Frequently Asked Questions about BIND 9

Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium.

-----------------------------------------------------------------------

1. Compilation and Installation Questions

Q: I'm trying to compile BIND 9, and "make" is failing due to files not
   being found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not
   supported, and doesn't work. If you are using one of these, use normal
   make or gmake instead.

Q: Isn't "make install" supposed to generate a default named.conf?

A: Short Answer: No.

   Long Answer: There really isn't a default configuration which fits any
   site perfectly. There are lots of decisions that need to be made and
   there is no consensus on what the defaults should be. For example
   FreeBSD uses /etc/namedb as the location where the configuration files
   for named are stored. Others use /var/named.

   What addresses to listen on? For a laptop on the move a lot you may
   only want to listen on the loopback interfaces.

   Who do you offer recursive service to? Is there a firewall to
   consider? If so, is it stateless or stateful? Are you directly on the
   Internet? Are you on a private network? Are you on a NAT'd network? The
   answers to all these questions change how you configure even a caching
   name server.

2. Configuration and Setup Questions

Q: Why does named log the warning message "no TTL specified - using SOA
   MINTTL instead"?

A: Your zone file is illegal according to RFC1035. It must either have a
   line like:

      $TTL 86400

   at the beginning, or the first record in it must have a TTL field, like
   the "86400" in this example:

      example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
   file bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check
   that all TXT records containing quoted strings have both open and close
   quotes.

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version
   in the "options" section of named.conf. Note that doing this will not
   prevent attacks and may impede people trying to diagnose problems with
   your server. Also it is possible to "fingerprint" nameservers to
   determine their version.

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups, as the internal
   view that holds the version information will be matched last. The
   caveats of the previous answer still apply, of course.

      view "chaos" chaos {
              match-clients { <those to be refused>; };
              allow-query { none; };
              zone "." {
                      type hint;
                      file "/dev/null";  // or any empty file
              };
      };

Q: What do "no source of entropy found" or "could not open entropy source
   foo" mean?

A: The server requires a source of entropy to perform certain operations,
   mostly DNSSEC related. These messages indicate that you have no source
   of entropy. On systems with /dev/random or an equivalent, it is used by
   default. A source of entropy can also be defined using the
   random-device option in named.conf.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone
   transfers. I'm sure I have the keys set up correctly, but the server is
   rejecting the TSIG. Why?

A: This may be a clock skew problem. Check that the clocks on the
   client and server are properly synchronised (e.g., using ntp).

Q: I see a log message like the following. Why?

      couldn't open pid file '/var/run/named.pid': Permission denied

A: You are most likely running named as a non-root user, and that user
   does not have permission to write in /var/run. The common ways of
   fixing this are to create a /var/run/named directory owned by the named
   user and set pid-file to "/var/run/named/named.pid", or set pid-file to
   "named.pid", which will put the file in the directory specified by the
   directory option (which, in this case, must be writable by the named
   user).

Q: I can query the nameserver from the nameserver but not from other
   machines. Why?

A: This is usually the result of the firewall configuration stopping the
   queries and / or the replies.

Q: How can I make a server a slave for both an internal and an external
   view at the same time? When I tried, both views on the slave were
   transferred from the same view on the master.
A: You will need to give the master and slave multiple IP addresses and
   use those to make sure you reach the correct view on the other machine.

   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
      internal:
         match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
         notify-source 10.0.1.1;
         transfer-source 10.0.1.1;
         query-source address 10.0.1.1;
      external:
         match-clients { any; };
         recursion no;  // don't offer recursion to the world
         notify-source 10.0.1.2;
         transfer-source 10.0.1.2;
         query-source address 10.0.1.2;

   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
      internal:
         match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
         notify-source 10.0.1.3;
         transfer-source 10.0.1.3;
         query-source address 10.0.1.3;
      external:
         match-clients { any; };
         recursion no;  // don't offer recursion to the world
         notify-source 10.0.1.4;
         transfer-source 10.0.1.4;
         query-source address 10.0.1.4;

   You put the external address on the alias so that all the other DNS
   clients on these boxes see the internal view by default.
A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Master 10.0.1.1:
      key "external" {
         algorithm hmac-md5;
         secret "xxxxxxxx";
      };
      view "internal" {
         match-clients { !key external; 10.0.1/24; };
         ...
      };
      view "external" {
         match-clients { key external; any; };
         server 10.0.1.2 { keys { external; }; };
         recursion no;
         ...
      };

   Slave 10.0.1.2:
      key "external" {
         algorithm hmac-md5;
         secret "xxxxxxxx";
      };
      view "internal" {
         match-clients { !key external; 10.0.1/24; };
         ...
      };
      view "external" {
         match-clients { key external; any; };
         server 10.0.1.1 { keys { external; }; };
         recursion no;
         ...
      };
Q: I get error messages like "multiple RRs of singleton type" and "CNAME
   and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact
   records involved by transferring the zone using dig, then running
   named-checkzone on it.

      dig axfr example.com @master-server > tmp
      named-checkzone example.com tmp

   A CNAME record cannot exist with the same name as another record except
   for the DNSSEC records which prove its existence (NSEC).

   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
   data should be present; this ensures that the data for a canonical name
   and its aliases cannot be different. This rule also insures that a
   cached CNAME can be used without checking with an authoritative server
   for other RR types."
Q: I get error messages like "named.conf:99: unexpected end of input"
   where 99 is the last line of named.conf.

A: Some text editors (notepad and wordpad) fail to put a line termination
   indication (e.g. CR/LF) on the last line of a text file. This can be
   fixed by "adding" a blank line to the end of the file. Named expects to
   see EOF immediately after EOL and treats text files where this is not
   met as truncated.
Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer
   the zone between views.

   Master 10.0.1.1:
      key "external" {
         algorithm hmac-md5;
         secret "xxxxxxxx";
      };
      key "mykey" {
         algorithm hmac-md5;
         secret "yyyyyyyy";
      };
      view "internal" {
         match-clients { !key external; 10.0.1/24; };
         server 10.0.1.1 {
            /* Deliver notify messages to external view. */
            keys { external; };
         };
         zone "example.com" {
            type master;
            file "internal/example.db";
            allow-update { key mykey; };
            also-notify { 10.0.1.1; };
         };
      };
      view "external" {
         match-clients { key external; any; };
         zone "example.com" {
            type slave;
            file "external/example.db";
            masters { 10.0.1.1; };
            transfer-source 10.0.1.1;
            // allow-update-forwarding { any; };
            // allow-notify { ... };
         };
      };
Q: I get an error message like "zone wireless.ietf56.ietf.org/IN: loading
   master file primaries/wireless.ietf56.ietf.org: no owner".

A: This error is produced when a line in the master file contains leading
   white space (tab/space) but there is no current record owner name to
   inherit the name from. Usually this is the result of putting white
   space before a comment, forgetting the "@" for the SOA record, or
   indenting the master file.
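   As an added example (not BIND code and not part of the original FAQ), the
   following Python linter catches the three master-file problems described
   in this section before a zone is loaded or transferred: the "no TTL
   specified" warning, the "no owner" error, and the RFC 1034 CNAME rules
   behind "CNAME and other data" and "multiple RRs of singleton type". It
   assumes a simplified master-file syntax ($TTL, ';' comments and
   parenthesised continuations, but no $ORIGIN or $INCLUDE) and integer TTL
   fields; the sample zones are constructed.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
SINGLETON_TYPES = {"CNAME"}            # at most one RR of this type per owner
CNAME_COMPANIONS = {"NSEC", "RRSIG"}   # DNSSEC records allowed beside a CNAME


def _logical_lines(text):
    """Yield (first line number, text) with ';' comments stripped and
    parenthesised continuations (e.g. an SOA) joined into one line."""
    buf, start, depth = [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # no quoted-';' handling
        if not buf:
            if not line.strip():
                continue
            start = lineno
            buf.append(line)          # keep leading whitespace: owner inheritance
        else:
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield start, " ".join(buf)
            buf, depth = [], 0


def lint_zone(text):
    """Return human-readable findings for a master file (empty = clean).
    Simplified reader: $TTL honoured, $ORIGIN/$INCLUDE skipped, integer TTLs only."""
    findings = []
    default_ttl = None
    owner = None
    types_at = defaultdict(set)     # owner -> RR types seen at that name
    rr_count = defaultdict(int)     # (owner, type) -> number of RRs
    first_record = True
    for lineno, line in _logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():
            if owner is None:              # nothing to inherit: "no owner"
                findings.append(f"line {lineno}: no owner")
                continue
        else:
            owner = tokens.pop(0)
        # RFC 1035 allows [TTL] [class] or [class] [TTL] before the type.
        ttl = None
        if tokens and tokens[0].isdigit():
            ttl = tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:
            tokens.pop(0)
        if ttl is None and tokens and tokens[0].isdigit():
            ttl = tokens.pop(0)
        if not tokens:                     # bare owner name, not a record
            continue
        rtype = tokens[0].upper()
        if first_record and ttl is None and default_ttl is None:
            findings.append(f"line {lineno}: no TTL specified - using SOA MINTTL instead")
        first_record = False
        types_at[owner].add(rtype)
        rr_count[(owner, rtype)] += 1
    # RFC 1034 3.6.2: a CNAME may not share its name with other data.
    for name, types in types_at.items():
        others = types - {"CNAME"} - CNAME_COMPANIONS
        if "CNAME" in types and others:
            findings.append(f"{name}: CNAME and other data ({', '.join(sorted(others))})")
    for (name, rtype), n in rr_count.items():
        if rtype in SINGLETON_TYPES and n > 1:
            findings.append(f"{name}: multiple RRs of singleton type {rtype}")
    return findings


# Constructed sample zones (not from the FAQ).
BROKEN_CNAMES = """\
$TTL 3600
@       IN SOA ns.example.com. hostmaster.example.com. (
            2024010101 3600 1800 1814400 3600 )
        IN NS    ns.example.com.
www     IN CNAME ns.example.com.
www     IN A     192.0.2.2          ; CNAME and other data
alias   IN CNAME ns.example.com.
alias   IN CNAME www.example.com.   ; second CNAME at the same name
"""

NO_TTL_NO_OWNER = """\
        IN NS ns.example.com.       ; indented first line: nothing to inherit
@       IN SOA ns.example.com. hostmaster.example.com. ( 1 3600 1800 1814400 3600 )
"""
```

   Running lint_zone over each sample returns the offending owner names and
   line numbers, which is the same information named-checkzone reports on a
   transferred copy of the zone.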
Q: Why are my logs in GMT (UTC)?

A: You are running chrooted (-t) and have not supplied local timezone
   information in the chroot area.

      FreeBSD: /etc/localtime
      Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
      OSF:     /etc/zoneinfo/localtime

   See also tzset(3) and zic(8).
Q: I get "rndc: connect failed: connection refused" when I try to run
   rndc.

A: This is usually a configuration error.

   First ensure that named is running and no errors are being reported at
   startup (/var/log/messages or equivalent). Running "named -g <usual
   arguments>" from a terminal can help at this point.

   Secondly ensure that named is configured to use rndc either by
   "rndc-confgen -a", rndc-confgen or manually. The Administrator
   Reference Manual has details on how to do this.

   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in
   /etc/rndc.conf for the default server. Update /etc/rndc.conf if
   necessary so that the default server listed in /etc/rndc.conf matches
   the addresses used in named.conf. "localhost" has two addresses
   (127.0.0.1 and ::1).

   If you use "rndc-confgen -a" and named is running with -t or -u ensure
   that /etc/rndc.conf has the correct ownership and that a copy is in the
   chroot area. You can do this by re-running "rndc-confgen -a" with
   appropriate -t and -u arguments.
Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
   receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named creating
   / renaming the temporary file. These will usually also have other
   associated error messages like

      "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

   Named needs write permission on the directory containing the file.
   Named writes the new cache file to a temporary file then renames it to
   the name specified in named.conf to ensure that the contents are always
   complete. This is to prevent named loading a partial zone in the event
   of power failure or similar interrupting the write of the master file.

   Note file names are relative to the directory specified in options and
   any chroot directory ([<chroot dir>/][<options dir>]).

   If named is invoked as "named -t /chroot/DNS" with the following
   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
   user named is running as.

      options {
         directory "/var/named";
      };
      zone "example.net" {
         type slave;
         file "sl/example.net";
         masters { 192.168.4.12; };
      };
Q: I want to forward all DNS queries from my caching nameserver to another
   server. But there are some domains which have to be served locally, via
   rbldnsd. How do I achieve this?

A: options {
      forward only;
      forwarders { <ip.of.primary.nameserver>; };
   };
   zone "sbl-xbl.spamhaus.org" {
      type forward; forward only;
      forwarders { <ip.of.rbldns.server> port 530; };
   };
   zone "list.dsbl.org" {
      type forward; forward only;
      forwarders { <ip.of.rbldns.server> port 530; };
   };
3. General Questions

Q: I keep getting log messages like the following. Why?

      Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
      update failed: 'RRset exists (value dependent)' prerequisite not
      satisfied (NXRRSET)

A: DNS updates allow the update request to test to see if certain
   conditions are met prior to proceeding with the update. The message
   above is saying that conditions were not met and the update is not
   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.

Q: I keep getting log messages like the following. Why?

      Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

A: Someone is trying to update your DNS data using the RFC2136 Dynamic
   Update protocol. Windows 2000 machines have a habit of sending dynamic
   update requests to DNS servers without being specifically configured to
   do so. If the update requests are coming from a Windows 2000 machine,
   see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for
   information about how to turn them off.
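   As an added example (not part of the original FAQ or of BIND), the
   following Python snippet triages the two kinds of dynamic-update log
   lines quoted in the previous two questions, separating updates that were
   refused outright ("update denied") from updates that were accepted but
   failed an RFC 2136 prerequisite, and listing the clients that keep
   sending refused updates so they can be reconfigured. It assumes the line
   shapes shown above (optional syslog-style timestamp, then
   "client <ip>#<port>: <message>"); the sample log is constructed.

```python
import re
from collections import Counter, defaultdict

# Line shapes quoted in this FAQ: optional syslog-style timestamp, then
# "client <ip>#<port>: <message>". Other named log formats are not modelled.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d{1,2} [\d:.]+ )?client (?P<ip>\S+?)#(?P<port>\d+): (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.*) \((?P<rcode>\w+)\)$")


def parse_line(line):
    """Classify one log line.

    Returns (client_ip, kind, zone, rcode): kind is "denied" when the update
    was refused outright (e.g. by allow-update) or "prereq-failed" when it
    was processed but an RFC 2136 prerequisite did not hold. Returns None
    for lines that are not dynamic-update messages."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    if msg == "update denied":
        return (m.group("ip"), "denied", None, None)
    f = FAILED_RE.match(msg)
    if f:
        return (m.group("ip"), "prereq-failed", f.group("zone"), f.group("rcode"))
    return None


def triage(lines, denied_threshold=3):
    """Count update outcomes per client and flag clients whose refused
    updates reach denied_threshold: those are the hosts to reconfigure (or
    to list in allow-update, with a TSIG key, if the updates are wanted)."""
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, kind, _zone, _rcode = parsed
            per_client[ip][kind] += 1
    noisy = sorted(ip for ip, c in per_client.items()
                   if c["denied"] >= denied_threshold)
    return dict(per_client), noisy


# Constructed sample log; the first two lines are the FAQ's own examples.
SAMPLE_LOG = [
    "Dec  4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': "
    "update failed: 'RRset exists (value dependent)' prerequisite not "
    "satisfied (NXRRSET)",
    "Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied",
    "Jun 21 12:00:01.000 client 192.0.2.7#49152: update denied",
    "Jun 21 12:00:02.000 client 192.0.2.7#49153: update denied",
    "Jun 21 12:00:03.000 client 192.0.2.7#49154: update denied",
    "Jun 21 12:00:04.000 unrelated message that should be ignored",
]

if __name__ == "__main__":
    counts, noisy = triage(SAMPLE_LOG)
    for ip, c in counts.items():
        print(ip, dict(c))
    print("clients to investigate:", noisy)
```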
Q: When I do a "dig . ns", many of the A records for the root servers are
   missing. Why?

A: This is normal and harmless. It is a somewhat confusing side effect of
   the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
   makes to avoid promoting glue into answers.

   When BIND 9 first starts up and primes its cache, it receives the root
   server addresses as additional data in an authoritative response from a
   root server, and these records are eligible for inclusion as additional
   data in responses. Subsequently it receives a subset of the root server
   addresses as additional data in a non-authoritative (referral) response
   from a root server. This causes the addresses to now be considered
   non-authoritative (glue) data, which is not eligible for inclusion in
   responses.

   The server does have a complete set of root server addresses cached at
   all times, it just may not include all of them as additional data,
   depending on whether they were last received as answers or as glue. You
   can always look up the addresses with explicit queries like "dig
   a.root-servers.net A".
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading the
   server or by dynamic update, but not both. If you have enabled dynamic
   update for a zone using the "allow-update" option, you are not supposed
   to edit the zone file by hand, and the server will not attempt to
   reload it.
Q: Why is named listening on a UDP port other than 53?

A: Named uses a system selected port to make queries of other nameservers.
   This behaviour can be overridden by using query-source to lock down the
   port and/or address. See also notify-source and transfer-source.
Q: I get warning messages like "zone example.com/IN: refresh: failure
   trying master 1.2.3.4#53: timed out".

A: Check that you can make UDP queries from the slave to the master

      dig +norec example.com soa @1.2.3.4

   You could be generating queries faster than the slave can cope with.
   Lower the serial query rate.

      serial-query-rate 5; // default 20
Q: I don't get RRSIGs returned when I use "dig +dnssec".

A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).

Q: Can an NS record refer to a CNAME?

A: No. The rules for glue (copies of the *address* records in the parent
   zones) and additional section processing do not allow it to work.

   You would have to add both the CNAME and address records (A/AAAA) as
   glue to the parent zone and have CNAMEs be followed when doing
   additional section processing to make it work. No nameserver
   implementation supports either of these requirements.
Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
   mean?

A: If the IN-ADDR.ARPA name covered refers to an internal address space you
   are using then you have failed to follow RFC 1918 usage rules and are
   leaking queries to the Internet. You should establish your own zones
   for these addresses to prevent you querying the Internet's name servers
   for these addresses. Please see http://as112.net/ for details of the
   problems you are causing and the counter measures that have had to be
   deployed.

   If you are not using these private addresses then a client has queried
   for them. You can just ignore the messages, get the offending client to
   stop sending you these queries as they are most probably leaking them,
   or set up your own empty zones to serve answers to these queries.

      zone "10.IN-ADDR.ARPA" {
         type master;
         file "empty";
      };
      zone "16.172.IN-ADDR.ARPA" {
         type master;
         file "empty";
      };
      ...
      zone "31.172.IN-ADDR.ARPA" {
         type master;
         file "empty";
      };
      zone "168.192.IN-ADDR.ARPA" {
         type master;
         file "empty";
      };

   empty:
      @ 10800 IN SOA <name-of-server>. <contact-email>. (
                     1 3600 1200 604800 10800 )
      @ 10800 IN NS <name-of-server>.

   Note: Future versions of named are likely to do this automatically.
Q: Will named be affected by the 2007 changes to daylight savings rules in
   the US?

A: No, so long as the machine's internal clock (as reported by "date -u")
   remains at UTC. The only visible change if you fail to upgrade your OS,
   if you are in an affected area, will be that log messages will be an
   hour out during the period where the old rules do not match the new
   rules.

   For most OS's this change just means that you need to update the
   conversion rules from UTC to local time. Normally this involves
   updating a file in /etc (which sets the default timezone for the
   machine) and possibly a directory which has all the conversion rules
   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
   forget to update any chroot areas as well. See your OS's documentation
   for more details.

   The local timezone conversion rules can also be set on an individual
   basis by setting the TZ environment variable appropriately. See your
   OS's documentation for more details.
4. Operating-System Specific Questions

4.1. Linux

Q: Why do I get the following errors:

      general: errno2result.c:109: unexpected error:
      general: unable to convert errno to isc_result: 14: Bad address
      client: UDP client handler shutting down due to fatal receive error: unexpected error

A: This is the result of a Linux kernel bug.

   See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps. The approximate
   number of threads running is n+4, where n is the number of CPUs. Note
   that the amount of memory used is not cumulative; if each process is
   using 10M of memory, only a total of 10M is used.

   Newer versions of Linux's ps command hide the individual threads and
   require -L to display them.

Q: Why does BIND 9 log "permission denied" errors accessing its
   configuration files or zones on my Linux system even though it is
   running as root?

A: On Linux, BIND 9 drops most of its root privileges on startup. This
   includes the privilege to open files owned by other users. Therefore,
   if the server is running as root, the configuration files and zone
   files should also be owned by root.

Q: I get the error message "named: capset failed: Operation not permitted"
   when starting named.

A: The capability module, part of "Linux Security Modules/LSM", has not
   been loaded into the kernel. See insmod(8).
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core.
   Why can't named update slave zone database files?
   Why can't named create DDNS journal files or update the master zones
   from journals?
   Why can't named create custom log files?

A: Red Hat Security Enhanced Linux (SELinux) policy security protections:

   Red Hat have adopted the National Security Agency's SELinux security
   policy (see http://www.nsa.gov/selinux) and recommendations for BIND
   security, which are more secure than running named in a chroot and
   make use of the bind-chroot environment unnecessary.

   By default, named is not allowed by the SELinux policy to write, create
   or delete any files EXCEPT in these directories:

      $ROOTDIR/var/named/slaves
      $ROOTDIR/var/named/data
      $ROOTDIR/var/tmp

   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
   installed.

   The SELinux policy particularly does NOT allow named to modify the
   $ROOTDIR/var/named directory, the default location for master zone
   database files.

   SELinux policy overrules file access permissions, so even if all the
   files under /var/named have ownership named:named and mode rw-rw-r--,
   named will still not be able to write or create files except in the
   directories above, with SELinux in Enforcing mode.

   So, to allow named to update slave or DDNS zone files, it is best to
   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
   statements such as:

      zone "slave.zone." IN {
         type slave;
         file "slaves/slave.zone.db";
         ...
      };
      zone "ddns.zone." IN {
         type master;
         allow-update { ... };
         file "slaves/ddns.zone.db";
      };

   To allow named to create its cache dump and statistics files, for
   example, you could use named.conf options statements such as:

      options {
         ...
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         ...
      };

   You can also tell SELinux to allow named to update any zone database
   files, by setting the SELinux tunable boolean parameter
   'named_write_master_zones=1', using the system-config-securitylevel
   GUI, using the 'setsebool' command, or in
   /etc/selinux/targeted/booleans.

   You can disable SELinux protection for named entirely by setting the
   'named_disable_trans=1' SELinux tunable boolean parameter.

   The SELinux named policy defines these SELinux contexts for named:

      named_zone_t : for zone database files - $ROOTDIR/var/named/*
      named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
      named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}

   If you want to retain use of the SELinux policy for named, and put
   named files in different locations, you can do so by changing the
   context of the custom file locations.

   To create a custom configuration file location, e.g. '/root/named.conf',
   to use with the 'named -c' option, do:

      # chcon system_u:object_r:named_conf_t /root/named.conf

   To create a custom modifiable named data location, e.g. '/var/log/named'
   for a log file, do:

      # chcon system_u:object_r:named_cache_t /var/log/named

   To create a custom zone file location, e.g. /root/zones/, do:

      # chcon system_u:object_r:named_zone_t /root/zones/{.,*}

   See these man-pages for more information: selinux(8), named_selinux(8),
   chcon(1), setsebool(8)
4.2. Windows

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
   Why?

A: This may be caused by a bug in the Windows 2000 DNS server where DNS
   messages larger than 16K are not handled properly. This can be worked
   around by setting the option "transfer-format one-answer;". Also check
   whether your zone contains domain names with embedded spaces or other
   special characters, like "John\032Doe\213s\032Computer", since such
   names have been known to cause Windows 2000 slaves to incorrectly
   reject the zone.

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to
   examine the Application log in the EventViewer to find out why.
   Common causes are that you failed to create "named.conf" (usually
   "C:\windows\dns\etc\named.conf") or failed to specify the directory in
   named.conf.

      options {
         directory "C:\windows\dns\etc";
      };
4.3. FreeBSD

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
   use certain interrupts as a source of random events. You can make this
   permanent by setting rand_irqs in /etc/rc.conf.

      /etc/rc.conf
      rand_irqs="3 14 15"

   See also http://people.freebsd.org/~dougb/randomness.html

4.4. Solaris

Q: How do I integrate BIND 9 and Solaris SMF?

A: Sun has a blog entry describing how to do this.

   http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris