/contrib/bind9/FAQ
#! | 893 lines | 644 code | 249 blank | 0 comment | 0 complexity | 7b0ccb9c4c6614187c04f54583083556 MD5 | raw file
1Frequently Asked Questions about BIND 9 2 3Copyright Š 2004-2010 Internet Systems Consortium, Inc. ("ISC") 4 5Copyright Š 2000-2003 Internet Software Consortium. 6 7----------------------------------------------------------------------- 8 91. Compilation and Installation Questions 10 11Q: I'm trying to compile BIND 9, and "make" is failing due to files not 12 being found. Why? 13 14A: Using a parallel or distributed "make" to build BIND 9 is not 15 supported, and doesn't work. If you are using one of these, use normal 16 make or gmake instead. 17 18Q: Isn't "make install" supposed to generate a default named.conf? 19 20A: Short Answer: No. 21 22 Long Answer: There really isn't a default configuration which fits any 23 site perfectly. There are lots of decisions that need to be made and 24 there is no consensus on what the defaults should be. For example 25 FreeBSD uses /etc/namedb as the location where the configuration files 26 for named are stored. Others use /var/named. 27 28 What addresses to listen on? For a laptop on the move a lot you may 29 only want to listen on the loop back interfaces. 30 31 Who do you offer recursive service to? Is there are firewall to 32 consider? If so is it stateless or stateful. Are you directly on the 33 Internet? Are you on a private network? Are you on a NAT'd network? The 34 answers to all these questions change how you configure even a caching 35 name server. 36 372. Configuration and Setup Questions 38 39Q: Why does named log the warning message "no TTL specified - using SOA 40 MINTTL instead"? 41 42A: Your zone file is illegal according to RFC1035. It must either have a 43 line like: 44 45 $TTL 86400 46 47 at the beginning, or the first record in it must have a TTL field, like 48 the "84600" in this example: 49 50 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) 51 52Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master 53 file bar: ran out of space"? 54 55A: This is often caused by TXT records with missing close quotes. Check 56 that all TXT records containing quoted strings have both open and close 57 quotes. 58 59Q: How do I restrict people from looking up the server version? 60 61A: Put a "version" option containing something other than the real version 62 in the "options" section of named.conf. Note doing this will not 63 prevent attacks and may impede people trying to diagnose problems with 64 your server. Also it is possible to "fingerprint" nameservers to 65 determine their version. 66 67Q: How do I restrict only remote users from looking up the server version? 68 69A: The following view statement will intercept lookups as the internal 70 view that holds the version information will be matched last. The 71 caveats of the previous answer still apply, of course. 72 73 view "chaos" chaos { 74 match-clients { <those to be refused>; }; 75 allow-query { none; }; 76 zone "." { 77 type hint; 78 file "/dev/null"; // or any empty file 79 }; 80 }; 81 82Q: What do "no source of entropy found" or "could not open entropy source 83 foo" mean? 84 85A: The server requires a source of entropy to perform certain operations, 86 mostly DNSSEC related. These messages indicate that you have no source 87 of entropy. On systems with /dev/random or an equivalent, it is used by 88 default. A source of entropy can also be defined using the 89 random-device option in named.conf. 90 91Q: I'm trying to use TSIG to authenticate dynamic updates or zone 92 transfers. I'm sure I have the keys set up correctly, but the server is 93 rejecting the TSIG. Why? 94 95A: This may be a clock skew problem. Check that the the clocks on the 96 client and server are properly synchronised (e.g., using ntp). 97 98Q: I see a log message like the following. Why? 99 100 couldn't open pid file '/var/run/named.pid': Permission denied 101 102A: You are most likely running named as a non-root user, and that user 103 does not have permission to write in /var/run. The common ways of 104 fixing this are to create a /var/run/named directory owned by the named 105 user and set pid-file to "/var/run/named/named.pid", or set pid-file to 106 "named.pid", which will put the file in the directory specified by the 107 directory option (which, in this case, must be writable by the named 108 user). 109 110Q: I can query the nameserver from the nameserver but not from other 111 machines. Why? 112 113A: This is usually the result of the firewall configuration stopping the 114 queries and / or the replies. 115 116Q: How can I make a server a slave for both an internal and an external 117 view at the same time? When I tried, both views on the slave were 118 transferred from the same view on the master. 