/contrib/bind9/FAQ
https://bitbucket.org/freebsd/freebsd-head/ · #! · 893 lines · 644 code · 249 blank · 0 comment · 0 complexity · 7b0ccb9c4c6614187c04f54583083556 MD5 · raw file
- Frequently Asked Questions about BIND 9
- Copyright Š 2004-2010 Internet Systems Consortium, Inc. ("ISC")
- Copyright Š 2000-2003 Internet Software Consortium.
- -----------------------------------------------------------------------
- 1. Compilation and Installation Questions
- Q: I'm trying to compile BIND 9, and "make" is failing due to files not
- being found. Why?
- A: Using a parallel or distributed "make" to build BIND 9 is not
- supported, and doesn't work. If you are using one of these, use normal
- make or gmake instead.
- Q: Isn't "make install" supposed to generate a default named.conf?
- A: Short Answer: No.
- Long Answer: There really isn't a default configuration which fits any
- site perfectly. There are lots of decisions that need to be made and
- there is no consensus on what the defaults should be. For example
- FreeBSD uses /etc/namedb as the location where the configuration files
- for named are stored. Others use /var/named.
- What addresses to listen on? For a laptop on the move a lot you may
- only want to listen on the loop back interfaces.
- Who do you offer recursive service to? Is there are firewall to
- consider? If so is it stateless or stateful. Are you directly on the
- Internet? Are you on a private network? Are you on a NAT'd network? The
- answers to all these questions change how you configure even a caching
- name server.
- 2. Configuration and Setup Questions
- Q: Why does named log the warning message "no TTL specified - using SOA
- MINTTL instead"?
- A: Your zone file is illegal according to RFC1035. It must either have a
- line like:
- $TTL 86400
- at the beginning, or the first record in it must have a TTL field, like
- the "84600" in this example:
- example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
- Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
- file bar: ran out of space"?
- A: This is often caused by TXT records with missing close quotes. Check
- that all TXT records containing quoted strings have both open and close
- quotes.
- Q: How do I restrict people from looking up the server version?
- A: Put a "version" option containing something other than the real version
- in the "options" section of named.conf. Note doing this will not
- prevent attacks and may impede people trying to diagnose problems with
- your server. Also it is possible to "fingerprint" nameservers to
- determine their version.
- Q: How do I restrict only remote users from looking up the server version?
- A: The following view statement will intercept lookups as the internal
- view that holds the version information will be matched last. The
- caveats of the previous answer still apply, of course.
- view "chaos" chaos {
- match-clients { <those to be refused>; };
- allow-query { none; };
- zone "." {
- type hint;
- file "/dev/null"; // or any empty file
- };
- };
- Q: What do "no source of entropy found" or "could not open entropy source
- foo" mean?
- A: The server requires a source of entropy to perform certain operations,
- mostly DNSSEC related. These messages indicate that you have no source
- of entropy. On systems with /dev/random or an equivalent, it is used by
- default. A source of entropy can also be defined using the
- random-device option in named.conf.
- Q: I'm trying to use TSIG to authenticate dynamic updates or zone
- transfers. I'm sure I have the keys set up correctly, but the server is
- rejecting the TSIG. Why?
- A: This may be a clock skew problem. Check that the the clocks on the
- client and server are properly synchronised (e.g., using ntp).
- Q: I see a log message like the following. Why?
- couldn't open pid file '/var/run/named.pid': Permission denied
- A: You are most likely running named as a non-root user, and that user
- does not have permission to write in /var/run. The common ways of
- fixing this are to create a /var/run/named directory owned by the named
- user and set pid-file to "/var/run/named/named.pid", or set pid-file to
- "named.pid", which will put the file in the directory specified by the
- directory option (which, in this case, must be writable by the named
- user).
- Q: I can query the nameserver from the nameserver but not from other
- machines. Why?
- A: This is usually the result of the firewall configuration stopping the
- queries and / or the replies.
- Q: How can I make a server a slave for both an internal and an external
- view at the same time? When I tried, both views on the slave were
- transferred from the same view on the master.
- A: You will need to give the master and slave multiple IP addresses and
- use those to make sure you reach the correct view on the other machine.
- Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.1;
- transfer-source 10.0.1.1;
- query-source address 10.0.1.1;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.2;
- transfer-source 10.0.1.2;
- query-source address 10.0.1.2;
- Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.3;
- transfer-source 10.0.1.3;
- query-source address 10.0.1.3;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.4;
- transfer-source 10.0.1.4;
- query-source address 10.0.1.4;
- You put the external address on the alias so that all the other dns
- clients on these boxes see the internal view by default.
- A: BIND 9.3 and later: Use TSIG to select the appropriate view.
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-sha256;
- secret "xxxxxxxxxxxxxxxxxxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; // reject message ment for the
- // external view.
- 10.0.1/24; }; // accept from these addresses.
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.1.2 { keys external; }; // tag messages from the
- // external view to the
- // other servers for the
- // view.
- recursion no;
- ...
- };
- Slave 10.0.1.2:
- key "external" {
- algorithm hmac-sha256;
- secret "xxxxxxxxxxxxxxxxxxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.1.1 { keys external; };
- recursion no;
- ...
- };
- Q: I get error messages like "multiple RRs of singleton type" and "CNAME
- and other data" when transferring a zone. What does this mean?
- A: These indicate a malformed master zone. You can identify the exact
- records involved by transferring the zone using dig then running
- named-checkzone on it.
- dig axfr example.com @master-server > tmp
- named-checkzone example.com tmp
- A CNAME record cannot exist with the same name as another record except
- for the DNSSEC records which prove its existence (NSEC).
- RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
- data should be present; this ensures that the data for a canonical name
- and its aliases cannot be different. This rule also insures that a
- cached CNAME can be used without checking with an authoritative server
- for other RR types."
- Q: I get error messages like "named.conf:99: unexpected end of input"
- where 99 is the last line of named.conf.
- A: There are unbalanced quotes in named.conf.
- A: Some text editors (notepad and wordpad) fail to put a line title
- indication (e.g. CR/LF) on the last line of a text file. This can be
- fixed by "adding" a blank line to the end of the file. Named expects to
- see EOF immediately after EOL and treats text files where this is not
- met as truncated.
- Q: How do I share a dynamic zone between multiple views?
- A: You choose one view to be master and the second a slave and transfer
- the zone between views.
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-sha256;
- secret "xxxxxxxxxxxxxxxxxxxxxxxx";
- };
- key "mykey" {
- algorithm hmac-sha256;
- secret "yyyyyyyyyyyyyyyyyyyyyyyy";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- server 10.0.1.1 {
- /* Deliver notify messages to external view. */
- keys { external; };
- };
- zone "example.com" {
- type master;
- file "internal/example.db";
- allow-update { key mykey; };
- also-notify { 10.0.1.1; };
- };
- };
- view "external" {
- match-clients { key external; any; };
- zone "example.com" {
- type slave;
- file "external/example.db";
- masters { 10.0.1.1; };
- transfer-source 10.0.1.1;
- // allow-update-forwarding { any; };
- // allow-notify { ... };
- };
- };
- Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
- master file primaries/wireless.ietf56.ietf.org: no owner".
- A: This error is produced when a line in the master file contains leading
- white space (tab/space) but the is no current record owner name to
- inherit the name from. Usually this is the result of putting white
- space before a comment, forgetting the "@" for the SOA record, or
- indenting the master file.
- Q: Why are my logs in GMT (UTC).
- A: You are running chrooted (-t) and have not supplied local timezone
- information in the chroot area.
- FreeBSD: /etc/localtime
- Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
- OSF: /etc/zoneinfo/localtime
- See also tzset(3) and zic(8).
- Q: I get "rndc: connect failed: connection refused" when I try to run
- rndc.
- A: This is usually a configuration error.
- First ensure that named is running and no errors are being reported at
- startup (/var/log/messages or equivalent). Running "named -g <usual
- arguments>" from a title can help at this point.
- Secondly ensure that named is configured to use rndc either by
- "rndc-confgen -a", rndc-confgen or manually. The Administrators
- Reference manual has details on how to do this.
- Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
- etc/rndc.conf for the default server. Update /etc/rndc.conf if
- necessary so that the default server listed in /etc/rndc.conf matches
- the addresses used in named.conf. "localhost" has two address
- (127.0.0.1 and ::1).
