/contrib/bind9/FAQ

https://bitbucket.org/freebsd/freebsd-head/ · #! · 893 lines · 644 code · 249 blank · 0 comment · 0 complexity · 7b0ccb9c4c6614187c04f54583083556 MD5 · raw file

  1. Frequently Asked Questions about BIND 9
  2. Copyright Š 2004-2010 Internet Systems Consortium, Inc. ("ISC")
  3. Copyright Š 2000-2003 Internet Software Consortium.
  4. -----------------------------------------------------------------------
  5. 1. Compilation and Installation Questions
  6. Q: I'm trying to compile BIND 9, and "make" is failing due to files not
  7. being found. Why?
  8. A: Using a parallel or distributed "make" to build BIND 9 is not
  9. supported, and doesn't work. If you are using one of these, use normal
  10. make or gmake instead.
  11. Q: Isn't "make install" supposed to generate a default named.conf?
  12. A: Short Answer: No.
  13. Long Answer: There really isn't a default configuration which fits any
  14. site perfectly. There are lots of decisions that need to be made and
  15. there is no consensus on what the defaults should be. For example
  16. FreeBSD uses /etc/namedb as the location where the configuration files
  17. for named are stored. Others use /var/named.
  18. What addresses to listen on? For a laptop on the move a lot you may
  19. only want to listen on the loop back interfaces.
  20. Who do you offer recursive service to? Is there are firewall to
  21. consider? If so is it stateless or stateful. Are you directly on the
  22. Internet? Are you on a private network? Are you on a NAT'd network? The
  23. answers to all these questions change how you configure even a caching
  24. name server.
  25. 2. Configuration and Setup Questions
  26. Q: Why does named log the warning message "no TTL specified - using SOA
  27. MINTTL instead"?
  28. A: Your zone file is illegal according to RFC1035. It must either have a
  29. line like:
  30. $TTL 86400
  31. at the beginning, or the first record in it must have a TTL field, like
  32. the "84600" in this example:
  33. example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
  34. Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
  35. file bar: ran out of space"?
  36. A: This is often caused by TXT records with missing close quotes. Check
  37. that all TXT records containing quoted strings have both open and close
  38. quotes.
  39. Q: How do I restrict people from looking up the server version?
  40. A: Put a "version" option containing something other than the real version
  41. in the "options" section of named.conf. Note doing this will not
  42. prevent attacks and may impede people trying to diagnose problems with
  43. your server. Also it is possible to "fingerprint" nameservers to
  44. determine their version.
  45. Q: How do I restrict only remote users from looking up the server version?
  46. A: The following view statement will intercept lookups as the internal
  47. view that holds the version information will be matched last. The
  48. caveats of the previous answer still apply, of course.
  49. view "chaos" chaos {
  50. match-clients { <those to be refused>; };
  51. allow-query { none; };
  52. zone "." {
  53. type hint;
  54. file "/dev/null"; // or any empty file
  55. };
  56. };
  57. Q: What do "no source of entropy found" or "could not open entropy source
  58. foo" mean?
  59. A: The server requires a source of entropy to perform certain operations,
  60. mostly DNSSEC related. These messages indicate that you have no source
  61. of entropy. On systems with /dev/random or an equivalent, it is used by
  62. default. A source of entropy can also be defined using the
  63. random-device option in named.conf.
  64. Q: I'm trying to use TSIG to authenticate dynamic updates or zone
  65. transfers. I'm sure I have the keys set up correctly, but the server is
  66. rejecting the TSIG. Why?
  67. A: This may be a clock skew problem. Check that the the clocks on the
  68. client and server are properly synchronised (e.g., using ntp).
  69. Q: I see a log message like the following. Why?
  70. couldn't open pid file '/var/run/named.pid': Permission denied
  71. A: You are most likely running named as a non-root user, and that user
  72. does not have permission to write in /var/run. The common ways of
  73. fixing this are to create a /var/run/named directory owned by the named
  74. user and set pid-file to "/var/run/named/named.pid", or set pid-file to
  75. "named.pid", which will put the file in the directory specified by the
  76. directory option (which, in this case, must be writable by the named
  77. user).
  78. Q: I can query the nameserver from the nameserver but not from other
  79. machines. Why?
