diff options
author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
---|---|---|
committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-04-05 17:36:37 +0000 |
commit | 0505bad000912a66c4f92c91a72202b9250e4bd5 (patch) | |
tree | 00d8701ac1f3ee5feadd765c0274e9ff0a95aeac /usr.sbin/bind/FAQ | |
parent | 1da54ca1fd7764e567cd4bc055abd54d602773e1 (diff) |
resolve conflicts
Diffstat (limited to 'usr.sbin/bind/FAQ')
-rw-r--r-- | usr.sbin/bind/FAQ | 759 |
1 files changed, 407 insertions, 352 deletions
diff --git a/usr.sbin/bind/FAQ b/usr.sbin/bind/FAQ index f6ed41e422c..9b806cbde53 100644 --- a/usr.sbin/bind/FAQ +++ b/usr.sbin/bind/FAQ @@ -1,470 +1,525 @@ - - - Frequently Asked Questions about BIND 9 +------------------------------------------------------------------------------- Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? A: Linux threads do not fully implement the Posix threads (pthreads) standard. -In particular, setuid() operates only on the current thread, not the full -process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it -can on all other supported platforms. setuid() cannot be called before -creating threads, since the server does not start listening on reserved ports -until after threads have started. + In particular, setuid() operates only on the current thread, not the full + process. Because of this limitation, BIND 9 cannot use setuid() on Linux as + it can on all other supported platforms. setuid() cannot be called before + creating threads, since the server does not start listening on reserved + ports until after threads have started. - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve -capabilities across a setuid() call is present. This allows BIND 9 to call -setuid() early, while retaining the ability to bind reserved ports. This is -a Linux-specific hack. + In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve + capabilities across a setuid() call is present. This allows BIND 9 to call + setuid() early, while retaining the ability to bind reserved ports. This is + a Linux-specific hack. - On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less -of a security risk than a root process that has not dropped privileges. + On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less + of a security risk than a root process that has not dropped privileges. - If Linux threads ever work correctly, this restriction will go away. + If Linux threads ever work correctly, this restriction will go away. - Configuring BIND9 with the --disable-threads option (the default) causes a -non-threaded version to be built, which will allow -u to be used. + Configuring BIND9 with the --disable-threads option (the default) causes a + non-threaded version to be built, which will allow -u to be used. +Q: Why does named log the warning message "no TTL specified - using SOA MINTTL + instead"? -Q: Why does named log the warning message "no TTL specified - using SOA -MINTTL instead"? - -A: Your zone file is illegal according to RFC1035. It must either -have a line like +A: Your zone file is illegal according to RFC1035. It must either have a line + like: $TTL 86400 -at the beginning, or the first record in it must have a TTL field, -like the "84600" in this example: + at the beginning, or the first record in it must have a TTL field, like the + "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) Q: Why do I see 5 (or more) copies of named on Linux? -A: Linux threads each show up as a process under ps. The approximate -number of threads running is n+4, where n is the number of CPUs. Note that -the amount of memory used is not cumulative; if each process is using 10M of -memory, only a total of 10M is used. - +A: Linux threads each show up as a process under ps. The approximate number of + threads running is n+4, where n is the number of CPUs. Note that the amount + of memory used is not cumulative; if each process is using 10M of memory, + only a total of 10M is used. -Q: Why does BIND 9 log "permission denied" errors accessing its -configuration files or zones on my Linux system even though it is running -as root? - -A: On Linux, BIND 9 drops most of its root privileges on startup. -This including the privilege to open files owned by other users. -Therefore, if the server is running as root, the configuration files -and zone files should also be owned by root. +Q: Why does BIND 9 log "permission denied" errors accessing its configuration + files or zones on my Linux system even though it is running as root? +A: On Linux, BIND 9 drops most of its root privileges on startup. This + including the privilege to open files owned by other users. Therefore, if + the server is running as root, the configuration files and zone files should + also be owned by root. Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file -bar: ran out of space" - -A: This is often caused by TXT records with missing close quotes. Check that -all TXT records containing quoted strings have both open and close quotes. + bar: ran out of space"? +A: This is often caused by TXT records with missing close quotes. Check that + all TXT records containing quoted strings have both open and close quotes. Q: How do I produce a usable core file from a multithreaded named on Linux? -A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps -are usable (that is, the correct thread is dumped). Otherwise, if using -a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch -and rebuild the kernel. This patch will cause multithreaded programs to dump -the correct thread. - +A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable + (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, + apply the kernel patch found in contrib/linux/coredump-patch and rebuild the + kernel. This patch will cause multithreaded programs to dump the correct + thread. Q: How do I restrict people from looking up the server version? -A: Put a "version" option containing something other than the real -version in the "options" section of named.conf. Note doing this will -not prevent attacks and may impede people trying to diagnose problems -with your server. Also it is possible to "fingerprint" nameservers to -determine their version. - - -Q: How do I restrict only remote users from looking up the server -version? +A: Put a "version" option containing something other than the real version in + the "options" section of named.conf. Note doing this will not prevent + attacks and may impede people trying to diagnose problems with your server. + Also it is possible to "fingerprint" nameservers to determine their version. -A: The following view statement will intercept lookups as the internal -view that holds the version information will be matched last. The -caveats of the previous answer still apply, of course. +Q: How do I restrict only remote users from looking up the server version? - view "chaos" chaos { - match-clients { <those to be refused>; }; - allow-query { none; }; - zone "." { - type hint; - file "/dev/null"; // or any empty file - }; - }; +A: The following view statement will intercept lookups as the internal view + that holds the version information will be matched last. The caveats of the + previous answer still apply, of course. + view "chaos" chaos { + match-clients { <those to be refused>; }; + allow-query { none; }; + zone "." { + type hint; + file "/dev/null"; // or any empty file + }; + }; Q: What do "no source of entropy found" or "could not open entropy source foo" -mean? + mean? A: The server requires a source of entropy to perform certain operations, -mostly DNSSEC related. These messages indicate that you have no source -of entropy. On systems with /dev/random or an equivalent, it is used by -default. A source of entropy can also be defined using the random-device -option in named.conf. + mostly DNSSEC related. These messages indicate that you have no source of + entropy. On systems with /dev/random or an equivalent, it is used by + default. A source of entropy can also be defined using the random-device + option in named.conf. +Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? -Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? +A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed + under /usr. Check that the correct named is running. -A: BIND 9 is installed under /usr/local by default. BIND 8 is often -installed under /usr. Check that the correct named is running. +Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. + I'm sure I have the keys set up correctly, but the server is rejecting the + TSIG. Why? +A: This may be a clock skew problem. Check that the the clocks on the client + and server are properly synchronised (e.g., using ntp). -Q: I'm trying to use TSIG to authenticate dynamic updates or zone -transfers. I'm sure I have the keys set up correctly, but the server -is rejecting the TSIG. Why? +Q: I'm trying to compile BIND 9, and "make" is failing due to files not being + found. Why? -A: This may be a clock skew problem. Check that the the clocks on -the client and server are properly synchronized (e.g., using ntp). +A: Using a parallel or distributed "make" to build BIND 9 is not supported, and + doesn't work. If you are using one of these, use normal make or gmake + instead. +Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging + error messages like "notify to 10.0.0.1#53 failed: unexpected end of input". + What's wrong? -Q: I'm trying to compile BIND 9, and "make" is failing due to files not -being found. Why? +A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in + BIND 8.2.4. It can be safely ignored - the notify has been acted on by the + slave despite the error message. -A: Using a parallel or distributed "make" to build BIND 9 