- If you use "rndc-confgen -a" and named is running with -t or -u ensure
- that /etc/rndc.conf has the correct ownership and that a copy is in the
- chroot area. You can do this by re-running "rndc-confgen -a" with
- appropriate -t and -u arguments.
- Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
- receiving responses: permission denied" error messages.
- A: These indicate a filesystem permission error preventing named creating
- / renaming the temporary file. These will usually also have other
- associated error messages like
- "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
- Named needs write permission on the directory containing the file.
- Named writes the new cache file to a temporary file then renames it to
- the name specified in named.conf to ensure that the contents are always
- complete. This is to prevent named loading a partial zone in the event
- of power failure or similar interrupting the write of the master file.
- Note file names are relative to the directory specified in options and
- any chroot directory ([<chroot dir>/][<options dir>]).
- If named is invoked as "named -t /chroot/DNS" with the following
- named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
- user named is running as.
- options {
- directory "/var/named";
- };
- zone "example.net" {
- type slave;
- file "sl/example.net";
- masters { 192.168.4.12; };
- };
- Q: I want to forward all DNS queries from my caching nameserver to another
- server. But there are some domains which have to be served locally, via
- rbldnsd.
- How do I achieve this ?
- A: options {
- forward only;
- forwarders { <ip.of.primary.nameserver>; };
- };
- zone "sbl-xbl.spamhaus.org" {
- type forward; forward only;
- forwarders { <ip.of.rbldns.server> port 530; };
- };
- zone "list.dsbl.org" {
- type forward; forward only;
- forwarders { <ip.of.rbldns.server> port 530; };
- };
- Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
- Some times it seems to take several times the amount of memory it needs
- to store the zone.
- A: When reloading a zone named my have multiple copies of the zone in
- memory at one time. The zone it is serving and the one it is loading.
- If reloads are ultra fast it can have more still.
- e.g. Ones that are transferring out, the one that it is serving and the
- one that is loading.
- BIND 8 destroyed the zone before loading and also killed off outgoing
- transfers of the zone.
- The new strategy allows slaves to get copies of the new zone regardless
- of how often the master is loaded compared to the transfer time. The
- slave might skip some intermediate versions but the transfers will
- complete and it will keep reasonably in sync with the master.
- The new strategy also allows the master to recover from syntax and
- other errors in the master file as it still has an in-core copy of the
- old contents.
- Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
- External lookups are slow.
- A: You can use server clauses to stop named making external lookups over
- IPv6.
- server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
- server ::/0 { bogus yes; };
- 3. Operations Questions
- Q: How to change the nameservers for a zone?
- A: Step 1: Ensure all nameservers, new and old, are serving the same zone
- content.
- Step 2: Work out the maximum TTL of the NS RRset in the parent and
- child zones. This is the time it will take caches to be clear of a
- particular version of the NS RRset. If you are just removing
- nameservers you can skip to Step 6.
- Step 3: Add new nameservers to the NS RRset for the zone and wait until
- all the servers for the zone are answering with this new NS RRset.
- Step 4: Inform the parent zone of the new NS RRset then wait for all
- the parent servers to be answering with the new NS RRset.
- Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
- how long. If you are just adding nameservers you are done.
- Step 6: Remove any old nameservers from the zones NS RRset and wait for
- all the servers for the zone to be serving the new NS RRset.
- Step 7: Inform the parent zone of the new NS RRset then wait for all
- the parent servers to be answering with the new NS RRset.
- Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
- how long.
- Step 9: Turn off the old nameservers or remove the zone entry from the
- configuration of the old nameservers.
- Step 10: Increment the serial number and wait for the change to be
- visible in all nameservers for the zone. This ensures that zone
- transfers are still working after the old servers are decommissioned.
- Note: the above procedure is designed to be transparent to dns clients.
- Decommissioning the old servers too early will result in some clients
- not being able to look up answers in the zone.
- Note: while it is possible to run the addition and removal stages
- together it is not recommended.
- 4. General Questions
- Q: I keep getting log messages like the following. Why?
- Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
- update failed: 'RRset exists (value dependent)' prerequisite not
- satisfied (NXRRSET)
- A: DNS updates allow the update request to test to see if certain
- conditions are met prior to proceeding with the update. The message
- above is saying that conditions were not met and the update is not
- proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
- Q: I keep getting log messages like the following. Why?
- Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
- A: Someone is trying to update your DNS data using the RFC2136 Dynamic
- Update protocol. Windows 2000 machines have a habit of sending dynamic
- update requests to DNS servers without being specifically configured to
- do so. If the update requests are coming from a Windows 2000 machine,
- see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
- for information about how to turn them off.
- Q: When I do a "dig . ns", many of the A records for the root servers are
- missing. Why?
- A: This is normal and harmless. It is a somewhat confusing side effect of
- the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
- makes to avoid promoting glue into answers.
- When BIND 9 first starts up and primes its cache, it receives the root
- server addresses as additional data in an authoritative response from a
- root server, and these records are eligible for inclusion as additional
- data in responses. Subsequently it receives a subset of the root server
- addresses as additional data in a non-authoritative (referral) response
- from a root server. This causes the addresses to now be considered
- non-authoritative (glue) data, which is not eligible for inclusion in
- responses.
- The server does have a complete set of root server addresses cached at
- all times, it just may not include all of them as additional data,
- depending on whether they were last received as answers or as glue. You
- can always look up the addresses with explicit queries like "dig
- a.root-servers.net A".
- Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
- A: A zone can be updated either by editing zone files and reloading the
- server or by dynamic update, but not both. If you have enabled dynamic
- update for a zone using the "allow-update" option, you are not supposed
- to edit the zone file by hand, and the server will not attempt to
- reload it.
- Q: Why is named listening on UDP port other than 53?
- A: Named uses a system selected port to make queries of other nameservers.
- This behaviour can be overridden by using query-source to lock down the
- port and/or address. See also notify-source and transfer-source.
- Q: I get warning messages like "zone example.com/IN: refresh: failure
- trying master 1.2.3.4#53: timed out".
- A: Check that you can make UDP queries from the slave to the master
- dig +norec example.com soa @1.2.3.4
- You could be generating queries faster than the slave can cope with.
- Lower the serial query rate.
- serial-query-rate 5; // default 20
- Q: I don't get RRSIG's returned when I use "dig +dnssec".
- A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
- Q: Can a NS record refer to a CNAME.
- A: No. The rules for glue (copies of the *address* records in the parent
- zones) and additional section processing do not allow it to work.
- You would have to add both the CNAME and address records (A/AAAA) as
- glue to the parent zone and have CNAMEs be followed when doing
- additional section processing to make it work. No nameserver
- implementation supports either of these requirements.
- Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
- mean?
- A: If the IN-ADDR.ARPA name covered refers to a internal address space you
- are using then you have failed to follow RFC 1918 usage rules and are
- leaking queries to the Internet. You should establish your own zones
- for these addresses to prevent you querying the Internet's name servers
- for these addresses. Please see <http://as112.net/> for details of the
- problems you are causing and the counter measures that have had to be
- deployed.
- If you are not using these private addresses then a client has queried
- for them. You can just ignore the messages, get the offending client to
- stop sending you these messages as they are most probably leaking them
- or setup your own zones empty zones to serve answers to these queries.
- zone "10.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
- zone "16.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
- ...
- zone "31.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
- zone "168.192.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
- empty:
- @ 10800 IN SOA <name-of-server>. <contact-email>. (
- 1 3600 1200 604800 10800 )
- @ 10800 IN NS <name-of-server>.
- Note
- Future versions of named are likely to do this automatically.
- Q: Will named be affected by the 2007 changes to daylight savings rules in
- the US.
- A: No, so long as the machines internal clock (as reported by "date -u")
- remains at UTC. The only visible change if you fail to upgrade your OS,
- if you are in a affected area, will be that log messages will be a hour
- out during the period where the old rules do not match the new rules.
- For most OS's this change just means that you need to update the
- conversion rules from UTC to local time. Normally this involves
- updating a file in /etc (which sets the default timezone for the
- machine) and possibly a directory which has all the conversion rules
- for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
- forget to update any chroot areas as well. See your OS's documentation
- for more details.