119 120A: You will need to give the master and slave multiple IP addresses and 121 use those to make sure you reach the correct view on the other machine. 122 123 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) 124 internal: 125 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 126 notify-source 10.0.1.1; 127 transfer-source 10.0.1.1; 128 query-source address 10.0.1.1; 129 external: 130 match-clients { any; }; 131 recursion no; // don't offer recursion to the world 132 notify-source 10.0.1.2; 133 transfer-source 10.0.1.2; 134 query-source address 10.0.1.2; 135 136 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) 137 internal: 138 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 139 notify-source 10.0.1.3; 140 transfer-source 10.0.1.3; 141 query-source address 10.0.1.3; 142 external: 143 match-clients { any; }; 144 recursion no; // don't offer recursion to the world 145 notify-source 10.0.1.4; 146 transfer-source 10.0.1.4; 147 query-source address 10.0.1.4; 148 149 You put the external address on the alias so that all the other dns 150 clients on these boxes see the internal view by default. 151 152A: BIND 9.3 and later: Use TSIG to select the appropriate view. 153 154 Master 10.0.1.1: 155 key "external" { 156 algorithm hmac-sha256; 157 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 158 }; 159 view "internal" { 160 match-clients { !key external; // reject message ment for the 161 // external view. 162 10.0.1/24; }; // accept from these addresses. 163 ... 164 }; 165 view "external" { 166 match-clients { key external; any; }; 167 server 10.0.1.2 { keys external; }; // tag messages from the 168 // external view to the 169 // other servers for the 170 // view. 171 recursion no; 172 ... 173 }; 174 175 Slave 10.0.1.2: 176 key "external" { 177 algorithm hmac-sha256; 178 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 179 }; 180 view "internal" { 181 match-clients { !key external; 10.0.1/24; }; 182 ... 183 }; 184 view "external" { 185 match-clients { key external; any; }; 186 server 10.0.1.1 { keys external; }; 187 recursion no; 188 ... 189 }; 190 191Q: I get error messages like "multiple RRs of singleton type" and "CNAME 192 and other data" when transferring a zone. What does this mean? 193 194A: These indicate a malformed master zone. You can identify the exact 195 records involved by transferring the zone using dig then running 196 named-checkzone on it. 197 198 dig axfr example.com @master-server > tmp 199 named-checkzone example.com tmp 200 201 A CNAME record cannot exist with the same name as another record except 202 for the DNSSEC records which prove its existence (NSEC). 203 204 RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other 205 data should be present; this ensures that the data for a canonical name 206 and its aliases cannot be different. This rule also insures that a 207 cached CNAME can be used without checking with an authoritative server 208 for other RR types." 209 210Q: I get error messages like "named.conf:99: unexpected end of input" 211 where 99 is the last line of named.conf. 212 213A: There are unbalanced quotes in named.conf. 214 215A: Some text editors (notepad and wordpad) fail to put a line title 216 indication (e.g. CR/LF) on the last line of a text file. This can be 217 fixed by "adding" a blank line to the end of the file. Named expects to 218 see EOF immediately after EOL and treats text files where this is not 219 met as truncated. 220 221Q: How do I share a dynamic zone between multiple views? 222 223A: You choose one view to be master and the second a slave and transfer 224 the zone between views. 225 226 Master 10.0.1.1: 227 key "external" { 228 algorithm hmac-sha256; 229 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 230 }; 231 232 key "mykey" { 233 algorithm hmac-sha256; 234 secret "yyyyyyyyyyyyyyyyyyyyyyyy"; 235 }; 236 237 view "internal" { 238 match-clients { !key external; 10.0.1/24; }; 239 server 10.0.1.1 { 240 /* Deliver notify messages to external view. */ 241 keys { external; }; 242 }; 243 zone "example.com" { 244 type master; 245 file "internal/example.db"; 246 allow-update { key mykey; }; 247 also-notify { 10.0.1.1; }; 248 }; 249 }; 250 251 view "external" { 252 match-clients { key external; any; }; 253 zone "example.com" { 254 type slave; 255 file "external/example.db"; 256 masters { 10.0.1.1; }; 257 transfer-source 10.0.1.1; 258 // allow-update-forwarding { any; }; 259 // allow-notify { ... }; 260 }; 261 }; 262 263Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading 264 master file primaries/wireless.ietf56.ietf.org: no owner". 