is not -supported, and doesn't work. If you are using one of these, use -normal make or gmake instead. +Q: I keep getting log messages like the following. Why? + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update + failed: 'RRset exists (value dependent)' prerequisite not satisfied + (NXRRSET) -Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is -logging error messages like "notify to 10.0.0.1#53 failed: unexpected -end of input". What's wrong? +A: DNS updates allow the update request to test to see if certain conditions + are met prior to proceeding with the update. The message above is saying + that conditions were not met and the update is not proceeding. See doc/rfc/ + rfc2136.txt for more details on prerequisites. -A: This error message is caused by a known bug in BIND 8.2.3 and is fixed -in BIND 8.2.4. It can be safely ignored - the notify has been acted on by -the slave despite the error message. +Q: I keep getting log messages like the following. Why? + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied -Q: I keep getting log messages like the following. Why? +A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update + protocol. Windows 2000 machines have a habit of sending dynamic update + requests to DNS servers without being specifically configured to do so. If + the update requests are coming from a Windows 2000 machine, see http:// + support.microsoft.com/support/kb/articles/q246/8/04.asp for information + about how to turn them off. - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': - update failed: 'RRset exists (value dependent)' prerequisite not - satisfied (NXRRSET) +Q: I see a log message like the following. Why? -A: DNS updates allow the update request to test to see if certain -conditions are met prior to proceeding with the update. The message -above is saying that conditions were not met and the update is not -proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. + couldn't open pid file '/var/run/named.pid': Permission denied +A: You are most likely running named as a non-root user, and that user does not + have permission to write in /var/run. The common ways of fixing this are to + create a /var/run/named directory owned by the named user and set pid-file + to "/var/run/named/named.pid", or set pid-file to "named.pid", which will + put the file in the directory specified by the directory option (which, in + this case, must be writable by the named user). + +Q: When I do a "dig . ns", many of the A records for the root servers are + missing. Why? + +A: This is normal and harmless. It is a somewhat confusing side effect of the + way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to + avoid promoting glue into answers. + + When BIND 9 first starts up and primes its cache, it receives the root + server addresses as additional data in an authoritative response from a root + server, and these records are eligible for inclusion as additional data in + responses. Subsequently it receives a subset of the root server addresses as + additional data in a non-authoritative (referral) response from a root + server. This causes the addresses to now be considered non-authoritative + (glue) data, which is not eligible for inclusion in responses. + + The server does have a complete set of root server addresses cached at all + times, it just may not include all of them as additional data, depending on + whether they were last received as answers or as glue. You can always look + up the addresses with explicit queries like "dig a.root-servers.net A". + +Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why? + +A: This may be caused by a bug in the Windows 2000 DNS server where DNS + messages larger than 16K are not handled properly. This can be worked around + by setting the option "transfer-format one-answer;". Also check whether your + zone contains domain names with embedded spaces or other special characters, + like "John\032Doe\213s\032Computer", since such names have been known to + cause Windows 2000 slaves to incorrectly reject the zone. -Q: I keep getting log messages like the following. Why? +Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied +A: A zone can be updated either by editing zone files and reloading the server + or by dynamic update, but not both. If you have enabled dynamic update for a + zone using the "allow-update" option, you are not supposed to edit the zone + file by hand, and the server will not attempt to reload it. + +Q: I can query the nameserver from the nameserver but not from other machines. + Why? + +A: This is usually the result of the firewall configuration stopping the + queries and / or the replies. + +Q: How can I make a server a slave for both an internal and an external view at + the same time? When I tried, both views on the slave were transferred from + the same view on the