  80. A: This is usually the result of the firewall configuration stopping the
  81. queries and / or the replies.
  82. Q: How can I make a server a slave for both an internal and an external
  83. view at the same time? When I tried, both views on the slave were
  84. transferred from the same view on the master.
  85. A: You will need to give the master and slave multiple IP addresses and
  86. use those to make sure you reach the correct view on the other machine.
  87. Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
  88. internal:
  89. match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
  90. notify-source 10.0.1.1;
  91. transfer-source 10.0.1.1;
  92. query-source address 10.0.1.1;
  93. external:
  94. match-clients { any; };
  95. recursion no; // don't offer recursion to the world
  96. notify-source 10.0.1.2;
  97. transfer-source 10.0.1.2;
  98. query-source address 10.0.1.2;
  99. Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
  100. internal:
  101. match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
  102. notify-source 10.0.1.3;
  103. transfer-source 10.0.1.3;
  104. query-source address 10.0.1.3;
  105. external:
  106. match-clients { any; };
  107. recursion no; // don't offer recursion to the world
  108. notify-source 10.0.1.4;
  109. transfer-source 10.0.1.4;
  110. query-source address 10.0.1.4;
  111. You put the external address on the alias so that all the other dns
  112. clients on these boxes see the internal view by default.
  113. A: BIND 9.3 and later: Use TSIG to select the appropriate view.
  114. Master 10.0.1.1:
  115. key "external" {
  116. algorithm hmac-sha256;
  117. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  118. };
  119. view "internal" {
  120. match-clients { !key external; // reject message ment for the
  121. // external view.
  122. 10.0.1/24; }; // accept from these addresses.
  123. ...
  124. };
  125. view "external" {
  126. match-clients { key external; any; };
  127. server 10.0.1.2 { keys external; }; // tag messages from the
  128. // external view to the
  129. // other servers for the
  130. // view.
  131. recursion no;
  132. ...
  133. };
  134. Slave 10.0.1.2:
  135. key "external" {
  136. algorithm hmac-sha256;
  137. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  138. };
  139. view "internal" {
  140. match-clients { !key external; 10.0.1/24; };
  141. ...
  142. };
  143. view "external" {
  144. match-clients { key external; any; };
  145. server 10.0.1.1 { keys external; };
  146. recursion no;
  147. ...
  148. };
  149. Q: I get error messages like "multiple RRs of singleton type" and "CNAME
  150. and other data" when transferring a zone. What does this mean?
  151. A: These indicate a malformed master zone. You can identify the exact
  152. records involved by transferring the zone using dig then running
  153. named-checkzone on it.
  154. dig axfr example.com @master-server > tmp
  155. named-checkzone example.com tmp
  156. A CNAME record cannot exist with the same name as another record except
  157. for the DNSSEC records which prove its existence (NSEC).
  158. RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
  159. data should be present; this ensures that the data for a canonical name
  160. and its aliases cannot be different. This rule also insures that a
  161. cached CNAME can be used without checking with an authoritative server
  162. for other RR types."
  163. Q: I get error messages like "named.conf:99: unexpected end of input"
  164. where 99 is the last line of named.conf.
  165. A: There are unbalanced quotes in named.conf.
  166. A: Some text editors (notepad and wordpad) fail to put a line title
  167. indication (e.g. CR/LF) on the last line of a text file. This can be
  168. fixed by "adding" a blank line to the end of the file. Named expects to
  169. see EOF immediately after EOL and treats text files where this is not
  170. met as truncated.
  171. Q: How do I share a dynamic zone between multiple views?
  172. A: You choose one view to be master and the second a slave and transfer
  173. the zone between views.