265 266A: This error is produced when a line in the master file contains leading 267 white space (tab/space) but the is no current record owner name to 268 inherit the name from. Usually this is the result of putting white 269 space before a comment, forgetting the "@" for the SOA record, or 270 indenting the master file. 271 272Q: Why are my logs in GMT (UTC). 273 274A: You are running chrooted (-t) and have not supplied local timezone 275 information in the chroot area. 276 277 FreeBSD: /etc/localtime 278 Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo 279 OSF: /etc/zoneinfo/localtime 280 281 See also tzset(3) and zic(8). 282 283Q: I get "rndc: connect failed: connection refused" when I try to run 284 rndc. 285 286A: This is usually a configuration error. 287 288 First ensure that named is running and no errors are being reported at 289 startup (/var/log/messages or equivalent). Running "named -g <usual 290 arguments>" from a title can help at this point. 291 292 Secondly ensure that named is configured to use rndc either by 293 "rndc-confgen -a", rndc-confgen or manually. The Administrators 294 Reference manual has details on how to do this. 295 296 Old versions of rndc-confgen used localhost rather than 127.0.0.1 in / 297 etc/rndc.conf for the default server. Update /etc/rndc.conf if 298 necessary so that the default server listed in /etc/rndc.conf matches 299 the addresses used in named.conf. "localhost" has two address 300 (127.0.0.1 and ::1). 301 302 If you use "rndc-confgen -a" and named is running with -t or -u ensure 303 that /etc/rndc.conf has the correct ownership and that a copy is in the 304 chroot area. You can do this by re-running "rndc-confgen -a" with 305 appropriate -t and -u arguments. 306 307Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while 308 receiving responses: permission denied" error messages. 309 310A: These indicate a filesystem permission error preventing named creating 311 / renaming the temporary file. These will usually also have other 312 associated error messages like 313 314 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" 315 316 Named needs write permission on the directory containing the file. 317 Named writes the new cache file to a temporary file then renames it to 318 the name specified in named.conf to ensure that the contents are always 319 complete. This is to prevent named loading a partial zone in the event 320 of power failure or similar interrupting the write of the master file. 321 322 Note file names are relative to the directory specified in options and 323 any chroot directory ([<chroot dir>/][<options dir>]). 324 325 If named is invoked as "named -t /chroot/DNS" with the following 326 named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the 327 user named is running as. 328 329 options { 330 directory "/var/named"; 331 }; 332 333 zone "example.net" { 334 type slave; 335 file "sl/example.net"; 336 masters { 192.168.4.12; }; 337 }; 338 339Q: I want to forward all DNS queries from my caching nameserver to another 340 server. But there are some domains which have to be served locally, via 341 rbldnsd. 342 343 How do I achieve this ? 344 345A: options { 346 forward only; 347 forwarders { <ip.of.primary.nameserver>; }; 348 }; 349 350 zone "sbl-xbl.spamhaus.org" { 351 type forward; forward only; 352 forwarders { <ip.of.rbldns.server> port 530; }; 353 }; 354 355 zone "list.dsbl.org" { 356 type forward; forward only; 357 forwarders { <ip.of.rbldns.server> port 530; }; 358 }; 359 360 361Q: Can you help me understand how BIND 9 uses memory to store DNS zones? 362 363 Some times it seems to take several times the amount of memory it needs 364 to store the zone. 365 366A: When reloading a zone named my have multiple copies of the zone in 367 memory at one time. The zone it is serving and the one it is loading. 368 If reloads are ultra fast it can have more still. 369 370 e.g. Ones that are transferring out, the one that it is serving and the 371 one that is loading. 372 373 BIND 8 destroyed the zone before loading and also killed off outgoing 374 transfers of the zone. 375 376 The new strategy allows slaves to get copies of the new zone regardless 377 of how often the master is loaded compared to the transfer time. The 378 slave might skip some intermediate versions but the transfers will 379 complete and it will keep reasonably in sync with the master. 380 381 The new strategy also allows the master to recover from syntax and 382 other errors in the master file as it still has an in-core copy of the 383 old contents. 384 385Q: I want to use IPv6 locally but I don't have a external IPv6 connection. 386 External lookups are slow. 387 388A: You can use server clauses to stop named making external lookups over 389 IPv6. 