master. + +A: You will need to give the master and slave multiple IP addresses and use + those to make sure you reach the correct view on the other machine. + + Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.1; + transfer-source 10.0.1.1; + query-source address 10.0.1.1; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.2; + transfer-source 10.0.1.2; + query-source address 10.0.1.2; + + Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.3; + transfer-source 10.0.1.3; + query-source address 10.0.1.3; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.4; + transfer-source 10.0.1.4; + query-source address 10.0.1.4; + + You put the external address on the alias so that all the other dns clients + on these boxes see the internal view by default. + +A: BIND 9.3 and later: Use TSIG to select the appropriate view. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + ... + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.2 { keys external; }; + recursion no; + ... + }; + + Slave 10.0.1.2: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + ... + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.1 { keys external; }; + recursion no; + ... + }; + +Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. + +A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use + certain interrupts as a source of random events. You can make this permanent + by setting rand_irqs in /etc/rc.conf. + + /etc/rc.conf + rand_irqs="3 14 15" + + See also http://people.freebsd.org/~dougb/randomness.html -A: Someone is trying to update your DNS data using the RFC2136 Dynamic -Update protocol. Windows 2000 machines have a habit of sending dynamic -update requests to DNS servers without being specifically configured to -do so. If the update requests are coming from a Windows 2000 machine, -see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> -for information about how to turn them off. +Q: Why is named listening on UDP port other than 53? +A: Named uses a system selected port to make queries of other nameservers. This + behaviour can be overridden by using query-source to lock down the port and/ + or address. See also notify-source and transfer-source. -Q: I see a log message like the following. Why? +Q: I get error messages like "multiple RRs of singleton type" and "CNAME and + other data" when transferring a zone. What does this mean? - couldn't open pid file '/var/run/named.pid': Permission denied +A: These indicate a malformed master zone. You can identify the exact records + involved by transferring the zone using dig then running named-checkzone on + it. -A: You are most likely running named as a non-root user, and that user -does not have permission to write in /var/run. The common ways of -fixing this are to create a /var/run/named directory owned by the named -user and set pid-file to "/var/run/named/named.pid", or set -pid-file to "named.pid", which will put the file in the directory -specified by the directory option (which, in this case, must be writable -by the named user). + dig axfr example.com @master-server > tmp + named-checkzone example.com tmp + A CNAME record cannot exist with the same name as another record except for + the DNSSEC records which prove its existance (NSEC). -Q: When I do a "dig . ns", many of the A records for the root -servers are missing. Why? + RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data + should be present; this ensures that the data for a canonical name and its + aliases cannot be different. This rule also insures that a cached CNAME can + be used without checking with an authoritative server for other RR types." -A: This is normal and harmless. It is a somewhat confusing side effect -of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 -makes to avoid promoting glue into answers. +Q: I get error messages like "named.conf:99: unexpected end of input" where 99 + is the last line of named.conf. -When BIND 9 first starts up and primes its cache, it receives the root -server addresses as additional data in an authoritative response from -a root server, and these records are eligible for inclusion as -additional data in responses. Subsequently it receives a subset of -the root server addresses as additional data in a non-authoritative -(referral) response from a root server. This causes the addresses to -now be considered non-authoritative (glue) data, which is not eligible -for inclusion in responses. +A: Some text editors (notepad and wordpad) fail to put a line title indication + (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" + a blank line to the end of the file. Named expects to see EOF immediately + after EOL and treats text files where this is not met as truncated. -The server does have a complete set of root server addresses cached -at all times, it just may not include all of them as additional data, -depending on whether