/contrib/bind9/FAQ
https://bitbucket.org/freebsd/freebsd-head/

Frequently Asked Questions about BIND 9

Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium.

-----------------------------------------------------------------------

1. Compilation and Installation Questions

Q: I'm trying to compile BIND 9, and "make" is failing due to files not
   being found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not
   supported, and doesn't work. If you are using one of these, use normal
   make or gmake instead.

Q: Isn't "make install" supposed to generate a default named.conf?

A: Short Answer: No.

   Long Answer: There really isn't a default configuration which fits any
   site perfectly. There are lots of decisions that need to be made and
   there is no consensus on what the defaults should be. For example,
   FreeBSD uses /etc/namedb as the location where the configuration files
   for named are stored. Others use /var/named.

   What addresses to listen on? For a laptop on the move a lot you may
   only want to listen on the loopback interfaces.

   Who do you offer recursive service to? Is there a firewall to
   consider? If so, is it stateless or stateful? Are you directly on the
   Internet? Are you on a private network? Are you on a NAT'd network? The
   answers to all these questions change how you configure even a caching
   name server.

2. Configuration and Setup Questions

Q: Why does named log the warning message "no TTL specified - using SOA
   MINTTL instead"?

A: Your zone file is illegal according to RFC1035. It must either have a
   line like:

   $TTL 86400

   at the beginning, or the first record in it must have a TTL field, like
   the "86400" in this example:

   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
   file bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check
   that all TXT records containing quoted strings have both open and close
   quotes.

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version
   in the "options" section of named.conf. Note that doing this will not
   prevent attacks and may impede people trying to diagnose problems with
   your server. Also, it is possible to "fingerprint" nameservers to
   determine their version. You can check what your server reveals with
   "dig @<server> version.bind chaos txt".

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups, as the internal
   view that holds the version information will be matched last (views
   are matched in the order they appear in named.conf, so this view must
   come first). The caveats of the previous answer still apply, of course.

   view "chaos" chaos {
           match-clients { <those to be refused>; };
           allow-query { none; };
           zone "." {
                   type hint;
                   file "/dev/null";  // or any empty file
           };
   };

Q: What do "no source of entropy found" or "could not open entropy source
   foo" mean?

A: The server requires a source of entropy to perform certain operations,
   mostly DNSSEC related. These messages indicate that you have no source
   of entropy. On systems with /dev/random or an equivalent, it is used by
   default. A source of entropy can also be defined using the
   random-device option in named.conf.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone
   transfers. I'm sure I have the keys set up correctly, but the server is
   rejecting the TSIG. Why?

A: This may be a clock skew problem. Check that the clocks on the
   client and server are properly synchronised (e.g., using ntp). The
   TSIG signature covers the signer's timestamp, and the receiver rejects
   it with BADTIME if that timestamp is more than the fudge value (300
   seconds by default) away from its own clock.
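   The following Python program is an added illustration of the clock
   skew failure and is not part of the FAQ or of BIND. It implements a
   simplified TSIG: the MAC is an HMAC-SHA256 over the message plus the
   48-bit "time signed" and 16-bit fudge fields (the real RFC 2845 digest
   also covers the key name, class, TTL, algorithm, error and other-data
   fields), and the verifier applies the checks in the order the RFC
   requires: a bad MAC gives BADSIG, and a valid MAC whose timestamp is
   more than fudge seconds from the verifier's clock gives BADTIME. The
   secret, message and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: a real TSIG secret is the base64 value from the
# key statement in named.conf and must be identical on both hosts.
KEY_SECRET = b"constructed-example-secret-do-not-deploy"
FUDGE = 300  # seconds; BIND's default TSIG fudge


def tsig_mac(message, time_signed, fudge, secret):
    """HMAC-SHA256 over the message plus the TSIG timer fields.

    Simplified from RFC 2845: the real digest also covers the key name,
    class, TTL, algorithm name, error and other-data fields.
    """
    # 48-bit "time signed" followed by 16-bit fudge, both network byte order
    timers = struct.pack("!Q", time_signed)[2:] + struct.pack("!H", fudge)
    return hmac.new(secret, message + timers, hashlib.sha256).digest()


def sign(message, now=None):
    """Client side: stamp the message with the client's clock and MAC it."""
    t = int(time.time()) if now is None else now
    return {"time_signed": t, "fudge": FUDGE,
            "mac": tsig_mac(message, t, FUDGE, KEY_SECRET)}


def verify(message, tsig, now=None):
    """Server side: return the TSIG error name named would log."""
    expected = tsig_mac(message, tsig["time_signed"], tsig["fudge"], KEY_SECRET)
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"   # wrong key or altered message
    t = int(time.time()) if now is None else now
    if abs(t - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"  # clocks differ by more than fudge: the clock skew case
    return "NOERROR"


if __name__ == "__main__":
    msg = b"constructed UPDATE: add www.example.com. 3600 IN A 192.0.2.10"
    signed = sign(msg, now=1_700_000_000)
    for skew in (0, 299, 301, -3600):
        print(f"server clock off by {skew:+d}s -> "
              f"{verify(msg, signed, now=1_700_000_000 + skew)}")
```

   Because the timestamp is inside the MAC, an attacker cannot simply
   rewrite it to make a replayed message current, which is why the fudge
   window is kept small and why a few minutes of skew between two
   correctly keyed hosts is enough to break TSIG.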
 97
 98Q: I see a log message like the following. Why?
 99
100   couldn't open pid file '/var/run/named.pid': Permission denied
101
102A: You are most likely running named as a non-root user, and that user
103   does not have permission to write in /var/run. The common ways of
104   fixing this are to create a /var/run/named directory owned by the named
105   user and set pid-file to "/var/run/named/named.pid", or set pid-file to
106   "named.pid", which will put the file in the directory specified by the
107   directory option (which, in this case, must be writable by the named
108   user).
109
110Q: I can query the nameserver from the nameserver but not from other
111   machines. Why?
112
113A: This is usually the result of the firewall configuration stopping the
114   queries and / or the replies.
115
116Q: How can I make a server a slave for both an internal and an external
117   view at the same time? When I tried, both views on the slave were
118   transferred from the same view on the master.
119
120A: You will need to give the master and slave multiple IP addresses and
121   use those to make sure you reach the correct view on the other machine.
122
123   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
124       internal:
125           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
126                   notify-source 10.0.1.1;
127                   transfer-source 10.0.1.1;
128                   query-source address 10.0.1.1;
129       external:
130           match-clients { any; };
131           recursion no;   // don't offer recursion to the world
132           notify-source 10.0.1.2;
133           transfer-source 10.0.1.2;
134           query-source address 10.0.1.2;
135
136   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
137       internal:
138           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
139           notify-source 10.0.1.3;
140           transfer-source 10.0.1.3;
141           query-source address 10.0.1.3;
142      external:
143           match-clients { any; };
144           recursion no;   // don't offer recursion to the world
145           notify-source 10.0.1.4;
146           transfer-source 10.0.1.4;
147           query-source address 10.0.1.4;
148
149   You put the external address on the alias so that all the other dns
150   clients on these boxes see the internal view by default.
151
152A: BIND 9.3 and later: Use TSIG to select the appropriate view.
153
154   Master 10.0.1.1:
155           key "external" {
156                   algorithm hmac-sha256;
157                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
158           };
159           view "internal" {
160                   match-clients { !key external; // reject message ment for the
161                                                  // external view.
162                                   10.0.1/24; };  // accept from these addresses.
163                   ...
164           };
165           view "external" {
166                   match-clients { key external; any; };
167                   server 10.0.1.2 { keys external; };  // tag messages from the
168                                                        // external view to the
169                                                        // other servers for the
170                                                        // view.
171                   recursion no;
172                   ...
173           };
174
175   Slave 10.0.1.2:
176           key "external" {
177                   algorithm hmac-sha256;
178                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
179           };
180           view "internal" {
181                   match-clients { !key external; 10.0.1/24; };
182                   ...
183           };
184           view "external" {
185                   match-clients { key external; any; };
186                   server 10.0.1.1 { keys external; };
187                   recursion no;
188                   ...
189           };
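   Both answers above depend on the same rule: a match-clients ACL is
   evaluated element by element and the first element that matches
   decides, with a negated element ("!key external", "!10.0.1.2") meaning
   "this ACL does not match". The following Python program is an added
   illustration of that rule and is not part of the FAQ or of BIND; it
   models only the three element kinds used above (address prefix, "key
   name", "any"), IPv4 only, and encodes the two views from the TSIG
   answer in declaration order. The bind_prefix helper, which expands
   BIND's short "10.0.1/24" form, is an assumption made for the example.

```python
import ipaddress


def bind_prefix(text):
    """Expand BIND's short prefix form ("10.0.1/24") into one ipaddress accepts (IPv4 only)."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))


def acl(*elements):
    """Parse ACL elements as written in named.conf, keeping their order."""
    parsed = []
    for element in elements:
        negated = element.startswith("!")
        body = element.lstrip("!").strip()
        if body == "any":
            parsed.append((negated, "any", None))
        elif body.startswith("key "):
            parsed.append((negated, "key", body[4:].strip()))
        else:
            parsed.append((negated, "net", bind_prefix(body)))
    return parsed


def acl_allows(elements, client_ip, key_name=None):
    """First element that matches decides: negated => no match, otherwise => match."""
    ip = ipaddress.ip_address(client_ip)
    for negated, kind, value in elements:
        if kind == "any":
            hit = True
        elif kind == "key":
            hit = key_name is not None and key_name == value
        else:
            hit = ip in value
        if hit:
            return not negated
    return False  # nothing matched: the ACL does not match


# The two views from the TSIG answer, in declaration order.
VIEWS = [
    ("internal", acl("!key external", "10.0.1/24")),
    ("external", acl("key external", "any")),
]


def select_view(client_ip, key_name=None):
    """Return the name of the first view whose match-clients ACL matches, as named does."""
    for name, elements in VIEWS:
        if acl_allows(elements, client_ip, key_name):
            return name
    return None


if __name__ == "__main__":
    for client, key in [("10.0.1.2", "external"), ("10.0.1.5", None),
                        ("10.0.1.5", "other"), ("198.51.100.7", None)]:
        print(f"{client:14} key={key!s:9} -> {select_view(client, key)}")
```

   Run it and a 10.0.1/24 host that signs with "external" lands in the
   external view even though its address would match the internal view,
   while the same host without that key (or with a different key) stays
   internal. Swapping the two elements in the internal view would make
   10.0.1/24 match first and silently defeat the key-based selection,
   which is the mistake this ordering is designed to avoid.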
190
191Q: I get error messages like "multiple RRs of singleton type" and "CNAME
192   and other data" when transferring a zone. What does this mean?
193
194A: These indicate a malformed master zone. You can identify the exact
195   records involved by transferring the zone using dig then running
196   named-checkzone on it.
197
198   dig axfr example.com @master-server > tmp
199   named-checkzone example.com tmp
200
201   A CNAME record cannot exist with the same name as another record except
202   for the DNSSEC records which prove its existence (NSEC).
203
204   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
205   data should be present; this ensures that the data for a canonical name
206   and its aliases cannot be different. This rule also insures that a
207   cached CNAME can be used without checking with an authoritative server
208   for other RR types."
209
210Q: I get error messages like "named.conf:99: unexpected end of input"
211   where 99 is the last line of named.conf.
212
213A: There are unbalanced quotes in named.conf.
214
215A: Some text editors (notepad and wordpad) fail to put a line title
216   indication (e.g. CR/LF) on the last line of a text file. This can be
217   fixed by "adding" a blank line to the end of the file. Named expects to
218   see EOF immediately after EOL and treats text files where this is not
219   met as truncated.
220
221Q: How do I share a dynamic zone between multiple views?
222
223A: You choose one view to be master and the second a slave and transfer
224   the zone between views.
225
226   Master 10.0.1.1:
227           key "external" {
228                   algorithm hmac-sha256;
229                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
230           };
231
232           key "mykey" {
233                   algorithm hmac-sha256;
234                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
235           };
236
237           view "internal" {
238                   match-clients { !key external; 10.0.1/24; };
239                   server 10.0.1.1 {
240                           /* Deliver notify messages to external view. */
241                           keys { external; };
242                   };
243                   zone "example.com" {
244                           type master;
245                           file "internal/example.db";
246                           allow-update { key mykey; };
247                           also-notify { 10.0.1.1; };
248                   };
249           };
250
251           view "external" {
252                   match-clients { key external; any; };
253                   zone "example.com" {
254                           type slave;
255                           file "external/example.db";
256                           masters { 10.0.1.1; };
257                           transfer-source 10.0.1.1;
258                           // allow-update-forwarding { any; };
259                           // allow-notify { ... };
260                   };
261           };
262
263Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
264   master file primaries/wireless.ietf56.ietf.org: no owner".
265
266A: This error is produced when a line in the master file contains leading
267   white space (tab/space) but the is no current record owner name to
268   inherit the name from. Usually this is the result of putting white
269   space before a comment, forgetting the "@" for the SOA record, or
270   indenting the master file.
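   Three of the master file problems described in this section (no $TTL
   and no TTL on the first record, an unterminated quoted string in a TXT
   record, and leading white space before any owner name has been seen)
   can be caught before named ever loads the file. The following Python
   program is an added example of such a pre-flight check and is not part
   of the FAQ or of BIND; it is a deliberately small linter, not a full
   master file parser (it handles ( ) continuations and ';' comments,
   including ';' inside quoted strings, but not $INCLUDE, $ORIGIN or
   $GENERATE), and the two sample zone files are constructed for the
   example.

```python
def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted string such as TXT data."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def lint_zone(text):
    """Return [(line_no, message), ...] for the three master-file faults described above."""
    findings = []
    have_ttl = False    # a $TTL directive has been seen
    owner = None        # owner name that indented lines inherit
    first_rr = True     # without $TTL the first RR must carry its own TTL
    in_parens = False   # inside a ( ... ) continuation, e.g. a multi-line SOA
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.count('"') % 2:
            findings.append((n, "unbalanced quotes (named fails with 'ran out of space')"))
            continue
        if not raw.strip():
            continue
        line = strip_comment(raw)
        if in_parens:
            in_parens = ")" not in line
            continue
        if "(" in line and ")" not in line:
            in_parens = True
        if raw[0] in " \t" and owner is None:
            findings.append((n, "no owner: leading white space but no owner name to inherit"))
            continue
        if not line.strip():
            continue  # comment-only line after an owner is known: harmless
        fields = line.split()
        if line.startswith("$"):
            have_ttl = have_ttl or fields[0] == "$TTL"
            continue
        if raw[0] not in " \t":
            owner, fields = fields[0], fields[1:]
        # RFC 1035 allows [TTL] [class] in either order before the type
        has_ttl = any(f.isdigit() for f in fields[:2])
        if first_rr and not have_ttl and not has_ttl:
            findings.append((n, "no TTL specified and no $TTL directive (SOA MINTTL would be used)"))
        first_rr = False
    return findings


# Constructed sample files (not from the FAQ): one clean, one with all three faults.
GOOD_ZONE = """$TTL 86400
@  IN SOA ns.example.com. hostmaster.example.com. (
        1 3600 1800 1814400 3600 )
   IN NS ns.example.com.
ns IN A 192.0.2.1
www IN TXT "v=spf1 -all"
"""

BAD_ZONE = """   ; indented comment before any owner name
   IN NS ns.example.com.
example.com. IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
www 3600 IN TXT "missing close quote
"""

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(name, lint_zone(zone) or "clean")
```

   named-checkzone remains the authoritative check; the value of a script
   like this is that it reports every fault in one pass, whereas named
   stops at the first "no owner" line.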
271
272Q: Why are my logs in GMT (UTC).
273
274A: You are running chrooted (-t) and have not supplied local timezone
275   information in the chroot area.
276
277   FreeBSD: /etc/localtime
278   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
279   OSF: /etc/zoneinfo/localtime
280
281   See also tzset(3) and zic(8).
282
283Q: I get "rndc: connect failed: connection refused" when I try to run
284   rndc.
285
286A: This is usually a configuration error.
287
288   First ensure that named is running and no errors are being reported at
289   startup (/var/log/messages or equivalent). Running "named -g <usual
290   arguments>" from a title can help at this point.
291
292   Secondly ensure that named is configured to use rndc either by
293   "rndc-confgen -a", rndc-confgen or manually. The Administrators
294   Reference manual has details on how to do this.
295
296   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
297   etc/rndc.conf for the default server. Update /etc/rndc.conf if
298   necessary so that the default server listed in /etc/rndc.conf matches
299   the addresses used in named.conf. "localhost" has two address
300   (127.0.0.1 and ::1).
301
302   If you use "rndc-confgen -a" and named is running with -t or -u ensure
303   that /etc/rndc.conf has the correct ownership and that a copy is in the
304   chroot area. You can do this by re-running "rndc-confgen -a" with
305   appropriate -t and -u arguments.
306
307Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
308   receiving responses: permission denied" error messages.
309
310A: These indicate a filesystem permission error preventing named creating
311   / renaming the temporary file. These will usually also have other
312   associated error messages like
313
314   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
315
316   Named needs write permission on the directory containing the file.
317   Named writes the new cache file to a temporary file then renames it to
318   the name specified in named.conf to ensure that the contents are always
319   complete. This is to prevent named loading a partial zone in the event
320   of power failure or similar interrupting the write of the master file.
321
322   Note file names are relative to the directory specified in options and
323   any chroot directory ([<chroot dir>/][<options dir>]).
324
325   If named is invoked as "named -t /chroot/DNS" with the following
326   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
327   user named is running as.
328
329   options {
330           directory "/var/named";
331   };
332
333   zone "example.net" {
334           type slave;
335           file "sl/example.net";
336           masters { 192.168.4.12; };
337   };
338
339Q: I want to forward all DNS queries from my caching nameserver to another
340   server. But there are some domains which have to be served locally, via
341   rbldnsd.
342
343   How do I achieve this ?
344
345A: options {
346           forward only;
347           forwarders { <ip.of.primary.nameserver>; };
348   };
349
350   zone "sbl-xbl.spamhaus.org" {
351           type forward; forward only;
352           forwarders { <ip.of.rbldns.server> port 530; };
353   };
354
355   zone "list.dsbl.org" {
356           type forward; forward only;
357           forwarders { <ip.of.rbldns.server> port 530; };
358   };
359
360
361Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
362
363   Some times it seems to take several times the amount of memory it needs
364   to store the zone.
365
366A: When reloading a zone named my have multiple copies of the zone in
367   memory at one time. The zone it is serving and the one it is loading.
368   If reloads are ultra fast it can have more still.
369
370   e.g. Ones that are transferring out, the one that it is serving and the
371   one that is loading.
372
373   BIND 8 destroyed the zone before loading and also killed off outgoing
374   transfers of the zone.
375
376   The new strategy allows slaves to get copies of the new zone regardless
377   of how often the master is loaded compared to the transfer time. The
378   slave might skip some intermediate versions but the transfers will
379   complete and it will keep reasonably in sync with the master.
380
381   The new strategy also allows the master to recover from syntax and
382   other errors in the master file as it still has an in-core copy of the
383   old contents.
384
385Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
386   External lookups are slow.
387
388A: You can use server clauses to stop named making external lookups over
389   IPv6.
390
391   server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
392   server ::/0 { bogus yes; };
393
3943. Operations Questions
395
396Q: How to change the nameservers for a zone?
397
398A: Step 1: Ensure all nameservers, new and old, are serving the same zone
399   content.
400
401   Step 2: Work out the maximum TTL of the NS RRset in the parent and
402   child zones. This is the time it will take caches to be clear of a
403   particular version of the NS RRset. If you are just removing
404   nameservers you can skip to Step 6.
405
406   Step 3: Add new nameservers to the NS RRset for the zone and wait until
407   all the servers for the zone are answering with this new NS RRset.
408
409   Step 4: Inform the parent zone of the new NS RRset then wait for all
410   the parent servers to be answering with the new NS RRset.
411
412   Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
413   how long. If you are just adding nameservers you are done.
414
415   Step 6: Remove any old nameservers from the zones NS RRset and wait for
416   all the servers for the zone to be serving the new NS RRset.
417
418   Step 7: Inform the parent zone of the new NS RRset then wait for all
419   the parent servers to be answering with the new NS RRset.
420
421   Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
422   how long.
423
424   Step 9: Turn off the old nameservers or remove the zone entry from the
425   configuration of the old nameservers.
426
427   Step 10: Increment the serial number and wait for the change to be
428   visible in all nameservers for the zone. This ensures that zone
429   transfers are still working after the old servers are decommissioned.
430
431   Note: the above procedure is designed to be transparent to dns clients.
432   Decommissioning the old servers too early will result in some clients
433   not being able to look up answers in the zone.
434
435   Note: while it is possible to run the addition and removal stages
436   together it is not recommended.
437
4384. General Questions
439
440Q: I keep getting log messages like the following. Why?
441
442   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
443   update failed: 'RRset exists (value dependent)' prerequisite not
444   satisfied (NXRRSET)
445
446A: DNS updates allow the update request to test to see if certain
447   conditions are met prior to proceeding with the update. The message
448   above is saying that conditions were not met and the update is not
449   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
450
451Q: I keep getting log messages like the following. Why?
452
453   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
454
455A: Someone is trying to update your DNS data using the RFC2136 Dynamic
456   Update protocol. Windows 2000 machines have a habit of sending dynamic
457   update requests to DNS servers without being specifically configured to
458   do so. If the update requests are coming from a Windows 2000 machine,
459   see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
460   for information about how to turn them off.
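   The two messages quoted above are the ones worth watching in an
   authoritative server's log: "update denied" shows who is attempting
   unauthorised updates and from where, and the prerequisite failures show
   which authorised clients are out of step with the zone. The following
   Python program is an added example of turning those lines into a
   per-client summary and is not part of the FAQ or of BIND. The regular
   expression matches only the two message shapes shown above (other BIND
   releases format these lines differently, so adjust it before use), and
   the log lines it runs over are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the two message shapes quoted above; anything else is ignored.
UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:updating zone '(?P<zone>[^']+)': )?"
    r"update (?P<outcome>denied|failed)(?:: (?P<detail>.*))?$"
)
# The RCODE named appends in parentheses, e.g. "(NXRRSET)".
RCODE_RE = re.compile(r"\((?P<rcode>[A-Z]+)\)\s*$")


def parse_update_line(line):
    """Return a dict describing a denied/failed update, or None for any other line."""
    m = UPDATE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rc = RCODE_RE.search(rec.get("detail") or "")
    rec["rcode"] = rc.group("rcode") if rc else None
    return rec


def summarize(lines):
    """Per-client counts of denied and failed updates, RCODEs seen and zones touched."""
    summary = defaultdict(lambda: {"denied": 0, "failed": 0,
                                   "rcodes": Counter(), "zones": set()})
    for line in lines:
        rec = parse_update_line(line)
        if rec is None:
            continue
        entry = summary[rec["ip"]]
        entry[rec["outcome"]] += 1
        if rec["rcode"]:
            entry["rcodes"][rec["rcode"]] += 1
        if rec["zone"]:
            entry["zones"].add(rec["zone"])
    return dict(summary)


def noisy_clients(lines, threshold=2):
    """Clients denied at least `threshold` times: candidates for a client-side fix or a firewall rule."""
    return sorted(ip for ip, e in summarize(lines).items() if e["denied"] >= threshold)


# Constructed log lines in the format quoted above (not a real capture).
LOG = [
    "Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': "
    "update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)",
    "Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied",
    "Jun 21 12:00:01.000 client 10.0.0.1#1235: update denied",
    "Jun 21 12:00:02.000 client 192.0.2.7#4000: update denied",
    "Jun 21 12:00:03.000 client 10.0.0.1#1300: updating zone 'example.com/IN': "
    "update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)",
    "Jun 21 12:00:04.000 zone example.com/IN: loaded serial 5",
]

if __name__ == "__main__":
    for ip, entry in summarize(LOG).items():
        print(ip, entry)
    print("noisy:", noisy_clients(LOG))
```

   Feed it your own log with something like
   summarize(open("/var/log/messages")) after checking the regular
   expression against a few real lines. A steady stream of "update
   denied" from one address is usually a misconfigured client rather than
   an attack, but the source is worth identifying either way, since an
   update that is denied today would succeed if allow-update were ever
   loosened.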
461
462Q: When I do a "dig . ns", many of the A records for the root servers are
463   missing. Why?
464
465A: This is normal and harmless. It is a somewhat confusing side effect of
466   the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
467   makes to avoid promoting glue into answers.
468
469   When BIND 9 first starts up and primes its cache, it receives the root
470   server addresses as additional data in an authoritative response from a
471   root server, and these records are eligible for inclusion as additional
472   data in responses. Subsequently it receives a subset of the root server
473   addresses as additional data in a non-authoritative (referral) response
474   from a root server. This causes the addresses to now be considered
475   non-authoritative (glue) data, which is not eligible for inclusion in
476   responses.
477
478   The server does have a complete set of root server addresses cached at
479   all times, it just may not include all of them as additional data,
480   depending on whether they were last received as answers or as glue. You
481   can always look up the addresses with explicit queries like "dig
482   a.root-servers.net A".
483
484Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
485
486A: A zone can be updated either by editing zone files and reloading the
487   server or by dynamic update, but not both. If you have enabled dynamic
488   update for a zone using the "allow-update" option, you are not supposed
489   to edit the zone file by hand, and the server will not attempt to
490   reload it.
491
492Q: Why is named listening on UDP port other than 53?
493
494A: Named uses a system selected port to make queries of other nameservers.
495   This behaviour can be overridden by using query-source to lock down the
496   port and/or address. See also notify-source and transfer-source.
497
498Q: I get warning messages like "zone example.com/IN: refresh: failure
499   trying master 1.2.3.4#53: timed out".
500
501A: Check that you can make UDP queries from the slave to the master
502
503   dig +norec example.com soa @1.2.3.4
504
505   You could be generating queries faster than the slave can cope with.
506   Lower the serial query rate.
507
508   serial-query-rate 5; // default 20
509
510Q: I don't get RRSIG's returned when I use "dig +dnssec".
511
512A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
513
514Q: Can a NS record refer to a CNAME.
515
516A: No. The rules for glue (copies of the *address* records in the parent
517   zones) and additional section processing do not allow it to work.
518
519   You would have to add both the CNAME and address records (A/AAAA) as
520   glue to the parent zone and have CNAMEs be followed when doing
521   additional section processing to make it work. No nameserver
522   implementation supports either of these requirements.
523
524Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
525   mean?
526
527A: If the IN-ADDR.ARPA name covered refers to a internal address space you
528   are using then you have failed to follow RFC 1918 usage rules and are
529   leaking queries to the Internet. You should establish your own zones
530   for these addresses to prevent you querying the Internet's name servers
531   for these addresses. Please see <http://as112.net/> for details of the
532   problems you are causing and the counter measures that have had to be
533   deployed.
534
535   If you are not using these private addresses then a client has queried
536   for them. You can just ignore the messages, get the offending client to
537   stop sending you these messages as they are most probably leaking them
538   or setup your own zones empty zones to serve answers to these queries.
539
540   zone "10.IN-ADDR.ARPA" {
541           type master;
542           file "empty";
543   };
544
545   zone "16.172.IN-ADDR.ARPA" {
546           type master;
547           file "empty";
548   };
549
550   ...
551
552   zone "31.172.IN-ADDR.ARPA" {
553           type master;
554           file "empty";
555   };
556
557   zone "168.192.IN-ADDR.ARPA" {
558           type master;
559           file "empty";
560   };
561
562   empty:
563   @ 10800 IN SOA <name-of-server>. <contact-email>. (
564                  1 3600 1200 604800 10800 )
565   @ 10800 IN NS <name-of-server>.
566
567   Note
568
569   Future versions of named are likely to do this automatically.
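   The "..." above stands for the fourteen 172.17 to 172.30 zones that
   were left out; getting all eighteen reverse zones right by hand is
   error-prone, so the following Python program derives them from the
   three RFC 1918 prefixes and prints the zone statements and the "empty"
   master file in the form shown above. It is an added example, not part
   of the FAQ or of BIND, and goes slightly beyond the answer in that
   reverse_zones works for any IPv4 prefix on or off an octet boundary.
   The server and contact names passed to empty_zone_file are
   placeholders to replace with your own.

```python
import ipaddress

# The three RFC 1918 blocks; reverse_zones works for any IPv4 prefix.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(prefix):
    """IN-ADDR.ARPA zone names covering `prefix`, one per whole-octet subnet."""
    net = ipaddress.ip_network(prefix)
    octets = -(-net.prefixlen // 8)  # round the prefix up to an octet boundary
    if octets * 8 == net.prefixlen:
        subnets = [net]
    else:
        subnets = net.subnets(new_prefix=octets * 8)
    zones = []
    for sub in subnets:
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".IN-ADDR.ARPA")
    return zones


def rfc1918_reverse_zones():
    """All eighteen reverse zones for the RFC 1918 address space."""
    return [z for p in RFC1918 for z in reverse_zones(p)]


def named_conf_stanzas(zones, zone_file="empty"):
    """The zone { } blocks from the answer above, one per zone."""
    return "".join(
        f'zone "{z}" {{\n        type master;\n        file "{zone_file}";\n}};\n\n'
        for z in zones
    )


def empty_zone_file(server, contact):
    """The 'empty' master file from the answer above (names without trailing dots)."""
    return (
        f"@ 10800 IN SOA {server}. {contact}. (\n"
        f"               1 3600 1200 604800 10800 )\n"
        f"@ 10800 IN NS {server}.\n"
    )


if __name__ == "__main__":
    zones = rfc1918_reverse_zones()
    print(named_conf_stanzas(zones), end="")
    print("empty:")
    print(empty_zone_file("ns1.example.com", "hostmaster.example.com"), end="")
```

   Append the printed stanzas to named.conf and save the second part as
   the file named "empty" in the options directory. Later BIND releases
   serve these zones automatically (controlled by the empty-zones-enable
   option), in which case the generated stanzas are unnecessary.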
570
571Q: Will named be affected by the 2007 changes to daylight savings rules in
572   the US.
573
574A: No, so long as the machines internal clock (as reported by "date -u")
575   remains at UTC. The only visible change if you fail to upgrade your OS,
576   if you are in a affected area, will be that log messages will be a hour
577   out during the period where the old rules do not match the new rules.
578
579   For most OS's this change just means that you need to update the
580   conversion rules from UTC to local time. Normally this involves
581   updating a file in /etc (which sets the default timezone for the
582   machine) and possibly a directory which has all the conversion rules
583   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
584   forget to update any chroot areas as well. See your OS's documentation
585   for more details.
586
587   The local timezone conversion rules can also be done on a individual
588   basis by setting the TZ environment variable appropriately. See your
589   OS's documentation for more details.
590
591Q: Is there a bugzilla (or other tool) database that mere mortals can have
592   (read-only) access to for bind?
593
594A: No. The BIND 9 bug database is kept closed for a number of reasons.
595   These include, but are not limited to, that the database contains
596   proprietory information from people reporting bugs. The database has in
597   the past and may in future contain unfixed bugs which are capable of
598   bringing down most of the Internet's DNS infrastructure.
599
600   The release pages for each version contain up to date lists of bugs
601   that have been fixed post release. That is as close as we can get to
602   providing a bug database.
603
604Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
605
606A: NSEC3 records are strictly meta data and can only be returned in the
607   authority section. This is done so that signing the zone using NSEC3
608   records does not bring names into existence that do not exist in the
609   unsigned version of the zone.
610
6115. Operating-System Specific Questions
612
6135.1. HPUX
614
615Q: I get the following error trying to configure BIND:
616
617   checking if unistd.h or sys/types.h defines fd_set... no
618   configure: error: need either working unistd.h or sys/select.h
619
620A: You have attempted to configure BIND with the bundled C compiler. This
621   compiler does not meet the minimum compiler requirements to for
622   building BIND. You need to install a ANSI C compiler and / or teach
623   configure how to find the ANSI C compiler. The later can be done by
624   adjusting the PATH environment variable and / or specifying the
625   compiler via CC.
626
627   ./configure CC=<compiler> ...
628
6295.2. Linux
630
631Q: Why do I get the following errors:
632
633   general: errno2result.c:109: unexpected error:
634   general: unable to convert errno to isc_result: 14: Bad address
635   client: UDP client handler shutting down due to fatal receive error: unexpected error
636
637A: This is the result of a Linux kernel bug.
638
639   See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
640   2>
641
642Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
643
644A: This is due to a kernel bug where the fact that a socket is marked
645   non-blocking is ignored. It is reported that setting xfrm_larval_drop
646   to 1 helps but this may have negative side effects. See: <https://
647   bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
648   2007/12/4/260>.
649
650   xfrm_larval_drop can be set to 1 by the following procedure:
651
652   echo "1" > proc/sys/net/core/xfrm_larval_drop
653
654Q: Why do I see 5 (or more) copies of named on Linux?
655
656A: Linux threads each show up as a process under ps. The approximate
657   number of threads running is n+4, where n is the number of CPUs. Note
658   that the amount of memory used is not cumulative; if each process is
659   using 10M of memory, only a total of 10M is used.
660
661   Newer versions of Linux's ps command hide the individual threads and
662   require -L to display them.
663
664Q: Why does BIND 9 log "permission denied" errors accessing its
665   configuration files or zones on my Linux system even though it is
666   running as root?
667
668A: On Linux, BIND 9 drops most of its root privileges on startup. This
669   including the privilege to open files owned by other users. Therefore,
670   if the server is running as root, the configuration files and zone
671   files should also be owned by root.
672
673Q: I get the error message "named: capset failed: Operation not permitted"
674   when starting named.
675
676A: The capability module, part of "Linux Security Modules/LSM", has not
677   been loaded into the kernel. See insmod(8), modprobe(8).
678
679   The relevant modules can be loaded by running:
680
681   modprobe commoncap
682   modprobe capability
683
684Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
685
686   Why can't named update slave zone database files?
687
688   Why can't named create DDNS journal files or update the master zones
689   from journals?
690
691   Why can't named create custom log files?
692
693A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
694
695   Red Hat have adopted the National Security Agency's SELinux security
696   policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
697   security , which are more secure than running named in a chroot and
698   make use of the bind-chroot environment unnecessary .
699
700   By default, named is not allowed by the SELinux policy to write, create
701   or delete any files EXCEPT in these directories:
702
703   $ROOTDIR/var/named/slaves
704   $ROOTDIR/var/named/data
705   $ROOTDIR/var/tmp
706
707
708   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
709   installed.
710
711   The SELinux policy particularly does NOT allow named to modify the
712   $ROOTDIR/var/named directory, the default location for master zone
713   database files.
714
715   SELinux policy overrules file access permissions - so even if all the
716   files under /var/named have ownership named:named and mode rw-rw-r--,
717   named will still not be able to write or create files except in the
718   directories above, with SELinux in Enforcing mode.
719
720   So, to allow named to update slave or DDNS zone files, it is best to
721   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
722   statements such as:
723
724   zone "slave.zone." IN {
725           type slave;
726           file "slaves/slave.zone.db";
727           ...
728   };
729   zone "ddns.zone." IN  {
730           type master;
731           allow-updates {...};
732           file "slaves/ddns.zone.db";
733   };
734
735
736   To allow named to create its cache dump and statistics files, for
737   example, you could use named.conf options statements such as:
738
739   options {
740           ...
741           dump-file "/var/named/data/cache_dump.db";
742           statistics-file "/var/named/data/named_stats.txt";
743           ...
744   };
745

   You can also tell SELinux to allow named to update any zone database
   files, by setting the SELinux tunable boolean parameter
   'named_write_master_zones=1', using the system-config-securitylevel
   GUI, using the 'setsebool' command, or in
   /etc/selinux/targeted/booleans.

   You can disable SELinux protection for named entirely by setting the
   'named_disable_trans=1' SELinux tunable boolean parameter.

   The SELinux named policy defines these SELinux contexts for named:

   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}


   If you want to retain use of the SELinux policy for named, and put
   named files in different locations, you can do so by changing the
   context of the custom file locations.

   To create a custom configuration file location, e.g. '/root/named.conf',
   to use with the 'named -c' option, do:

   # chcon system_u:object_r:named_conf_t /root/named.conf


   To create a custom modifiable named data location, e.g. '/var/log/named'
   for a log file, do:

   # chcon system_u:object_r:named_cache_t /var/log/named


   To create a custom zone file location, e.g. /root/zones/, do:

   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}


   See these man-pages for more information: selinux(8), named_selinux(8),
   chcon(1), setsebool(8)
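   As an added example (not part of the ISC FAQ or of BIND), the shell
   script below reads a named.conf and lists every file named must be able
   to write (slave zone files, zones with allow-update, dump-file and
   statistics-file), flagging any that lie outside the named_cache_t
   locations given above, which is exactly the mismatch that produces the
   "named cannot update slave/DDNS zone files" symptom under SELinux. It
   assumes the policy's default locations from this FAQ
   ($ROOTDIR/var/named/slaves, $ROOTDIR/var/named/data, $ROOTDIR/var/tmp),
   takes the chroot prefix from an optional ROOTDIR environment variable,
   and runs on a constructed sample named.conf rather than a real one; the
   audit_selinux_paths function name is the example's own.

```shell
#!/bin/sh
# Added example: audit a named.conf for files that named must write but
# that sit outside the named_cache_t locations the FAQ lists. It only
# reports; it never relabels anything.

# Constructed sample named.conf (not a real deployment's configuration).
NAMED_CONF_SAMPLE='options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/named_stats.txt";
};
zone "example.com." IN {
        type slave;
        file "slaves/example.com.db";
        masters { 192.0.2.1; };
};
zone "ddns.example." IN {
        type master;
        allow-update { key "ddns-key"; };
        file "ddns.example.db";
};
zone "static.example." IN {
        type master;
        file "static.example.db";
};'

# audit_selinux_paths: read named.conf on stdin, print one OK/WARN line per
# path that named has to write. ROOTDIR (optional) is the chroot prefix.
audit_selinux_paths() {
    awk -v rootdir="${ROOTDIR:-}" '
    BEGIN { dir = "/var/named" }            # FAQ default if no directory option
    # pull the first double-quoted string out of a line
    function extract(s) { sub(/^[^"]*"/, "", s); sub(/".*$/, "", s); return s }
    function resolve(p) { return (p ~ /^\//) ? p : dir "/" p }
    function report(what, p,   abs, msg) {
        abs = resolve(p)
        if (abs ~ /^\/var\/named\/(slaves|data)\// || abs ~ /^\/var\/tmp\//) {
            print "OK   " what ": " rootdir abs
        } else {
            msg = "WARN " what ": " rootdir abs
            msg = msg " is not under a named_cache_t directory; move it under"
            msg = msg " " rootdir "/var/named/slaves or relabel its directory with"
            msg = msg " chcon system_u:object_r:named_cache_t"
            print msg
        }
    }
    /^[ \t]*options[ \t]*\{/ { block = "options" }
    /^[ \t]*zone[ \t]+"/ { block = "zone"; zname = extract($0); ztype = ""; zfile = ""; zupd = 0 }
    block == "options" && /^[ \t]*directory[ \t]+"/       { dir = extract($0) }
    block == "options" && /^[ \t]*dump-file[ \t]+"/       { opt["dump-file"] = extract($0) }
    block == "options" && /^[ \t]*statistics-file[ \t]+"/ { opt["statistics-file"] = extract($0) }
    block == "zone" && /^[ \t]*type[ \t]+/   { ztype = $2; sub(/;.*/, "", ztype) }
    block == "zone" && /^[ \t]*file[ \t]+"/  { zfile = extract($0) }
    block == "zone" && /^[ \t]*allow-update/ { zupd = 1 }   # DDNS: journal plus rewritten zone file
    {
        # track brace depth so nested sub-blocks do not end the zone early
        depth += gsub(/\{/, "{") - gsub(/\}/, "}")
        if (block != "" && depth == 0) {
            if (block == "options") {
                if ("dump-file" in opt)       report("dump-file", opt["dump-file"])
                if ("statistics-file" in opt) report("statistics-file", opt["statistics-file"])
            } else if (zfile != "" && (ztype == "slave" || zupd)) {
                # read-only masters need only named_zone_t, so they are not reported
                report("zone " zname " (" (zupd ? "dynamic" : ztype) ")", zfile)
            }
            block = ""
        }
    }'
}

printf '%s\n' "$NAMED_CONF_SAMPLE" | audit_selinux_paths
```

   Run it against the real file with ROOTDIR set to the chroot prefix if
   named is chrooted. Each WARN line names the file to move or the
   directory to relabel; setting the named_write_master_zones boolean
   described above is the alternative when moving files is not wanted.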

Q: I'm running BIND on Ubuntu -

   Why can't named update slave zone database files?

   Why can't named create DDNS journal files or update the master zones
   from journals?

   Why can't named create custom log files?

A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
   addition to normal file system permissions to protect the system.

   Adjust the paths to use those specified in
   /etc/apparmor.d/usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named
   to allow named to write at the location specified in named.conf.

Q: Listening on individual IPv6 interfaces does not work.

A: This is usually due to "/proc/net/if_inet6" not being available in the
   chroot file system. Mount another instance of "proc" in the chroot file
   system.

   This can be made permanent by adding a second instance to /etc/fstab.

   proc /proc           proc defaults 0 0
   proc /var/named/proc proc defaults 0 0

5.3. Windows

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
   Why?

A: This may be caused by a bug in the Windows 2000 DNS server where DNS
   messages larger than 16K are not handled properly. This can be worked
   around by setting the option "transfer-format one-answer;". Also check
   whether your zone contains domain names with embedded spaces or other
   special characters, like "John\032Doe\213s\032Computer", since such
   names have been known to cause Windows 2000 slaves to incorrectly
   reject the zone.

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to
   examine the Application log in the EventViewer to find out why.

   Common causes are that you failed to create "named.conf" (usually
   "C:\windows\dns\etc\named.conf") or failed to specify the directory in
   named.conf.

   options {
           directory "C:\windows\dns\etc";
   };

5.4. FreeBSD

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
   use certain interrupts as a source of random events. You can make this
   permanent by setting rand_irqs in /etc/rc.conf.

   rand_irqs="3 14 15"

   See also <http://people.freebsd.org/~dougb/randomness.html>.

5.5. Solaris

Q: How do I integrate BIND 9 and Solaris SMF?

A: Sun has a blog entry describing how to do this.

   <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>

5.6. Apple Mac OS X

Q: How do I run BIND 9 on Apple Mac OS X?

A: If you run Tiger (Mac OS X 10.4) or later then this is all you need to do:

   % sudo sh -c 'rndc-confgen > /etc/rndc.conf'

   Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:

   key "rndc-key" {
           algorithm hmac-md5;
           secret "uvceheVuqf17ZwIcTydddw==";
   };

   Then start the relevant service:

   % sudo service org.isc.named start

   This is persistent upon a reboot, so you will have to do it only once.

A: Alternatively you can just generate /etc/rndc.key by running:

   % sudo rndc-confgen -a

   Then start the relevant service:

   % sudo service org.isc.named start

   Named will look for /etc/rndc.key when it starts if it doesn't have a
   controls section or the existing controls are missing keys sub-clauses.
   This is persistent upon a reboot, so you will have to do it only once.
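
   The copy step in the first answer above (taking the key statement out
   of /etc/rndc.conf and putting it in /etc/rndc.key) can be scripted. The
   script below is an added example, not code from the ISC FAQ or from
   BIND. It works on a constructed rndc.conf laid out the way rndc-confgen
   prints one (the key name and secret are made-up sample values, not a
   real key), and the extract_rndc_key and write_rndc_key function names
   are the example's own.

```shell
#!/bin/sh
# Added example: copy the key statement from an rndc.conf (as written by
# rndc-confgen) into a standalone rndc.key that named reads at startup.

# Constructed rndc.conf in the layout rndc-confgen prints; the key name and
# secret are sample values, not a real key.
RNDC_CONF_SAMPLE='# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "Q29uc3RydWN0ZWQga2V5IHNhbXBsZQ==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#         algorithm hmac-md5;
#         secret "Q29uc3RydWN0ZWQga2V5IHNhbXBsZQ==";
# };
# End of named.conf'

# extract_rndc_key: print the first uncommented key statement from stdin,
# skipping the options block and the commented named.conf fragment.
extract_rndc_key() {
    awk '
    /^[ \t]*key[ \t]+"/ && !done { inkey = 1 }
    inkey { print }
    inkey && /^[ \t]*\};/ { inkey = 0; done = 1 }
    '
}

# write_rndc_key SRC DST: write the key statement to DST, created under a
# restrictive umask so the shared secret is not world-readable. Ownership
# must still match the user named runs as, which differs between systems.
write_rndc_key() {
    ( umask 077; extract_rndc_key < "$1" > "$2" )
}

printf '%s\n' "$RNDC_CONF_SAMPLE" | extract_rndc_key
```

   With a real file the call is write_rndc_key /etc/rndc.conf
   /etc/rndc.key, run as root; rndc.key only has to carry the key
   statement, which is why the options block and the commented fragment
   are dropped.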