390 391 server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix 392 server ::/0 { bogus yes; }; 393 3943. Operations Questions 395 396Q: How to change the nameservers for a zone? 397 398A: Step 1: Ensure all nameservers, new and old, are serving the same zone 399 content. 400 401 Step 2: Work out the maximum TTL of the NS RRset in the parent and 402 child zones. This is the time it will take caches to be clear of a 403 particular version of the NS RRset. If you are just removing 404 nameservers you can skip to Step 6. 405 406 Step 3: Add new nameservers to the NS RRset for the zone and wait until 407 all the servers for the zone are answering with this new NS RRset. 408 409 Step 4: Inform the parent zone of the new NS RRset then wait for all 410 the parent servers to be answering with the new NS RRset. 411 412 Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for 413 how long. If you are just adding nameservers you are done. 414 415 Step 6: Remove any old nameservers from the zones NS RRset and wait for 416 all the servers for the zone to be serving the new NS RRset. 417 418 Step 7: Inform the parent zone of the new NS RRset then wait for all 419 the parent servers to be answering with the new NS RRset. 420 421 Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for 422 how long. 423 424 Step 9: Turn off the old nameservers or remove the zone entry from the 425 configuration of the old nameservers. 426 427 Step 10: Increment the serial number and wait for the change to be 428 visible in all nameservers for the zone. This ensures that zone 429 transfers are still working after the old servers are decommissioned. 430 431 Note: the above procedure is designed to be transparent to dns clients. 432 Decommissioning the old servers too early will result in some clients 433 not being able to look up answers in the zone. 434 435 Note: while it is possible to run the addition and removal stages 436 together it is not recommended. 437 4384. General Questions 439 440Q: I keep getting log messages like the following. Why? 441 442 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': 443 update failed: 'RRset exists (value dependent)' prerequisite not 444 satisfied (NXRRSET) 445 446A: DNS updates allow the update request to test to see if certain 447 conditions are met prior to proceeding with the update. The message 448 above is saying that conditions were not met and the update is not 449 proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. 450 451Q: I keep getting log messages like the following. Why? 452 453 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied 454 455A: Someone is trying to update your DNS data using the RFC2136 Dynamic 456 Update protocol. Windows 2000 machines have a habit of sending dynamic 457 update requests to DNS servers without being specifically configured to 458 do so. If the update requests are coming from a Windows 2000 machine, 459 see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> 460 for information about how to turn them off. 461 462Q: When I do a "dig . ns", many of the A records for the root servers are 463 missing. Why? 464 465A: This is normal and harmless. It is a somewhat confusing side effect of 466 the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 467 makes to avoid promoting glue into answers. 468 469 When BIND 9 first starts up and primes its cache, it receives the root 470 server addresses as additional data in an authoritative response from a 471 root server, and these records are eligible for inclusion as additional 472 data in responses. Subsequently it receives a subset of the root server 473 addresses as additional data in a non-authoritative (referral) response 474 from a root server. This causes the addresses to now be considered 475 non-authoritative (glue) data, which is not eligible for inclusion in 476 responses. 477 478 The server does have a complete set of root server addresses cached at 479 all times, it just may not include all of them as additional data, 480 depending on whether they were last received as answers or as glue. You 481 can always look up the addresses with explicit queries like "dig 482 a.root-servers.net A". 483 484Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? 485 486A: A zone can be updated either by editing zone files and reloading the 487 server or by dynamic update, but not both. If you have enabled dynamic 488 update for a zone using the "allow-update" option, you are not supposed 489 to edit the zone file by hand, and the server will not attempt to 490 reload it. 491 492Q: Why is named listening on UDP port other than 53? 493 494A: Named uses a system selected port to make queries of other nameservers. 495 This behaviour can be overridden by using query-source to lock down the 496 port and/or address. See also notify-source and transfer-source. 