- The local timezone conversion rules can also be done on a individual
- basis by setting the TZ environment variable appropriately. See your
- OS's documentation for more details.
- Q: Is there a bugzilla (or other tool) database that mere mortals can have
- (read-only) access to for bind?
- A: No. The BIND 9 bug database is kept closed for a number of reasons.
- These include, but are not limited to, that the database contains
- proprietory information from people reporting bugs. The database has in
- the past and may in future contain unfixed bugs which are capable of
- bringing down most of the Internet's DNS infrastructure.
- The release pages for each version contain up to date lists of bugs
- that have been fixed post release. That is as close as we can get to
- providing a bug database.
- Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
- A: NSEC3 records are strictly meta data and can only be returned in the
- authority section. This is done so that signing the zone using NSEC3
- records does not bring names into existence that do not exist in the
- unsigned version of the zone.
- 5. Operating-System Specific Questions
- 5.1. HPUX
- Q: I get the following error trying to configure BIND:
- checking if unistd.h or sys/types.h defines fd_set... no
- configure: error: need either working unistd.h or sys/select.h
- A: You have attempted to configure BIND with the bundled C compiler. This
- compiler does not meet the minimum compiler requirements to for
- building BIND. You need to install a ANSI C compiler and / or teach
- configure how to find the ANSI C compiler. The later can be done by
- adjusting the PATH environment variable and / or specifying the
- compiler via CC.
- ./configure CC=<compiler> ...
- 5.2. Linux
- Q: Why do I get the following errors:
- general: errno2result.c:109: unexpected error:
- general: unable to convert errno to isc_result: 14: Bad address
- client: UDP client handler shutting down due to fatal receive error: unexpected error
- A: This is the result of a Linux kernel bug.
- See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
- 2>
- Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
- A: This is due to a kernel bug where the fact that a socket is marked
- non-blocking is ignored. It is reported that setting xfrm_larval_drop
- to 1 helps but this may have negative side effects. See: <https://
- bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
- 2007/12/4/260>.
- xfrm_larval_drop can be set to 1 by the following procedure:
- echo "1" > proc/sys/net/core/xfrm_larval_drop
- Q: Why do I see 5 (or more) copies of named on Linux?
- A: Linux threads each show up as a process under ps. The approximate
- number of threads running is n+4, where n is the number of CPUs. Note
- that the amount of memory used is not cumulative; if each process is
- using 10M of memory, only a total of 10M is used.
- Newer versions of Linux's ps command hide the individual threads and
- require -L to display them.
- Q: Why does BIND 9 log "permission denied" errors accessing its
- configuration files or zones on my Linux system even though it is
- running as root?
- A: On Linux, BIND 9 drops most of its root privileges on startup. This
- including the privilege to open files owned by other users. Therefore,
- if the server is running as root, the configuration files and zone
- files should also be owned by root.
- Q: I get the error message "named: capset failed: Operation not permitted"
- when starting named.
- A: The capability module, part of "Linux Security Modules/LSM", has not
- been loaded into the kernel. See insmod(8), modprobe(8).
- The relevant modules can be loaded by running:
- modprobe commoncap
- modprobe capability
- Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
- Why can't named update slave zone database files?
- Why can't named create DDNS journal files or update the master zones
- from journals?
- Why can't named create custom log files?
- A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
- Red Hat have adopted the National Security Agency's SELinux security
- policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
- security , which are more secure than running named in a chroot and
- make use of the bind-chroot environment unnecessary .
- By default, named is not allowed by the SELinux policy to write, create
- or delete any files EXCEPT in these directories:
- $ROOTDIR/var/named/slaves
- $ROOTDIR/var/named/data
- $ROOTDIR/var/tmp
- where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
- installed.
- The SELinux policy particularly does NOT allow named to modify the
- $ROOTDIR/var/named directory, the default location for master zone
- database files.
- SELinux policy overrules file access permissions - so even if all the
- files under /var/named have ownership named:named and mode rw-rw-r--,
- named will still not be able to write or create files except in the
- directories above, with SELinux in Enforcing mode.
- So, to allow named to update slave or DDNS zone files, it is best to
- locate them in $ROOTDIR/var/named/slaves, with named.conf zone
- statements such as:
- zone "slave.zone." IN {
- type slave;
- file "slaves/slave.zone.db";
- ...
