Frequently Asked Questions about BIND 9

Copyright © 2004-2010 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium.

1. Compilation and Installation Questions

Q: I'm trying to compile BIND 9, and "make" is failing due to files not
   being found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not
   supported, and doesn't work. If you are using one of these, use normal
   make or gmake instead.

Q: Isn't "make install" supposed to generate a default named.conf?

A: Short Answer: No.

   Long Answer: There really isn't a default configuration which fits any
   site perfectly. There are lots of decisions that need to be made and
   there is no consensus on what the defaults should be. For example,
   FreeBSD uses /etc/namedb as the location where the configuration files
   for named are stored. Others use /var/named.

   What addresses to listen on? For a laptop on the move a lot you may
   only want to listen on the loopback interfaces.

   Who do you offer recursive service to? Is there a firewall to
   consider? If so, is it stateless or stateful? Are you directly on the
   Internet? Are you on a private network? Are you on a NAT'd network? The
   answers to all these questions change how you configure even a caching
   name server.
2. Configuration and Setup Questions

Q: Why does named log the warning message "no TTL specified - using SOA
   MINTTL instead"?

A: Your zone file is illegal according to RFC 1035. It must either have a
   line like:

   $TTL 86400

   at the beginning, or the first record in it must have a TTL field, like
   the "86400" in this example:

   86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
   file bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check
   that all TXT records containing quoted strings have both open and close

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version
   in the "options" section of named.conf. Note that doing this will not
   prevent attacks and may impede people trying to diagnose problems with
   your server. Also it is possible to "fingerprint" nameservers to
   determine their version.

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups, as the internal
   view that holds the version information will be matched last. The
   caveats of the previous answer still apply, of course.

   view "chaos" chaos {
           match-clients { <those to be refused>; };
           allow-query { none; };
           zone "." {
                   type hint;
                   file "/dev/null";  // or any empty file
           };
   };
Q: What do "no source of entropy found" or "could not open entropy source
   foo" mean?

A: The server requires a source of entropy to perform certain operations,
   mostly DNSSEC related. These messages indicate that you have no source
   of entropy. On systems with /dev/random or an equivalent, it is used by
   default. A source of entropy can also be defined using the
   random-device option in named.conf.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone
   transfers. I'm sure I have the keys set up correctly, but the server is
   rejecting the TSIG. Why?

A: This may be a clock skew problem. Check that the clocks on the
   client and server are properly synchronised (e.g., using NTP).

Q: I see a log message like the following. Why?

   couldn't open pid file '/var/run/': Permission denied

A: You are most likely running named as a non-root user, and that user
   does not have permission to write in /var/run. The common ways of
   fixing this are to create a /var/run/named directory owned by the named
   user and set pid-file to "/var/run/named/", or set pid-file to
   "", which will put the file in the directory specified by the
   directory option (which, in this case, must be writable by the named
   user).

Q: I can query the nameserver from the nameserver but not from other
   machines. Why?

A: This is usually the result of the firewall configuration stopping the
   queries and / or the replies.
Q: How can I make a server a slave for both an internal and an external
   view at the same time? When I tried, both views on the slave were
   transferred from the same view on the master.

A: You will need to give the master and slave multiple IP addresses and
   use those to make sure you reach the correct view on the other machine.

   Master: (internal), (external, IP alias)
       internal:
           match-clients { !; !; 10.0.1/24; };
           notify-source;
           transfer-source;
           query-source address;
       external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source;
           transfer-source;
           query-source address;

   Slave: (internal), (external, IP alias)
       internal:
           match-clients { !; !; 10.0.1/24; };
           notify-source;
           transfer-source;
           query-source address;
       external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source;
           transfer-source;
           query-source address;

   You put the external address on the alias so that all the other DNS
   clients on these boxes see the internal view by default.

A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Master
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; // reject messages meant for the
                                                  // external view.
                                   10.0.1/24; };  // accept from these addresses.
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server { keys external; };  // tag messages from the
                                               // external view to the
                                               // other servers for the
                                               // view.
                   recursion no;
                   ...
           };

   Slave
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server { keys external; };
                   recursion no;
                   ...
           };
Q: I get error messages like "multiple RRs of singleton type" and "CNAME
   and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact
   records involved by transferring the zone using dig then running
   named-checkzone on it.

   dig axfr @master-server > tmp
   named-checkzone tmp

   A CNAME record cannot exist with the same name as another record except
   for the DNSSEC records which prove its existence (NSEC).

   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
   data should be present; this ensures that the data for a canonical name
   and its aliases cannot be different. This rule also insures that a
   cached CNAME can be used without checking with an authoritative server
   for other RR types."

Q: I get error messages like "named.conf:99: unexpected end of input"
   where 99 is the last line of named.conf.

A: There are unbalanced quotes in named.conf.

A: Some text editors (notepad and wordpad) fail to put a line termination
   indication (e.g. CR/LF) on the last line of a text file. This can be
   fixed by "adding" a blank line to the end of the file. Named expects to
   see EOF immediately after EOL and treats text files where this is not
   met as truncated.
Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer
   the zone between views.

   Master
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };

           key "mykey" {
                   algorithm hmac-sha256;
                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
           };

           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   server {
                           /* Deliver notify messages to external view. */
                           keys { external; };
                   };
                   zone "" {
                           type master;
                           file "internal/example.db";
                           allow-update { key mykey; };
                           also-notify {; };
                   };
           };

           view "external" {
                   match-clients { key external; any; };
                   zone "" {
                           type slave;
                           file "external/example.db";
                           masters {; };
                           transfer-source;
                           // allow-update-forwarding { any; };
                           // allow-notify { ... };
                   };
           };

Q: I get an error message like "zone loading
   master file primaries/ no owner".

A: This error is produced when a line in the master file contains leading
   white space (tab/space) but there is no current record owner name to
   inherit the name from. Usually this is the result of putting white
   space before a comment, forgetting the "@" for the SOA record, or
   indenting the master file.
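   The master-file mistakes described in this and the earlier answers (a
   missing TTL, an unterminated quoted string, a CNAME sharing its name
   with other data or duplicated, and an indented record before any owner)
   can be caught before named ever loads the file. The linter below is an
   added example, not ISC code and not a substitute for named-checkzone;
   the zone samples and the example.test names in them are constructed.

```python
"""Constructed zone-file linter for the master-file mistakes behind named's
'no TTL specified', 'ran out of space', 'no owner', 'multiple RRs of
singleton type' and 'CNAME and other data' messages."""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
SINGLETON_TYPES = {"CNAME", "DNAME", "SOA"}    # one RR per owner (RFC 2181 s.5)
CNAME_COMPANIONS = {"CNAME", "NSEC", "RRSIG"}  # may share a name with a CNAME


def strip_comment(line):
    """Drop a ';' comment outside quotes; return (text, quotes_balanced)."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # keep escapes such as \" or \032
            out.append(line[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == ";" and not in_quote:
            break
        out.append(c)
        i += 1
    return "".join(out), not in_quote


def lint_zone(text):
    """Return sorted (line, finding) tuples. Assumes numeric TTLs and compares
    owner names as written ($ORIGIN is not expanded)."""
    findings, owner, default_ttl, seen_record = [], None, None, False
    types_at = defaultdict(list)          # owner -> [(type, line)]
    pending, start = "", 0                # record spanning '(' ... ')'
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, balanced = strip_comment(raw)
        if not balanced:
            findings.append((lineno, "unterminated-quote"))
        if pending:
            pending += " " + body.strip()
        elif body.strip():
            pending, start = body, lineno
        else:
            continue
        if pending.count("(") > pending.count(")"):
            continue                      # record continues on the next line
        record, pending = pending, ""
        tokens = record.replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0].startswith("$"):   # directive such as $TTL 86400
            if tokens and tokens[0].upper() == "$TTL" and len(tokens) > 1 \
                    and tokens[1].isdigit():
                default_ttl = int(tokens[1])
            continue
        if record[0].isspace():           # indented: inherit the previous owner
            if owner is None:
                findings.append((start, "no-owner"))
                continue
        else:
            owner = tokens.pop(0)
        ttl = None                        # TTL and class may come in either order
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
        if not tokens:
            continue                      # no type field left to classify
        if not seen_record:
            seen_record = True
            if ttl is None and default_ttl is None:
                findings.append((start, "no-ttl"))
        types_at[owner.lower()].append((tokens[0].upper(), start))
    for entries in types_at.values():
        kinds, first = [t for t, _ in entries], min(l for _, l in entries)
        for single in SINGLETON_TYPES:
            if kinds.count(single) > 1:
                findings.append((first, "multiple-" + single.lower()))
        if "CNAME" in kinds and any(t not in CNAME_COMPANIONS for t in kinds):
            findings.append((first, "cname-and-other-data"))
    return sorted(findings)


# Constructed samples: the first trips the CNAME and quoting checks, the
# second the owner, TTL and singleton checks.
SAMPLE_CNAME = """$TTL 3600
@    IN SOA ns.example.test. hostmaster.example.test. (
         1 3600 1800 1814400 3600 )   ; serial refresh retry expire minimum
     IN NS    ns.example.test.
www  IN CNAME host.example.test.
www  IN A     192.0.2.1
host IN TXT   "v=spf1 -all
"""
SAMPLE_OWNER = """    IN NS ns.example.test.
@ IN SOA ns.example.test. hostmaster.example.test. 1 3600 1800 1814400 3600
alias IN CNAME a.example.test.
alias IN CNAME b.example.test.
"""
```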
Q: Why are my logs in GMT (UTC)?

A: You are running chrooted (-t) and have not supplied local timezone
   information in the chroot area.

   FreeBSD: /etc/localtime
   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
   OSF: /etc/zoneinfo/localtime

   See also tzset(3) and zic(8).

Q: I get "rndc: connect failed: connection refused" when I try to run
   rndc.

A: This is usually a configuration error.

   First, ensure that named is running and no errors are being reported at
   startup (/var/log/messages or equivalent). Running "named -g <usual
   arguments>" from a terminal can help at this point.

   Second, ensure that named is configured to use rndc, either by
   "rndc-confgen -a", rndc-confgen or manually. The Administrator
   Reference Manual has details on how to do this.

   Old versions of rndc-confgen used localhost rather than in
   /etc/rndc.conf for the default server. Update /etc/rndc.conf if
   necessary so that the default server listed in /etc/rndc.conf matches
   the addresses used in named.conf. "localhost" has two addresses
   ( and ::1).

   If you use "rndc-confgen -a" and named is running with -t or -u, ensure
   that /etc/rndc.conf has the correct ownership and that a copy is in the
   chroot area. You can do this by re-running "rndc-confgen -a" with
   appropriate -t and -u arguments.
Q: I get "transfer of '' from failed while
   receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named from
   creating or renaming the temporary file. These will usually also have
   other associated error messages like

   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

   Named needs write permission on the directory containing the file.
   Named writes the new cache file to a temporary file then renames it to
   the name specified in named.conf to ensure that the contents are always
   complete. This is to prevent named loading a partial zone in the event
   of power failure or similar interrupting the write of the master file.

   Note file names are relative to the directory specified in options and
   any chroot directory ([<chroot dir>/][<options dir>]).

   If named is invoked as "named -t /chroot/DNS" with the following
   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
   user named is running as.

   options {
           directory "/var/named";
   };

   zone "" {
           type slave;
           file "sl/";
           masters {; };
   };
Q: I want to forward all DNS queries from my caching nameserver to another
   server. But there are some domains which have to be served locally, via
   rbldnsd.

   How do I achieve this?

A: Forward everything by default, and override the forwarders for the
   domains served by rbldnsd:

   options {
           forward only;
           forwarders { <ip.of.primary.nameserver>; };
   };

   zone "" {
           type forward; forward only;
           forwarders { <ip.of.rbldns.server> port 530; };
   };

   zone "" {
           type forward; forward only;
           forwarders { <ip.of.rbldns.server> port 530; };
   };

Q: Can you help me understand how BIND 9 uses memory to store DNS zones?

   Sometimes it seems to take several times the amount of memory it needs
   to store the zone.

A: When reloading a zone, named may have multiple copies of the zone in
   memory at one time: the zone it is serving and the one it is loading.
   If reloads are very fast it can have more still.

   e.g. Ones that are transferring out, the one that it is serving and the
   one that is loading.

   BIND 8 destroyed the zone before loading and also killed off outgoing
   transfers of the zone.

   The new strategy allows slaves to get copies of the new zone regardless
   of how often the master is loaded compared to the transfer time. The
   slave might skip some intermediate versions but the transfers will
   complete and it will keep reasonably in sync with the master.

   The new strategy also allows the master to recover from syntax and
   other errors in the master file as it still has an in-core copy of the
   old contents.

Q: I want to use IPv6 locally but I don't have an external IPv6 connection.
   External lookups are slow.

A: You can use server clauses to stop named making external lookups over
   IPv6.

   server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
   server ::/0 { bogus yes; };
3. Operations Questions

Q: How do I change the nameservers for a zone?

A: Step 1: Ensure all nameservers, new and old, are serving the same zone
   content.

   Step 2: Work out the maximum TTL of the NS RRset in the parent and
   child zones. This is the time it will take caches to be clear of a
   particular version of the NS RRset. If you are just removing
   nameservers you can skip to Step 6.

   Step 3: Add new nameservers to the NS RRset for the zone and wait until
   all the servers for the zone are answering with this new NS RRset.

   Step 4: Inform the parent zone of the new NS RRset then wait for all
   the parent servers to be answering with the new NS RRset.

   Step 5: Wait for caches to be clear of the old NS RRset. See Step 2 for
   how long. If you are just adding nameservers you are done.

   Step 6: Remove any old nameservers from the zone's NS RRset and wait for
   all the servers for the zone to be serving the new NS RRset.

   Step 7: Inform the parent zone of the new NS RRset then wait for all
   the parent servers to be answering with the new NS RRset.

   Step 8: Wait for caches to be clear of the old NS RRset. See Step 2 for
   how long.

   Step 9: Turn off the old nameservers or remove the zone entry from the
   configuration of the old nameservers.

   Step 10: Increment the serial number and wait for the change to be
   visible in all nameservers for the zone. This ensures that zone
   transfers are still working after the old servers are decommissioned.

   Note: the above procedure is designed to be transparent to DNS clients.
   Decommissioning the old servers too early will result in some clients
   not being able to look up answers in the zone.

   Note: while it is possible to run the addition and removal stages
   together it is not recommended.
4. General Questions

Q: I keep getting log messages like the following. Why?

   Dec 4 23:47:59 client updating zone '':
   update failed: 'RRset exists (value dependent)' prerequisite not
   satisfied (NXRRSET)

A: DNS updates allow the update request to test to see if certain
   conditions are met prior to proceeding with the update. The message
   above is saying that conditions were not met and the update is not
   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
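   As an added example (not part of the FAQ or of BIND), the following
   models the RFC 2136 section 2.4 prerequisite check that produced the
   NXRRSET message above, so an operator can see which client assertion
   failed against which zone content; the zone data, names and
   prerequisites are constructed.

```python
"""Constructed model of RFC 2136 s.2.4 prerequisite evaluation. Nothing is
sent on the wire; zone contents and prerequisites live in memory."""
from collections import defaultdict

# Constructed zone: owner name -> RR type -> set of RDATA strings.
SAMPLE_ZONE = {
    "example.test.": {"SOA": {"ns hostmaster 1 3600 1800 1814400 3600"},
                      "NS": {"ns.example.test."}},
    "host.example.test.": {"A": {"192.0.2.10"}, "TXT": {'"v=0"'}},
}


def check_prerequisites(zone, prereqs, zone_class="IN"):
    """Evaluate prerequisites in order; return "NOERROR" or the first failing RCODE.

    Each prerequisite is (owner, class, type, rdata), encoded as in the
    prerequisite section of an UPDATE message:
      ANY  / ANY  / None   -> "Name is in use"                   (fails: NXDOMAIN)
      ANY  / type / None   -> "RRset exists (value independent)" (fails: NXRRSET)
      NONE / ANY  / None   -> "Name is not in use"               (fails: YXDOMAIN)
      NONE / type / None   -> "RRset does not exist"             (fails: YXRRSET)
      IN   / type / rdata  -> "RRset exists (value dependent)"   (fails: NXRRSET)
    Value-dependent prerequisites sharing a name and type are combined into
    one RRset, which must equal the zone's RRset exactly (no more, no less).
    """
    wanted = defaultdict(set)
    for owner, klass, rtype, rdata in prereqs:
        owner = owner.lower()
        rrsets = zone.get(owner, {})
        if klass == "ANY":
            if rtype == "ANY":
                if not rrsets:
                    return "NXDOMAIN"
            elif rtype not in rrsets:
                return "NXRRSET"
        elif klass == "NONE":
            if rtype == "ANY":
                if rrsets:
                    return "YXDOMAIN"
            elif rtype in rrsets:
                return "YXRRSET"
        elif klass == zone_class:
            if rdata is None:
                return "FORMERR"         # value-dependent form needs RDATA
            wanted[(owner, rtype)].add(rdata)
        else:
            return "FORMERR"             # class is neither ANY, NONE nor the zone's
    for (owner, rtype), rdatas in wanted.items():
        if zone.get(owner, {}).get(rtype, set()) != rdatas:
            return "NXRRSET"             # the case behind the FAQ's log line
    return "NOERROR"


if __name__ == "__main__":
    # A client asserting a stale address before replacing it: the zone now
    # holds 192.0.2.10, so the value-dependent check fails with NXRRSET.
    stale = [("host.example.test.", "IN", "A", "192.0.2.9")]
    print(check_prerequisites(SAMPLE_ZONE, stale))
```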
Q: I keep getting log messages like the following. Why?

   Jun 21 12:00:00.000 client update denied

A: Someone is trying to update your DNS data using the RFC 2136 Dynamic
   Update protocol. Windows 2000 machines have a habit of sending dynamic
   update requests to DNS servers without being specifically configured to
   do so. If the update requests are coming from a Windows 2000 machine,
   see <>
   for information about how to turn them off.
Q: When I do a "dig . ns", many of the A records for the root servers are
   missing. Why?

A: This is normal and harmless. It is a somewhat confusing side effect of
   the way BIND 9 does RFC 2181 trust ranking and of the efforts BIND 9
   makes to avoid promoting glue into answers.

   When BIND 9 first starts up and primes its cache, it receives the root
   server addresses as additional data in an authoritative response from a
   root server, and these records are eligible for inclusion as additional
   data in responses. Subsequently it receives a subset of the root server
   addresses as additional data in a non-authoritative (referral) response
   from a root server. This causes the addresses to now be considered
   non-authoritative (glue) data, which is not eligible for inclusion in
   responses.

   The server does have a complete set of root server addresses cached at
   all times, it just may not include all of them as additional data,
   depending on whether they were last received as answers or as glue. You
   can always look up the addresses with explicit queries like "dig
   A".

Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading the
   server or by dynamic update, but not both. If you have enabled dynamic
   update for a zone using the "allow-update" option, you are not supposed
   to edit the zone file by hand, and the server will not attempt to
   reload it.

Q: Why is named listening on a UDP port other than 53?

A: Named uses a system-selected port to make queries of other nameservers.
   This behaviour can be overridden by using query-source to lock down the
   port and/or address. See also notify-source and transfer-source.

Q: I get warning messages like "zone refresh: failure
   trying master timed out".

A: Check that you can make UDP queries from the slave to the master:

   dig +norec soa @

   You could be generating queries faster than the slave can cope with.
   Lower the serial query rate.

   serial-query-rate 5; // default 20

Q: I don't get RRSIGs returned when I use "dig +dnssec".

A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).

Q: Can an NS record refer to a CNAME?

A: No. The rules for glue (copies of the *address* records in the parent
   zones) and additional section processing do not allow it to work.

   You would have to add both the CNAME and address records (A/AAAA) as
   glue to the parent zone and have CNAMEs be followed when doing
   additional section processing to make it work. No nameserver
   implementation supports either of these requirements.
Q: What does "RFC 1918 response from Internet for"
   mean?

A: If the IN-ADDR.ARPA name covered refers to an internal address space you
   are using then you have failed to follow RFC 1918 usage rules and are
   leaking queries to the Internet. You should establish your own zones
   for these addresses to prevent you from querying the Internet's name
   servers for these addresses. Please see <> for details of the
   problems you are causing and the counter measures that have had to be
   deployed.

   If you are not using these private addresses then a client has queried
   for them. You can just ignore the messages, get the offending client to
   stop sending you these queries as they are most probably leaking them,
   or set up your own empty zones to serve answers to these queries.

   zone "10.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "16.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   ...

   zone "31.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "168.192.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   empty:
   @ 10800 IN SOA <name-of-server>. <contact-email>. (
                  1 3600 1200 604800 10800 )
   @ 10800 IN NS <name-of-server>.

   Note

   Future versions of named are likely to do this automatically.
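   The configuration above shows only the first and last of the 16 zones
   that 172.16/12 needs, because reverse zones are cut at octet
   boundaries. As an added example that is not part of the FAQ, the
   following generates the complete set of empty reverse zones for the
   three RFC 1918 blocks together with the shared "empty" master file; the
   server and contact names are constructed placeholders.

```python
"""Constructed generator for RFC 1918 empty reverse zones in named.conf form,
covering 10/8, 172.16/12 and 192.168/16 in full."""
import ipaddress

RFC1918_PREFIXES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def reverse_zone_names(cidr):
    """Return the IN-ADDR.ARPA zone names that together cover `cidr`.

    A /8, /16 or /24 maps to one zone. A prefix between octet boundaries is
    split into the zones at the next boundary: 172.16.0.0/12 becomes the
    2**(16-12) = 16 zones 16.172.IN-ADDR.ARPA through 31.172.IN-ADDR.ARPA.
    """
    net = ipaddress.IPv4Network(cidr)
    if not 1 <= net.prefixlen <= 24:
        raise ValueError("prefix length must be between /1 and /24")
    boundary = -(-net.prefixlen // 8) * 8          # round up to 8, 16 or 24
    parts = net.subnets(new_prefix=boundary) if boundary > net.prefixlen else [net]
    names = []
    for sub in parts:
        octets = str(sub.network_address).split(".")[: boundary // 8]
        names.append(".".join(reversed(octets)) + ".IN-ADDR.ARPA")
    return names


def empty_zone_statements(prefixes=RFC1918_PREFIXES, zone_file="empty"):
    """named.conf zone statements, one per reverse zone, all using one master file."""
    blocks = []
    for prefix in prefixes:
        for name in reverse_zone_names(prefix):
            blocks.append('zone "%s" {\n\ttype master;\n\tfile "%s";\n};'
                          % (name, zone_file))
    return "\n\n".join(blocks) + "\n"


def empty_zone_file(server, contact, ttl=10800):
    """The shared master file from the FAQ: an SOA and one NS and nothing else,
    so every PTR query under these zones is answered locally with NXDOMAIN.

    `server` and `contact` stand in for <name-of-server>. and
    <contact-email>. and must be absolute names (trailing dot).
    """
    if not (server.endswith(".") and contact.endswith(".")):
        raise ValueError("server and contact must be fully qualified")
    return ("@ %d IN SOA %s %s (\n               1 3600 1200 604800 %d )\n"
            "@ %d IN NS %s\n") % (ttl, server, contact, ttl, ttl, server)


if __name__ == "__main__":
    print(empty_zone_statements())
    print(empty_zone_file("ns.example.test.", "hostmaster.example.test."))
```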
Q: Will named be affected by the 2007 changes to daylight savings rules in
   the US?

A: No, so long as the machine's internal clock (as reported by "date -u")
   remains at UTC. The only visible change if you fail to upgrade your OS,
   if you are in an affected area, will be that log messages will be an
   hour out during the period where the old rules do not match the new
   rules.

   For most OS's this change just means that you need to update the
   conversion rules from UTC to local time. Normally this involves
   updating a file in /etc (which sets the default timezone for the
   machine) and possibly a directory which has all the conversion rules
   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
   forget to update any chroot areas as well. See your OS's documentation
   for more details.

   The local timezone conversion rules can also be set on an individual
   basis by setting the TZ environment variable appropriately. See your
   OS's documentation for more details.

Q: Is there a bugzilla (or other tool) database that mere mortals can have
   (read-only) access to for BIND?

A: No. The BIND 9 bug database is kept closed for a number of reasons.
   These include, but are not limited to, that the database contains
   proprietary information from people reporting bugs. The database has in
   the past and may in future contain unfixed bugs which are capable of
   bringing down most of the Internet's DNS infrastructure.

   The release pages for each version contain up to date lists of bugs
   that have been fixed post release. That is as close as we can get to
   providing a bug database.

Q: Why do queries for NSEC3 records fail to return the NSEC3 record?

A: NSEC3 records are strictly meta data and can only be returned in the
   authority section. This is done so that signing the zone using NSEC3
   records does not bring names into existence that do not exist in the
   unsigned version of the zone.
5. Operating-System Specific Questions

5.1. HPUX

Q: I get the following error trying to configure BIND:

   checking if unistd.h or sys/types.h defines fd_set... no
   configure: error: need either working unistd.h or sys/select.h

A: You have attempted to configure BIND with the bundled C compiler. This
   compiler does not meet the minimum compiler requirements for
   building BIND. You need to install an ANSI C compiler and / or teach
   configure how to find the ANSI C compiler. The latter can be done by
   adjusting the PATH environment variable and / or specifying the
   compiler via CC.

   ./configure CC=<compiler> ...

5.2. Linux

Q: Why do I get the following errors:

   general: errno2result.c:109: unexpected error:
   general: unable to convert errno to isc_result: 14: Bad address
   client: UDP client handler shutting down due to fatal receive error: unexpected error

A: This is the result of a Linux kernel bug.

   See: <2>

Q: Why does named lock up when it attempts to connect over IPSEC tunnels?

A: This is due to a kernel bug where the fact that a socket is marked
   non-blocking is ignored. It is reported that setting xfrm_larval_drop
   to 1 helps but this may have negative side effects. See: <https://>
   and <2007/12/4/260>.

   xfrm_larval_drop can be set to 1 by the following procedure:

   echo "1" > /proc/sys/net/core/xfrm_larval_drop

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps. The approximate
   number of threads running is n+4, where n is the number of CPUs. Note
   that the amount of memory used is not cumulative; if each process is
   using 10M of memory, only a total of 10M is used.

   Newer versions of Linux's ps command hide the individual threads and
   require -L to display them.

Q: Why does BIND 9 log "permission denied" errors accessing its
   configuration files or zones on my Linux system even though it is
   running as root?

A: On Linux, BIND 9 drops most of its root privileges on startup. This
   includes the privilege to open files owned by other users. Therefore,
   if the server is running as root, the configuration files and zone
   files should also be owned by root.

Q: I get the error message "named: capset failed: Operation not permitted"
   when starting named.

A: The capability module, part of "Linux Security Modules/LSM", has not
   been loaded into the kernel. See insmod(8), modprobe(8).

   The relevant modules can be loaded by running:

   modprobe commoncap
   modprobe capability
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -

   Why can't named update slave zone database files?

   Why can't named create DDNS journal files or update the master zones
   from journals?

   Why can't named create custom log files?

A: Red Hat Security Enhanced Linux (SELinux) policy security protections:

   Red Hat have adopted the National Security Agency's SELinux security
   policy (see <>) and recommendations for BIND
   security, which are more secure than running named in a chroot and
   make use of the bind-chroot environment unnecessary.

   By default, named is not allowed by the SELinux policy to write, create
   or delete any files EXCEPT in these directories:

   $ROOTDIR/var/named/slaves
   $ROOTDIR/var/named/data
   $ROOTDIR/var/tmp

   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
   installed.

   The SELinux policy particularly does NOT allow named to modify the
   $ROOTDIR/var/named directory, the default location for master zone
   database files.

   SELinux policy overrules file access permissions - so even if all the
   files under /var/named have ownership named:named and mode rw-rw-r--,
   named will still not be able to write or create files except in the
   directories above, with SELinux in Enforcing mode.

   So, to allow named to update slave or DDNS zone files, it is best to
   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
   statements such as:

   zone "" IN {
           type slave;
           file "slaves/";
           ...
   };
   zone "" IN {
           type master;
           allow-update {...};
           file "slaves/";
   };

   To allow named to create its cache dump and statistics files, for
   example, you could use named.conf options statements such as:

   options {
           ...
           dump-file "/var/named/data/cache_dump.db";
           statistics-file "/var/named/data/named_stats.txt";
           ...
   };

   You can also tell SELinux to allow named to update any zone database
   files, by setting the SELinux tunable boolean parameter
   'named_write_master_zones=1', using the system-config-securitylevel
   GUI, using the 'setsebool' command, or in
   /etc/selinux/targeted/booleans.

   You can disable SELinux protection for named entirely by setting the
   'named_disable_trans=1' SELinux tunable boolean parameter.

   The SELinux named policy defines these SELinux contexts for named:

   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}

   If you want to retain use of the SELinux policy for named, and put
   named files in different locations, you can do so by changing the
   context of the custom file locations.

   To create a custom configuration file location, e.g. '/root/named.conf',
   to use with the 'named -c' option, do:

   # chcon system_u:object_r:named_conf_t /root/named.conf

   To create a custom modifiable named data location, e.g. '/var/log/named'
   for a log file, do:

   # chcon system_u:object_r:named_cache_t /var/log/named

   To create a custom zone file location, e.g. /root/zones/, do:

   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}

   See these man-pages for more information: selinux(8), named_selinux(8),
   chcon(1), setsebool(8)
Q: I'm running BIND on Ubuntu -

   Why can't named update slave zone database files?

   Why can't named create DDNS journal files or update the master zones
   from journals?

   Why can't named create custom log files?

A: Ubuntu uses AppArmor <> in
   addition to normal file system permissions to protect the system.

   Adjust the paths to use those specified in
   /etc/apparmor.d/usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named
   to allow named to write at the location specified in named.conf.

Q: Listening on individual IPv6 interfaces does not work.

A: This is usually due to "/proc/net/if_inet6" not being available in the
   chroot file system. Mount another instance of "proc" in the chroot file
   system.

   This can be made permanent by adding a second instance to /etc/fstab.

   proc /proc           proc defaults 0 0
   proc /var/named/proc proc defaults 0 0

5.3. Windows

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
   Why?

A: This may be caused by a bug in the Windows 2000 DNS server where DNS
   messages larger than 16K are not handled properly. This can be worked
   around by setting the option "transfer-format one-answer;". Also check
   whether your zone contains domain names with embedded spaces or other
   special characters, like "John\032Doe\213s\032Computer", since such
   names have been known to cause Windows 2000 slaves to incorrectly
   reject the zone.

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to
   examine the Application log in the Event Viewer to find out why.

   Common causes are that you failed to create "named.conf" (usually
   "C:\windows\dns\etc\named.conf") or failed to specify the directory in
   named.conf.

   options {
           Directory "C:\windows\dns\etc";
   };

5.4. FreeBSD

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
   use certain interrupts as a source of random events. You can make this
   permanent by setting rand_irqs in /etc/rc.conf.

   rand_irqs="3 14 15"

   See also <>.

5.5. Solaris

Q: How do I integrate BIND 9 and Solaris SMF?

A: Sun has a blog entry describing how to do this.

   <>

5.6. Apple Mac OS X

Q: How do I run BIND 9 on Apple Mac OS X?

A: If you run Tiger (Mac OS X 10.4) or later then this is all you need to do:

   % sudo rndc-confgen > /etc/rndc.conf

   Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:

   key "rndc-key" {
           algorithm hmac-md5;
           secret "uvceheVuqf17ZwIcTydddw==";
   };

   Then start the relevant service:

   % sudo service org.isc.named start

   This is persistent upon a reboot, so you will have to do it only once.

A: Alternatively you can just generate /etc/rndc.key by running:

   % sudo rndc-confgen -a

   Then start the relevant service:

   % sudo service org.isc.named start

   Named will look for /etc/rndc.key when it starts if it doesn't have a
   controls section or the existing controls are missing keys sub-clauses.
   This is persistent upon a reboot, so you will have to do it only once.