497 498Q: I get warning messages like "zone example.com/IN: refresh: failure 499 trying master 1.2.3.4#53: timed out". 500 501A: Check that you can make UDP queries from the slave to the master 502 503 dig +norec example.com soa @1.2.3.4 504 505 You could be generating queries faster than the slave can cope with. 506 Lower the serial query rate. 507 508 serial-query-rate 5; // default 20 509 510Q: I don't get RRSIG's returned when I use "dig +dnssec". 511 512A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). 513 514Q: Can a NS record refer to a CNAME. 515 516A: No. The rules for glue (copies of the *address* records in the parent 517 zones) and additional section processing do not allow it to work. 518 519 You would have to add both the CNAME and address records (A/AAAA) as 520 glue to the parent zone and have CNAMEs be followed when doing 521 additional section processing to make it work. No nameserver 522 implementation supports either of these requirements. 523 524Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" 525 mean? 526 527A: If the IN-ADDR.ARPA name covered refers to a internal address space you 528 are using then you have failed to follow RFC 1918 usage rules and are 529 leaking queries to the Internet. You should establish your own zones 530 for these addresses to prevent you querying the Internet's name servers 531 for these addresses. Please see <http://as112.net/> for details of the 532 problems you are causing and the counter measures that have had to be 533 deployed. 534 535 If you are not using these private addresses then a client has queried 536 for them. You can just ignore the messages, get the offending client to 537 stop sending you these messages as they are most probably leaking them 538 or setup your own zones empty zones to serve answers to these queries. 539 540 zone "10.IN-ADDR.ARPA" { 541 type master; 542 file "empty"; 543 }; 544 545 zone "16.172.IN-ADDR.ARPA" { 546 type master; 547 file "empty"; 548 }; 549 550 ... 551 552 zone "31.172.IN-ADDR.ARPA" { 553 type master; 554 file "empty"; 555 }; 556 557 zone "168.192.IN-ADDR.ARPA" { 558 type master; 559 file "empty"; 560 }; 561 562 empty: 563 @ 10800 IN SOA <name-of-server>. <contact-email>. ( 564 1 3600 1200 604800 10800 ) 565 @ 10800 IN NS <name-of-server>. 566 567 Note 568 569 Future versions of named are likely to do this automatically. 570 571Q: Will named be affected by the 2007 changes to daylight savings rules in 572 the US. 573 574A: No, so long as the machines internal clock (as reported by "date -u") 575 remains at UTC. The only visible change if you fail to upgrade your OS, 576 if you are in a affected area, will be that log messages will be a hour 577 out during the period where the old rules do not match the new rules. 578 579 For most OS's this change just means that you need to update the 580 conversion rules from UTC to local time. Normally this involves 581 updating a file in /etc (which sets the default timezone for the 582 machine) and possibly a directory which has all the conversion rules 583 for the world (e.g. /usr/share/zoneinfo). When updating the OS do not 584 forget to update any chroot areas as well. See your OS's documentation 585 for more details. 586 587 The local timezone conversion rules can also be done on a individual 588 basis by setting the TZ environment variable appropriately. See your 589 OS's documentation for more details. 590 591Q: Is there a bugzilla (or other tool) database that mere mortals can have 592 (read-only) access to for bind? 593 594A: No. The BIND 9 bug database is kept closed for a number of reasons. 595 These include, but are not limited to, that the database contains 596 proprietory information from people reporting bugs. The database has in 597 the past and may in future contain unfixed bugs which are capable of 598 bringing down most of the Internet's DNS infrastructure. 599 600 The release pages for each version contain up to date lists of bugs 601 that have been fixed post release. That is as close as we can get to 602 providing a bug database. 603 604Q: Why do queries for NSEC3 records fail to return the NSEC3 record? 605 606A: NSEC3 records are strictly meta data and can only be returned in the 607 authority section. This is done so that signing the zone using NSEC3 608 records does not bring names into existence that do not exist in the 609 unsigned version of the zone. 610 6115. Operating-System Specific Questions 612 6135.1. HPUX 614 615Q: I get the following error trying to configure BIND: 616 617 checking if unistd.h or sys/types.h defines fd_set... no 618 configure: error: need either working unistd.h or sys/select.h 619 620A: You have attempted to configure BIND with the bundled C compiler. This 621 compiler does not meet the minimum compiler requirements to for 622 building BIND. You need to install a ANSI C compiler and / or teach 623 configure how to find the ANSI C compiler. The later can be done by 624 adjusting the PATH environment variable and / or specifying the 625 compiler via CC. 626 627 ./configure CC=<compiler> ... 