendations for BIND security , which are more
  1178. secure than running named in a chroot and make use of
  1179. the bind-chroot environment unnecessary .
  1180. </para>
  1181. <para>
  1182. By default, named is not allowed by the SELinux policy
  1183. to write, create or delete any files EXCEPT in these
  1184. directories:
  1185. <informalexample>
  1186. <programlisting>
  1187. $ROOTDIR/var/named/slaves
  1188. $ROOTDIR/var/named/data
  1189. $ROOTDIR/var/tmp
  1190. </programlisting>
  1191. </informalexample>
  1192. where $ROOTDIR may be set in /etc/sysconfig/named if
  1193. bind-chroot is installed.
  1194. </para>
  1195. <para>
  1196. The SELinux policy particularly does NOT allow named to modify
  1197. the $ROOTDIR/var/named directory, the default location for master
  1198. zone database files.
  1199. </para>
  1200. <para>
  1201. SELinux policy overrules file access permissions - so
  1202. even if all the files under /var/named have ownership
  1203. named:named and mode rw-rw-r--, named will still not be
  1204. able to write or create files except in the directories
  1205. above, with SELinux in Enforcing mode.
  1206. </para>
  1207. <para>
  1208. So, to allow named to update slave or DDNS zone files,
  1209. it is best to locate them in $ROOTDIR/var/named/slaves,
  1210. with named.conf zone statements such as:
  1211. <informalexample>
  1212. <programlisting>
  1213. zone "slave.zone." IN {
  1214. type slave;
  1215. file "slaves/slave.zone.db";
  1216. ...
  1217. };
  1218. zone "ddns.zone." IN {
  1219. type master;
  1220. allow-updates {...};
  1221. file "slaves/ddns.zone.db";
  1222. };
  1223. </programlisting>
  1224. </informalexample>
  1225. </para>
  1226. <para>
  1227. To allow named to create its cache dump and statistics
  1228. files, for example, you could use named.conf options
  1229. statements such as:
  1230. <informalexample>
  1231. <programlisting>
  1232. options {
  1233. ...
  1234. dump-file "/var/named/data/cache_dump.db";
  1235. statistics-file "/var/named/data/named_stats.txt";
  1236. ...
  1237. };
  1238. </programlisting>
  1239. </informalexample>
  1240. </para>
  1241. <para>
  1242. You can also tell SELinux to allow named to update any
  1243. zone database files, by setting the SELinux tunable boolean
  1244. parameter 'named_write_master_zones=1', using the
  1245. system-config-securitylevel GUI, using the 'setsebool'
  1246. command, or in /etc/selinux/targeted/booleans.
  1247. </para>
  1248. <para>
  1249. You can disable SELinux protection for named entirely by
  1250. setting the 'named_disable_trans=1' SELinux tunable boolean
  1251. parameter.
  1252. </para>
  1253. <para>
  1254. The SELinux named policy defines these SELinux contexts for named:
  1255. <informalexample>
  1256. <programlisting>
  1257. named_zone_t : for zone database files - $ROOTDIR/var/named/*
  1258. named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
  1259. named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
  1260. </programlisting>
  1261. </informalexample>
  1262. </para>
  1263. <para>
  1264. If you want to retain use of the SELinux policy for named,
  1265. and put named files in different locations, you can do
  1266. so by changing the context of the custom file locations
  1267. .
  1268. </para>
  1269. <para>
  1270. To create a custom configuration file location, e.g.
  1271. '/root/named.conf', to use with the 'named -c' option,
  1272. do:
  1273. <informalexample>
  1274. <programlisting>
  1275. # chcon system_u:object_r:named_conf_t /root/named.conf
  1276. </programlisting>
  1277. </informalexample>
  1278. </para>
  1279. <para>
  1280. To create a custom modifiable named data location, e.g.
  1281. '/var/log/named' for a log file, do:
  1282. <informalexample>
  1283. <programlisting>
  1284. # chcon system_u:object_r:named_cache_t /var/log/named
  1285. </programlisting>
  1286. </informalexample>
  1287. </para>
  1288. <para>
  1289. To create a custom zone file location, e.g. /root/zones/, do:
  1290. <informalexample>
  1291. <programlisting>
  1292. # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
  1293. </programlisting>
  1294. </informalexample>
  1295. </para>
  1296. <para>
  1297. See these man-pages for more information : selinux(8),
  1298. named_selinux(8), chcon(1), setsebool(8)
  1299. </para>
  1300. </answer>
  1301. </qandaentry>
  1302. <qandaentry>
  1303. <question>
  1304. <para>
  1305. I'm running BIND on Ubuntu -
  1306. </para>
  1307. <para>
  1308. Why can't named update slave zone database files?
  1309. </para>
  1310. <para>
  1311. Why can't named create DDNS journal files or update
  1312. the master zones from journals?
  1313. </para>
  1314. <para>
  1315. Why can't named create custom log files?
  1316. </para>
  1317. </question>
  1318. <answer>
  1319. <para>
  1320. Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
  1321. &lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
  1322. addition to normal file system permissions to protect the system.
  1323. </para>
  1324. <para>
  1325. Adjust the paths to use those specified in /etc/apparmor.d/usr.sbin.named
  1326. or adjust /etc/apparmor.d/usr.sbin.named to allow named to write at the
  1327. location specified in named.conf.
  1328. </para>
  1329. </answer>
  1330. </qandaentry>
  1331. <qandaentry>
  1332. <question>
  1333. <para>
  1334. Listening on individual IPv6 interfaces does not work.
  1335. </para>
  1336. </question>
  1337. <answer>
  1338. <para>
  1339. This is usually due to "/proc/net/if_inet6" not being available
  1340. in the chroot file system. Mount another instance of "proc"
  1341. in the chroot file system.