  174. Master 10.0.1.1:
  175. key "external" {
  176. algorithm hmac-sha256;
  177. secret "xxxxxxxxxxxxxxxxxxxxxxxx";
  178. };
  179. key "mykey" {
  180. algorithm hmac-sha256;
  181. secret "yyyyyyyyyyyyyyyyyyyyyyyy";
  182. };
  183. view "internal" {
  184. match-clients { !key external; 10.0.1/24; };
  185. server 10.0.1.1 {
  186. /* Deliver notify messages to external view. */
  187. keys { external; };
  188. };
  189. zone "example.com" {
  190. type master;
  191. file "internal/example.db";
  192. allow-update { key mykey; };
  193. also-notify { 10.0.1.1; };
  194. };
  195. };
  196. view "external" {
  197. match-clients { key external; any; };
  198. zone "example.com" {
  199. type slave;
  200. file "external/example.db";
  201. masters { 10.0.1.1; };
  202. transfer-source 10.0.1.1;
  203. // allow-update-forwarding { any; };
  204. // allow-notify { ... };
  205. };
  206. };
  207. Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
  208. master file primaries/wireless.ietf56.ietf.org: no owner".
  209. A: This error is produced when a line in the master file contains leading
  210. white space (tab/space) but the is no current record owner name to
  211. inherit the name from. Usually this is the result of putting white
  212. space before a comment, forgetting the "@" for the SOA record, or
  213. indenting the master file.
  214. Q: Why are my logs in GMT (UTC).
  215. A: You are running chrooted (-t) and have not supplied local timezone
  216. information in the chroot area.
  217. FreeBSD: /etc/localtime
  218. Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
  219. OSF: /etc/zoneinfo/localtime
  220. See also tzset(3) and zic(8).
  221. Q: I get "rndc: connect failed: connection refused" when I try to run
  222. rndc.
  223. A: This is usually a configuration error.
  224. First ensure that named is running and no errors are being reported at
  225. startup (/var/log/messages or equivalent). Running "named -g <usual
  226. arguments>" from a title can help at this point.
  227. Secondly ensure that named is configured to use rndc either by
  228. "rndc-confgen -a", rndc-confgen or manually. The Administrators
  229. Reference manual has details on how to do this.
  230. Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
  231. etc/rndc.conf for the default server. Update /etc/rndc.conf if
  232. necessary so that the default server listed in /etc/rndc.conf matches
  233. the addresses used in named.conf. "localhost" has two address
  234. (127.0.0.1 and ::1).
  235. If you use "rndc-confgen -a" and named is running with -t or -u ensure
  236. that /etc/rndc.conf has the correct ownership and that a copy is in the
  237. chroot area. You can do this by re-running "rndc-confgen -a" with
  238. appropriate -t and -u arguments.
  239. Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
  240. receiving responses: permission denied" error messages.
  241. A: These indicate a filesystem permission error preventing named creating
  242. / renaming the temporary file. These will usually also have other
  243. associated error messages like
  244. "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
  245. Named needs write permission on the directory containing the file.
  246. Named writes the new cache file to a temporary file then renames it to
  247. the name specified in named.conf to ensure that the contents are always
  248. complete. This is to prevent named loading a partial zone in the event
  249. of power failure or similar interrupting the write of the master file.
  250. Note file names are relative to the directory specified in options and
  251. any chroot directory ([<chroot dir>/][<options dir>]).
  252. If named is invoked as "named -t /chroot/DNS" with the following
  253. named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
  254. user named is running as.
  255. options {
  256. directory "/var/named";
  257. };
  258. zone "example.net" {
  259. type slave;
  260. file "sl/example.net";
  261. masters { 192.168.4.12; };
  262. };
  263. Q: I want to forward all DNS queries from my caching nameserver to another
  264. server. But there are some domains which have to be served locally, via
  265. rbldnsd.
  266. How do I achieve this ?
  267. A: options {
  268. forward only;
  269. forwarders { <ip.of.primary.nameserver>; };
  270. };
  271. zone "sbl-xbl.spamhaus.org" {
  272. type forward; forward only;
  273. forwarders { <ip.of.rbldns.server> port 530; };
  274. };
  275. zone "list.dsbl.org" {
  276. type forward; forward only;
  277. forwarders { <ip.of.rbldns.server> port 530; };
  278. };
  279. Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
  280. Some times it seems to take several times the amount of memory it needs
  281. to store the zone.
  282. A: When reloading a zone named my have multiple copies of the zone in
  283. memory at one time. The zone it is serving and the one it is loading.
  284. If reloads are ultra fast it can have more still.
  285. e.g. Ones that are transferring out, the one that it is serving and the
  286. one that is loading.
  287. BIND 8 destroyed the zone before loading and also killed off outgoing
  288. transfers of the zone.