628 6295.2. Linux 630 631Q: Why do I get the following errors: 632 633 general: errno2result.c:109: unexpected error: 634 general: unable to convert errno to isc_result: 14: Bad address 635 client: UDP client handler shutting down due to fatal receive error: unexpected error 636 637A: This is the result of a Linux kernel bug. 638 639 See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w= 640 2> 641 642Q: Why does named lock up when it attempts to connect over IPSEC tunnels? 643 644A: This is due to a kernel bug where the fact that a socket is marked 645 non-blocking is ignored. It is reported that setting xfrm_larval_drop 646 to 1 helps but this may have negative side effects. See: <https:// 647 bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/ 648 2007/12/4/260>. 649 650 xfrm_larval_drop can be set to 1 by the following procedure: 651 652 echo "1" > proc/sys/net/core/xfrm_larval_drop 653 654Q: Why do I see 5 (or more) copies of named on Linux? 655 656A: Linux threads each show up as a process under ps. The approximate 657 number of threads running is n+4, where n is the number of CPUs. Note 658 that the amount of memory used is not cumulative; if each process is 659 using 10M of memory, only a total of 10M is used. 660 661 Newer versions of Linux's ps command hide the individual threads and 662 require -L to display them. 663 664Q: Why does BIND 9 log "permission denied" errors accessing its 665 configuration files or zones on my Linux system even though it is 666 running as root? 667 668A: On Linux, BIND 9 drops most of its root privileges on startup. This 669 including the privilege to open files owned by other users. Therefore, 670 if the server is running as root, the configuration files and zone 671 files should also be owned by root. 672 673Q: I get the error message "named: capset failed: Operation not permitted" 674 when starting named. 675 676A: The capability module, part of "Linux Security Modules/LSM", has not 677 been loaded into the kernel. See insmod(8), modprobe(8). 678 679 The relevant modules can be loaded by running: 680 681 modprobe commoncap 682 modprobe capability 683 684Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core - 685 686 Why can't named update slave zone database files? 687 688 Why can't named create DDNS journal files or update the master zones 689 from journals? 690 691 Why can't named create custom log files? 692 693A: Red Hat Security Enhanced Linux (SELinux) policy security protections : 694 695 Red Hat have adopted the National Security Agency's SELinux security 696 policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND 697 security , which are more secure than running named in a chroot and 698 make use of the bind-chroot environment unnecessary . 699 700 By default, named is not allowed by the SELinux policy to write, create 701 or delete any files EXCEPT in these directories: 702 703 $ROOTDIR/var/named/slaves 704 $ROOTDIR/var/named/data 705 $ROOTDIR/var/tmp 706 707 708 where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is 709 installed. 710 711 The SELinux policy particularly does NOT allow named to modify the 712 $ROOTDIR/var/named directory, the default location for master zone 713 database files. 714 715 SELinux policy overrules file access permissions - so even if all the 716 files under /var/named have ownership named:named and mode rw-rw-r--, 717 named will still not be able to write or create files except in the 718 directories above, with SELinux in Enforcing mode. 719 720 So, to allow named to update slave or DDNS zone files, it is best to 721 locate them in $ROOTDIR/var/named/slaves, with named.conf zone 722 statements such as: 723 724 zone "slave.zone." IN { 725 type slave; 726 file "slaves/slave.zone.db"; 727 ... 728 }; 729 zone "ddns.zone." IN { 730 type master; 731 allow-updates {...}; 732 file "slaves/ddns.zone.db"; 733 }; 734 735 736 To allow named to create its cache dump and statistics files, for 737 example, you could use named.conf options statements such as: 738 739 options { 740 ... 741 dump-file "/var/named/data/cache_dump.db"; 742 statistics-file "/var/named/data/named_stats.txt"; 743 ... 744 }; 745 746 747 You can also tell SELinux to allow named to update any zone database 748 files, by setting the SELinux tunable boolean parameter 749 'named_write_master_zones=1', using the system-config-securitylevel 750 GUI, using the 'setsebool' command, or in /etc/selinux/targeted/ 751 booleans. 