  1342. </para>
  1343. <para>
  1344. This can be be made permanent by adding a second instance to
  1345. /etc/fstab.
  1346. <informalexample>
  1347. <programlisting>
  1348. proc /proc proc defaults 0 0
  1349. proc /var/named/proc proc defaults 0 0</programlisting>
  1350. </informalexample>
  1351. </para>
  1352. </answer>
  1353. </qandaentry>
  1354. </qandadiv> <!-- Linux -->
  1355. <qandadiv><title>Windows</title>
  1356. <qandaentry>
  1357. <question>
  1358. <para>
  1359. Zone transfers from my BIND 9 master to my Windows 2000
  1360. slave fail. Why?
  1361. </para>
  1362. </question>
  1363. <answer>
  1364. <para>
  1365. This may be caused by a bug in the Windows 2000 DNS server
  1366. where DNS messages larger than 16K are not handled properly.
  1367. This can be worked around by setting the option "transfer-format
  1368. one-answer;". Also check whether your zone contains domain
  1369. names with embedded spaces or other special characters,
  1370. like "John\032Doe\213s\032Computer", since such names have
  1371. been known to cause Windows 2000 slaves to incorrectly
  1372. reject the zone.
  1373. </para>
  1374. </answer>
  1375. </qandaentry>
  1376. <qandaentry>
  1377. <question>
  1378. <para>
  1379. I get <quote>Error 1067</quote> when starting named under Windows.
  1380. </para>
  1381. </question>
  1382. <answer>
  1383. <para>
  1384. This is the service manager saying that named exited. You
  1385. need to examine the Application log in the EventViewer to
  1386. find out why.
  1387. </para>
  1388. <para>
  1389. Common causes are that you failed to create "named.conf"
  1390. (usually "C:\windows\dns\etc\named.conf") or failed to
  1391. specify the directory in named.conf.
  1392. </para>
  1393. <informalexample>
  1394. <programlisting>
  1395. options {
  1396. Directory "C:\windows\dns\etc";
  1397. };</programlisting>
  1398. </informalexample>
  1399. </answer>
  1400. </qandaentry>
  1401. </qandadiv> <!-- Windows -->
  1402. <qandadiv><title>FreeBSD</title>
  1403. <qandaentry>
  1404. <question>
  1405. <para>
  1406. I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
  1407. </para>
  1408. </question>
  1409. <answer>
  1410. <para>
  1411. /dev/random is not configured. Use rndcontrol(8) to tell
  1412. the kernel to use certain interrupts as a source of random
  1413. events. You can make this permanent by setting rand_irqs
  1414. in /etc/rc.conf.
  1415. </para>
  1416. <informalexample>
  1417. <programlisting>
  1418. rand_irqs="3 14 15"</programlisting>
  1419. </informalexample>
  1420. <para>
  1421. See also
  1422. <ulink url="http://people.freebsd.org/~dougb/randomness.html">
  1423. &lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
  1424. </para>
  1425. </answer>
  1426. </qandaentry>
  1427. </qandadiv> <!-- FreeBSD -->
  1428. <qandadiv><title>Solaris</title>
  1429. <qandaentry>
  1430. <question>
  1431. <para>
  1432. How do I integrate BIND 9 and Solaris SMF
  1433. </para>
  1434. </question>
  1435. <answer>
  1436. <para>
  1437. Sun has a blog entry describing how to do this.
  1438. </para>
  1439. <para>
  1440. <ulink
  1441. url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
  1442. &lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
  1443. </ulink>
  1444. </para>
  1445. </answer>
  1446. </qandaentry>
  1447. </qandadiv>
  1448. <qandadiv><title>Apple Mac OS X</title>
  1449. <qandaentry>
  1450. <question>
  1451. <para>
  1452. How do I run BIND 9 on Apple Mac OS X?
  1453. </para>
  1454. </question>
  1455. <answer>
  1456. <para>
  1457. If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
  1458. </para>
  1459. <informalexample>
  1460. <programlisting>
  1461. % sudo rndc-confgen > /etc/rndc.conf</programlisting>
  1462. </informalexample>
  1463. <para>
  1464. Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
  1465. </para>
  1466. <informalexample>
  1467. <programlisting>
  1468. key "rndc-key" {
  1469. algorithm hmac-md5;
  1470. secret "uvceheVuqf17ZwIcTydddw==";
  1471. };</programlisting>
  1472. </informalexample>
  1473. <para>
  1474. Then start the relevant service:
  1475. </para>
  1476. <informalexample>
  1477. <programlisting>
  1478. % sudo service org.isc.named start</programlisting>
  1479. </informalexample>
  1480. <para>
  1481. This is persistent upon a reboot, so you will have to do it only once.
  1482. </para>
  1483. </answer>
  1484. <answer>
  1485. <para>
  1486. Alternatively you can just generate /etc/rndc.key by running:
  1487. </para>
  1488. <informalexample>
  1489. <programlisting>
  1490. % sudo rndc-confgen -a</programlisting>
  1491. </informalexample>
  1492. <para>
  1493. Then start the relevant service:
  1494. </para>
  1495. <informalexample>
  1496. <programlisting>
  1497. % sudo service org.isc.named start</programlisting>
  1498. </informalexample>
  1499. <para>
  1500. Named will look for /etc/rndc.key when it starts if it
  1501. doesn't have a controls section or the existing controls are
  1502. missing keys sub-clauses. This is persistent upon a
  1503. reboot, so you will have to do it only once.
  1504. </para>
  1505. </answer>
  1506. </qandaentry>
  1507. </qandadiv>
  1508. </qandadiv> <!-- Operating-System Specific Questions -->
  1509. </qandaset>
  1510. </article>