xref: /minix/external/bsd/bind/dist/FAQ.xml (revision bb9622b5)
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
 - Copyright (C) 2004-2010, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003  Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- Id: FAQ.xml,v 1.54 2010/01/19 23:48:55 tbox Exp  -->

<article class="faq">
  <title>Frequently Asked Questions about BIND 9</title>
  <articleinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2010</year>
      <year>2013</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <holder>Internet Software Consortium.</holder>
    </copyright>
  </articleinfo>
  <qandaset defaultlabel='qanda'>

    <qandadiv><title>Compilation and Installation Questions</title>

    <qandaentry>
      <question>
	<para>
	  I'm trying to compile BIND 9, and "make" is failing due to
	  files not being found.  Why?
	</para>
      </question>
      <answer>
	<para>
	  Using a parallel or distributed "make" to build BIND 9 is
	  not supported, and doesn't work.  If you are using one of
	  these, use normal make or gmake instead.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Isn't "make install" supposed to generate a default named.conf?
	</para>
      </question>
      <answer>
	<para>
	  Short Answer: No.
	</para>
	<para>
	  Long Answer: There really isn't a default configuration which fits
	  any site perfectly.  There are lots of decisions that need to
	  be made and there is no consensus on what the defaults should be.
	  For example, FreeBSD uses /etc/namedb as the location where the
	  configuration files for named are stored.  Others use /var/named.
	</para>
	<para>
	  What addresses to listen on?  For a laptop on the move a lot
	  you may only want to listen on the loopback interfaces.
	</para>
	<para>
	  To whom do you offer recursive service?  Is there a firewall
	  to consider?  If so, is it stateless or stateful?  Are you
	  directly on the Internet?  Are you on a private network?  Are
	  you on a NAT'd network?  The answers
	  to all these questions change how you configure even a
	  caching name server.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Compilation and Installation Questions -->

    <qandadiv><title>Configuration and Setup Questions</title>

    <qandaentry>
      <!-- configuration, log -->
      <question>
	<para>
	  Why does named log the warning message <quote>no TTL specified -
	  using SOA MINTTL instead</quote>?
	</para>
      </question>
      <answer>
	<para>
	  Your zone file is illegal according to RFC1035.  It must either
	  have a line like:
	</para>
	<informalexample>
	  <programlisting>
$TTL 86400</programlisting>
	</informalexample>
	<para>
	  at the beginning, or the first record in it must have a TTL field,
	  like the "86400" in this example:
	</para>
	<informalexample>
	  <programlisting>
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
	  master file bar: ran out of space</quote>?
	</para>
      </question>
      <answer>
	<para>
	  This is often caused by TXT records with missing close
	  quotes.  Check that all TXT records containing quoted strings
	  have both open and close quotes.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- security -->
      <question>
	<para>
	  How do I restrict people from looking up the server version?
	</para>
      </question>
      <answer>
	<para>
	  Put a "version" option containing something other than the
	  real version in the "options" section of named.conf.  Note
	  that doing this will not prevent attacks and may impede people
	  trying to diagnose problems with your server.  Also it is
	  possible to "fingerprint" nameservers to determine their
	  version.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- security -->
      <question>
	<para>
	  How do I restrict only remote users from looking up the
	  server version?
	</para>
      </question>
      <answer>
	<para>
	  The following view statement will intercept lookups as the
	  internal view that holds the version information will be
	  matched last.  The caveats of the previous answer still
	  apply, of course.
	</para>
	<informalexample>
	  <programlisting>
view "chaos" chaos {
	match-clients { &lt;those to be refused&gt;; };
	allow-query { none; };
	zone "." {
		type hint;
		file "/dev/null";  // or any empty file
	};
};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  What do <quote>no source of entropy found</quote> or <quote>could not
	  open entropy source foo</quote> mean?
	</para>
      </question>
      <answer>
	<para>
	  The server requires a source of entropy to perform certain
	  operations, mostly DNSSEC related.  These messages indicate
	  that you have no source of entropy.  On systems with
	  /dev/random or an equivalent, it is used by default.  A
	  source of entropy can also be defined using the random-device
	  option in named.conf.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <!-- configuration -->
      <question>
	<para>
	  I'm trying to use TSIG to authenticate dynamic updates or
	  zone transfers.  I'm sure I have the keys set up correctly,
	  but the server is rejecting the TSIG.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This may be a clock skew problem.  Check that the clocks
	  on the client and server are properly synchronised (e.g.,
	  using ntp).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I see a log message like the following.  Why?
	</para>
	<para>
	  couldn't open pid file '/var/run/named.pid': Permission denied
	</para>
      </question>
      <answer>
	<para>
	  You are most likely running named as a non-root user, and
	  that user does not have permission to write in /var/run.
	  The common ways of fixing this are to create a /var/run/named
	  directory owned by the named user and set pid-file to
	  "/var/run/named/named.pid", or set pid-file to "named.pid",
	  which will put the file in the directory specified by the
	  directory option (which, in this case, must be writable by
	  the user named is running as).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I can query the nameserver from the nameserver but not from other
	  machines.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This is usually the result of the firewall configuration stopping
	  the queries and/or the replies.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  How can I make a server a slave for both an internal and
	  an external view at the same time?  When I tried, both views
	  on the slave were transferred from the same view on the master.
	</para>
      </question>
      <answer>
	<para>
	  You will need to give the master and slave multiple IP
	  addresses and use those to make sure you reach the correct
	  view on the other machine.
	</para>
	<informalexample>
	  <programlisting>
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
    internal:
	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
	notify-source 10.0.1.1;
	transfer-source 10.0.1.1;
	query-source address 10.0.1.1;
    external:
	match-clients { any; };
	recursion no;	// don't offer recursion to the world
	notify-source 10.0.1.2;
	transfer-source 10.0.1.2;
	query-source address 10.0.1.2;

Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
    internal:
	match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
	notify-source 10.0.1.3;
	transfer-source 10.0.1.3;
	query-source address 10.0.1.3;
    external:
	match-clients { any; };
	recursion no;	// don't offer recursion to the world
	notify-source 10.0.1.4;
	transfer-source 10.0.1.4;
	query-source address 10.0.1.4;</programlisting>
	</informalexample>
	<para>
	  You put the external address on the alias so that all the other
	  DNS clients on these boxes see the internal view by default.
	</para>
      </answer>
      <answer>
	<para>
	  BIND 9.3 and later: Use TSIG to select the appropriate view.
	</para>
	<informalexample>
	  <programlisting>
Master 10.0.1.1:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};
	view "internal" {
		match-clients { !key external; // reject messages meant for the
					       // external view.
				10.0.1/24; };  // accept from these addresses.
		...
	};
	view "external" {
		match-clients { key external; any; };
		server 10.0.1.2 { keys external; };  // tag messages from the
						     // external view to the
						     // other servers for the
						     // view.
		recursion no;
		...
	};

Slave 10.0.1.2:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};
	view "internal" {
		match-clients { !key external; 10.0.1/24; };
		...
	};
	view "external" {
		match-clients { key external; any; };
		server 10.0.1.1 { keys external; };
		recursion no;
		...
	};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

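Both answers above depend on how named evaluates a match-clients list: elements are tried in order, the first one that matches decides, a leading "!" turns a match into a rejection, and "key NAME" matches only requests signed with that TSIG key. The following Python model of that evaluation is an added example, not code from BIND or this FAQ; it takes the view layouts from the two answers (the host/alias addresses and the "external" key name are the ones used there) and shows which view a request lands in, including what goes wrong when the "!key external" element is placed after the prefix instead of before it.

```python
"""match-clients evaluation and view selection (added example; not BIND code).

Models the part of named's view matching the two answers above rely on:
an address match list is evaluated in order and the first element that
matches decides the result, a leading "!" turns a hit into a rejection,
and "key NAME" matches only requests signed with that TSIG key.  Views
are tried in configuration order; the first whose match-clients accepts
the request serves it.  Only the element kinds used in this FAQ
(addresses, prefixes, "any", "none", "key") are modelled; named ACLs,
match-destinations and match-recursive-only are not.
"""
import ipaddress


def _network(item):
    """Parse a named.conf address or prefix, including the short IPv4 form
    "10.0.1/24" that named accepts (missing octets are zero)."""
    host, _, plen = item.partition("/")
    if ":" in host:
        return ipaddress.ip_network(f"{host}/{plen or 128}", strict=False)
    octets = host.split(".")
    host = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{host}/{plen or 32}", strict=False)


def acl_matches(acl, source_ip, key_name=None):
    """Evaluate an address match list; the first matching element wins."""
    addr = ipaddress.ip_address(source_ip)
    for element in acl:
        negated = element.startswith("!")
        item = element.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item.startswith("key "):
            hit = key_name == item[4:].strip()
        else:
            hit = addr in _network(item)
        if hit:
            return not negated
    return False  # nothing matched: the list rejects the request


def select_view(views, source_ip, key_name=None):
    """Return the name of the first view whose match-clients accepts the
    request, or None (named would then refuse the query)."""
    for name, acl in views:
        if acl_matches(acl, source_ip, key_name):
            return name
    return None


# Address-based layout from the first answer, slave side: 10.0.1.3 is the
# host address, 10.0.1.4 the external alias, 10.0.1.2 the master's alias.
ADDRESS_VIEWS = [
    ("internal", ["!10.0.1.2", "!10.0.1.4", "10.0.1/24"]),
    ("external", ["any"]),
]

# TSIG-based layout from the second answer, master side.
TSIG_VIEWS = [
    ("internal", ["!key external", "10.0.1/24"]),
    ("external", ["key external", "any"]),
]

# Same elements in the wrong order: the prefix matches before the key
# rejection is reached, so traffic the slave (10.0.1.2) signs with the
# "external" key is served by the internal view.
MISORDERED_VIEWS = [
    ("internal", ["10.0.1/24", "!key external"]),
    ("external", ["key external", "any"]),
]

if __name__ == "__main__":
    print(select_view(ADDRESS_VIEWS, "10.0.1.4"))                 # external
    print(select_view(ADDRESS_VIEWS, "10.0.1.3"))                 # internal
    print(select_view(TSIG_VIEWS, "10.0.1.2", "external"))        # external
    print(select_view(TSIG_VIEWS, "10.0.1.2"))                    # internal
    print(select_view(MISORDERED_VIEWS, "10.0.1.2", "external"))  # internal
```

The unsigned request from 10.0.1.2 landing in the internal view is the behaviour the question complains about: without the key tag (the server clause with keys external) the master cannot tell which view the slave's request is for, so address-based ordering or signing is what disambiguates it.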
    <qandaentry>
      <question>
	<para>
	  I get error messages like <quote>multiple RRs of singleton type</quote>
	  and <quote>CNAME and other data</quote> when transferring a zone.  What
	  does this mean?
	</para>
      </question>
      <answer>
	<para>
	  These indicate a malformed master zone.  You can identify
	  the exact records involved by transferring the zone using
	  dig, then running named-checkzone on it.
	</para>
	<informalexample>
	  <programlisting>
dig axfr example.com @master-server &gt; tmp
named-checkzone example.com tmp</programlisting>
	</informalexample>
	<para>
	  A CNAME record cannot exist with the same name as another record
	  except for the DNSSEC records which prove its existence (NSEC).
	</para>
	<para>
	  RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
	  no other data should be present; this ensures that the data for a
	  canonical name and its aliases cannot be different.  This rule also
	  insures that a cached CNAME can be used without checking with an
	  authoritative server for other RR types.</quote>
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get error messages like <quote>named.conf:99: unexpected end
	  of input</quote> where 99 is the last line of named.conf.
	</para>
      </question>
      <answer>
	<para>
	  There are unbalanced quotes in named.conf.
	</para>
      </answer>
      <answer>
	<para>
	  Some text editors (notepad and wordpad) fail to put a line
	  termination indicator (e.g. CR/LF) on the last line of a
	  text file.  This can be fixed by "adding" a blank line to
	  the end of the file.  Named expects to see EOF immediately
	  after EOL and treats text files where this is not met as
	  truncated.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  How do I share a dynamic zone between multiple views?
	</para>
      </question>
      <answer>
	<para>
	  You choose one view to be master and the second a slave and
	  transfer the zone between views.
	</para>
	<informalexample>
	  <programlisting>
Master 10.0.1.1:
	key "external" {
		algorithm hmac-sha256;
		secret "xxxxxxxxxxxxxxxxxxxxxxxx";
	};

	key "mykey" {
		algorithm hmac-sha256;
		secret "yyyyyyyyyyyyyyyyyyyyyyyy";
	};

	view "internal" {
		match-clients { !key external; 10.0.1/24; };
		server 10.0.1.1 {
			/* Deliver notify messages to external view. */
			keys { external; };
		};
		zone "example.com" {
			type master;
			file "internal/example.db";
			allow-update { key mykey; };
			also-notify { 10.0.1.1; };
		};
	};

	view "external" {
		match-clients { key external; any; };
		zone "example.com" {
			type slave;
			file "external/example.db";
			masters { 10.0.1.1; };
			transfer-source 10.0.1.1;
			// allow-update-forwarding { any; };
			// allow-notify { ... };
		};
	};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get an error message like <quote>zone wireless.ietf56.ietf.org/IN:
	  loading master file primaries/wireless.ietf56.ietf.org: no
	  owner</quote>.
	</para>
      </question>
      <answer>
	<para>
	  This error is produced when a line in the master file
	  contains leading white space (tab/space) but there is no
	  current record owner name to inherit the name from.  Usually
	  this is the result of putting white space before a comment,
	  forgetting the "@" for the SOA record, or indenting the master
	  file.
	</para>
      </answer>
    </qandaentry>

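Several of the load-time complaints in this section come from the same few master-file mistakes: no $TTL and no TTL on the first record, a TXT string whose closing quote is missing ("ran out of space"), white space before any owner name has been given ("no owner"), and a file whose last line has no line terminator. The following pre-flight lint is an added example, not BIND's own code or named-checkzone; it applies those checks to zone text it is handed, using constructed sample zones rather than any file from this FAQ, and is meant as a quick explanation of what named is objecting to, not as a replacement for named-checkzone.

```python
"""Zone-file pre-flight lint (added example; not BIND's own code).

Reports, on zone text it is given, the conditions behind four of the
named messages discussed in this FAQ:
  - "no TTL specified - using SOA MINTTL instead": no $TTL directive and
    no TTL field on the first record (RFC 1035 requires one or the other)
  - "ran out of space": a record with an unbalanced double quote
  - "no owner": a line that starts with white space (an indented record,
    or white space before a comment) before any owner name has been seen
  - a file that does not end in a newline, which named treats as truncated
It does not validate record syntax; named-checkzone remains the real check.
"""
import re

# A TTL field: plain seconds, or BIND's unit form such as 1d or 1h30m.
TTL_RE = re.compile(r"\d+(?:[smhdw]\d*)*", re.IGNORECASE)


def _split_comment(raw):
    """Return (text before any ';' comment, quote_still_open).

    ';' inside a quoted string does not start a comment, and a backslash
    escapes the next character, as in BIND's master-file lexer.
    """
    out, in_quote, escaped = [], False, False
    for ch in raw:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out), in_quote


def lint_zone(text):
    """Return a list of (line_number, message) findings for zone text."""
    findings = []
    if text and not text.endswith("\n"):
        findings.append((text.count("\n") + 1,
                         "no newline at end of file; named treats the file as truncated"))

    have_ttl_directive = owner_seen = first_record_seen = False
    depth = 0  # open '(' count: lines inside parentheses continue a record
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        line, quote_open = _split_comment(raw)
        if quote_open:
            findings.append((lineno, "unbalanced double quote (named reports 'ran out of space')"))
            continue
        if depth > 0:
            depth += line.count("(") - line.count(")")
            continue
        # Leading white space means "same owner as the previous record";
        # before any owner exists there is nothing to inherit.
        if raw[0] in " \t" and not owner_seen:
            findings.append((lineno, "no owner: indented line before any owner name"))
            continue
        fields = line.split()
        if not fields:
            continue  # comment-only line after the first owner
        if fields[0].startswith("$"):
            if fields[0].upper() == "$TTL":
                have_ttl_directive = True
            continue
        depth += line.count("(") - line.count(")")
        if raw[0] not in " \t":
            owner_seen = True
            fields = fields[1:]  # drop the owner name
        if not first_record_seen:
            first_record_seen = True
            # TTL and class may appear in either order after the owner,
            # so a TTL is an integer-looking field among the first two.
            if not have_ttl_directive and not any(TTL_RE.fullmatch(f) for f in fields[:2]):
                findings.append((lineno, "no TTL specified - using SOA MINTTL instead; "
                                         "add a $TTL line or a TTL on the first record"))
    return findings


# Constructed sample zones (not from the FAQ) exercising each check.
GOOD_ZONE = ("$TTL 86400\n"
             "@ IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
             "  IN NS ns\n"
             "ns IN A 192.0.2.1\n")
NO_TTL_ZONE = ("example.com. IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
               "example.com. IN NS ns\n")
NO_OWNER_ZONE = ("$TTL 3600\n"
                 "   ; zone for example.com\n"
                 "@ IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n")
BAD_TXT_ZONE = ("$TTL 3600\n"
                "@ IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
                '@ IN TXT "v=spf1 -all\n')
TRUNCATED_ZONE = ("$TTL 3600\n"
                  "@ IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
                  "ns IN A 192.0.2.1")

if __name__ == "__main__":
    for name, zone in [("good", GOOD_ZONE), ("no-ttl", NO_TTL_ZONE),
                       ("no-owner", NO_OWNER_ZONE), ("bad-txt", BAD_TXT_ZONE),
                       ("truncated", TRUNCATED_ZONE)]:
        print(name, lint_zone(zone) or "clean")
```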
    <qandaentry>
      <question>
	<para>
	  Why are my logs in GMT (UTC)?
	</para>
      </question>
      <answer>
	<para>
	  You are running chrooted (-t) and have not supplied local timezone
	  information in the chroot area.
	</para>
	<simplelist>
	  <member>FreeBSD: /etc/localtime</member>
	  <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
	  <member>OSF: /etc/zoneinfo/localtime</member>
	</simplelist>
	<para>
	  See also tzset(3) and zic(8).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get <quote>rndc: connect failed: connection refused</quote> when
	  I try to run rndc.
	</para>
      </question>
      <answer>
	<para>
	  This is usually a configuration error.
	</para>
	<para>
	  First ensure that named is running and no errors are being
	  reported at startup (/var/log/messages or equivalent).
	  Running "named -g &lt;usual arguments&gt;" from a terminal
	  can help at this point.
	</para>
	<para>
	  Secondly ensure that named is configured to use rndc either
	  by "rndc-confgen -a", rndc-confgen or manually.  The
	  Administrator Reference Manual has details on how to do
	  this.
	</para>
	<para>
	  Old versions of rndc-confgen used localhost rather than
	  127.0.0.1 in /etc/rndc.conf for the default server.  Update
	  /etc/rndc.conf if necessary so that the default server
	  listed in /etc/rndc.conf matches the addresses used in
	  named.conf.  "localhost" has two addresses (127.0.0.1 and
	  ::1).
	</para>
	<para>
	  If you use "rndc-confgen -a" and named is running with -t or -u
	  ensure that /etc/rndc.conf has the correct ownership and that
	  a copy is in the chroot area.  You can do this by re-running
	  "rndc-confgen -a" with appropriate -t and -u arguments.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
	  failed while receiving responses: permission denied</quote> error
	  messages.
	</para>
      </question>
      <answer>
	<para>
	  These indicate a filesystem permission error preventing
	  named from creating or renaming the temporary file.  These will
	  usually also have other associated error messages like
	</para>
	<informalexample>
	  <programlisting>
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
	</informalexample>
	<para>
	  Named needs write permission on the directory containing
	  the file.  Named writes the new cache file to a temporary
	  file then renames it to the name specified in named.conf
	  to ensure that the contents are always complete.  This is
	  to prevent named loading a partial zone in the event of
	  power failure or similar interrupting the write of the
	  master file.
	</para>
	<para>
	  Note file names are relative to the directory specified in
	  options and any chroot directory ([&lt;chroot
	  dir&gt;/][&lt;options dir&gt;]).
	</para>
	<informalexample>
	  <para>
	    If named is invoked as "named -t /chroot/DNS" with
	    the following named.conf then "/chroot/DNS/var/named/sl"
	    needs to be writable by the user named is running as.
	  </para>
	  <programlisting>
options {
	directory "/var/named";
};

zone "example.net" {
	type slave;
	file "sl/example.net";
	masters { 192.168.4.12; };
};</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I want to forward all DNS queries from my caching nameserver to
	  another server.  But there are some domains which have to be
	  served locally, via rbldnsd.
	</para>
	<para>
	  How do I achieve this?
	</para>
      </question>
      <answer>
        <programlisting>
options {
	forward only;
	forwarders { &lt;ip.of.primary.nameserver&gt;; };
};

zone "sbl-xbl.spamhaus.org" {
	type forward; forward only;
	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};

zone "list.dsbl.org" {
	type forward; forward only;
	forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};
        </programlisting>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Can you help me understand how BIND 9 uses memory to store
	  DNS zones?
	</para>
	<para>
	  Sometimes it seems to take several times the amount of
	  memory it needs to store the zone.
	</para>
      </question>
      <answer>
	<para>
	  When reloading a zone, named may have multiple copies of
	  the zone in memory at one time: the zone it is serving
	  and the one it is loading.  If reloads are ultra fast it
	  can have more still.
	</para>
	<para>
	  For example: the copies that are transferring out, the one that it is
	  serving and the one that is loading.
	</para>
	<para>
	  BIND 8 destroyed the zone before loading and also killed
	  off outgoing transfers of the zone.
	</para>
	<para>
	  The new strategy allows slaves to get copies of the new
	  zone regardless of how often the master is loaded compared
	  to the transfer time.  The slave might skip some intermediate
	  versions but the transfers will complete and it will keep
	  reasonably in sync with the master.
	</para>
	<para>
	  The new strategy also allows the master to recover from
	  syntax and other errors in the master file as it still
	  has an in-core copy of the old contents.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I want to use IPv6 locally but I don't have an external IPv6
	  connection.  External lookups are slow.
	</para>
      </question>
      <answer>
	<para>
	  You can use server clauses to stop named making external lookups
	  over IPv6.
	</para>
        <programlisting>
server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
server ::/0 { bogus yes; };
</programlisting>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Configuration and Setup Questions -->

    <qandadiv><title>Operations Questions</title>

    <qandaentry>
      <question>
	<para>
	  How do I change the nameservers for a zone?
	</para>
      </question>
      <answer>
	<para>
	  Step 1: Ensure all nameservers, new and old, are serving the
	  same zone content.
	</para>
	<para>
	  Step 2: Work out the maximum TTL of the NS RRset in the parent and child
	  zones.  This is the time it will take caches to be clear of a
	  particular version of the NS RRset.
	  If you are just removing nameservers you can skip to Step 6.
	</para>
	<para>
	  Step 3: Add new nameservers to the NS RRset for the zone and
	  wait until all the servers for the zone are answering with this
	  new NS RRset.
	</para>
	<para>
	  Step 4: Inform the parent zone of the new NS RRset then wait for all the
	  parent servers to be answering with the new NS RRset.
	</para>
	<para>
	  Step 5: Wait for caches to be clear of the old NS RRset.
	  See Step 2 for how long.
	  If you are just adding nameservers you are done.
	</para>
	<para>
	  Step 6: Remove any old nameservers from the zone's NS RRset and
	  wait for all the servers for the zone to be serving the new NS RRset.
	</para>
	<para>
	  Step 7: Inform the parent zone of the new NS RRset then wait for all the
	  parent servers to be answering with the new NS RRset.
	</para>
	<para>
	  Step 8: Wait for caches to be clear of the old NS RRset.
	  See Step 2 for how long.
	</para>
	<para>
	  Step 9: Turn off the old nameservers or remove the zone entry from
	  the configuration of the old nameservers.
	</para>
	<para>
	  Step 10: Increment the serial number and wait for the change to
	  be visible in all nameservers for the zone.  This ensures that
	  zone transfers are still working after the old servers are
	  decommissioned.
	</para>
	<para>
	  Note: the above procedure is designed to be transparent
	  to DNS clients.  Decommissioning the old servers too early
	  will result in some clients not being able to look up
	  answers in the zone.
	</para>
	<para>
	  Note: while it is possible to run the addition and removal
	  stages together it is not recommended.
	</para>
      </answer>
    </qandaentry>

    </qandadiv> <!-- Operations Questions -->

    <qandadiv><title>General Questions</title>

    <qandaentry>
      <question>
	<para>
	  I keep getting log messages like the following.  Why?
	</para>
	<para>
	  Dec  4 23:47:59 client 10.0.0.1#1355: updating zone
	  'example.com/IN': update failed: 'RRset exists (value
	  dependent)' prerequisite not satisfied (NXRRSET)
	</para>
      </question>
      <answer>
	<para>
	  DNS updates allow the update request to test to see if
	  certain conditions are met prior to proceeding with the
	  update.  The message above is saying that conditions were
	  not met and the update is not proceeding.  See doc/rfc/rfc2136.txt
	  for more details on prerequisites.
	</para>
      </answer>
    </qandaentry>

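The RCODE in that log line (NXRRSET) is the outcome of the prerequisite section of an RFC 2136 update. The following Python model of that section is an added example, not code from BIND or this FAQ: it evaluates the five prerequisite kinds of RFC 2136 section 2.4 against a zone held in memory, merges value-dependent prerequisites per RRset as section 3.2.3 requires, and applies the update only when every prerequisite holds. The zone contents, owner names and the "stale client" scenario are constructed for the example; record classes, TTLs and the delete operations of the update section are left out.

```python
"""RFC 2136 prerequisite evaluation (added example; not BIND's code).

The log line above is named saying that a dynamic update carried a
prerequisite of kind "RRset exists (value dependent)" that the zone did
not satisfy, so the update was refused with RCODE NXRRSET.  This models
the prerequisite section (RFC 2136 sections 2.4 and 3.2) over a zone held
as {(owner, type): set(rdata)}.  Classes, TTLs and the update section's
delete operations are left out.
"""


def check_prerequisites(zone, prereqs):
    """Return "NOERROR" when every prerequisite holds, else the RCODE of
    the first failure.  prereqs is a list of dicts with keys kind, name,
    rtype and (for value-dependent checks) rdata."""
    value_dependent = {}  # (name, rtype) -> merged rdata of all such prereqs
    for p in prereqs:
        kind, name, rtype = p["kind"], p["name"], p.get("rtype")
        name_in_use = any(owner == name for owner, _ in zone)
        if kind == "rrset-exists":            # CLASS=ANY, TYPE=rtype, no RDATA
            if not zone.get((name, rtype)):
                return "NXRRSET"
        elif kind == "rrset-exists-value":    # CLASS=IN, RDATA given
            value_dependent.setdefault((name, rtype), set()).update(p["rdata"])
        elif kind == "rrset-not-exists":      # CLASS=NONE, TYPE=rtype
            if zone.get((name, rtype)):
                return "YXRRSET"
        elif kind == "name-in-use":           # CLASS=ANY, TYPE=ANY
            if not name_in_use:
                return "NXDOMAIN"
        elif kind == "name-not-in-use":       # CLASS=NONE, TYPE=ANY
            if name_in_use:
                return "YXDOMAIN"
        else:
            raise ValueError(f"unknown prerequisite kind {kind!r}")
    # Section 3.2.3: every value-dependent prerequisite for one (name, type)
    # is merged, and the merged set must equal the zone's RRset exactly.
    for key, expected in value_dependent.items():
        if zone.get(key, set()) != expected:
            return "NXRRSET"
    return "NOERROR"


def process_update(zone, prereqs, additions):
    """Apply additions (a list of (name, rtype, rdata)) only if the
    prerequisites hold; return the RCODE.  The zone is untouched on failure."""
    rcode = check_prerequisites(zone, prereqs)
    if rcode == "NOERROR":
        for name, rtype, rdata in additions:
            zone.setdefault((name, rtype), set()).add(rdata)
    return rcode


def sample_zone():
    """A constructed zone (not from the FAQ)."""
    return {
        ("example.com.", "SOA"): {"ns1 hostmaster 2024010101 3600 1800 1814400 3600"},
        ("example.com.", "NS"): {"ns1.example.com."},
        ("www.example.com.", "A"): {"192.0.2.10"},
    }


# A client that believes www still points at 192.0.2.99 and asks for its
# change only on that condition: this is the NXRRSET case logged above.
STALE_CLIENT_PREREQS = [{"kind": "rrset-exists-value", "name": "www.example.com.",
                         "rtype": "A", "rdata": ["192.0.2.99"]}]
CURRENT_CLIENT_PREREQS = [{"kind": "rrset-exists-value", "name": "www.example.com.",
                           "rtype": "A", "rdata": ["192.0.2.10"]}]
ADD_WWW2 = [("www2.example.com.", "A", "192.0.2.11")]

if __name__ == "__main__":
    z = sample_zone()
    print(process_update(z, STALE_CLIENT_PREREQS, ADD_WWW2))    # NXRRSET, zone unchanged
    print(process_update(z, CURRENT_CLIENT_PREREQS, ADD_WWW2))  # NOERROR, www2 added
```

The stale-client case is the common source of the logged message: a host or DHCP server keeps sending updates conditioned on a value the zone no longer holds, and named refuses each one with NXRRSET rather than overwriting the newer data.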
    <qandaentry>
      <question>
	<para>
	  I keep getting log messages like the following.  Why?
	</para>
	<para>
	  Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
	</para>
      </question>
      <answer>
	<para>
	  Someone is trying to update your DNS data using the RFC2136
	  Dynamic Update protocol.  Windows 2000 machines have a habit
	  of sending dynamic update requests to DNS servers without
	  being specifically configured to do so.  If the update
	  requests are coming from a Windows 2000 machine, see
	  <ulink
	   url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
  &lt;http://support.microsoft.com/support/kb/articles/q246/8/04.asp&gt;</ulink>
	  for information about how to turn them off.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  When I do a "dig . ns", many of the A records for the root
	  servers are missing.  Why?
	</para>
      </question>
      <answer>
	<para>
	  This is normal and harmless.  It is a somewhat confusing
	  side effect of the way BIND 9 does RFC2181 trust ranking
	  and of the efforts BIND 9 makes to avoid promoting glue
	  into answers.
	</para>
	<para>
	  When BIND 9 first starts up and primes its cache, it receives
	  the root server addresses as additional data in an authoritative
	  response from a root server, and these records are eligible
	  for inclusion as additional data in responses.  Subsequently
	  it receives a subset of the root server addresses as
	  additional data in a non-authoritative (referral) response
	  from a root server.  This causes the addresses to now be
	  considered non-authoritative (glue) data, which is not
	  eligible for inclusion in responses.
	</para>
	<para>
	  The server does have a complete set of root server addresses
	  cached at all times, it just may not include all of them
	  as additional data, depending on whether they were last
	  received as answers or as glue.  You can always look up the
	  addresses with explicit queries like "dig a.root-servers.net A".
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why don't my zones reload when I do an "rndc reload" or SIGHUP?
	</para>
      </question>
      <answer>
	<para>
	  A zone can be updated either by editing zone files and
	  reloading the server or by dynamic update, but not both.
	  If you have enabled dynamic update for a zone using the
	  "allow-update" option, you are not supposed to edit the
	  zone file by hand, and the server will not attempt to reload
	  it.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Why is named listening on a UDP port other than 53?
	</para>
      </question>
      <answer>
	<para>
	  Named uses a system selected port to make queries of other
	  nameservers.  This behaviour can be overridden by using
	  query-source to lock down the port and/or address.  See
	  also notify-source and transfer-source.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I get warning messages like <quote>zone example.com/IN: refresh:
	  failure trying master 1.2.3.4#53: timed out</quote>.
	</para>
      </question>
      <answer>
	<para>
	  Check that you can make UDP queries from the slave to the master.
	</para>
	<informalexample>
	  <programlisting>
dig +norec example.com soa @1.2.3.4</programlisting>
	</informalexample>
	<para>
	  You could be generating queries faster than the slave can
	  cope with.  Lower the serial query rate.
	</para>
	<informalexample>
	  <programlisting>
serial-query-rate 5; // default 20</programlisting>
	</informalexample>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  I don't get RRSIGs returned when I use "dig +dnssec".
	</para>
      </question>
      <answer>
	<para>
	  You need to ensure DNSSEC is enabled (dnssec-enable yes;).
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  Can an NS record refer to a CNAME?
	</para>
      </question>
      <answer>
	<para>
	  No.  The rules for glue (copies of the *address* records
	  in the parent zones) and additional section processing do
	  not allow it to work.
	</para>
	<para>
	  You would have to add both the CNAME and address records
	  (A/AAAA) as glue to the parent zone and have CNAMEs be
	  followed when doing additional section processing to make
	  it work.  No nameserver implementation supports either of
	  these requirements.
	</para>
      </answer>
    </qandaentry>

    <qandaentry>
      <question>
	<para>
	  What does <quote>RFC 1918 response from Internet for
	  0.0.0.10.IN-ADDR.ARPA</quote> mean?
	</para>
      </question>
      <answer>
	<para>
	  If the IN-ADDR.ARPA name covered refers to an internal address
	  space you are using then you have failed to follow RFC 1918
	  usage rules and are leaking queries to the Internet.  You
	  should establish your own zones for these addresses to prevent
	  you querying the Internet's name servers for these addresses.
	  Please see <ulink url="http://as112.net/">&lt;http://as112.net/&gt;</ulink>
	  for details of the problems you are causing and the counter
	  measures that have had to be deployed.
	</para>
	<para>
	  If you are not using these private addresses then a client
	  has queried for them.  You can just ignore the messages,
	  get the offending client to stop sending you these queries
	  as they are most probably leaking them, or set up your own
	  empty zones to serve answers to these queries.
	</para>
	<informalexample>
	  <programlisting>
zone "10.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

zone "16.172.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

...

zone "31.172.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

zone "168.192.IN-ADDR.ARPA" {
	type master;
	file "empty";
};

empty:
@ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
	       1 3600 1200 604800 10800 )
@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
	</informalexample>
	<para>
	<note>
	  Future versions of named are likely to do this automatically.
	</note>
	</para>
      </answer>
    </qandaentry>

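The zone list above elides the fourteen 172.17 through 172.30 zones with "..."; reverse zones are delegated on octet boundaries, so a /12 needs sixteen /16 zones while a /8 or /16 needs one. The following Python is an added example, not code from BIND or this FAQ: it derives the complete zone list from the three RFC 1918 prefixes, emits the named.conf fragment and the "empty" file in the form shown (the server name and contact passed in stand for the &lt;name-of-server&gt; and &lt;contact-email&gt; placeholders), and, for a logged query name such as 0.0.0.10.IN-ADDR.ARPA, reports which of those zones would answer it locally.

```python
"""RFC 1918 reverse-zone generation (added example; not BIND's code).

Builds the full list of IN-ADDR.ARPA zones the answer above elides with
"...", the matching named.conf fragment and the "empty" zone file, and
tells you which of those zones a logged query name such as
0.0.0.10.IN-ADDR.ARPA falls into.  Reverse zones are cut on octet
boundaries, so 172.16.0.0/12 needs sixteen /16 zones.
"""
import ipaddress

RFC1918_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Yield the IN-ADDR.ARPA zone names that exactly cover an IPv4 prefix."""
    net = ipaddress.ip_network(cidr)
    octet_prefix = -(-net.prefixlen // 8) * 8  # round up to a whole octet
    subnets = [net] if octet_prefix == net.prefixlen else net.subnets(new_prefix=octet_prefix)
    for sub in subnets:
        octets = str(sub.network_address).split(".")[: octet_prefix // 8]
        yield ".".join(reversed(octets)) + ".IN-ADDR.ARPA"


EMPTY_ZONES = [z for cidr in RFC1918_PREFIXES for z in reverse_zones(cidr)]


def named_conf_fragment(zones, file_name="empty"):
    """named.conf zone statements in the form used by the answer above."""
    return "".join(f'zone "{z}" {{\n\ttype master;\n\tfile "{file_name}";\n}};\n\n'
                   for z in zones)


def empty_zone_file(server_name, contact, ttl=10800):
    """The one-SOA, one-NS file the answer calls "empty".  server_name and
    contact take the place of the <name-of-server> and <contact-email>
    placeholders; the SOA timers are the ones the answer uses."""
    return (f"@ {ttl} IN SOA {server_name}. {contact}. (\n"
            f"\t       1 3600 1200 604800 {ttl} )\n"
            f"@ {ttl} IN NS {server_name}.\n")


def covering_empty_zone(qname):
    """Return the RFC 1918 empty zone that would answer qname locally, or
    None if the name lies outside the private reverse space."""
    name = qname.rstrip(".").upper()
    for zone in EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


if __name__ == "__main__":
    print(named_conf_fragment(EMPTY_ZONES))
    # ns1.example.com / hostmaster.example.com are placeholder values.
    print(empty_zone_file("ns1.example.com", "hostmaster.example.com"))
    print(covering_empty_zone("0.0.0.10.IN-ADDR.ARPA"))  # 10.IN-ADDR.ARPA
```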
1010    <qandaentry>
1011      <question>
1012	<para>
1013	  Will named be affected by the 2007 changes to daylight savings
1014	  rules in the US.
1015	</para>
1016      </question>
1017      <answer>
1018	<para>
	  No, so long as the machine's internal clock (as reported
	  by "date -u") remains at UTC.  If you are in an affected
	  area and do not upgrade your OS, the only visible change
	  will be that log messages are an hour out during the
	  periods where the old rules do not match the new rules.
1024	</para>
1025	<para>
	  For most operating systems this change just means that you
	  need to update the conversion rules from UTC to local time.
	  Normally this involves updating a file in /etc (which
	  sets the default timezone for the machine) and possibly
	  a directory which holds the conversion rules for the
	  whole world (e.g. /usr/share/zoneinfo).  When updating the
	  OS do not forget to update any chroot areas as well, since
	  a chrooted named reads its own copy of these files.
	  See your OS's documentation for more details.
1034	</para>
1035	<para>
	  The local timezone conversion rules can also be set on
	  an individual basis by setting the TZ environment variable
	  appropriately.  See your OS's documentation for more
	  details.
1040	</para>
1041      </answer>
1042    </qandaentry>
1043
1044    <qandaentry>
1045      <question>
1046	<para>
	  Is there a bugzilla (or other tool) database that mere
	  mortals can have (read-only) access to for BIND?
1049	</para>
1050      </question>
1051      <answer>
1052	<para>
	  No.  The BIND 9 bug database is kept closed for a number
	  of reasons.  These include, but are not limited to, the
	  fact that the database contains proprietary information
	  from people reporting bugs.  The database has in the past
	  contained, and may in future contain, unfixed bugs which
	  are capable of bringing down most of the Internet's DNS
	  infrastructure.
1059	</para>
1060	<para>
	  The release pages for each version contain up-to-date
	  lists of bugs that have been fixed post release.  That
	  is as close as we can get to providing a bug database.
1064	</para>
1065      </answer>
1066    </qandaentry>
1067
1068    <qandaentry>
1069      <question>
1070	<para>
1071	  Why do queries for NSEC3 records fail to return the NSEC3 record?
1072	</para>
1073      </question>
1074      <answer>
1075	<para>
	  NSEC3 records are strictly metadata and are only returned
	  in the authority section, as part of a proof of
	  non-existence.  This is done so that signing a zone with
	  NSEC3 does not bring into existence names (the hashed owner
	  names) that do not exist in the unsigned version of the
	  zone.
1081	</para>
1082      </answer>
1083    </qandaentry>
1084
1085    </qandadiv> <!-- General Questions -->
1086
1087    <qandadiv><title>Operating-System Specific Questions</title>
1088
1089    <qandadiv><title>HPUX</title>
1090
1091    <qandaentry>
1092      <question>
1093	<para>I get the following error trying to configure BIND:
1094<programlisting>checking if unistd.h or sys/types.h defines fd_set... no
1095configure: error: need either working unistd.h or sys/select.h</programlisting>
1096	</para>
1097      </question>
1098      <answer>
1099	<para>
	  You have attempted to configure BIND with the bundled C compiler.
	  This compiler does not meet the minimum compiler requirements
	  for building BIND.  You need to install an ANSI C compiler and/or
	  teach configure how to find the ANSI C compiler.  The latter can
	  be done by adjusting the PATH environment variable and/or
	  specifying the compiler via CC.
1106	</para>
1107	<informalexample>
1108	  <programlisting>./configure CC=&lt;compiler&gt; ...</programlisting>
1109	</informalexample>
1110      </answer>
1111    </qandaentry>
1112
1113    </qandadiv> <!-- HPUX -->
1114
1115    <qandadiv><title>Linux</title>
1116
1117    <qandaentry>
1118      <question>
1119	<para>
1120	  Why do I get the following errors:
1121<programlisting>general: errno2result.c:109: unexpected error:
1122general: unable to convert errno to isc_result: 14: Bad address
1123client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
1124	</para>
1125      </question>
1126      <answer>
1127	<para>
1128	  This is the result of a Linux kernel bug.
1129	</para>
1130	<para>
1131	  See:
1132	  <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">&lt;http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2&gt;</ulink>
1133	</para>
1134      </answer>
1135    </qandaentry>
1136
1137    <qandaentry>
1138      <question>
1139	<para>
1140	  Why does named lock up when it attempts to connect over IPSEC tunnels?
1141	</para>
1142      </question>
1143      <answer>
1144	<para>
1145	  This is due to a kernel bug where the fact that a socket is marked
1146	  non-blocking is ignored.  It is reported that setting
1147	  xfrm_larval_drop to 1 helps but this may have negative side effects.
1148	  See:
1149<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629">&lt;https://bugzilla.redhat.com/show_bug.cgi?id=427629&gt;</ulink>
1150	  and
1151<ulink url="http://lkml.org/lkml/2007/12/4/260">&lt;http://lkml.org/lkml/2007/12/4/260&gt;</ulink>.
1152	</para>
1153	<para>
	xfrm_larval_drop can be set to 1 by the following procedure:
<programlisting>
echo "1" &gt; /proc/sys/net/core/xfrm_larval_drop</programlisting>
1157	</para>
1158      </answer>
1159    </qandaentry>
1160
1161    <qandaentry>
1162      <question>
1163	<para>
1164	  Why do I see 5 (or more) copies of named on Linux?
1165	</para>
1166      </question>
1167      <answer>
1168	<para>
1169	  Linux threads each show up as a process under ps.  The
1170	  approximate number of threads running is n+4, where n is
1171	  the number of CPUs.  Note that the amount of memory used
1172	  is not cumulative; if each process is using 10M of memory,
1173	  only a total of 10M is used.
1174	</para>
1175	<para>
1176	  Newer versions of Linux's ps command hide the individual threads
1177	  and require -L to display them.
1178	</para>
1179      </answer>
1180    </qandaentry>
1181
1182    <qandaentry>
1183      <question>
1184	<para>
1185	  Why does BIND 9 log <quote>permission denied</quote> errors accessing
1186	  its configuration files or zones on my Linux system even
1187	  though it is running as root?
1188	</para>
1189      </question>
1190      <answer>
1191	<para>
	  On Linux, BIND 9 drops most of its root privileges on
	  startup, keeping only the capabilities it needs (such as
	  binding to port 53).  Among the privileges dropped is
	  CAP_DAC_OVERRIDE, which is what lets root bypass file
	  permission checks, so a named running as root can no longer
	  open files that are owned by other users and not readable by
	  everyone.  Therefore, if the server is running as root, the
	  configuration files and zone files should also be owned by
	  root (or at least be readable by others).
1197	</para>
1198      </answer>
1199    </qandaentry>
1200
1201    <qandaentry>
1202      <question>
1203	<para>
1204	  I get the error message <quote>named: capset failed: Operation
1205	  not permitted</quote> when starting named.
1206	</para>
1207      </question>
1208      <answer>
1209	<para>
1210	  The capability module, part of "Linux Security Modules/LSM",
1211	  has not been loaded into the kernel.  See insmod(8), modprobe(8).
1212	</para>
1213	<para>
1214	  The relevant modules can be loaded by running:
1215<programlisting>
1216modprobe commoncap
1217modprobe capability</programlisting>
1218	</para>
1219      </answer>
1220    </qandaentry>
1221
1222    <qandaentry>
1223      <question>
1224	<para>
1225	   I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
1226	</para>
1227	<para>
1228	  Why can't named update slave zone database files?
1229	</para>
1230	<para>
1231	  Why can't named create DDNS journal files or update
1232	  the master zones from journals?
1233	</para>
1234	<para>
1235	  Why can't named create custom log files?
1236	</para>
1237      </question>
1238
1239      <answer>
1240	<para>
	  This is caused by the Red Hat Security Enhanced Linux
	  (SELinux) policy protections:
1243	</para>
1244
1245	<para>
	   Red Hat has adopted the National Security Agency's
	   SELinux security policy (see <ulink
   url="http://www.nsa.gov/selinux">&lt;http://www.nsa.gov/selinux&gt;</ulink>)
	   and its recommendations for BIND security, which are more
	   secure than running named in a chroot and make use of
	   the bind-chroot environment unnecessary.
1252	</para>
1253
1254	<para>
1255	  By default, named is not allowed by the SELinux policy
1256	  to write, create or delete any files EXCEPT in these
1257	  directories:
1258	  <informalexample>
1259	    <programlisting>
1260$ROOTDIR/var/named/slaves
1261$ROOTDIR/var/named/data
1262$ROOTDIR/var/tmp
1263	    </programlisting>
1264	  </informalexample>
1265	  where $ROOTDIR may be set in /etc/sysconfig/named if
1266	  bind-chroot is installed.
1267	</para>
1268
1269	<para>
1270	  The SELinux policy particularly does NOT allow named to modify
1271	  the $ROOTDIR/var/named directory, the default location for master
1272	  zone database files.
1273	</para>
1274
1275	<para>
	  SELinux policy overrules file access permissions, so
	  even if all the files under /var/named have ownership
	  named:named and mode rw-rw-r--, named will still not be
	  able to write or create files except in the directories
	  above while SELinux is in Enforcing mode.
1281	</para>
1282
1283	<para>
1284	  So, to allow named to update slave or DDNS zone files,
1285	  it is best to locate them in $ROOTDIR/var/named/slaves,
1286	  with named.conf zone statements such as:
1287	  <informalexample>
1288	    <programlisting>
1289zone "slave.zone." IN {
1290	type slave;
1291	file "slaves/slave.zone.db";
1292	...
1293};
1294zone "ddns.zone." IN  {
1295	type master;
	allow-update {...};
1297	file "slaves/ddns.zone.db";
1298};
1299	    </programlisting>
1300	  </informalexample>
1301	</para>
1302
1303	<para>
1304	  To allow named to create its cache dump and statistics
1305	  files, for example, you could use named.conf options
1306	  statements such as:
1307	  <informalexample>
1308	    <programlisting>
1309options {
1310	...
1311	dump-file "/var/named/data/cache_dump.db";
1312	statistics-file "/var/named/data/named_stats.txt";
1313	...
1314};
1315	    </programlisting>
1316	  </informalexample>
1317	</para>
1318
1319	<para>
	  You can also tell SELinux to allow named to update any
	  zone database files, by setting the SELinux tunable boolean
	  parameter 'named_write_master_zones=1', using the
	  system-config-securitylevel GUI, using the 'setsebool'
	  command (with -P so that the setting survives a reboot), or
	  in /etc/selinux/targeted/booleans.  Doing so widens what a
	  compromised named could overwrite to every zone file, so
	  prefer relocating the writable zones as described above.
1325	</para>
1326
1327	<para>
	  You can disable SELinux protection for named entirely by
	  setting the 'named_disable_trans=1' SELinux tunable boolean
	  parameter.  This removes the confinement altogether and
	  should be a last resort; fix the file locations or their
	  contexts instead.
1331	</para>
1332
1333	<para>
1334	  The SELinux named policy defines these SELinux contexts for named:
1335	  <informalexample>
1336	    <programlisting>
1337named_zone_t : for zone database files       - $ROOTDIR/var/named/*
1338named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
1339named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
1340	    </programlisting>
1341	  </informalexample>
1342	</para>
1343
1344	<para>
	  If you want to retain use of the SELinux policy for named,
	  and put named files in different locations, you can do
	  so by changing the context of the custom file locations.
1349	</para>
1350
1351	<para>
1352	  To create a custom configuration file location, e.g.
1353	  '/root/named.conf', to use with the 'named -c' option,
1354	  do:
1355	  <informalexample>
1356	    <programlisting>
1357# chcon system_u:object_r:named_conf_t /root/named.conf
1358	    </programlisting>
1359	  </informalexample>
1360	</para>
1361
1362	<para>
1363	  To create a custom modifiable named data location, e.g.
1364	  '/var/log/named' for a log file, do:
1365	  <informalexample>
1366	    <programlisting>
1367# chcon system_u:object_r:named_cache_t /var/log/named
1368	    </programlisting>
1369	  </informalexample>
1370	</para>
1371
1372	<para>
1373   To create a custom zone file location, e.g. /root/zones/, do:
1374	  <informalexample>
1375	    <programlisting>
1376# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
1377	    </programlisting>
1378	  </informalexample>
1379	</para>
1380
1381	<para>
	  Note that a context set with chcon does not survive a relabel
	  of the file system (for example by restorecon, or an
	  autorelabel at boot).  To make a custom location permanent,
	  also record it in the local policy with semanage fcontext and
	  then run restorecon on it.
	</para>
	<para>
	  See these man-pages for more information: selinux(8),
	  named_selinux(8), chcon(1), setsebool(8), semanage(8),
	  restorecon(8)
1384	</para>
1385      </answer>
1386    </qandaentry>
1387
1388    <qandaentry>
1389      <question>
1390	<para>
1391	   I'm running BIND on Ubuntu -
1392	</para>
1393	<para>
1394	  Why can't named update slave zone database files?
1395	</para>
1396	<para>
1397	  Why can't named create DDNS journal files or update
1398	  the master zones from journals?
1399	</para>
1400	<para>
1401	  Why can't named create custom log files?
1402	</para>
1403      </question>
1404      <answer>
1405	<para>
	  Ubuntu uses AppArmor <ulink url="http://en.wikipedia.org/wiki/AppArmor">
          &lt;http://en.wikipedia.org/wiki/AppArmor&gt;</ulink> in
	  addition to normal file system permissions to confine named,
	  so a write that ordinary permissions would allow can still be
	  denied by the profile.
	</para>
	<para>
	  Either adjust the paths in named.conf to use those the profile
	  in /etc/apparmor.d/usr.sbin.named already allows named to
	  write, or extend /etc/apparmor.d/usr.sbin.named to allow writes
	  at the locations specified in named.conf (and reload the
	  profile).  Denials are logged by the kernel, so when a write
	  fails look in the system log for AppArmor "DENIED" messages
	  naming named and the path it was refused.
1414	</para>
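	<para>
	  Both this answer and the Red Hat/SELinux answer above come down
	  to the same mismatch: named.conf points a zone that named must
	  write (a slave zone, or a master zone that accepts dynamic
	  updates and therefore needs a journal) at a path the mandatory
	  access control policy does not let named write, and the denial
	  only shows up once named tries.  The following Python script is
	  an added example, not part of this FAQ, of BIND or of either
	  distribution: it reads the zone statements out of a named.conf
	  and lists exactly the zones whose files fall outside the writable
	  directories, so the configuration can be corrected first.  The
	  default writable set is the Red Hat SELinux one given above (with
	  $ROOTDIR taken as /); on Ubuntu pass the directories your
	  /etc/apparmor.d/usr.sbin.named grants write access to.
	  SAMPLE_CONF is constructed for the example, and the parser
	  handles only the named.conf subset shown in this FAQ.
	</para>
	<informalexample>
	  <programlisting><![CDATA[
```python
"""Pre-flight check: can named write the files its zones need under a MAC policy?

Added example, not part of the BIND FAQ, of BIND or of any distribution.
It reads the zone statements of a named.conf, works out which zone files
named must be able to create or rewrite (slave zones, and master zones
that accept dynamic updates and so need a journal), and reports those
whose path lies outside the directories the policy lets named write.

Assumptions: the named.conf subset shown in the FAQ (options { directory; },
zone { type; file; allow-update; }); the default writable set is the one the
FAQ gives for the Red Hat SELinux policy, with $ROOTDIR taken as "/".
SAMPLE_CONF is constructed for this example.
"""
import os
import re

# Where the Red Hat SELinux policy (named_cache_t) lets named create or
# modify files, per the FAQ.
SELINUX_WRITABLE = ("/var/named/slaves", "/var/named/data", "/var/tmp")

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def _blocks(text, keyword):
    """Yield (header, body) for each `keyword header { body };`, counting
    braces so bodies with nested blocks (allow-update { ... };) stay whole."""
    pattern = re.compile(r"(?<![\w-])%s\b([^{;]*)\{" % keyword)
    pos = 0
    while True:
        m = pattern.search(text, pos)
        if m is None:
            return
        depth, end = 1, m.end()
        while depth and end < len(text):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        yield m.group(1).strip(), text[m.end():end - 1]
        pos = end


def _directive(body, name):
    """Value of a simple `name value;` or `name "value";` directive, or None."""
    m = re.search(r'(?<![\w-])%s\s+("?)([^";]+)\1\s*;' % name, body)
    return m.group(2).strip() if m else None


def writable_zone_files(conf_text, default_dir="/var/named"):
    """Map each zone named must write to the absolute path of its zone file.

    Slave zones are rewritten after every transfer; master zones with
    allow-update get a .jnl journal beside the file and are eventually
    rewritten from it.  Static master zones are only read and are skipped."""
    text = _COMMENT_RE.sub("", conf_text)
    directory = default_dir
    for _header, body in _blocks(text, "options"):
        directory = _directive(body, "directory") or directory
    needed = {}
    for header, body in _blocks(text, "zone"):
        zone = header.split('"')[1] if '"' in header else header.split()[0]
        ztype = (_directive(body, "type") or "").lower()
        path = _directive(body, "file")
        if not path:
            continue
        dynamic = ztype in ("master", "primary") and \
            re.search(r"(?<![\w-])allow-update(?![\w-])", body)
        if ztype in ("slave", "secondary") or dynamic:
            needed[zone] = os.path.normpath(os.path.join(directory, path))
    return needed


def check_writable(conf_text, writable_dirs=SELINUX_WRITABLE, default_dir="/var/named"):
    """Sorted (zone, path) pairs whose file is outside every writable directory:
    these are the zones the policy will stop named from updating."""
    allowed = tuple(os.path.normpath(d) + os.sep for d in writable_dirs)
    return sorted(
        (zone, path)
        for zone, path in writable_zone_files(conf_text, default_dir).items()
        if not path.startswith(allowed))


# Constructed named.conf in the shape of the FAQ's examples.
SAMPLE_CONF = '''
options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
};

// Slave zone kept where the policy allows writes: fine.
zone "slave.zone." IN {
	type slave;
	masters { 192.0.2.1; };
	file "slaves/slave.zone.db";
};

// Dynamic zone left in /var/named itself: the policy will deny the
// journal (ddns.zone.db.jnl) and the rewrite of the zone file.
zone "ddns.zone." IN {
	type master;
	allow-update { key "ddns-key"; };
	file "ddns.zone.db";
};

// Static master zone: named only reads it, so it is not checked.
zone "static.zone." IN {
	type master;
	file "static.zone.db";
};
'''

if __name__ == "__main__":
    for zone, path in check_writable(SAMPLE_CONF):
        print("%s: %s is outside %s" % (zone, path, ", ".join(SELINUX_WRITABLE)))
```
]]></programlisting>
	</informalexample>
	<para>
	  On the sample, check_writable reports only the dynamic zone left
	  in /var/named, which is exactly the case the SELinux policy
	  refuses; moving that file under slaves/, or widening the writable
	  set (on Red Hat, the named_write_master_zones boolean), clears
	  the report.
	</para>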
1415      </answer>
1416    </qandaentry>
1417
1418    <qandaentry>
1419      <question>
1420	<para>
1421	  Listening on individual IPv6 interfaces does not work.
1422	</para>
1423      </question>
1424      <answer>
1425	<para>
1426	  This is usually due to "/proc/net/if_inet6" not being available
1427	  in the chroot file system.  Mount another instance of "proc"
1428	  in the chroot file system.
1429	</para>
1430	<para>
	  This can be made permanent by adding a second instance to
	  /etc/fstab.
1433	  <informalexample>
1434	    <programlisting>
1435proc /proc           proc defaults 0 0
1436proc /var/named/proc proc defaults 0 0</programlisting>
1437	  </informalexample>
1438	</para>
1439      </answer>
1440    </qandaentry>
1441
1442    </qandadiv> <!-- Linux -->
1443
1444    <qandadiv><title>Windows</title>
1445
1446    <qandaentry>
1447      <question>
1448	<para>
1449	  Zone transfers from my BIND 9 master to my Windows 2000
1450	  slave fail.  Why?
1451	</para>
1452      </question>
1453      <answer>
1454	<para>
1455	  This may be caused by a bug in the Windows 2000 DNS server
1456	  where DNS messages larger than 16K are not handled properly.
1457	  This can be worked around by setting the option "transfer-format
1458	  one-answer;".  Also check whether your zone contains domain
1459	  names with embedded spaces or other special characters,
1460	  like "John\032Doe\213s\032Computer", since such names have
1461	  been known to cause Windows 2000 slaves to incorrectly
1462	  reject the zone.
1463	</para>
1464      </answer>
1465    </qandaentry>
1466
1467    <qandaentry>
1468      <question>
1469	<para>
1470	  I get <quote>Error 1067</quote> when starting named under Windows.
1471	</para>
1472      </question>
1473      <answer>
1474	<para>
1475	  This is the service manager saying that named exited.   You
1476	  need to examine the Application log in the EventViewer to
1477	  find out why.
1478	</para>
1479	<para>
1480	  Common causes are that you failed to create "named.conf"
1481	  (usually "C:\windows\dns\etc\named.conf") or failed to
1482	  specify the directory in named.conf.
1483	</para>
1484	<informalexample>
1485	  <programlisting>
1486options {
	directory "C:\windows\dns\etc";
1488};</programlisting>
1489	</informalexample>
1490      </answer>
1491    </qandaentry>
1492
1493    </qandadiv> <!-- Windows -->
1494
1495    <qandadiv><title>FreeBSD</title>
1496
1497    <qandaentry>
1498      <question>
1499	<para>
1500	  I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
1501	</para>
1502      </question>
1503      <answer>
1504	<para>
1505	  /dev/random is not configured.  Use rndcontrol(8) to tell
1506	  the kernel to use certain interrupts as a source of random
1507	  events.  You can make this permanent by setting rand_irqs
1508	  in /etc/rc.conf.
1509	</para>
1510	<informalexample>
1511	  <programlisting>
1512rand_irqs="3 14 15"</programlisting>
1513	</informalexample>
1514	<para>
1515	  See also
1516	  <ulink url="http://people.freebsd.org/~dougb/randomness.html">
1517	  &lt;http://people.freebsd.org/~dougb/randomness.html&gt;</ulink>.
1518	</para>
1519      </answer>
1520    </qandaentry>
1521
1522    </qandadiv> <!-- FreeBSD -->
1523
1524    <qandadiv><title>Solaris</title>
1525
1526    <qandaentry>
1527      <question>
1528	<para>
	  How do I integrate BIND 9 and Solaris SMF?
1530	</para>
1531      </question>
1532      <answer>
1533	<para>
1534	  Sun has a blog entry describing how to do this.
1535	</para>
1536	<para>
1537	  <ulink
1538	  url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
1539	 &lt;http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris&gt;
1540	  </ulink>
1541	</para>
1542      </answer>
1543    </qandaentry>
1544
1545    </qandadiv>
1546
1547    <qandadiv><title>Apple Mac OS X</title>
1548
1549    <qandaentry>
1550      <question>
1551	<para>
1552	  How do I run BIND 9 on Apple Mac OS X?
1553	</para>
1554      </question>
1555      <answer>
	<para>
	  If you run Tiger (Mac OS X 10.4) or later then this is all you need to do:
	</para>
	<informalexample>
	  <programlisting>
% sudo sh -c 'rndc-confgen &gt; /etc/rndc.conf'</programlisting>
	</informalexample>
	<para>
	  (The redirection has to run under sudo as well: with a plain
	  <quote>sudo rndc-confgen &gt; /etc/rndc.conf</quote> it is your
	  unprivileged shell that tries to create the file in /etc, and
	  that fails.)  Copy the key statement from /etc/rndc.conf into
	  /etc/rndc.key, e.g.:
	</para>
1566	<informalexample>
1567	  <programlisting>
1568key "rndc-key" {
1569	algorithm hmac-sha256;
1570	secret "uvceheVuqf17ZwIcTydddw==";
1571};</programlisting>
1572	</informalexample>
1573	<para>
1574	  Then start the relevant service:
1575	</para>
1576	<informalexample>
1577	  <programlisting>
1578% sudo service org.isc.named start</programlisting>
1579	</informalexample>
1580	<para>
	  This is persistent upon a reboot, so you will have to do it only
	  once.  Both /etc/rndc.conf and /etc/rndc.key contain the control
	  channel's shared secret, so keep them readable by root only.
1582	</para>
1583      </answer>
1584
1585      <answer>
1586	<para>
1587	 Alternatively you can just generate /etc/rndc.key by running:
1588	</para>
1589	<informalexample>
1590	  <programlisting>
1591% sudo rndc-confgen -a</programlisting>
1592	</informalexample>
1593	<para>
1594	  Then start the relevant service:
1595	</para>
1596	<informalexample>
1597	  <programlisting>
1598% sudo service org.isc.named start</programlisting>
1599	</informalexample>
1600	<para>
	  named will look for /etc/rndc.key when it starts if named.conf
	  has no controls statement, or if the existing controls statement
	  has no keys sub-clause.  This is persistent upon a reboot, so
	  you will have to do it only once.
1605	</para>
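	<para>
	  The copy step in the first answer (take the key statement out of
	  the generated rndc.conf and put it in rndc.key) is easy to get
	  subtly wrong by hand, and both files end up holding the secret
	  that authorises control of the server.  The following Python
	  script is an added example; it is not part of this FAQ, of BIND
	  or of Mac OS X.  It extracts the first uncommented key statement
	  from rndc-confgen's output, checks that its algorithm is one the
	  control channel accepts and that its secret is well-formed base64
	  of at least 128 bits, can mint a fresh statement itself when
	  rndc-confgen is not to hand, and writes the result with mode
	  0600.  RNDC_CONFGEN_OUTPUT is constructed to mirror what
	  rndc-confgen prints, using the example secret shown above.
	</para>
	<informalexample>
	  <programlisting><![CDATA[
```python
"""Carry the rndc key statement from rndc.conf into rndc.key, checked.

Added example; not part of the BIND FAQ, of BIND or of Mac OS X.  The FAQ
answer says to copy the key statement out of the generated /etc/rndc.conf
into /etc/rndc.key.  This does that copy mechanically, refusing statements
that named and rndc will not accept or that are weaker than intended, can
mint a fresh statement when rndc-confgen is not to hand, and writes the
result readable by its owner only.  RNDC_CONFGEN_OUTPUT is constructed to
mirror what rndc-confgen prints.
"""
import base64
import os
import re
import secrets

# HMAC algorithms the control channel accepts, with each digest's size in
# bytes; a secret of that size is what rndc-confgen generates by default.
HMAC_DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}

# An uncommented key statement in the layout rndc-confgen prints.  The ^
# anchor (multiline) skips the copy rndc-confgen prints behind "# " for
# pasting into named.conf.
KEY_RE = re.compile(
    r'^key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[A-Za-z0-9+/=]+)"\s*;\s*\};',
    re.M)

# Constructed sample in the shape of rndc-confgen's output.
RNDC_CONFGEN_OUTPUT = '''# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-sha256;
	secret "uvceheVuqf17ZwIcTydddw==";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-sha256;
# 	secret "uvceheVuqf17ZwIcTydddw==";
# };
#
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
'''


def extract_key_statement(rndc_conf, min_secret_bytes=16):
    """Return (statement, name, algorithm, secret_bytes) for the first key
    statement in rndc_conf, or raise ValueError if there is none or it is
    unusable (unknown algorithm, bad base64, secret under min_secret_bytes)."""
    m = KEY_RE.search(rndc_conf)
    if m is None:
        raise ValueError("no key statement found")
    alg = m.group("alg").lower()
    if alg not in HMAC_DIGEST_BYTES:
        raise ValueError("unsupported algorithm: %s" % alg)
    try:
        secret = base64.b64decode(m.group("secret"), validate=True)
    except (ValueError, TypeError):
        raise ValueError("secret is not valid base64")
    if len(secret) < min_secret_bytes:
        raise ValueError("secret is only %d bytes" % len(secret))
    return m.group(0) + "\n", m.group("name"), alg, secret


def make_key_statement(name="rndc-key", algorithm="hmac-sha256"):
    """Mint a key statement with a fresh random secret the size of the digest."""
    alg = algorithm.lower()
    secret = secrets.token_bytes(HMAC_DIGEST_BYTES[alg])    # KeyError if unknown
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (
        name, alg, base64.b64encode(secret).decode("ascii"))


def write_private(path, text):
    """Write text so that only the owner can read it: rndc.key (and rndc.conf)
    hold the shared secret that authorises control of the server."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)      # tighten a pre-existing file as well


if __name__ == "__main__":
    statement, name, alg, secret = extract_key_statement(RNDC_CONFGEN_OUTPUT)
    print("%s: %s, %d-bit secret" % (name, alg, 8 * len(secret)))  # rndc-key: hmac-sha256, 128-bit secret
    print(statement, end="")
```
]]></programlisting>
	</informalexample>
	<para>
	  To perform the copy, pass the statement returned by
	  extract_key_statement to write_private with the path
	  /etc/rndc.key, running as root; the options statement and the
	  commented named.conf copy stay behind in rndc.conf, which should
	  be kept to mode 0600 too.
	</para>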
1606      </answer>
1607    </qandaentry>
1608
1609    </qandadiv>
1610
1611    </qandadiv> <!-- Operating-System Specific Questions -->
1612
1613  </qandaset>
1614</article>
1615