752 753 You can disable SELinux protection for named entirely by setting the 754 'named_disable_trans=1' SELinux tunable boolean parameter. 755 756 The SELinux named policy defines these SELinux contexts for named: 757 758 named_zone_t : for zone database files - $ROOTDIR/var/named/* 759 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.* 760 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} 761 762 763 If you want to retain use of the SELinux policy for named, and put 764 named files in different locations, you can do so by changing the 765 context of the custom file locations . 766 767 To create a custom configuration file location, e.g. '/root/ 768 named.conf', to use with the 'named -c' option, do: 769 770 # chcon system_u:object_r:named_conf_t /root/named.conf 771 772 773 To create a custom modifiable named data location, e.g. '/var/log/ 774 named' for a log file, do: 775 776 # chcon system_u:object_r:named_cache_t /var/log/named 777 778 779 To create a custom zone file location, e.g. /root/zones/, do: 780 781 # chcon system_u:object_r:named_zone_t /root/zones/{.,*} 782 783 784 See these man-pages for more information : selinux(8), named_selinux 785 (8), chcon(1), setsebool(8) 786 787Q: I'm running BIND on Ubuntu - 788 789 Why can't named update slave zone database files? 790 791 Why can't named create DDNS journal files or update the master zones 792 from journals? 793 794 Why can't named create custom log files? 795 796A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in 797 addition to normal file system permissions to protect the system. 798 799 Adjust the paths to use those specified in /etc/apparmor.d/ 800 usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named 801 to write at the location specified in named.conf. 802 803Q: Listening on individual IPv6 interfaces does not work. 804 805A: This is usually due to "/proc/net/if_inet6" not being available in the 806 chroot file system. Mount another instance of "proc" in the chroot file 807 system. 808 809 This can be be made permanent by adding a second instance to /etc/ 810 fstab. 811 812 proc /proc proc defaults 0 0 813 proc /var/named/proc proc defaults 0 0 814 8155.3. Windows 816 817Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. 818 Why? 819 820A: This may be caused by a bug in the Windows 2000 DNS server where DNS 821 messages larger than 16K are not handled properly. This can be worked 822 around by setting the option "transfer-format one-answer;". Also check 823 whether your zone contains domain names with embedded spaces or other 824 special characters, like "John\032Doe\213s\032Computer", since such 825 names have been known to cause Windows 2000 slaves to incorrectly 826 reject the zone. 827 828Q: I get "Error 1067" when starting named under Windows. 829 830A: This is the service manager saying that named exited. You need to 831 examine the Application log in the EventViewer to find out why. 832 833 Common causes are that you failed to create "named.conf" (usually "C:\ 834 windows\dns\etc\named.conf") or failed to specify the directory in 835 named.conf. 836 837 options { 838 Directory "C:\windows\dns\etc"; 839 }; 840 8415.4. FreeBSD 842 843Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. 844 845A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to 846 use certain interrupts as a source of random events. You can make this 847 permanent by setting rand_irqs in /etc/rc.conf. 848 849 rand_irqs="3 14 15" 850 851 See also <http://people.freebsd.org/~dougb/randomness.html>. 852 8535.5. Solaris 854 855Q: How do I integrate BIND 9 and Solaris SMF 856 857A: Sun has a blog entry describing how to do this. 858 859 <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris> 860 8615.6. Apple Mac OS X 862 863Q: How do I run BIND 9 on Apple Mac OS X? 864 865A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do: 866 867 % sudo rndc-confgen > /etc/rndc.conf 868 869 Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: 870 871 key "rndc-key" { 872 algorithm hmac-md5; 873 secret "uvceheVuqf17ZwIcTydddw=="; 874 }; 875 876 Then start the relevant service: 877 878 % sudo service org.isc.named start 879 880 This is persistent upon a reboot, so you will have to do it only once. 881 882A: Alternatively you can just generate /etc/rndc.key by running: 883 884 % sudo rndc-confgen -a 885 886 Then start the relevant service: 887 888 % sudo service org.isc.named start 889 890 Named will look for /etc/rndc.key when it starts if it doesn't have a 891 controls section or the existing controls are missing keys sub-clauses. 892 This is persistent upon a reboot, so you will have to do it only once. 893