  289. The new strategy allows slaves to get copies of the new zone regardless
  290. of how often the master is loaded compared to the transfer time. The
  291. slave might skip some intermediate versions but the transfers will
  292. complete and it will keep reasonably in sync with the master.
  293. The new strategy also allows the master to recover from syntax and
  294. other errors in the master file as it still has an in-core copy of the
  295. old contents.
  296. Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
  297. External lookups are slow.
  298. A: You can use server clauses to stop named making external lookups over
  299. IPv6.
  300. server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
  301. server ::/0 { bogus yes; };
  302. 3. Operations Questions
  303. Q: How to change the nameservers for a zone?
  304. A: Step 1: Ensure all nameservers, new and old, are serving the same zone
  305. content.
  306. Step 2: Work out the maximum TTL of the NS RRset in the parent and
  307. child zones. This is the time it will take caches to be clear of a
  308. particular version of the NS RRset. If you are just removing
  309. nameservers you can skip to Step 6.
  310. Step 3: Add new nameservers to the NS RRset for the zone and wait until
  311. all the servers for the zone are answering with this new NS RRset.
  312. Step 4: Inform the parent zone of the new NS RRset then wait for all
  313. the parent servers to be answering with the new NS RRset.
  314. Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
  315. how long. If you are just adding nameservers you are done.
  316. Step 6: Remove any old nameservers from the zones NS RRset and wait for
  317. all the servers for the zone to be serving the new NS RRset.
  318. Step 7: Inform the parent zone of the new NS RRset then wait for all
  319. the parent servers to be answering with the new NS RRset.
  320. Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
  321. how long.
  322. Step 9: Turn off the old nameservers or remove the zone entry from the
  323. configuration of the old nameservers.
  324. Step 10: Increment the serial number and wait for the change to be
  325. visible in all nameservers for the zone. This ensures that zone
  326. transfers are still working after the old servers are decommissioned.
  327. Note: the above procedure is designed to be transparent to dns clients.
  328. Decommissioning the old servers too early will result in some clients
  329. not being able to look up answers in the zone.
  330. Note: while it is possible to run the addition and removal stages
  331. together it is not recommended.
  332. 4. General Questions
  333. Q: I keep getting log messages like the following. Why?
  334. Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
  335. update failed: 'RRset exists (value dependent)' prerequisite not
  336. satisfied (NXRRSET)
  337. A: DNS updates allow the update request to test to see if certain
  338. conditions are met prior to proceeding with the update. The message
  339. above is saying that conditions were not met and the update is not
  340. proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
  341. Q: I keep getting log messages like the following. Why?
  342. Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
  343. A: Someone is trying to update your DNS data using the RFC2136 Dynamic
  344. Update protocol. Windows 2000 machines have a habit of sending dynamic
  345. update requests to DNS servers without being specifically configured to
  346. do so. If the update requests are coming from a Windows 2000 machine,
  347. see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
  348. for information about how to turn them off.
  349. Q: When I do a "dig . ns", many of the A records for the root servers are
  350. missing. Why?
  351. A: This is normal and harmless. It is a somewhat confusing side effect of
  352. the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
  353. makes to avoid promoting glue into answers.
  354. When BIND 9 first starts up and primes its cache, it receives the root
  355. server addresses as additional data in an authoritative response from a
  356. root server, and these records are eligible for inclusion as additional
  357. data in responses. Subsequently it receives a subset of the root server
  358. addresses as additional data in a non-authoritative (referral) response
  359. from a root server. This causes the addresses to now be considered
  360. non-authoritative (glue) data, which is not eligible for inclusion in
  361. responses.
  362. The server does have a complete set of root server addresses cached at
  363. all times, it just may not include all of them as additional data,
  364. depending on whether they were last received as answers or as glue. You
  365. can always look up the addresses with explicit queries like "dig
  366. a.root-servers.net A".
  367. Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
  368. A: A zone can be updated either by editing zone files and reloading the
  369. server or by dynamic update, but not both. If you have enabled dynamic
  370. update for a zone using the "allow-update" option, you are not supposed
  371. to edit the zone file by hand, and the server will not attempt to
  372. reload it.
