author: Jakob Schlyter <jakob@cvs.openbsd.org> 2006-04-05 17:36:37 +0000
committer: Jakob Schlyter <jakob@cvs.openbsd.org> 2006-04-05 17:36:37 +0000
commit: 0505bad000912a66c4f92c91a72202b9250e4bd5 (patch)
tree: 00d8701ac1f3ee5feadd765c0274e9ff0a95aeac /usr.sbin/bind/FAQ
parent: 1da54ca1fd7764e567cd4bc055abd54d602773e1 (diff)
resolve conflicts
Diffstat (limited to 'usr.sbin/bind/FAQ')
-rw-r--r--  usr.sbin/bind/FAQ  759
1 files changed, 407 insertions, 352 deletions
diff --git a/usr.sbin/bind/FAQ b/usr.sbin/bind/FAQ
index f6ed41e422c..9b806cbde53 100644
--- a/usr.sbin/bind/FAQ
+++ b/usr.sbin/bind/FAQ
@@ -1,470 +1,525 @@
-
-
-
Frequently Asked Questions about BIND 9
+-------------------------------------------------------------------------------
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
A: Linux threads do not fully implement the Posix threads (pthreads) standard.
-In particular, setuid() operates only on the current thread, not the full
-process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
-can on all other supported platforms. setuid() cannot be called before
-creating threads, since the server does not start listening on reserved ports
-until after threads have started.
+ In particular, setuid() operates only on the current thread, not the full
+ process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
+ it can on all other supported platforms. setuid() cannot be called before
+ creating threads, since the server does not start listening on reserved
+ ports until after threads have started.
- In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
-capabilities across a setuid() call is present. This allows BIND 9 to call
-setuid() early, while retaining the ability to bind reserved ports. This is
-a Linux-specific hack.
+ In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
+ capabilities across a setuid() call is present. This allows BIND 9 to call
+ setuid() early, while retaining the ability to bind reserved ports. This is
+ a Linux-specific hack.
- On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
-of a security risk than a root process that has not dropped privileges.
+ On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
+ of a security risk than a root process that has not dropped privileges.
- If Linux threads ever work correctly, this restriction will go away.
+ If Linux threads ever work correctly, this restriction will go away.
- Configuring BIND9 with the --disable-threads option (the default) causes a
-non-threaded version to be built, which will allow -u to be used.
+ Configuring BIND9 with the --disable-threads option (the default) causes a
+ non-threaded version to be built, which will allow -u to be used.
+Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
+ instead"?
-Q: Why does named log the warning message "no TTL specified - using SOA
-MINTTL instead"?
-
-A: Your zone file is illegal according to RFC1035. It must either
-have a line like
+A: Your zone file is illegal according to RFC1035. It must either have a line
+ like:
$TTL 86400
-at the beginning, or the first record in it must have a TTL field,
-like the "84600" in this example:
+ at the beginning, or the first record in it must have a TTL field, like the
+ "84600" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
Q: Why do I see 5 (or more) copies of named on Linux?
-A: Linux threads each show up as a process under ps. The approximate
-number of threads running is n+4, where n is the number of CPUs. Note that
-the amount of memory used is not cumulative; if each process is using 10M of
-memory, only a total of 10M is used.
-
+A: Linux threads each show up as a process under ps. The approximate number of
+ threads running is n+4, where n is the number of CPUs. Note that the amount
+ of memory used is not cumulative; if each process is using 10M of memory,
+ only a total of 10M is used.
-Q: Why does BIND 9 log "permission denied" errors accessing its
-configuration files or zones on my Linux system even though it is running
-as root?
-
-A: On Linux, BIND 9 drops most of its root privileges on startup.
-This including the privilege to open files owned by other users.
-Therefore, if the server is running as root, the configuration files
-and zone files should also be owned by root.
+Q: Why does BIND 9 log "permission denied" errors accessing its configuration
+ files or zones on my Linux system even though it is running as root?
+A: On Linux, BIND 9 drops most of its root privileges on startup. This
+ including the privilege to open files owned by other users. Therefore, if
+ the server is running as root, the configuration files and zone files should
+ also be owned by root.
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
-bar: ran out of space"
-
-A: This is often caused by TXT records with missing close quotes. Check that
-all TXT records containing quoted strings have both open and close quotes.
+ bar: ran out of space"?
+A: This is often caused by TXT records with missing close quotes. Check that
+ all TXT records containing quoted strings have both open and close quotes.
Q: How do I produce a usable core file from a multithreaded named on Linux?
-A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
-are usable (that is, the correct thread is dumped). Otherwise, if using
-a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
-and rebuild the kernel. This patch will cause multithreaded programs to dump
-the correct thread.
-
+A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
+ (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
+ apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
+ kernel. This patch will cause multithreaded programs to dump the correct
+ thread.
Q: How do I restrict people from looking up the server version?
-A: Put a "version" option containing something other than the real
-version in the "options" section of named.conf. Note doing this will
-not prevent attacks and may impede people trying to diagnose problems
-with your server. Also it is possible to "fingerprint" nameservers to
-determine their version.
-
-
-Q: How do I restrict only remote users from looking up the server
-version?
+A: Put a "version" option containing something other than the real version in
+ the "options" section of named.conf. Note doing this will not prevent
+ attacks and may impede people trying to diagnose problems with your server.
+ Also it is possible to "fingerprint" nameservers to determine their version.
-A: The following view statement will intercept lookups as the internal
-view that holds the version information will be matched last. The
-caveats of the previous answer still apply, of course.
+Q: How do I restrict only remote users from looking up the server version?
- view "chaos" chaos {
- match-clients { <those to be refused>; };
- allow-query { none; };
- zone "." {
- type hint;
- file "/dev/null"; // or any empty file
- };
- };
+A: The following view statement will intercept lookups as the internal view
+ that holds the version information will be matched last. The caveats of the
+ previous answer still apply, of course.
+ view "chaos" chaos {
+ match-clients { <those to be refused>; };
+ allow-query { none; };
+ zone "." {
+ type hint;
+ file "/dev/null"; // or any empty file
+ };
+ };
Q: What do "no source of entropy found" or "could not open entropy source foo"
-mean?
+ mean?
A: The server requires a source of entropy to perform certain operations,
-mostly DNSSEC related. These messages indicate that you have no source
-of entropy. On systems with /dev/random or an equivalent, it is used by
-default. A source of entropy can also be defined using the random-device
-option in named.conf.
+ mostly DNSSEC related. These messages indicate that you have no source of
+ entropy. On systems with /dev/random or an equivalent, it is used by
+ default. A source of entropy can also be defined using the random-device
+ option in named.conf.
+Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
-Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
+A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
+ under /usr. Check that the correct named is running.
-A: BIND 9 is installed under /usr/local by default. BIND 8 is often
-installed under /usr. Check that the correct named is running.
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
+ I'm sure I have the keys set up correctly, but the server is rejecting the
+ TSIG. Why?
+A: This may be a clock skew problem. Check that the the clocks on the client
+ and server are properly synchronised (e.g., using ntp).
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone
-transfers. I'm sure I have the keys set up correctly, but the server
-is rejecting the TSIG. Why?
+Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
+ found. Why?
-A: This may be a clock skew problem. Check that the the clocks on
-the client and server are properly synchronized (e.g., using ntp).
+A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
+ doesn't work. If you are using one of these, use normal make or gmake
+ instead.
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
+ error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
+ What's wrong?
-Q: I'm trying to compile BIND 9, and "make" is failing due to files not
-being found. Why?
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
+ BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
+ slave despite the error message.
-A: Using a parallel or distributed "make" to build BIND 9 is not
-supported, and doesn't work. If you are using one of these, use
-normal make or gmake instead.
+Q: I keep getting log messages like the following. Why?
+ Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
+ failed: 'RRset exists (value dependent)' prerequisite not satisfied
+ (NXRRSET)
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
-logging error messages like "notify to 10.0.0.1#53 failed: unexpected
-end of input". What's wrong?
+A: DNS updates allow the update request to test to see if certain conditions
+ are met prior to proceeding with the update. The message above is saying
+ that conditions were not met and the update is not proceeding. See doc/rfc/
+ rfc2136.txt for more details on prerequisites.
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
-in BIND 8.2.4. It can be safely ignored - the notify has been acted on by
-the slave despite the error message.
+Q: I keep getting log messages like the following. Why?
+ Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-Q: I keep getting log messages like the following. Why?
+A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
+ protocol. Windows 2000 machines have a habit of sending dynamic update
+ requests to DNS servers without being specifically configured to do so. If
+ the update requests are coming from a Windows 2000 machine, see http://
+ support.microsoft.com/support/kb/articles/q246/8/04.asp for information
+ about how to turn them off.
- Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
- update failed: 'RRset exists (value dependent)' prerequisite not
- satisfied (NXRRSET)
+Q: I see a log message like the following. Why?
-A: DNS updates allow the update request to test to see if certain
-conditions are met prior to proceeding with the update. The message
-above is saying that conditions were not met and the update is not
-proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
+ couldn't open pid file '/var/run/named.pid': Permission denied
+A: You are most likely running named as a non-root user, and that user does not
+ have permission to write in /var/run. The common ways of fixing this are to
+ create a /var/run/named directory owned by the named user and set pid-file
+ to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
+ put the file in the directory specified by the directory option (which, in
+ this case, must be writable by the named user).
+
+Q: When I do a "dig . ns", many of the A records for the root servers are
+ missing. Why?
+
+A: This is normal and harmless. It is a somewhat confusing side effect of the
+ way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
+ avoid promoting glue into answers.
+
+ When BIND 9 first starts up and primes its cache, it receives the root
+ server addresses as additional data in an authoritative response from a root
+ server, and these records are eligible for inclusion as additional data in
+ responses. Subsequently it receives a subset of the root server addresses as
+ additional data in a non-authoritative (referral) response from a root
+ server. This causes the addresses to now be considered non-authoritative
+ (glue) data, which is not eligible for inclusion in responses.
+
+ The server does have a complete set of root server addresses cached at all
+ times, it just may not include all of them as additional data, depending on
+ whether they were last received as answers or as glue. You can always look
+ up the addresses with explicit queries like "dig a.root-servers.net A".
+
+Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
+
+A: This may be caused by a bug in the Windows 2000 DNS server where DNS
+ messages larger than 16K are not handled properly. This can be worked around
+ by setting the option "transfer-format one-answer;". Also check whether your
+ zone contains domain names with embedded spaces or other special characters,
+ like "John\032Doe\213s\032Computer", since such names have been known to
+ cause Windows 2000 slaves to incorrectly reject the zone.
-Q: I keep getting log messages like the following. Why?
+Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
- Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
+A: A zone can be updated either by editing zone files and reloading the server
+ or by dynamic update, but not both. If you have enabled dynamic update for a
+ zone using the "allow-update" option, you are not supposed to edit the zone
+ file by hand, and the server will not attempt to reload it.
+
+Q: I can query the nameserver from the nameserver but not from other machines.
+ Why?
+
+A: This is usually the result of the firewall configuration stopping the
+ queries and / or the replies.
+
+Q: How can I make a server a slave for both an internal and an external view at
+ the same time? When I tried, both views on the slave were transferred from
+ the same view on the master.
+
+A: You will need to give the master and slave multiple IP addresses and use
+ those to make sure you reach the correct view on the other machine.
+
+ Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
+ internal:
+ match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+ notify-source 10.0.1.1;
+ transfer-source 10.0.1.1;
+ query-source address 10.0.1.1;
+ external:
+ match-clients { any; };
+ recursion no; // don't offer recursion to the world
+ notify-source 10.0.1.2;
+ transfer-source 10.0.1.2;
+ query-source address 10.0.1.2;
+
+ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
+ internal:
+ match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+ notify-source 10.0.1.3;
+ transfer-source 10.0.1.3;
+ query-source address 10.0.1.3;
+ external:
+ match-clients { any; };
+ recursion no; // don't offer recursion to the world
+ notify-source 10.0.1.4;
+ transfer-source 10.0.1.4;
+ query-source address 10.0.1.4;
+
+ You put the external address on the alias so that all the other dns clients
+ on these boxes see the internal view by default.
+
+A: BIND 9.3 and later: Use TSIG to select the appropriate view.
+
+ Master 10.0.1.1:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+ view "internal" {
+ match-clients { !key external; 10.0.1/24; };
+ ...
+ };
+ view "external" {
+ match-clients { key external; any; };
+ server 10.0.0.2 { keys external; };
+ recursion no;
+ ...
+ };
+
+ Slave 10.0.1.2:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+ view "internal" {
+ match-clients { !key external; 10.0.1/24; };
+ ...
+ };
+ view "external" {
+ match-clients { key external; any; };
+ server 10.0.0.1 { keys external; };
+ recursion no;
+ ...
+ };
+
+Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
+
+A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
+ certain interrupts as a source of random events. You can make this permanent
+ by setting rand_irqs in /etc/rc.conf.
+
+ /etc/rc.conf
+ rand_irqs="3 14 15"
+
+ See also http://people.freebsd.org/~dougb/randomness.html
-A: Someone is trying to update your DNS data using the RFC2136 Dynamic
-Update protocol. Windows 2000 machines have a habit of sending dynamic
-update requests to DNS servers without being specifically configured to
-do so. If the update requests are coming from a Windows 2000 machine,
-see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
-for information about how to turn them off.
+Q: Why is named listening on UDP port other than 53?
+A: Named uses a system selected port to make queries of other nameservers. This
+ behaviour can be overridden by using query-source to lock down the port and/
+ or address. See also notify-source and transfer-source.
-Q: I see a log message like the following. Why?
+Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
+ other data" when transferring a zone. What does this mean?
- couldn't open pid file '/var/run/named.pid': Permission denied
+A: These indicate a malformed master zone. You can identify the exact records
+ involved by transferring the zone using dig then running named-checkzone on
+ it.
-A: You are most likely running named as a non-root user, and that user
-does not have permission to write in /var/run. The common ways of
-fixing this are to create a /var/run/named directory owned by the named
-user and set pid-file to "/var/run/named/named.pid", or set
-pid-file to "named.pid", which will put the file in the directory
-specified by the directory option (which, in this case, must be writable
-by the named user).
+ dig axfr example.com @master-server > tmp
+ named-checkzone example.com tmp
+ A CNAME record cannot exist with the same name as another record except for
+ the DNSSEC records which prove its existance (NSEC).
-Q: When I do a "dig . ns", many of the A records for the root
-servers are missing. Why?
+ RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
+ should be present; this ensures that the data for a canonical name and its
+ aliases cannot be different. This rule also insures that a cached CNAME can
+ be used without checking with an authoritative server for other RR types."
-A: This is normal and harmless. It is a somewhat confusing side effect
-of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
-makes to avoid promoting glue into answers.
+Q: I get error messages like "named.conf:99: unexpected end of input" where 99
+ is the last line of named.conf.
-When BIND 9 first starts up and primes its cache, it receives the root
-server addresses as additional data in an authoritative response from
-a root server, and these records are eligible for inclusion as
-additional data in responses. Subsequently it receives a subset of
-the root server addresses as additional data in a non-authoritative
-(referral) response from a root server. This causes the addresses to
-now be considered non-authoritative (glue) data, which is not eligible
-for inclusion in responses.
+A: Some text editors (notepad and wordpad) fail to put a line title indication
+ (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
+ a blank line to the end of the file. Named expects to see EOF immediately
+ after EOL and treats text files where this is not met as truncated.
-The server does have a complete set of root server addresses cached
-at all times, it just may not include all of them as additional data,
-depending on whether they were last received as answers or as glue.
-You can always look up the addresses with explicit queries like
-"dig a.root-servers.net A".
+Q: I get warning messages like "zone example.com/IN: refresh: failure trying
+ master 1.2.3.4#53: timed out".
+A: Check that you can make UDP queries from the slave to the master
-Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
-fail. Why?
+ dig +norec example.com soa @1.2.3.4
-A: This may be caused by a bug in the Windows 2000 DNS server where
-DNS messages larger than 16K are not handled properly. This can be
-worked around by setting the option "transfer-format one-answer;".
-Also check whether your zone contains domain names with embedded
-spaces or other special characters, like "John\032Doe\213s\032Computer",
-since such names have been known to cause Windows 2000 slaves to
-incorrectly reject the zone.
+ You could be generating queries faster than the slave can cope with. Lower
+ the serial query rate.
+ serial-query-rate 5; // default 20
-Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
+Q: How do I share a dynamic zone between multiple views?
-A: A zone can be updated either by editing zone files and reloading
-the server or by dynamic update, but not both. If you have enabled
-dynamic update for a zone using the "allow-update" option, you are not
-supposed to edit the zone file by hand, and the server will not
-attempt to reload it.
-
-
-Q: I can query the nameserver from the nameserver but not from other
-machines. Why?
-
-A: This is usually the result of the firewall configuration stopping
-the queries and / or the replies.
-
-
-Q: How can I make a server a slave for both an internal and
-an external view at the same time? When I tried, both views
-on the slave were transferred from the same view on the master.
-
-A: You will need to give the master and slave multiple IP addresses and
-use those to make sure you reach the correct view on the other machine.
-
- e.g.
- Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.1;
- transfer-source 10.0.1.1;
- query-source address 10.0.1.1;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.2;
- transfer-source 10.0.1.2;
- query-source address 10.0.1.2;
-
- Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.3;
- transfer-source 10.0.1.3;
- query-source address 10.0.1.3;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.4;
- transfer-source 10.0.1.4;
- query-source address 10.0.1.4;
-
- You put the external address on the alias so that all the other
- dns clients on these boxes see the internal view by default.
-
-A: (BIND 9.3 and later) Use TSIG to select the appropriate view.
-
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.2 { keys external; };
- recursion no;
- ...
- };
-
- Slave 10.0.1.2:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.1 { keys external; };
- recursion no;
- ...
- };
-
-
-Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.
-
-A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel
-to use certain interrupts as a source of random events. You can make this
-permanent by setting rand_irqs in /etc/rc.conf.
-
-e.g.
- /etc/rc.conf
- rand_irqs="3 14 15"
-
-See also http://people.freebsd.org/~dougb/randomness.html
+A: You choose one view to be master and the second a slave and transfer the
+ zone between views.
+
+ Master 10.0.1.1:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+
+ key "mykey" {
+ algorithm hmac-md5;
+ secret "yyyyyyyy";
+ };
+
+ view "internal" {
+ match-clients { !external; 10.0.1/24; };
+ server 10.0.1.1 {
+ /* Deliver notify messages to external view. */
+ keys { external; };
+ };
+ zone "example.com" {
+ type master;
+ file "internal/example.db";
+ allow-update { key mykey; };
+ notify-also { 10.0.1.1; };
+ };
+ };
+
+ view "external" {
+ match-clients { external; any; };
+ zone "example.com" {
+ type slave;
+ file "external/example.db";
+ masters { 10.0.1.1; };
+ transfer-source { 10.0.1.1; };
+ // allow-update-forwarding { any; };
+ // allow-notify { ... };
+ };
+ };
+Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
+ file primaries/wireless.ietf56.ietf.org: no owner".
-Q: Why is named listening on UDP port other than 53?
+A: This error is produced when a line in the master file contains leading white
+ space (tab/space) but the is no current record owner name to inherit the
+ name from. Usually this is the result of putting white space before a
+ comment. Forgeting the "@" for the SOA record or indenting the master file.
-A: Named uses a system selected port to make queries of other nameservers.
-This behaviour can be overridden by using query-source to lock down the
-port and/or address. See also notify-source and transfer-source.
+Q: Why are my logs in GMT (UTC).
+A: You are running chrooted (-t) and have not supplied local timzone
+ information in the chroot area.
-Q: I get error messages like "multiple RRs of singleton type" and
-"CNAME and other data" when transferring a zone. What does this mean?
+ FreeBSD: /etc/localtime
+ Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
+ OSF: /etc/zoneinfo/localtime
-A: These indicate a malformed master zone. You can identify the
-exact records involved by transferring the zone using dig then
-running named-checkzone on it.
+ See also tzset(3) and zic(8).
- e.g.
- dig axfr example.com @master-server > tmp
- named-checkzone example.com tmp
+Q: I get the error message "named: capset failed: Operation not permitted" when
+ starting named.
+A: The capability module, part of "Linux Security Modules/LSM", has not been
+ loaded into the kernel. See insmod(8).
-Q: I get error messages like "named.conf:99: unexpected end of input" where
-99 is the last line of named.conf.
+Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
-A: Some text editors (notepad and wordpad) fail to put a line termination
-indication (e.g. CR/LF) on the last line of a text file. This can be fixed
-by "adding" a blank line to the end of the file. Named expects to see EOF
-immediately after EOL and treats text files where this is not met as truncated.
+A: This is usually a configuration error.
+ First ensure that named is running and no errors are being reported at
+ startup (/var/log/messages or equivalent). Running "named -g <usual
+ arguments>" from a title can help at this point.
-Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
-1.2.3.4#53: timed out".
+ Secondly ensure that named is configured to use rndc either by "rndc-confgen
+ -a", rndc-confgen or manually. The Administrators Reference manual has
+ details on how to do this.
-A: Check that you can make UDP queries from the slave to the master
+ Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
+ rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
+ the default server listed in /etc/rndc.conf matches the addresses used in
+ named.conf. "localhost" has two address (127.0.0.1 and ::1).
- dig +norec example.com soa @1.2.3.4
+ If you use "rndc-confgen -a" and named is running with -t or -u ensure that
+ /etc/rndc.conf has the correct ownership and that a copy is in the chroot
+ area. You can do this by re-running "rndc-confgen -a" with appropriate -t
+ and -u arguments.
-A: You could be generating queries faster than the slave can cope with. Lower
-the serial query rate.
+Q: I don't get RRSIG's returned when I use "dig +dnssec".
- serial-query-rate 5; // default 20
+A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-Q: How do I share a dynamic zone between multiple views?
+Q: I get "Error 1067" when starting named under Windows.
-A: You choose one view to be master and the second a slave and transfer
-the zone between views.
-
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
-
- key "mykey" {
- algorithm hmac-md5;
- secret "yyyyyyyy";
- };
-
- view "internal" {
- match-clients { !external; 10.0.1/24; };
- server 10.0.1.1 {
- /* Deliver notify messages to external view. */
- keys { external; };
- };
- zone "example.com" {
- type master;
- file "internal/example.db";
- allow-update { key mykey; };
- notify-also { 10.0.1.1; };
- };
- };
-
- view "external" {
- match-clients { external; any; };
- zone "example.com" {
- type slave;
- file "external/example.db";
- masters { 10.0.1.1; };
- transfer-source { 10.0.1.1; };
- // allow-update-forwarding { any; };
- // allow-notify { ... };
- };
- };
+A: This is the service manager saying that named exited. You need to examine
+ the Application log in the EventViewer to find out why.
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
-file primaries/wireless.ietf56.ietf.org: no owner".
+ Common causes are that you failed to create "named.conf" (usually "C:\
+ windows\dns\etc\named.conf") or failed to specify the directory in
+ named.conf.
-A: This error is produced when a line in the master file contains leading
-white space (tab/space) but the is no current record owner name to inherit
-the name from. Usually this is the result of putting white space before
-a comment. Forgeting the "@" for the SOA record or indenting the master
-file.
+ options {
+ Directory "C:\windows\dns\etc";
+ };
+Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
+ receiving responses: permission denied" error messages.
-Q: Why are my logs in GMT (UTC).
+A: These indicate a filesystem permission error preventing named creating /
+ renaming the temporary file. These will usually also have other associated
+ error messages like
-A: You are running chrooted (-t) and have not supplied local timzone
-information in the chroot area.
+ "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
- FreeBSD: /etc/localtime
- Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
- OSF: /etc/zoneinfo/localtime
+ Named needs write permission on the directory containing the file. Named
+ writes the new cache file to a temporary file then renames it to the name
+ specified in named.conf to ensure that the contents are always complete.
+ This is to prevent named loading a partial zone in the event of power
+ failure or similar interrupting the write of the master file.
- See also tzset(3) and zic(8).
+ Note file names are relative to the directory specified in options and any
+ chroot directory ([<chroot dir>/][<options dir>]).
+ If named is invoked as "named -t /chroot/DNS" with the following named.conf
+ then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
+ running as.
-Q: I get the error message "named: capset failed: Operation not permitted"
-when starting named.
+ options {
+ directory "/var/named";
+ };
-A: The capset module has not been loaded into the kernel. See insmod(8).
+ zone "example.net" {
+ type slave;
+ file "sl/example.net";
+ masters { 192.168.4.12; };
+ };
+Q: How do I intergrate BIND 9 and Solaris SMF
-Q: I get "rndc: connect failed: connection refused" when I try to run
- rndc.
+A: Sun has a blog entry describing how to do this.
-A: This is usually a configuration error.
+ http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
- First ensure that named is running and no errors are being
- reported at startup (/var/log/messages or equivalent). Running
- "named -g <usual arguements>" from a terminal can help at this
- point.
+Q: Can a NS record refer to a CNAME.
- Secondly ensure that named is configured to use rndc either by
- "rndc-confgen -a", rndc-confgen or manually. The Administators
- Reference manual has details on how to do this.
+A: No. The rules for glue (copies of the *address* records in the parent zones)
+ and additional section processing do not allow it to work.
- Old versions of rndc-confgen used localhost rather than 127.0.0.1
- in /etc/rndc.conf for the default server. Update /etc/rndc.conf
- if necessary so that the default server listed in /etc/rndc.conf
- matches the addresses used in named.conf. "localhost" has two
- address (127.0.0.1 and ::1).
+ You would have to add both the CNAME and address records (A/AAAA) as glue to
+ the parent zone and have CNAMEs be followed when doing additional section
+ processing to make it work. No namesever implementation supports either of
+ these requirements.
- If you use "rndc-confgen -a" and named is running with -t or -u
- ensure that /etc/rndc.conf has the correct ownership and that
- a copy is in the chroot area. You can do this by re-running
- "rndc-confgen -a" with appropriate -t and -u arguements.
+Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
+A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
+ using then you have failed to follow RFC 1918 usage rules and are leaking
+ queries to the Internet. You should establish your own zones for these
+ addresses to prevent you quering the Internet's name servers for these
+ addresses. Please see http://as112.net/ for details of the problems you are
+ causing and the counter measures that have had to be deployed.
-Q: I don't get RRSIG's returned when I use "dig +dnssec".
+ If you are not using these private addresses then a client has queried for
+ them. You can just ignore the messages, get the offending client to stop
+ sending you these messages as they are most probably leaking them or setup
+ your own zones empty zones to serve answers to these queries.
-A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
+ zone "10.IN-ADDR.ARPA" {
+ type master;
+ file "empty";
+ };
+ zone "16.172.IN-ADDR.ARPA" {
+ type master;
+ file "empty";
+ };
-Q: I get "Error 1067" when starting named under Windows.
+ ...
+
+ zone "31.172.IN-ADDR.ARPA" {
+ type master;
+ file "empty";
+ };
-A: This is the service manager saying that named exited. You need to
- examine the Application log in the EventViewer to find out why.
+ zone "168.192.IN-ADDR.ARPA" {
+ type master;
+ file "empty";
+ };
- Common causes are that you failed to create "named.conf" (usually
- "C:\windows\dns\etc\named.conf") or failed to specify the directory
- in named.conf.
+ empty:
+ @ 10800 IN SOA <name-of-server>. <contact-email>. (
+ 1 3600 1200 604800 10800 )
+ @ 10800 IN NS <name-of-server>.
- options {
- Directory "C:\windows\dns\etc";
- };
+ Note
+ Future versions of named are likely to do this automatically.
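Review bot: the re-wrapped text introduces the word "title" where the removed lines had "termination" and "terminal", which changes the meaning of two answers: the named.conf "unexpected end of input" answer now reads "fail to put a line title indication (e.g. CR/LF)" (removed line: "fail to put a line termination indication"), and the rndc "connection refused" answer now reads "Running "named -g <usual arguments>" from a title can help" (removed line: "from a terminal can help"). Both should be restored to the original wording when resolving the conflict. Secondly, the 72-column reflow splits several paths and URLs across line breaks, e.g. "See doc/rfc/" / "rfc2136.txt", "see http://" / "support.microsoft.com/...", "/etc/" / "rndc.conf" and "C:\" / "windows\dns\etc\named.conf"; since readers copy these verbatim, it would be better to keep each path or URL on one line even if that line exceeds the wrap width. Also carried over unchanged from the old text and worth fixing while here: the $TTL answer says 'like the "84600" in this example' while the example record actually uses 86400, and there are a handful of spelling slips in the new lines ("intergrate", "namesever", "a internal", "quering", "your own zones empty zones", plus the pre-existing "existance", "Forgeting", "timzone" and "but the is no current record owner"). Finally, the commit message "resolve conflicts" gives no indication of which upstream BIND release this FAQ is being synchronised to; naming it would help anyone tracking the vendor import later.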