they were last received as answers or as glue. -You can always look up the addresses with explicit queries like -"dig a.root-servers.net A". +Q: I get warning messages like "zone example.com/IN: refresh: failure trying + master 1.2.3.4#53: timed out". +A: Check that you can make UDP queries from the slave to the master -Q: Zone transfers from my BIND 9 master to my Windows 2000 slave -fail. Why? + dig +norec example.com soa @1.2.3.4 -A: This may be caused by a bug in the Windows 2000 DNS server where -DNS messages larger than 16K are not handled properly. This can be -worked around by setting the option "transfer-format one-answer;". -Also check whether your zone contains domain names with embedded -spaces or other special characters, like "John\032Doe\213s\032Computer", -since such names have been known to cause Windows 2000 slaves to -incorrectly reject the zone. + You could be generating queries faster than the slave can cope with. Lower + the serial query rate. + serial-query-rate 5; // default 20 -Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? +Q: How do I share a dynamic zone between multiple views? -A: A zone can be updated either by editing zone files and reloading -the server or by dynamic update, but not both. If you have enabled -dynamic update for a zone using the "allow-update" option, you are not -supposed to edit the zone file by hand, and the server will not -attempt to reload it. - - -Q: I can query the nameserver from the nameserver but not from other -machines. Why? - -A: This is usually the result of the firewall configuration stopping -the queries and / or the replies. - - -Q: How can I make a server a slave for both an internal and -an external view at the same time? When I tried, both views -on the slave were transferred from the same view on the master. - -A: You will need to give the master and slave multiple IP addresses and -use those to make sure you reach the correct view on the other machine. - - e.g. - Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.1; - transfer-source 10.0.1.1; - query-source address 10.0.1.1; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.2; - transfer-source 10.0.1.2; - query-source address 10.0.1.2; - - Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) - internal: - match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; - notify-source 10.0.1.3; - transfer-source 10.0.1.3; - query-source address 10.0.1.3; - external: - match-clients { any; }; - recursion no; // don't offer recursion to the world - notify-source 10.0.1.4; - transfer-source 10.0.1.4; - query-source address 10.0.1.4; - - You put the external address on the alias so that all the other - dns clients on these boxes see the internal view by default. - -A: (BIND 9.3 and later) Use TSIG to select the appropriate view. - - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - ... - }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.2 { keys external; }; - recursion no; - ... - }; - - Slave 10.0.1.2: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - view "internal" { - match-clients { !key external; 10.0.1/24; }; - }; - view "external" { - match-clients { key external; any; }; - server 10.0.0.1 { keys external; }; - recursion no; - ... - }; - - -Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there. - -A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel -to use certain interrupts as a source of random events. You can make this -permanent by setting rand_irqs in /etc/rc.conf. - -e.g. - /etc/rc.conf - rand_irqs="3 14 15" - -See also http://people.freebsd.org/~dougb/randomness.html +A: You choose one view to be master and the second a slave and transfer the + zone between views. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + + key "mykey" { + algorithm hmac-md5; + secret "yyyyyyyy"; + }; + + view "internal" { + match-clients { !external; 10.0.1/24; }; + server 10.0.1.1 { + /* Deliver notify messages to external view. */ + keys { external; }; + }; + zone "example.com" { + type master; + file "internal/example.db"; + allow-update { key mykey; }; + notify-also { 10.0.1.1; }; + }; + }; + + view "external" { + match-clients { external; any; }; + zone "example.com" { + type slave; + file "external/example.db"; + masters { 10.0.1.1; }; + transfer-source { 10.0.1.1; }; + // allow-update-forwarding { any; }; + // allow-notify { ... }; + }; + }; +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master + file primaries/wireless.ietf56.ietf.org: no owner". -Q: Why is named listening on UDP port other than 53? +A: This error is produced when a line in the master file contains leading white + space (tab/space) but the is no current record owner name to inherit the + name from. Usually this is the result of putting white space before a + comment. Forgeting the "@" for the SOA record or indenting the master file. -A: Named