
/contrib/bind9/FAQ.xml

https://bitbucket.org/freebsd/freebsd-head/
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
 - Copyright (C) 2004-2010  Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003  Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp $ -->

<article class="faq">
  <title>Frequently Asked Questions about BIND 9</title>
  <articleinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2010</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <holder>Internet Software Consortium.</holder>
    </copyright>
  </articleinfo>
  <qandaset defaultlabel='qanda'>

    <qandadiv><title>Compilation and Installation Questions</title>

    <qandaentry>
      <question>
	<para>
	  I'm trying to compile BIND 9, and "make" is failing due to
	  files not being found.  Why?
	</para>
      </question>
      <answer>
	<para>
	  Using a parallel or distributed "make" to build BIND 9 is
	  not supported, and doesn't work.  If you are using one of
	  these, use normal make or gmake instead.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Isn't "make install" supposed to generate a default named.conf?
	</para>
      </question>
      <answer>
	<para>
	  Short Answer: No.
	</para>
	<para>
	  Long Answer: There really isn't a default configuration which fits
	  any site perfectly.  There are lots of decisions that need to
	  be made and there is no consensus on what the defaults should be.
	  For example, FreeBSD uses /etc/namedb as the location where the
	  configuration files for named are stored.  Others use /var/named.
	</para>
	<para>
	  What addresses to listen on?  For a laptop on the move a lot
	  you may only want to listen on the loopback interfaces.
	</para>
	<para>
	  Who do you offer recursive service to?  Is there a firewall
	  to consider?  If so, is it stateless or stateful?  Are you
	  directly on the Internet?  Are you on a private network?  Are
	  you on a NAT'd network?  The answers
	  to all these questions change how you configure even a
	  caching name server.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Compilation and Installation Questions -->

    <qandadiv><title>Configuration and Setup Questions</title>

    <qandaentry>
      <!-- configuration, log -->
      <question>
	<para>
	  Why does named log the warning message <quote>no TTL specified -
	  using SOA MINTTL instead</quote>?
	</para>
      </question>
      <answer>
	<para>
	  Your zone file is illegal according to RFC 1035.  It must either
	  have a line like:
	</para>
	<informalexample>
	  <programlisting>
$TTL 86400</programlisting>
	</informalexample>
	<para>
	  at the beginning, or the first record in it must have a TTL field,
	  like the "86400" in this example:
	</para>
	<informalexample>
	  <programlisting>
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
	  master file bar: ran out of space</quote>?
	</para>
      </question>
      <answer>
	<para>
	  This is often caused by TXT records with missing close
	  quotes.  Check that all TXT records containing quoted strings
	  have both open and close quotes.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- security -->
      <question>
	<para>
	  How do I restrict people from looking up the server version?
	</para>
      </question>
      <answer>
	<para>
	  Put a "version" option containing something other than the
	  real version in the "options" section of named.conf.  Note
	  that doing this will not prevent attacks and may impede people
	  trying to diagnose problems with your server.  Also it is
	  possible to "fingerprint" nameservers to determine their
	  version.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- security -->
      <question>
	<para>
	  How do I restrict only remote users from looking up the
	  server version?
	</para>
      </question>
      <answer>
	<para>
	  The following view statement will intercept lookups, as the
	  internal view that holds the version information will be
	  matched last.  The caveats of the previous answer still
	  apply, of course.
	</para>
	<informalexample>
	  <programlisting>
view "chaos" chaos {
	match-clients { &lt;those to be refused&gt;; };
	allow-query { none; };
	zone "." {
		type hint;
		file "/dev/null";  // or any empty file
	};
};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  What do <quote>no source of entropy found</quote> or <quote>could not
	  open entropy source foo</quote> mean?
	</para>
      </question>
      <answer>
	<para>
	  The server requires a source of entropy to perform certain
	  operations, mostly DNSSEC related.  These messages indicate
	  that you have no source of entropy.  On systems with
	  /dev/random or an equivalent, it is used by default.  A
	  source of entropy can also be defined using the random-device
	  option in named.conf.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  I'm trying to use TSIG to authenticate dynamic updates or
	  zone transfers.  I'm sure I have the keys set up correctly,
	  but the server is rejecting the TSIG.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This may be a clock skew problem.  Check that the clocks
	  on the client and server are properly synchronised (e.g.,
	  using ntp).
	</para>
      </answer>
    </qandaentry>
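<para>
  Added example (not part of the ISC FAQ or of BIND's own code) showing why
  clock skew makes a server reject an otherwise correct TSIG: the signing
  time is covered by the MAC and must lie within the "fudge" window
  (300 seconds by default in RFC 2845) of the verifier's clock.  The DNS
  message, key name and secret below are constructed for illustration.
</para>

```python
import hashlib
import hmac
import struct
import time

# TSIG error codes carried in the TSIG RR's error field (RFC 2845 section 1.7).
BADSIG, BADKEY, BADTIME = 16, 17, 18
# Default fudge: seconds of clock difference the verifier tolerates (RFC 2845).
DEFAULT_FUDGE = 300
ALGORITHM = "hmac-sha256"


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lower-cased, uncompressed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def tsig_digest_input(message, keyname, time_signed, fudge, error=0, other=b""):
    """Data covered by the MAC of a request: the unsigned DNS message followed
    by the TSIG variables (RFC 2845 section 3.4.2): key name, class ANY, TTL 0,
    algorithm name, 48-bit time signed, fudge, error, other-data length, other data."""
    return (message
            + wire_name(keyname)
            + struct.pack("!HI", 255, 0)
            + wire_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_sign(message, secret, keyname, time_signed, fudge=DEFAULT_FUDGE):
    """Client side: MAC the request with HMAC-SHA256 under the shared secret."""
    data = tsig_digest_input(message, keyname, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def tsig_verify(message, secret, keyname, time_signed, fudge, mac, now=None):
    """Server side: returns 0 (NOERROR) or a TSIG error code.  The MAC is
    checked first; then the signing time must lie within +/- fudge of the
    server's clock (RFC 2845 section 4.5), so a skewed clock yields BADTIME."""
    expected = tsig_sign(message, secret, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return BADSIG
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return BADTIME
    return 0


# Constructed request: header with ID 0x1234, opcode UPDATE (flags 0x2800),
# one entry in the zone section for example.com SOA IN, no TSIG RR yet.
MESSAGE = (bytes.fromhex("1234 2800 0001 0000 0000 0000")
           + wire_name("example.com") + struct.pack("!HH", 6, 1))
SECRET = b"constructed-example-secret"   # placeholder, not a real key
KEYNAME = "update-key"                    # hypothetical key name


def demo(client_time=1_000_000_000):
    """Sign at the client's time, then verify on a server whose clock is
    30 seconds ahead, and again on one 10 minutes ahead."""
    mac = tsig_sign(MESSAGE, SECRET, KEYNAME, client_time)
    in_sync = tsig_verify(MESSAGE, SECRET, KEYNAME, client_time,
                          DEFAULT_FUDGE, mac, now=client_time + 30)
    skewed = tsig_verify(MESSAGE, SECRET, KEYNAME, client_time,
                         DEFAULT_FUDGE, mac, now=client_time + 600)
    return in_sync, skewed


if __name__ == "__main__":
    ok, bad = demo()
    print("synchronised clock:", ok)      # 0
    print("clock 10 minutes off:", bad)   # 18 (BADTIME)
```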

    <qandaentry>
      <question>
	<para>
	  I see a log message like the following.  Why?
	</para>
	<para>
	  couldn't open pid file '/var/run/named.pid': Permission denied
	</para>
      </question>
      <answer>
	<para>
	  You are most likely running named as a non-root user, and
	  that user does not have permission to write in /var/run.
	  The common ways of fixing this are to create a /var/run/named
	  directory owned by the named user and set pid-file to
	  "/var/run/named/named.pid", or set pid-file to "named.pid",
	  which will put the file in the directory specified by the
	  directory option (which, in this case, must be writable by
	  the named user).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I can query the nameserver from the nameserver but not from other
	  machines.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This is usually the result of the firewall configuration stopping
	  the queries and / or the replies.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  How can I make a server a slave for both an internal and
	  an external view at the same time?  When I tried, both views
	  on the slave were transferred from the same view on the master.
	</para>
      </question>
      <answer>
	<para>
	  You will need to give the master and slave multiple IP
	  addresses and use those to make sure you reach the correct
	  view on the other machine.
	</para>
	<informalexample>
	  <programlisting>
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
    internal:
	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
		notify-source 10.0.1.1;
		transfer-source 10.0.1.1;
		query-source address 10.0.1.1;
    external:
	match-clients { any; };
	recursion no;	// don't offer recursion to the world
	notify-source 10.0.1.2;
	transfer-source 10.0.1.2;
	query-source address 10.0.1.2;

Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
    internal:
	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
	notify-source 10.0.1.3;
	transfer-source 10.0.1.3;
	query-source address 10.0.1.3;
    external:
	match-clients { any; };
	recursion no;	// don't offer recursion to the world
	notify-source 10.0.1.4;
	transfer-source 10.0.1.4;
	query-source address 10.0.1.4;</programlisting>
	</informalexample>
	<para>
	  You put the external address on the alias so that all the other
	  DNS clients on these boxes see the internal view by default.
	</para>
      </answer>
      <answer>
	<para>
	  BIND 9.3 and later: Use TSIG to select the appropriate view.
	</para>
	<informalexample>
	  <programlisting>
Master 10.0.1.1:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};
	view "internal" {
		match-clients { !key external; // reject messages meant for the
					       // external view.
				10.0.1/24; };  // accept from these addresses.
		...
	};
	view "external" {
		match-clients { key external; any; };
		server 10.0.1.2 { keys external; };  // tag messages from the
						     // external view to the
						     // other servers for the
						     // view.
		recursion no;
		...
	};

Slave 10.0.1.2:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};
	view "internal" {
		match-clients { !key external; 10.0.1/24; };
		...
	};
	view "external" {
		match-clients { key external; any; };
		server 10.0.1.1 { keys external; };
		recursion no;
		...
	};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get error messages like <quote>multiple RRs of singleton type</quote>
	  and <quote>CNAME and other data</quote> when transferring a zone.  What
	  does this mean?
	</para>
      </question>
      <answer>
	<para>
	  These indicate a malformed master zone.  You can identify
	  the exact records involved by transferring the zone using
	  dig, then running named-checkzone on it.
	</para>
	<informalexample>
	  <programlisting>
dig axfr example.com @master-server &gt; tmp
named-checkzone example.com tmp</programlisting>
	</informalexample>
	<para>
	  A CNAME record cannot exist with the same name as another record
	  except for the DNSSEC records which prove its existence (NSEC).
	</para>
	<para>
	  RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
	  no other data should be present; this ensures that the data for a
	  canonical name and its aliases cannot be different.  This rule also
	  insures that a cached CNAME can be used without checking with an
	  authoritative server for other RR types.</quote>
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get error messages like <quote>named.conf:99: unexpected end
	  of input</quote> where 99 is the last line of named.conf.
	</para>
      </question>
      <answer>
	<para>
	  There are unbalanced quotes in named.conf.
	</para>
      </answer>
      <answer>
	<para>
	  Some text editors (notepad and wordpad) fail to put a line
	  termination indication (e.g. CR/LF) on the last line of a
	  text file.  This can be fixed by "adding" a blank line to
	  the end of the file.  Named expects to see EOF immediately
	  after EOL and treats text files where this is not met as
	  truncated.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  How do I share a dynamic zone between multiple views?
	</para>
      </question>
      <answer>
	<para>
	  You choose one view to be master and the second a slave and
	  transfer the zone between views.
	</para>
	<informalexample>
	  <programlisting>
Master 10.0.1.1:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};

	key "mykey" {
		algorithm hmac-sha256;
		secret "yyyyyyyyyyyyyyyyyyyyyyyy";
	};

	view "internal" {
		match-clients { !key external; 10.0.1/24; };
		server 10.0.1.1 {
			/* Deliver notify messages to external view. */
			keys { external; };
		};
		zone "example.com" {
			type master;
			file "internal/example.db";
			allow-update { key mykey; };
			also-notify { 10.0.1.1; };
		};
	};

	view "external" {
		match-clients { key external; any; };
		zone "example.com" {
			type slave;
			file "external/example.db";
			masters { 10.0.1.1; };
			transfer-source 10.0.1.1;
			// allow-update-forwarding { any; };
			// allow-notify { ... };
		};
	};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get an error message like <quote>zone wireless.ietf56.ietf.org/IN:
	  loading master file primaries/wireless.ietf56.ietf.org: no
	  owner</quote>.
	</para>
      </question>
      <answer>
	<para>
	  This error is produced when a line in the master file
	  contains leading white space (tab/space) but there is no
	  current record owner name to inherit the name from.  Usually
	  this is the result of putting white space before a comment,
	  forgetting the "@" for the SOA record, or indenting the master
	  file.
	</para>
      </answer>
    </qandaentry>
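<para>
  Added example (not part of the ISC FAQ; named-checkzone is the real tool)
  that reproduces three of the master-file checks described in the entries
  above: a first record with neither a $TTL directive nor an explicit TTL
  (<quote>no TTL specified</quote>), a TXT record with a missing close quote
  (<quote>ran out of space</quote>), and a line with leading white space
  before any owner name has been seen (<quote>no owner</quote>).  The zone
  texts are constructed for illustration.
</para>

```python
# named's own wording for each problem, as quoted in the FAQ entries.
NAMED_MESSAGE = {
    "no-ttl": "no TTL specified - using SOA MINTTL instead",
    "no-owner": "no owner",
    "unbalanced-quotes": "ran out of space",
}


def strip_comment(line):
    """Drop a ';' comment, ignoring semicolons inside double-quoted strings."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def lint_zone(text):
    """Return [(line_number, problem_code), ...] for a master file's text."""
    problems = []
    have_ttl_directive = False   # $TTL seen before the first record
    owner = None                 # current owner name to inherit
    seen_record = False
    depth = 0                    # open '(' count of a multi-line record
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if depth > 0:            # continuation of a parenthesised record
            depth += raw.count("(") - raw.count(")")
            continue
        # Leading white space (even before a comment) inherits the previous
        # owner name; with none yet, named reports "no owner".
        if raw[0] in " \t" and owner is None:
            problems.append((lineno, "no-owner"))
            continue
        line = strip_comment(raw)
        if line.count('"') % 2:
            problems.append((lineno, "unbalanced-quotes"))
            continue
        depth += line.count("(") - line.count(")")
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            have_ttl_directive = True
            continue
        if line.startswith("$"):
            continue             # $ORIGIN, $INCLUDE etc. not modelled here
        fields = line.split()
        if raw[0] not in " \t":
            owner = fields.pop(0)
        # Remaining fields: [TTL] [class] type rdata...; a leading number is a TTL.
        if not seen_record:
            seen_record = True
            if not have_ttl_directive and not (fields and fields[0].isdigit()):
                problems.append((lineno, "no-ttl"))
    return problems


# Constructed sample zones.
GOOD_ZONE = """$TTL 86400
@ IN SOA ns.example.com. hostmaster.example.com. (
        1 3600 1800 1814400 3600 )
  IN NS ns.example.com.
ns IN A 192.0.2.1
"""
NO_TTL_ZONE = """example.com. IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
  IN NS ns
"""
INDENTED_ZONE = """  ; comment indented before the first record
$TTL 86400
  IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
"""
BAD_TXT_ZONE = """$TTL 86400
@ IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
@ IN TXT "v=spf1 -all
@ IN TXT "ok"
"""

if __name__ == "__main__":
    for name, zone in [("good", GOOD_ZONE), ("no-ttl", NO_TTL_ZONE),
                       ("indented", INDENTED_ZONE), ("bad-txt", BAD_TXT_ZONE)]:
        for lineno, code in lint_zone(zone):
            print(f"{name}:{lineno}: {NAMED_MESSAGE[code]}")
```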

    <qandaentry>
      <question>
	<para>
	  Why are my logs in GMT (UTC)?
	</para>
      </question>
      <answer>
	<para>
	  You are running chrooted (-t) and have not supplied local timezone
	  information in the chroot area.
	</para>
	<simplelist>
	  <member>FreeBSD: /etc/localtime</member>
	  <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
	  <member>OSF: /etc/zoneinfo/localtime</member>
	</simplelist>
	<para>
	  See also tzset(3) and zic(8).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get <quote>rndc: connect failed: connection refused</quote> when
	  I try to run rndc.
	</para>
      </question>
      <answer>
	<para>
	  This is usually a configuration error.
	</para>
	<para>
	  First ensure that named is running and no errors are being
	  reported at startup (/var/log/messages or equivalent).
	  Running "named -g &lt;usual arguments&gt;" from a terminal
	  can help at this point.
	</para>
	<para>
	  Secondly, ensure that named is configured to use rndc either
	  by "rndc-confgen -a", rndc-confgen or manually.  The
	  Administrator Reference Manual has details on how to do
	  this.
	</para>
	<para>
	  Old versions of rndc-confgen used localhost rather than
	  127.0.0.1 in /etc/rndc.conf for the default server.  Update
	  /etc/rndc.conf if necessary so that the default server
	  listed in /etc/rndc.conf matches the addresses used in
	  named.conf.  "localhost" has two addresses (127.0.0.1 and
	  ::1).
	</para>
	<para>
	  If you use "rndc-confgen -a" and named is running with -t or -u,
	  ensure that /etc/rndc.conf has the correct ownership and that
	  a copy is in the chroot area.  You can do this by re-running
	  "rndc-confgen -a" with appropriate -t and -u arguments.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
	  failed while receiving responses: permission denied</quote> error
	  messages.
	</para>
      </question>
      <answer>
	<para>
	  These indicate a filesystem permission error preventing
	  named creating / renaming the temporary file.  These will
	  usually also have other associated error messages like:
	</para>
	<informalexample>
	  <programlisting>
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
	</informalexample>
	<para>
	  Named needs write permission on the directory containing
	  the file.  Named writes the new cache file to a temporary
	  file then renames it to the name specified in named.conf
	  to ensure that the contents are always complete.  This is
	  to prevent named from loading a partial zone in the event of
	  a power failure or similar interrupting the write of the
	  master file.
	</para>
	<para>
	  Note that file names are relative to the directory specified in
	  options and any chroot directory ([&lt;chroot
	  dir&gt;/][&lt;options dir&gt;]).
	</para>
	<informalexample>
	  <para>
	    If named is invoked as "named -t /chroot/DNS" with
	    the following named.conf then "/chroot/DNS/var/named/sl"
	    needs to be writable by the user named is running as.
	  </para>
	  <programlisting>
options {
	directory "/var/named";
};

zone "example.net" {
	type slave;
	file "sl/example.net";
	masters { 192.168.4.12; };
};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I want to forward all DNS queries from my caching nameserver to
	  another server.  But there are some domains which have to be
	  served locally, via rbldnsd.
	</para>
	<para>
	  How do I achieve this?
	</para>
      </question>
      <answer>
        <programlisting>
options {
	forward only;
	forwarders { &lt;ip.of.primary.nameserver&gt;; };
};

zone "sbl-xbl.spamhaus.org" {
	type forward; forward only;
	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};

zone "list.dsbl.org" {
	type forward; forward only;
	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};
        </programlisting>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Can you help me understand how BIND 9 uses memory to store
	  DNS zones?
	</para>
	<para>
	  Sometimes it seems to take several times the amount of
	  memory it needs to store the zone.
	</para>
      </question>
      <answer>
	<para>
	  When reloading a zone, named may have multiple copies of
	  the zone in memory at one time: the zone it is serving
	  and the one it is loading.  If reloads are very fast it
	  can have more still.
	</para>
	<para>
	  e.g. the ones that are transferring out, the one that it is
	  serving and the one that is loading.
	</para>
	<para>
	  BIND 8 destroyed the zone before loading and also killed
	  off outgoing transfers of the zone.
	</para>
	<para>
	  The new strategy allows slaves to get copies of the new
	  zone regardless of how often the master is loaded compared
	  to the transfer time.  The slave might skip some intermediate
	  versions but the transfers will complete and it will keep
	  reasonably in sync with the master.
	</para>
	<para>
	  The new strategy also allows the master to recover from
	  syntax and other errors in the master file as it still
	  has an in-core copy of the old contents.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I want to use IPv6 locally but I don't have an external IPv6
	  connection.  External lookups are slow.
	</para>
      </question>
      <answer>
	<para>
	  You can use server clauses to stop named making external lookups
	  over IPv6.
	</para>
        <programlisting>
server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
server ::/0 { bogus yes; };
</programlisting>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Configuration and Setup Questions -->

    <qandadiv><title>Operations Questions</title>

    <qandaentry>
      <question>
	<para>
	  How do I change the nameservers for a zone?
	</para>
      </question>
      <answer>
	<para>
	  Step 1: Ensure all nameservers, new and old, are serving the
	  same zone content.
	</para>
	<para>
	  Step 2: Work out the maximum TTL of the NS RRset in the parent and child
	  zones.  This is the time it will take caches to be clear of a
	  particular version of the NS RRset.
	  If you are just removing nameservers you can skip to Step 6.
	</para>
	<para>
	  Step 3: Add new nameservers to the NS RRset for the zone and
	  wait until all the servers for the zone are answering with this
	  new NS RRset.
	</para>
	<para>
	  Step 4: Inform the parent zone of the new NS RRset then wait for all the
	  parent servers to be answering with the new NS RRset.
	</para>
	<para>
	  Step 5: Wait for caches to be clear of the old NS RRset.
	  See Step 2 for how long.
	  If you are just adding nameservers you are done.
	</para>
	<para>
	  Step 6: Remove any old nameservers from the zone's NS RRset and
	  wait for all the servers for the zone to be serving the new NS RRset.
	</para>
	<para>
	  Step 7: Inform the parent zone of the new NS RRset then wait for all the
	  parent servers to be answering with the new NS RRset.
	</para>
	<para>
	  Step 8: Wait for caches to be clear of the old NS RRset.
	  See Step 2 for how long.
	</para>
	<para>
	  Step 9: Turn off the old nameservers or remove the zone entry from
	  the configuration of the old nameservers.
	</para>
	<para>
	  Step 10: Increment the serial number and wait for the change to
	  be visible in all nameservers for the zone.  This ensures that
	  zone transfers are still working after the old servers are
	  decommissioned.
	</para>
	<para>
	  Note: the above procedure is designed to be transparent
	  to DNS clients.  Decommissioning the old servers too early
	  will result in some clients not being able to look up
	  answers in the zone.
	</para>
	<para>
	  Note: while it is possible to run the addition and removal
	  stages together it is not recommended.
	</para>
      </answer>
    </qandaentry>
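<para>
  Added example (not part of the ISC FAQ) for the waiting points in the
  procedure above: given the NS answer section each child and parent server
  returns (as "dig +norec example.com NS @server" would print), it reports
  which servers are still answering with a different NS RRset (Steps 3, 4,
  6 and 7) and the largest NS TTL seen, which is how long caches must be
  given to clear (Steps 2, 5 and 8).  Server names and answers are
  constructed; a real check would run dig against each server.
</para>

```python
import re

# Matches one NS record line of a dig answer section: owner TTL IN NS target.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")

# Constructed answers: both child servers already serve the new three-name
# RRset, while the parent's server still hands out the old two-name delegation.
NEW_NS = {"ns1.example.com.", "ns2.example.com.", "ns3.example.net."}
CHILD_ANSWER = """
;; ANSWER SECTION:
example.com.        86400   IN  NS  ns1.example.com.
example.com.        86400   IN  NS  ns2.example.com.
example.com.        86400   IN  NS  ns3.example.net.
"""
PARENT_ANSWER_OLD = """
;; AUTHORITY SECTION:
example.com.        172800  IN  NS  ns1.example.com.
example.com.        172800  IN  NS  ns2.example.com.
"""
ANSWERS = {
    "ns1.example.com": CHILD_ANSWER,
    "ns2.example.com": CHILD_ANSWER,
    "a.parent-server.example": PARENT_ANSWER_OLD,   # hypothetical parent server
}


def parse_ns_rrset(text):
    """Return (max TTL, frozenset of NS targets) from dig output lines."""
    max_ttl, targets = 0, set()
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            max_ttl = max(max_ttl, int(m.group(2)))
            targets.add(m.group(3).lower())
    return max_ttl, frozenset(targets)


def check_transition(expected_ns, answers_by_server):
    """Compare every server's NS RRset with the intended one.

    Returns (all_consistent, laggards, max_ttl): laggards are servers not yet
    answering with expected_ns; max_ttl is the longest NS TTL seen, i.e. the
    time to wait for caches to forget the old RRset once all servers agree."""
    expected = frozenset(n.lower() for n in expected_ns)
    laggards, max_ttl = [], 0
    for server, text in answers_by_server.items():
        ttl, rrset = parse_ns_rrset(text)
        max_ttl = max(max_ttl, ttl)
        if rrset != expected:
            laggards.append(server)
    return not laggards, sorted(laggards), max_ttl


if __name__ == "__main__":
    consistent, lagging, ttl = check_transition(NEW_NS, ANSWERS)
    if consistent:
        print(f"all servers agree; wait {ttl} seconds for caches to clear")
    else:
        print("still answering with a different NS RRset:", ", ".join(lagging))
```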
 765
 766    </qandadiv> <!-- Operations Questions -->
 767
 768    <qandadiv><title>General Questions</title>
 769	    
 770    <qandaentry>
 771      <question>
 772	<para>
 773	  I keep getting log messages like the following.  Why?
 774	</para>
 775	<para>
 776	  Dec  4 23:47:59 client 10.0.0.1#1355: updating zone
 777	  'example.com/IN': update failed: 'RRset exists (value
 778	  dependent)' prerequisite not satisfied (NXRRSET)
 779	</para>
 780      </question>
 781      <answer>
 782	<para>
 783	  DNS updates allow the update request to test to see if
 784	  certain conditions are met prior to proceeding with the
 785	  update.  The message above is saying that conditions were
 786	  not met and the update is not proceeding.  See doc/rfc/rfc2136.txt
 787	  for more details on prerequisites.
 788	</para>
 789      </answer>
 790    </qandaentry>
 791
 792    <qandaentry>
 793      <question>
 794	<para>
 795	  I keep getting log messages like the following.  Why?
 796	</para>
 797	<para>
 798	  Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
 799	</para>
 800      </question>
 801      <answer>
 802	<para>
 803	  Someone is trying to update your DNS data using the RFC2136
 804	  Dynamic Update protocol.  Windows 2000 machines have a habit
 805	  of sending dynamic update requests to DNS servers without
 806	  being specifically configured to do so.  If the update
 807	  requests are coming from a Windows 2000 machine, see
 808	  <ulink
 809	   url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
 810  &lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
 811	  for information about how to turn them off.
 812	</para>
 813      </answer>
 814    </qandaentry>
 815	    
 816    <qandaentry>
 817      <question>
 818	<para>
 819	  When I do a "dig . ns", many of the A records for the root
 820	  servers are missing.  Why?
 821	</para>
 822      </question>
 823      <answer>
 824	<para>
 825	  This is normal and harmless.  It is a somewhat confusing
 826	  side effect of the way BIND 9 does RFC2181 trust ranking
 827	  and of the efforts BIND 9 makes to avoid promoting glue
 828	  into answers.
 829	</para>
 830	<para>
 831	 When BIND 9 first starts up and primes its cache, it receives
 832	 the root server addresses as additional data in an authoritative
 833	 response from a root server, and these records are eligible
 834	 for inclusion as additional data in responses.  Subsequently
 835	 it receives a subset of the root server addresses as
 836	 additional data in a non-authoritative (referral) response
 837	 from a root server.  This causes the addresses to now be
 838	 considered non-authoritative (glue) data, which is not
 839	 eligible for inclusion in responses.
 840	</para>
 841	<para>
 842	 The server does have a complete set of root server addresses
 843	 cached at all times, it just may not include all of them
 844	 as additional data, depending on whether they were last
 845	 received as answers or as glue.  You can always look up the
 846	 addresses with explicit queries like "dig a.root-servers.net A".
 847	</para>
 848      </answer>
 849    </qandaentry>
 850    
 851    <qandaentry>
 852      <question>
 853	<para>
 854	  Why don't my zones reload when I do an "rndc reload" or SIGHUP?
 855	</para>
 856      </question>
 857      <answer>
 858	<para>
 859	  A zone can be updated either by editing zone files and
 860	  reloading the server or by dynamic update, but not both.
 861	  If you have enabled dynamic update for a zone using the
 862	  "allow-update" option, you are not supposed to edit the
 863	  zone file by hand, and the server will not attempt to reload
 864	  it.
 865	</para>
 866      </answer>
 867    </qandaentry>
 868    
 869    <qandaentry>
 870      <question>
 871	<para>
 872	  Why is named listening on UDP port other than 53?
 873	</para>
 874      </question>
 875      <answer>
 876	<para>
 877	  Named uses a system selected port to make queries of other
 878	  nameservers.  This behaviour can be overridden by using
 879	  query-source to lock down the port and/or address.  See
 880	  also notify-source and transfer-source.
 881	</para>
 882      </answer>
 883    </qandaentry>
 884    
 885    <qandaentry>
 886      <question>
 887	<para>
 888	  I get warning messages like <quote>zone example.com/IN: refresh:
 889	  failure trying master 1.2.3.4#53: timed out</quote>.
 890	</para>
 891      </question>
 892      <answer>
 893	<para>
 894	Check that you can make UDP queries from the slave to the master
 895	</para>
 896	<informalexample>
 897	  <programlisting>
 898dig +norec example.com soa @1.2.3.4</programlisting>
 899	</informalexample>
 900	<para>
 901	  You could be generating queries faster than the slave can
	  cope with.  Lower the serial query rate.
	</para>
	<informalexample>
	  <programlisting>
serial-query-rate 5; // default 20</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I don't get RRSIGs returned when I use "dig +dnssec".
	</para>
      </question>
      <answer>
	<para>
	  You need to ensure DNSSEC is enabled (dnssec-enable yes;).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Can an NS record refer to a CNAME?
	</para>
      </question>
      <answer>
	<para>
	  No.  The rules for glue (copies of the *address* records
	  in the parent zones) and additional section processing do
	  not allow it to work.
	</para>
	<para>
	  You would have to add both the CNAME and address records
	  (A/AAAA) as glue to the parent zone and have CNAMEs be
	  followed when doing additional section processing to make
	  it work.  No nameserver implementation supports either of
	  these requirements.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  What does <quote>RFC 1918 response from Internet for
	  0.0.0.10.IN-ADDR.ARPA</quote> mean?
	</para>
      </question>
      <answer>
	<para>
	  If the IN-ADDR.ARPA name covered refers to an internal address
	  space you are using then you have failed to follow RFC 1918
	  usage rules and are leaking queries to the Internet.  You
	  should establish your own zones for these addresses to prevent
	  you querying the Internet's name servers for these addresses.
	  Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
	  for details of the problems you are causing and the counter
	  measures that have had to be deployed.
	</para>
	<para>
	  If you are not using these private addresses then a client
	  has queried for them.  You can just ignore the messages,
	  get the offending client to stop sending you these queries
	  as they are most probably leaking them, or set up your own
	  empty zones to serve answers to these queries.
	</para>
	<informalexample>
	  <programlisting>
zone "10.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

zone "16.172.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

...

zone "31.172.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

zone "168.192.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

empty:
@ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
	       1 3600 1200 604800 10800 )
@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
	</informalexample>
	<para>
	<note>
	  Future versions of named are likely to do this automatically.
	</note>
	</para>
      </answer>
    </qandaentry>
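As an added example (not code from the FAQ or from BIND), the Python below picks the warning out of constructed log lines, recovers the private address from the reversed IN-ADDR.ARPA name, and expands the zone list that the listing above abbreviates with "..." to all sixteen 172.16/12 zones; the server and contact names passed to it are placeholders.

```python
"""Spot leaking RFC 1918 reverse queries in named's log and list the empty
zones that stop them.  Added example, not part of the BIND FAQ; the log
lines are constructed, the message text is the one quoted in the question."""
import ipaddress
import re

# named reports the reverse-mapping owner name, e.g. 0.0.0.10.IN-ADDR.ARPA.
LOG_RE = re.compile(
    r"RFC 1918 response from Internet for (?P<name>[0-9.]+)\.IN-ADDR\.ARPA",
    re.IGNORECASE)

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name_to_address(name):
    """Map the labels of a (possibly partial) IN-ADDR.ARPA name back to an
    IPv4 address: "0.0.0.10" -> 10.0.0.0, "20.172" -> 172.20.0.0."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    if not 1 <= len(labels) <= 4 or not all(
            lab.isdigit() and int(lab) < 256 for lab in labels):
        raise ValueError("not an IN-ADDR.ARPA owner name: %r" % name)
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ipaddress.ip_address(".".join(octets))


def leaked_private_address(line):
    """Return the RFC 1918 address behind a log line, or None when the line
    is not such a warning or the address is not private."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    addr = reverse_name_to_address(m.group("name"))
    return addr if any(addr in net for net in RFC1918) else None


def empty_zone_names():
    """Reverse zones covering all of RFC 1918; spells out the 16.172 through
    31.172 zones elided with '...' in the FAQ listing."""
    zones = ["10.IN-ADDR.ARPA"]
    zones += ["%d.172.IN-ADDR.ARPA" % n for n in range(16, 32)]
    zones.append("168.192.IN-ADDR.ARPA")
    return zones


def empty_zone_config(server, contact):
    """Render the named.conf stanzas and the shared 'empty' zone file from the
    FAQ for the given (placeholder) name server and contact names."""
    stanzas = "".join('zone "%s" {\n\ttype master;\n\tfile "empty";\n};\n\n' % z
                      for z in empty_zone_names())
    zonefile = ("@ 10800 IN SOA %s. %s. (\n\t       1 3600 1200 604800 10800 )\n"
                "@ 10800 IN NS %s.\n" % (server, contact, server))
    return stanzas, zonefile


# Constructed sample log lines, not real server output.
SAMPLE_LOG = [
    "named[1234]: RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA",
    "named[1234]: RFC 1918 response from Internet for 5.20.172.IN-ADDR.ARPA",
    "named[1234]: client 192.0.2.7#53123: query: www.example.com IN A",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        addr = leaked_private_address(line)
        if addr is not None:
            print("leaked reverse query for private address", addr)
    stanzas, zonefile = empty_zone_config("ns1.example.com", "hostmaster.example.com")
    print(stanzas + "empty:\n" + zonefile)
```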

    <qandaentry>
      <question>
	<para>
	  Will named be affected by the 2007 changes to daylight saving
	  rules in the US?
	</para>
      </question>
      <answer>
	<para>
	  No, so long as the machine's internal clock (as reported
	  by "date -u") remains at UTC.  The only visible change
	  if you fail to upgrade your OS, if you are in an affected
	  area, will be that log messages will be an hour out during
	  the period where the old rules do not match the new rules.
	</para>
	<para>
	  For most OS's this change just means that you need to
	  update the conversion rules from UTC to local time.
	  Normally this involves updating a file in /etc (which
	  sets the default timezone for the machine) and possibly
	  a directory which has all the conversion rules for the
	  world (e.g. /usr/share/zoneinfo).  When updating the OS
	  do not forget to update any chroot areas as well.
	  See your OS's documentation for more details.
	</para>
	<para>
	  The local timezone conversion rules can also be set on
	  an individual basis by setting the TZ environment variable
	  appropriately.  See your OS's documentation for more
	  details.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Is there a bugzilla (or other tool) database that mere
	  mortals can have (read-only) access to for BIND?
	</para>
      </question>
      <answer>
	<para>
	  No.  The BIND 9 bug database is kept closed for a number
	  of reasons.  These include, but are not limited to, that
	  the database contains proprietary information from people
	  reporting bugs.  The database has in the past and may in
	  future contain unfixed bugs which are capable of bringing
	  down most of the Internet's DNS infrastructure.
	</para>
	<para>
	  The release pages for each version contain up to date
	  lists of bugs that have been fixed post release.  That
	  is as close as we can get to providing a bug database.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why do queries for NSEC3 records fail to return the NSEC3 record?
	</para>
      </question>
      <answer>
	<para>
	  NSEC3 records are strictly meta data and can only be
	  returned in the authority section.  This is done so that
	  signing the zone using NSEC3 records does not bring names
	  into existence that do not exist in the unsigned version
	  of the zone.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- General Questions -->

    <qandadiv><title>Operating-System Specific Questions</title>

    <qandadiv><title>HPUX</title>

    <qandaentry>
      <question>
	<para>I get the following error trying to configure BIND:
<programlisting>checking if unistd.h or sys/types.h defines fd_set... no
configure: error: need either working unistd.h or sys/select.h</programlisting>
	</para>
      </question>
      <answer>
	<para>
	  You have attempted to configure BIND with the bundled C compiler.
	  This compiler does not meet the minimum compiler requirements
	  for building BIND.  You need to install an ANSI C compiler and / or
	  teach configure how to find the ANSI C compiler.  The latter can
	  be done by adjusting the PATH environment variable and / or
	  specifying the compiler via CC.
	</para>
	<informalexample>
	  <programlisting>./configure CC=&lt;compiler&gt; ...</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    </qandadiv> <!-- HPUX -->

    <qandadiv><title>Linux</title>

    <qandaentry>
      <question>
	<para>
	  Why do I get the following errors:
<programlisting>general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
	</para>
      </question>
      <answer>
	<para>
	  This is the result of a Linux kernel bug.
	</para>
	<para>
	  See:
	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why does named lock up when it attempts to connect over IPSEC tunnels?
	</para>
      </question>
      <answer>
	<para>
	  This is due to a kernel bug where the fact that a socket is marked
	  non-blocking is ignored.  It is reported that setting
	  xfrm_larval_drop to 1 helps but this may have negative side effects.
	  See:
<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
	  and
<ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
	</para>
	<para>
	xfrm_larval_drop can be set to 1 by the following procedure:
<programlisting>
echo "1" &gt; /proc/sys/net/core/xfrm_larval_drop</programlisting>
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why do I see 5 (or more) copies of named on Linux?
	</para>
      </question>
      <answer>
	<para>
	  Linux threads each show up as a process under ps.  The
	  approximate number of threads running is n+4, where n is
	  the number of CPUs.  Note that the amount of memory used
	  is not cumulative; if each process is using 10M of memory,
	  only a total of 10M is used.
	</para>
	<para>
	  Newer versions of Linux's ps command hide the individual threads
	  and require -L to display them.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why does BIND 9 log <quote>permission denied</quote> errors accessing
	  its configuration files or zones on my Linux system even
	  though it is running as root?
	</para>
      </question>
      <answer>
	<para>
	  On Linux, BIND 9 drops most of its root privileges on
	  startup.  This includes the privilege to open files owned
	  by other users.  Therefore, if the server is running as
	  root, the configuration files and zone files should also
	  be owned by root.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get the error message <quote>named: capset failed: Operation
	  not permitted</quote> when starting named.
	</para>
      </question>
      <answer>
	<para>
	  The capability module, part of "Linux Security Modules/LSM",
	  has not been loaded into the kernel.  See insmod(8), modprobe(8).
	</para>
	<para>
	  The relevant modules can be loaded by running:
<programlisting>
modprobe commoncap
modprobe capability</programlisting>
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
	</para>
	<para>
	  Why can't named update slave zone database files?
	</para>
	<para>
	  Why can't named create DDNS journal files or update
	  the master zones from journals?
	</para>
	<para>
	  Why can't named create custom log files?
	</para>
      </question>

      <answer>
	<para>
	  Red Hat Security Enhanced Linux (SELinux) policy security
	  protections:
	</para>

	<para>
	   Red Hat have adopted the National Security Agency's
	   SELinux security policy (see <ulink
   url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
	   and recommendations for BIND security, which are more
	   secure than running named in a chroot and make use of
	   the bind-chroot environment unnecessary.
	</para>

	<para>
	  By default, named is not allowed by the SELinux policy
	  to write, create or delete any files EXCEPT in these
	  directories:
	  <informalexample>
	    <programlisting>
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
	    </programlisting>
	  </informalexample>
	  where $ROOTDIR may be set in /etc/sysconfig/named if
	  bind-chroot is installed.
	</para>

	<para>
	  The SELinux policy particularly does NOT allow named to modify
	  the $ROOTDIR/var/named directory, the default location for master
	  zone database files.
	</para>

	<para>
	  SELinux policy overrules file access permissions - so
	  even if all the files under /var/named have ownership
	  named:named and mode rw-rw-r--, named will still not be
	  able to write or create files except in the directories
	  above, with SELinux in Enforcing mode.
	</para>

	<para>
	  So, to allow named to update slave or DDNS zone files,
	  it is best to locate them in $ROOTDIR/var/named/slaves,
	  with named.conf zone statements such as:
	  <informalexample>
	    <programlisting>
zone "slave.zone." IN {
	type slave;
	file "slaves/slave.zone.db";
	...
};
zone "ddns.zone." IN  {
	type master;
	allow-update {...};
	file "slaves/ddns.zone.db";
};
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  To allow named to create its cache dump and statistics
	  files, for example, you could use named.conf options
	  statements such as:
	  <informalexample>
	    <programlisting>
options {
	...
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	...
};
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  You can also tell SELinux to allow named to update any
	  zone database files, by setting the SELinux tunable boolean
	  parameter 'named_write_master_zones=1', using the
	  system-config-securitylevel GUI, using the 'setsebool'
	  command, or in /etc/selinux/targeted/booleans.
	</para>

	<para>
	  You can disable SELinux protection for named entirely by
	  setting the 'named_disable_trans=1' SELinux tunable boolean
	  parameter.
	</para>

	<para>
	  The SELinux named policy defines these SELinux contexts for named:
	  <informalexample>
	    <programlisting>
named_zone_t : for zone database files       - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  If you want to retain use of the SELinux policy for named,
	  and put named files in different locations, you can do
	  so by changing the context of the custom file locations.
	</para>

	<para>
	  To create a custom configuration file location, e.g.
	  '/root/named.conf', to use with the 'named -c' option,
	  do:
	  <informalexample>
	    <programlisting>
# chcon system_u:object_r:named_conf_t /root/named.conf
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  To create a custom modifiable named data location, e.g.
	  '/var/log/named' for a log file, do:
	  <informalexample>
	    <programlisting>
# chcon system_u:object_r:named_cache_t /var/log/named
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  To create a custom zone file location, e.g. /root/zones/, do:
	  <informalexample>
	    <programlisting>
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
	    </programlisting>
	  </informalexample>
	</para>

	<para>
	  See these man-pages for more information: selinux(8),
	  named_selinux(8), chcon(1), setsebool(8)
	</para>
      </answer>
    </qandaentry>
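Before reaching for setsebool or chcon, it helps to know which zones are actually affected. The Python below is an added example, not part of the FAQ or of the SELinux policy: it walks a constructed named.conf, picks out the zones named must write (slave zones and masters with allow-update) and reports those whose file falls outside the three directories listed above; $ROOTDIR is passed in as rootdir.

```python
"""Flag named.conf zones that named must write but that sit outside the
directories the Red Hat SELinux policy lets named modify.  Added example,
not part of the BIND FAQ or the SELinux policy; the config is constructed."""
import os
import re

# Directories under $ROOTDIR labelled named_cache_t, i.e. writable by named.
WRITABLE_DIRS = ("var/named/slaves", "var/named/data", "var/tmp")
ZONE_HEAD_RE = re.compile(r'\bzone\s+"(?P<name>[^"]+)"[^{]*\{')
FILE_RE = re.compile(r'\bfile\s+"(?P<path>[^"]+)"')
DIR_RE = re.compile(r'\bdirectory\s+"(?P<path>[^"]+)"')


def zone_blocks(conf_text):
    """Yield (name, body) per zone statement, matching braces so nested clauses
    such as masters { ...; } stay in the body (braces inside comments or
    strings are not special-cased)."""
    for m in ZONE_HEAD_RE.finditer(conf_text):
        depth, i = 1, m.end()
        while i < len(conf_text) and depth:
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        yield m.group("name"), conf_text[m.end():i - 1]


def zone_needs_write(body):
    """Slave zones are rewritten on transfer; dynamic masters get journals."""
    return bool(re.search(r"\btype\s+slave\b", body)) or "allow-update" in body


def resolve_path(path, directory, rootdir):
    """A relative 'file' is relative to the options 'directory'; both live under $ROOTDIR."""
    full = path if os.path.isabs(path) else os.path.join(directory, path)
    return os.path.normpath(rootdir + full)


def selinux_write_violations(conf_text, rootdir=""):
    """Return [(zone, resolved file)] for zones named would write outside the
    SELinux-writable directories; an empty list means the layout fits the policy."""
    d = DIR_RE.search(conf_text)
    directory = d.group("path") if d else "/var/named"
    allowed = tuple(os.path.normpath(rootdir + "/" + w) + os.sep for w in WRITABLE_DIRS)
    violations = []
    for name, body in zone_blocks(conf_text):
        f = FILE_RE.search(body)
        if f is None or not zone_needs_write(body):
            continue
        full = resolve_path(f.group("path"), directory, rootdir)
        if not full.startswith(allowed):
            violations.append((name, full))
    return violations


# Constructed fragment: a correctly placed slave zone, a dynamic zone left in
# /var/named (its journal writes will be denied), and a static zone never written.
SAMPLE_CONF = '''
options { directory "/var/named"; };
zone "slave.zone." IN {
	type slave;
	masters { 192.0.2.1; };
	file "slaves/slave.zone.db";
};
zone "ddns.zone." IN {
	type master;
	allow-update { key "ddns-key"; };
	file "ddns.zone.db";
};
zone "static.zone." IN { type master; file "static.zone.db"; };
'''
```

Running `selinux_write_violations(SAMPLE_CONF)` reports only ddns.zone., whose file must move under slaves/ (or the policy boolean named_write_master_zones must be set) for dynamic updates to work.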

    <qandaentry>
      <question>
	<para>
	   I'm running BIND on Ubuntu -
	</para>
	<para>
	  Why can't named update slave zone database files?
	</para>
	<para>
	  Why can't named create DDNS journal files or update
	  the master zones from journals?
	</para>
	<para>
	  Why can't named create custom log files?
	</para>
      </question>
      <answer>
	<para>
	  Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
          &lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
	  addition to normal file system permissions to protect the system.
	</para>
	<para>
	  Adjust the paths to use those specified in /etc/apparmor.d/usr.sbin.named
	  or adjust /etc/apparmor.d/usr.sbin.named to allow named to write at the
	  location specified in named.conf.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Listening on individual IPv6 interfaces does not work.
	</para>
      </question>
      <answer>
	<para>
	  This is usually due to "/proc/net/if_inet6" not being available
	  in the chroot file system.  Mount another instance of "proc"
	  in the chroot file system.
	</para>
	<para>
	  This can be made permanent by adding a second instance to
	  /etc/fstab.
	  <informalexample>
	    <programlisting>
proc /proc           proc defaults 0 0
proc /var/named/proc proc defaults 0 0</programlisting>
	  </informalexample>
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Linux -->

    <qandadiv><title>Windows</title>

    <qandaentry>
      <question>
	<para>
	  Zone transfers from my BIND 9 master to my Windows 2000
	  slave fail.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This may be caused by a bug in the Windows 2000 DNS server
	  where DNS messages larger than 16K are not handled properly.
	  This can be worked around by setting the option "transfer-format
	  one-answer;".  Also check whether your zone contains domain
	  names with embedded spaces or other special characters,
	  like "John\032Doe\213s\032Computer", since such names have
	  been known to cause Windows 2000 slaves to incorrectly
	  reject the zone.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get <quote>Error 1067</quote> when starting named under Windows.
	</para>
      </question>
      <answer>
	<para>
	  This is the service manager saying that named exited.  You
	  need to examine the Application log in the EventViewer to
	  find out why.
	</para>
	<para>
	  Common causes are that you failed to create "named.conf"
	  (usually "C:\windows\dns\etc\named.conf") or failed to
	  specify the directory in named.conf.
	</para>
	<informalexample>
	  <programlisting>
options {
	directory "C:\windows\dns\etc";
};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Windows -->

    <qandadiv><title>FreeBSD</title>

    <qandaentry>
      <question>
	<para>
	  I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
	</para>
      </question>
      <answer>
	<para>
	  /dev/random is not configured.  Use rndcontrol(8) to tell
	  the kernel to use certain interrupts as a source of random
	  events.  You can make this permanent by setting rand_irqs
	  in /etc/rc.conf.
	</para>
	<informalexample>
	  <programlisting>
rand_irqs="3 14 15"</programlisting>
	</informalexample>
	<para>
	  See also
	  <ulink url="http://people.freebsd.org/~dougb/randomness.html">
	  &lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- FreeBSD -->

    <qandadiv><title>Solaris</title>

    <qandaentry>
      <question>
	<para>
	  How do I integrate BIND 9 and Solaris SMF?
	</para>
      </question>
      <answer>
	<para>
	  Sun has a blog entry describing how to do this.
	</para>
	<para>
	  <ulink
	  url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
	 &lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
	  </ulink>
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Solaris -->

    <qandadiv><title>Apple Mac OS X</title>

    <qandaentry>
      <question>
	<para>
	  How do I run BIND 9 on Apple Mac OS X?
	</para>
      </question>
      <answer>
	<para>
	 If you run Tiger (Mac OS X 10.4) or later then this is all you need to do:
	</para>
	<informalexample>
	  <programlisting>
% sudo rndc-confgen  > /etc/rndc.conf</programlisting>
	</informalexample>
	<para>
	  Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
	</para>
	<informalexample>
	  <programlisting>
key "rndc-key" {
	algorithm hmac-md5;
	secret "uvceheVuqf17ZwIcTydddw==";
};</programlisting>
	</informalexample>
	<para>
	  Then start the relevant service:
	</para>
	<informalexample>
	  <programlisting>
% sudo service org.isc.named start</programlisting>
	</informalexample>
	<para>
	  This is persistent upon a reboot, so you will have to do it only once.
	</para>
      </answer>

      <answer>
	<para>
	 Alternatively you can just generate /etc/rndc.key by running:
	</para>
	<informalexample>
	  <programlisting>
% sudo rndc-confgen -a</programlisting>
	</informalexample>
	<para>
	  Then start the relevant service:
	</para>
	<informalexample>
	  <programlisting>
% sudo service org.isc.named start</programlisting>
	</informalexample>
	<para>
	  Named will look for /etc/rndc.key when it starts if it
	  doesn't have a controls section or the existing controls are
	  missing keys sub-clauses.  This is persistent upon a
	  reboot, so you will have to do it only once.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Apple Mac OS X -->

    </qandadiv> <!-- Operating-System Specific Questions -->

  </qandaset>
</article>