2000-12-04 17:00:32 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Frequently Asked Questions about BIND 9
|
|
|
|
|
|
|
|
|
|
|
2001-06-06 23:09:44 +00:00
|
|
|
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
|
2000-11-08 02:09:29 +00:00
|
|
|
|
|
|
|
|
A: Linux threads do not fully implement the Posix threads (pthreads) standard.
|
|
|
|
|
In particular, setuid() operates only on the current thread, not the full
|
|
|
|
|
process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
|
|
|
|
|
can on all other supported platforms. setuid() cannot be called before
|
|
|
|
|
creating threads, since the server does not start listening on reserved ports
|
|
|
|
|
until after threads have started.
|
|
|
|
|
|
2001-04-13 06:26:26 +00:00
|
|
|
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
|
|
|
|
|
capabilities across a setuid() call is present. This allows BIND 9 to call
|
|
|
|
|
setuid() early, while retaining the ability to bind reserved ports. This is
|
|
|
|
|
a Linux-specific hack.
|
2000-11-08 02:09:29 +00:00
|
|
|
|
|
|
|
|
On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
|
|
|
|
|
of a security risk than a root process that has not dropped privileges.
|
|
|
|
|
|
|
|
|
|
If Linux threads ever work correctly, this restriction will go away.
|
2000-11-08 17:12:10 +00:00
|
|
|
|
2001-06-06 23:09:44 +00:00
|
|
|
Configuring BIND9 with the --disable-threads option (the default) causes a
|
|
|
|
|
non-threaded version to be built, which will allow -u to be used.
|
2000-12-04 19:52:44 +00:00
|
|
|
|
2000-11-08 17:12:10 +00:00
|
|
|
|
2001-05-22 02:01:28 +00:00
|
|
|
Q: Why does named log the warning message "no TTL specified - using SOA
|
|
|
|
|
MINTTL instead"?
|
2000-11-08 17:12:10 +00:00
|
|
|
|
2001-05-22 02:01:28 +00:00
|
|
|
A: Your zone file is illegal according to RFC1035. It must either
|
|
|
|
|
have a line like
|
2000-11-08 17:12:10 +00:00
|
|
|
|
|
|
|
|
$TTL 86400
|
|
|
|
|
|
|
|
|
|
at the beginning, or the first record in it must have a TTL field,
|
|
|
|
|
like the "84600" in this example:
|
|
|
|
|
|
|
|
|
|
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
|
|
|
|
|
|
2000-11-13 20:14:35 +00:00
|
|
|
Q: Why do I see 5 (or more) copies of named on Linux?
|
|
|
|
|
|
|
|
|
|
A: Linux threads each show up as a process under ps. The approximate
|
2001-02-19 06:02:09 +00:00
|
|
|
number of threads running is n+4, where n is the number of CPUs. Note that
|
|
|
|
|
the amount of memory used is not cumulative; if each process is using 10M of
|
|
|
|
|
memory, only a total of 10M is used.
|
2000-11-16 18:09:48 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: Why does BIND 9 log "permission denied" errors accessing its
|
2000-12-30 01:34:53 +00:00
|
|
|
configuration files or zones on my Linux system even though it is running
|
|
|
|
|
as root?
|
2000-11-16 18:09:48 +00:00
|
|
|
|
|
|
|
|
A: On Linux, BIND 9 drops most of its root privileges on startup.
|
|
|
|
|
This including the privilege to open files owned by other users.
|
|
|
|
|
Therefore, if the server is running as root, the configuration files
|
2000-12-30 01:34:53 +00:00
|
|
|
and zone files should also be owned by root.
|
2000-12-06 23:07:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
|
|
|
|
|
bar: ran out of space"
|
|
|
|
|
|
|
|
|
|
A: This is often caused by TXT records with missing close quotes. Check that
|
|
|
|
|
all TXT records containing quoted strings have both open and close quotes.
|
2000-12-11 18:55:49 +00:00
|
|
|
|
|
|
|
|
|
2001-09-17 20:34:09 +00:00
|
|
|
Q: How do I produce a usable core file from a multithreaded named on Linux?