uses a system selected port to make queries of other nameservers. -This behaviour can be overridden by using query-source to lock down the -port and/or address. See also notify-source and transfer-source. +Q: Why are my logs in GMT (UTC). +A: You are running chrooted (-t) and have not supplied local timzone + information in the chroot area. -Q: I get error messages like "multiple RRs of singleton type" and -"CNAME and other data" when transferring a zone. What does this mean? + FreeBSD: /etc/localtime + Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo + OSF: /etc/zoneinfo/localtime -A: These indicate a malformed master zone. You can identify the -exact records involved by transferring the zone using dig then -running named-checkzone on it. + See also tzset(3) and zic(8). - e.g. - dig axfr example.com @master-server > tmp - named-checkzone example.com tmp +Q: I get the error message "named: capset failed: Operation not permitted" when + starting named. +A: The capability module, part of "Linux Security Modules/LSM", has not been + loaded into the kernel. See insmod(8). -Q: I get error messages like "named.conf:99: unexpected end of input" where -99 is the last line of named.conf. +Q: I get "rndc: connect failed: connection refused" when I try to run rndc. -A: Some text editors (notepad and wordpad) fail to put a line termination -indication (e.g. CR/LF) on the last line of a text file. This can be fixed -by "adding" a blank line to the end of the file. Named expects to see EOF -immediately after EOL and treats text files where this is not met as truncated. +A: This is usually a configuration error. + First ensure that named is running and no errors are being reported at + startup (/var/log/messages or equivalent). Running "named -g <usual + arguments>" from a title can help at this point. -Q: I get warning messages like "zone example.com/IN: refresh: failure trying master -1.2.3.4#53: timed out". + Secondly ensure that named is configured to use rndc either by "rndc-confgen + -a", rndc-confgen or manually. The Administrators Reference manual has + details on how to do this. -A: Check that you can make UDP queries from the slave to the master + Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/ + rndc.conf for the default server. Update /etc/rndc.conf if necessary so that + the default server listed in /etc/rndc.conf matches the addresses used in + named.conf. "localhost" has two address (127.0.0.1 and ::1). - dig +norec example.com soa @1.2.3.4 + If you use "rndc-confgen -a" and named is running with -t or -u ensure that + /etc/rndc.conf has the correct ownership and that a copy is in the chroot + area. You can do this by re-running "rndc-confgen -a" with appropriate -t + and -u arguments. -A: You could be generating queries faster than the slave can cope with. Lower -the serial query rate. +Q: I don't get RRSIG's returned when I use "dig +dnssec". - serial-query-rate 5; // default 20 +A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). -Q: How do I share a dynamic zone between multiple views? +Q: I get "Error 1067" when starting named under Windows. -A: You choose one view to be master and the second a slave and transfer -the zone between views. - - Master 10.0.1.1: - key "external" { - algorithm hmac-md5; - secret "xxxxxxxx"; - }; - - key "mykey" { - algorithm hmac-md5; - secret "yyyyyyyy"; - }; - - view "internal" { - match-clients { !external; 10.0.1/24; }; - server 10.0.1.1 { - /* Deliver notify messages to external view. */ - keys { external; }; - }; - zone "example.com" { - type master; - file "internal/example.db"; - allow-update { key mykey; }; - notify-also { 10.0.1.1; }; - }; - }; - - view "external" { - match-clients { external; any; }; - zone "example.com" { - type slave; - file "external/example.db"; - masters { 10.0.1.1; }; - transfer-source { 10.0.1.1; }; - // allow-update-forwarding { any; }; - // allow-notify { ... }; - }; - }; +A: This is the service manager saying that named exited. You need to examine + the Application log in the EventViewer to find out why. -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master -file primaries/wireless.ietf56.ietf.org: no owner". + Common causes are that you failed to create "named.conf" (usually "C:\ + windows\dns\etc\named.conf") or failed to specify the directory in + named.conf. -A: This error is produced when a line in the master file contains leading -white space (tab/space) but the is no current record owner name to inherit -the name from. Usually this is the result of putting white space before -a comment. Forgeting the "@" for the SOA record or indenting the master -file. + options { + Directory "C:\windows\dns\etc"; + }; +Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while + receiving responses: permission denied" error messages. -Q: Why are my logs in GMT (UTC). +A: These indicate a