  373. Q: Why is named listening on UDP port other than 53?
  374. A: Named uses a system selected port to make queries of other nameservers.
  375. This behaviour can be overridden by using query-source to lock down the
  376. port and/or address. See also notify-source and transfer-source.
  377. Q: I get warning messages like "zone example.com/IN: refresh: failure
  378. trying master 1.2.3.4#53: timed out".
  379. A: Check that you can make UDP queries from the slave to the master
  380. dig +norec example.com soa @1.2.3.4
  381. You could be generating queries faster than the slave can cope with.
  382. Lower the serial query rate.
  383. serial-query-rate 5; // default 20
  384. Q: I don't get RRSIG's returned when I use "dig +dnssec".
  385. A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
  386. Q: Can a NS record refer to a CNAME.
  387. A: No. The rules for glue (copies of the *address* records in the parent
  388. zones) and additional section processing do not allow it to work.
  389. You would have to add both the CNAME and address records (A/AAAA) as
  390. glue to the parent zone and have CNAMEs be followed when doing
  391. additional section processing to make it work. No nameserver
  392. implementation supports either of these requirements.
  393. Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
  394. mean?
  395. A: If the IN-ADDR.ARPA name covered refers to a internal address space you
  396. are using then you have failed to follow RFC 1918 usage rules and are
  397. leaking queries to the Internet. You should establish your own zones
  398. for these addresses to prevent you querying the Internet's name servers
  399. for these addresses. Please see <http://as112.net/> for details of the
  400. problems you are causing and the counter measures that have had to be
  401. deployed.
  402. If you are not using these private addresses then a client has queried
  403. for them. You can just ignore the messages, get the offending client to
  404. stop sending you these messages as they are most probably leaking them
  405. or setup your own zones empty zones to serve answers to these queries.
  406. zone "10.IN-ADDR.ARPA" {
  407. type master;
  408. file "empty";
  409. };
  410. zone "16.172.IN-ADDR.ARPA" {
  411. type master;
  412. file "empty";
  413. };
  414. ...
  415. zone "31.172.IN-ADDR.ARPA" {
  416. type master;
  417. file "empty";
  418. };
  419. zone "168.192.IN-ADDR.ARPA" {
  420. type master;
  421. file "empty";
  422. };
  423. empty:
  424. @ 10800 IN SOA <name-of-server>. <contact-email>. (
  425. 1 3600 1200 604800 10800 )
  426. @ 10800 IN NS <name-of-server>.
  427. Note
  428. Future versions of named are likely to do this automatically.
  429. Q: Will named be affected by the 2007 changes to daylight savings rules in
  430. the US.
  431. A: No, so long as the machines internal clock (as reported by "date -u")
  432. remains at UTC. The only visible change if you fail to upgrade your OS,
  433. if you are in a affected area, will be that log messages will be a hour
  434. out during the period where the old rules do not match the new rules.
  435. For most OS's this change just means that you need to update the
  436. conversion rules from UTC to local time. Normally this involves
  437. updating a file in /etc (which sets the default timezone for the
  438. machine) and possibly a directory which has all the conversion rules
  439. for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
  440. forget to update any chroot areas as well. See your OS's documentation
  441. for more details.
  442. The local timezone conversion rules can also be done on a individual
  443. basis by setting the TZ environment variable appropriately. See your
  444. OS's documentation for more details.
  445. Q: Is there a bugzilla (or other tool) database that mere mortals can have
  446. (read-only) access to for bind?
  447. A: No. The BIND 9 bug database is kept closed for a number of reasons.
  448. These include, but are not limited to, that the database contains
  449. proprietory information from people reporting bugs. The database has in
  450. the past and may in future contain unfixed bugs which are capable of
  451. bringing down most of the Internet's DNS infrastructure.
  452. The release pages for each version contain up to date lists of bugs
  453. that have been fixed post release. That is as close as we can get to
  454. providing a bug database.
  455. Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
  456. A: NSEC3 records are strictly meta data and can only be returned in the
  457. authority section. This is done so that signing the zone using NSEC3
  458. records does not bring names into existence that do not exist in the
  459. unsigned version of the zone.