- };
- zone "ddns.zone." IN {
- type master;
- allow-updates {...};
- file "slaves/ddns.zone.db";
- };
- To allow named to create its cache dump and statistics files, for
- example, you could use named.conf options statements such as:
- options {
- ...
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- ...
- };
- You can also tell SELinux to allow named to update any zone database
- files, by setting the SELinux tunable boolean parameter
- 'named_write_master_zones=1', using the system-config-securitylevel
- GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
- booleans.
- You can disable SELinux protection for named entirely by setting the
- 'named_disable_trans=1' SELinux tunable boolean parameter.
- The SELinux named policy defines these SELinux contexts for named:
- named_zone_t : for zone database files - $ROOTDIR/var/named/*
- named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
- named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
- If you want to retain use of the SELinux policy for named, and put
- named files in different locations, you can do so by changing the
- context of the custom file locations .
- To create a custom configuration file location, e.g. '/root/
- named.conf', to use with the 'named -c' option, do:
- # chcon system_u:object_r:named_conf_t /root/named.conf
- To create a custom modifiable named data location, e.g. '/var/log/
- named' for a log file, do:
- # chcon system_u:object_r:named_cache_t /var/log/named
- To create a custom zone file location, e.g. /root/zones/, do:
- # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
- See these man-pages for more information : selinux(8), named_selinux
- (8), chcon(1), setsebool(8)
- Q: I'm running BIND on Ubuntu -
- Why can't named update slave zone database files?
- Why can't named create DDNS journal files or update the master zones
- from journals?
- Why can't named create custom log files?
- A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
- addition to normal file system permissions to protect the system.
- Adjust the paths to use those specified in /etc/apparmor.d/
- usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
- to write at the location specified in named.conf.
- Q: Listening on individual IPv6 interfaces does not work.
- A: This is usually due to "/proc/net/if_inet6" not being available in the
- chroot file system. Mount another instance of "proc" in the chroot file
- system.
- This can be be made permanent by adding a second instance to /etc/
- fstab.
- proc /proc proc defaults 0 0
- proc /var/named/proc proc defaults 0 0
- 5.3. Windows
- Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
- Why?
- A: This may be caused by a bug in the Windows 2000 DNS server where DNS
- messages larger than 16K are not handled properly. This can be worked
- around by setting the option "transfer-format one-answer;". Also check
- whether your zone contains domain names with embedded spaces or other
- special characters, like "John\032Doe\213s\032Computer", since such
- names have been known to cause Windows 2000 slaves to incorrectly
- reject the zone.
- Q: I get "Error 1067" when starting named under Windows.
- A: This is the service manager saying that named exited. You need to
- examine the Application log in the EventViewer to find out why.
- Common causes are that you failed to create "named.conf" (usually "C:\
- windows\dns\etc\named.conf") or failed to specify the directory in
- named.conf.
- options {
- Directory "C:\windows\dns\etc";
- };
- 5.4. FreeBSD
- Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
- A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
- use certain interrupts as a source of random events. You can make this
- permanent by setting rand_irqs in /etc/rc.conf.
- rand_irqs="3 14 15"
- See also <http://people.freebsd.org/~dougb/randomness.html>.
- 5.5. Solaris
- Q: How do I integrate BIND 9 and Solaris SMF
- A: Sun has a blog entry describing how to do this.
- <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
- 5.6. Apple Mac OS X
- Q: How do I run BIND 9 on Apple Mac OS X?
- A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
- % sudo rndc-confgen > /etc/rndc.conf
- Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
- key "rndc-key" {
- algorithm hmac-md5;
- secret "uvceheVuqf17ZwIcTydddw==";
- };
- Then start the relevant service:
- % sudo service org.isc.named start
- This is persistent upon a reboot, so you will have to do it only once.
- A: Alternatively you can just generate /etc/rndc.key by running:
- % sudo rndc-confgen -a
- Then start the relevant service:
- % sudo service org.isc.named start
- Named will look for /etc/rndc.key when it starts if it doesn't have a
- controls section or the existing controls are missing keys sub-clauses.
- This is persistent upon a reboot, so you will have to do it only once.