filesystem permission error preventing named creating / + renaming the temporary file. These will usually also have other associated + error messages like -A: You are running chrooted (-t) and have not supplied local timzone -information in the chroot area. + "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" - FreeBSD: /etc/localtime - Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo - OSF: /etc/zoneinfo/localtime + Named needs write permission on the directory containing the file. Named + writes the new cache file to a temporary file then renames it to the name + specified in named.conf to ensure that the contents are always complete. + This is to prevent named loading a partial zone in the event of power + failure or similar interrupting the write of the master file. - See also tzset(3) and zic(8). + Note file names are relative to the directory specified in options and any + chroot directory ([<chroot dir>/][<options dir>]). + If named is invoked as "named -t /chroot/DNS" with the following named.conf + then "/chroot/DNS/var/named/sl" needs to be writable by the user named is + running as. -Q: I get the error message "named: capset failed: Operation not permitted" -when starting named. + options { + directory "/var/named"; + }; -A: The capset module has not been loaded into the kernel. See insmod(8). + zone "example.net" { + type slave; + file "sl/example.net"; + masters { 192.168.4.12; }; + }; +Q: How do I intergrate BIND 9 and Solaris SMF -Q: I get "rndc: connect failed: connection refused" when I try to run - rndc. +A: Sun has a blog entry describing how to do this. -A: This is usually a configuration error. + http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris - First ensure that named is running and no errors are being - reported at startup (/var/log/messages or equivalent). Running - "named -g <usual arguements>" from a terminal can help at this - point. +Q: Can a NS record refer to a CNAME. - Secondly ensure that named is configured to use rndc either by - "rndc-confgen -a", rndc-confgen or manually. The Administators - Reference manual has details on how to do this. +A: No. The rules for glue (copies of the *address* records in the parent zones) + and additional section processing do not allow it to work. - Old versions of rndc-confgen used localhost rather than 127.0.0.1 - in /etc/rndc.conf for the default server. Update /etc/rndc.conf - if necessary so that the default server listed in /etc/rndc.conf - matches the addresses used in named.conf. "localhost" has two - address (127.0.0.1 and ::1). + You would have to add both the CNAME and address records (A/AAAA) as glue to + the parent zone and have CNAMEs be followed when doing additional section + processing to make it work. No namesever implementation supports either of + these requirements. - If you use "rndc-confgen -a" and named is running with -t or -u - ensure that /etc/rndc.conf has the correct ownership and that - a copy is in the chroot area. You can do this by re-running - "rndc-confgen -a" with appropriate -t and -u arguements. +Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean? +A: If the IN-ADDR.ARPA name covered refers to a internal address space you are + using then you have failed to follow RFC 1918 usage rules and are leaking + queries to the Internet. You should establish your own zones for these + addresses to prevent you quering the Internet's name servers for these + addresses. Please see http://as112.net/ for details of the problems you are + causing and the counter measures that have had to be deployed. -Q: I don't get RRSIG's returned when I use "dig +dnssec". + If you are not using these private addresses then a client has queried for + them. You can just ignore the messages, get the offending client to stop + sending you these messages as they are most probably leaking them or setup + your own zones empty zones to serve answers to these queries. -A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). + zone "10.IN-ADDR.ARPA" { + type master; + file "empty"; + }; + zone "16.172.IN-ADDR.ARPA" { + type master; + file "empty"; + }; -Q: I get "Error 1067" when starting named under Windows. + ... + + zone "31.172.IN-ADDR.ARPA" { + type master; + file "empty"; + }; -A: This is the service manager saying that named exited. You need to - examine the Application log in the EventViewer to find out why. + zone "168.192.IN-ADDR.ARPA" { + type master; + file "empty"; + }; - Common causes are that you failed to create "named.conf" (usually - "C:\windows\dns\etc\named.conf") or failed to specify the directory - in named.conf. + empty: + @ 10800 IN SOA <name-of-server>. <contact-email>. ( + 1 3600 1200 604800 10800 ) + @ 10800 IN NS <name-of-server>. - options { - Directory "C:\windows\dns\etc"; - }; + Note + Future versions of named are likely to do this automatically. |