  460. 5. Operating-System Specific Questions
  461. 5.1. HPUX
  462. Q: I get the following error trying to configure BIND:
  463. checking if unistd.h or sys/types.h defines fd_set... no
  464. configure: error: need either working unistd.h or sys/select.h
  465. A: You have attempted to configure BIND with the bundled C compiler. This
  466. compiler does not meet the minimum compiler requirements to for
  467. building BIND. You need to install a ANSI C compiler and / or teach
  468. configure how to find the ANSI C compiler. The later can be done by
  469. adjusting the PATH environment variable and / or specifying the
  470. compiler via CC.
  471. ./configure CC=<compiler> ...
  472. 5.2. Linux
  473. Q: Why do I get the following errors:
  474. general: errno2result.c:109: unexpected error:
  475. general: unable to convert errno to isc_result: 14: Bad address
  476. client: UDP client handler shutting down due to fatal receive error: unexpected error
  477. A: This is the result of a Linux kernel bug.
  478. See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
  479. 2>
  480. Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
  481. A: This is due to a kernel bug where the fact that a socket is marked
  482. non-blocking is ignored. It is reported that setting xfrm_larval_drop
  483. to 1 helps but this may have negative side effects. See: <https://
  484. bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
  485. 2007/12/4/260>.
  486. xfrm_larval_drop can be set to 1 by the following procedure:
  487. echo "1" > proc/sys/net/core/xfrm_larval_drop
  488. Q: Why do I see 5 (or more) copies of named on Linux?
  489. A: Linux threads each show up as a process under ps. The approximate
  490. number of threads running is n+4, where n is the number of CPUs. Note
  491. that the amount of memory used is not cumulative; if each process is
  492. using 10M of memory, only a total of 10M is used.
  493. Newer versions of Linux's ps command hide the individual threads and
  494. require -L to display them.
  495. Q: Why does BIND 9 log "permission denied" errors accessing its
  496. configuration files or zones on my Linux system even though it is
  497. running as root?
  498. A: On Linux, BIND 9 drops most of its root privileges on startup. This
  499. including the privilege to open files owned by other users. Therefore,
  500. if the server is running as root, the configuration files and zone
  501. files should also be owned by root.
  502. Q: I get the error message "named: capset failed: Operation not permitted"
  503. when starting named.
  504. A: The capability module, part of "Linux Security Modules/LSM", has not
  505. been loaded into the kernel. See insmod(8), modprobe(8).
  506. The relevant modules can be loaded by running:
  507. modprobe commoncap
  508. modprobe capability
  509. Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
  510. Why can't named update slave zone database files?
  511. Why can't named create DDNS journal files or update the master zones
  512. from journals?
  513. Why can't named create custom log files?
  514. A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
  515. Red Hat have adopted the National Security Agency's SELinux security
  516. policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
  517. security , which are more secure than running named in a chroot and
  518. make use of the bind-chroot environment unnecessary .
  519. By default, named is not allowed by the SELinux policy to write, create
  520. or delete any files EXCEPT in these directories:
  521. $ROOTDIR/var/named/slaves
  522. $ROOTDIR/var/named/data
  523. $ROOTDIR/var/tmp
  524. where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
  525. installed.
  526. The SELinux policy particularly does NOT allow named to modify the
  527. $ROOTDIR/var/named directory, the default location for master zone
  528. database files.
  529. SELinux policy overrules file access permissions - so even if all the
  530. files under /var/named have ownership named:named and mode rw-rw-r--,
  531. named will still not be able to write or create files except in the
  532. directories above, with SELinux in Enforcing mode.
  533. So, to allow named to update slave or DDNS zone files, it is best to
  534. locate them in $ROOTDIR/var/named/slaves, with named.conf zone
  535. statements such as:
  536. zone "slave.zone." IN {
  537. type slave;
  538. file "slaves/slave.zone.db";
  539. ...
  540. };
  541. zone "ddns.zone." IN {
  542. type master;
  543. allow-updates {...};
  544. file "slaves/ddns.zone.db";
  545. };
  546. To allow named to create its cache dump and statistics files, for
  547. example, you could use named.conf options statements such as:
  548. options {
  549. ...
  550. dump-file "/var/named/data/cache_dump.db";
  551. statistics-file "/var/named/data/named_stats.txt";
  552. ...
  553. };
  554. You can also tell SELinux to allow named to update any zone database
  555. files, by setting the SELinux tunable boolean parameter
  556. 'named_write_master_zones=1', using the system-config-securitylevel
  557. GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
  558. booleans.
  559. You can disable SELinux protection for named entirely by setting the
  560. 'named_disable_trans=1' SELinux tunable boolean parameter.
  561. The SELinux named policy defines these SELinux contexts for named:
  562. named_zone_t : for zone database files - $ROOTDIR/var/named/*
  563. named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
  564. named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
  565. If you want to retain use of the SELinux policy for named, and put
  566. named files in different locations, you can do so by changing the
  567. context of the custom file locations .
  568. To create a custom configuration file location, e.g. '/root/
  569. named.conf', to use with the 'named -c' option, do:
  570. # chcon system_u:object_r:named_conf_t /root/named.conf
  571. To create a custom modifiable named data location, e.g. '/var/log/
  572. named' for a log file, do:
  573. # chcon system_u:object_r:named_cache_t /var/log/named
  574. To create a custom zone file location, e.g. /root/zones/, do:
  575. # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
  576. See these man-pages for more information : selinux(8), named_selinux
  577. (8), chcon(1), setsebool(8)
  578. Q: I'm running BIND on Ubuntu -
  579. Why can't named update slave zone database files?
  580. Why can't named create DDNS journal files or update the master zones
  581. from journals?
  582. Why can't named create custom log files?
  583. A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
  584. addition to normal file system permissions to protect the system.
  585. Adjust the paths to use those specified in /etc/apparmor.d/
  586. usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
  587. to write at the location specified in named.conf.
  588. Q: Listening on individual IPv6 interfaces does not work.
  589. A: This is usually due to "/proc/net/if_inet6" not being available in the
  590. chroot file system. Mount another instance of "proc" in the chroot file
  591. system.
  592. This can be be made permanent by adding a second instance to /etc/
  593. fstab.
  594. proc /proc proc defaults 0 0
  595. proc /var/named/proc proc defaults 0 0
  596. 5.3. Windows
  597. Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
  598. Why?
  599. A: This may be caused by a bug in the Windows 2000 DNS server where DNS
  600. messages larger than 16K are not handled properly. This can be worked
  601. around by setting the option "transfer-format one-answer;". Also check
  602. whether your zone contains domain names with embedded spaces or other
  603. special characters, like "John\032Doe\213s\032Computer", since such
  604. names have been known to cause Windows 2000 slaves to incorrectly
  605. reject the zone.
  606. Q: I get "Error 1067" when starting named under Windows.
  607. A: This is the service manager saying that named exited. You need to
  608. examine the Application log in the EventViewer to find out why.
  609. Common causes are that you failed to create "named.conf" (usually "C:\
  610. windows\dns\etc\named.conf") or failed to specify the directory in
  611. named.conf.
  612. options {
  613. Directory "C:\windows\dns\etc";
  614. };
  615. 5.4. FreeBSD
  616. Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
  617. A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
  618. use certain interrupts as a source of random events. You can make this
  619. permanent by setting rand_irqs in /etc/rc.conf.
  620. rand_irqs="3 14 15"
  621. See also <http://people.freebsd.org/~dougb/randomness.html>.
  622. 5.5. Solaris
  623. Q: How do I integrate BIND 9 and Solaris SMF
  624. A: Sun has a blog entry describing how to do this.
  625. <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
  626. 5.6. Apple Mac OS X
  627. Q: How do I run BIND 9 on Apple Mac OS X?
  628. A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
  629. % sudo rndc-confgen > /etc/rndc.conf
  630. Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
  631. key "rndc-key" {
  632. algorithm hmac-md5;
  633. secret "uvceheVuqf17ZwIcTydddw==";
  634. };
  635. Then start the relevant service:
  636. % sudo service org.isc.named start
  637. This is persistent upon a reboot, so you will have to do it only once.
  638. A: Alternatively you can just generate /etc/rndc.key by running:
  639. % sudo rndc-confgen -a
  640. Then start the relevant service:
  641. % sudo service org.isc.named start
  642. Named will look for /etc/rndc.key when it starts if it doesn't have a
  643. controls section or the existing controls are missing keys sub-clauses.
  644. This is persistent upon a reboot, so you will have to do it only once.