|
2000-12-11 18:55:49 +00:00
|
|
|
|
2001-09-17 20:34:09 +00:00
|
|
|
A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
|
|
|
|
|
are usable (that is, the correct thread is dumped). Otherwise, if using
|
|
|
|
|
a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
|
|
|
|
|
and rebuild the kernel. This patch will cause multithreaded programs to dump
|
|
|
|
|
the correct thread.
|
2000-12-20 04:30:39 +00:00
|
|
|
|
|
|
|
|
|
2000-12-20 05:52:28 +00:00
|
|
|
Q: How do I restrict people from looking up the server version?
|
|
|
|
|
|
|
|
|
|
A: Put a "version" option containing something other than the real
|
|
|
|
|
version in the "options" section of named.conf. Note doing this will
|
|
|
|
|
not prevent attacks and may impede people trying to diagnose problems
|
2000-12-20 04:30:39 +00:00
|
|
|
with your server. Also it is possible to "fingerprint" nameservers to
|
2000-12-20 05:52:28 +00:00
|
|
|
determine their version.
|
|
|
|
|
|
2000-12-20 04:30:39 +00:00
|
|
|
|
2000-12-20 05:52:28 +00:00
|
|
|
Q: How do I restrict only remote users from looking up the server
|
|
|
|
|
version?
|
|
|
|
|
|
|
|
|
|
A: The following view statement will intercept lookups as the internal
|
|
|
|
|
view that holds the version information will be matched last. The
|
|
|
|
|
caveats of the previous answer still apply, of course.
|
|
|
|
|
|
|
|
|
|
view "chaos" chaos {
|
|
|
|
|
match-clients { <those to be refused>; };
|
|
|
|
|
allow-query { none; };
|
|
|
|
|
zone "." {
|
|
|
|
|
type hint;
|
|
|
|
|
file "/dev/null"; // or any empty file
|
|
|
|
|
};
|
|
|
|
|
};
|
2001-01-10 18:24:12 +00:00
|
|
|
|
2001-01-11 23:48:54 +00:00
|
|
|
|
2001-01-12 00:37:48 +00:00
|
|
|
Q: What do "no source of entropy found" or "could not open entropy source foo"
|
2001-01-11 23:48:54 +00:00
|
|
|
mean?
|
|
|
|
|
|
|
|
|
|
A: The server requires a source of entropy to perform certain operations,
|
|
|
|
|
mostly DNSSEC related. These messages indicate that you have no source
|
|
|
|
|
of entropy. On systems with /dev/random or an equivalent, it is used by
|
|
|
|
|
default. A source of entropy can also be defined using the random-device
|
|
|
|
|
option in named.conf.
|
2001-02-13 06:02:59 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
|
|
|
|
|
|
|
|
|
|
A: BIND 9 is installed under /usr/local by default. BIND 8 is often
|
|
|
|
|
installed under /usr. Check that the correct named is running.
|
2001-02-22 17:19:16 +00:00
|
|
|
|
|
|
|
|
|
2001-02-25 06:47:52 +00:00
|
|
|
Q: I'm trying to use TSIG to authenticate dynamic updates or zone
|
|
|
|
|
transfers. I'm sure I have the keys set up correctly, but the server
|
|
|
|
|
is rejecting the TSIG. Why?
|
|
|
|
|
|
|
|
|
|
A: This may be a clock skew problem. Check that the the clocks on
|
|
|
|
|
the client and server are properly synchronized (e.g., using ntp).
|
2001-03-21 18:18:57 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I'm trying to compile BIND 9, and "make" is failing due to files not
|
|
|
|
|
being found. Why?
|
|
|
|
|
|
2001-03-22 00:06:01 +00:00
|
|
|
A: Using a parallel or distributed "make" to build BIND 9 is not
|
|
|
|
|
supported, and doesn't work. If you are using one of these, use
|
|
|
|
|
normal make or gmake instead.
|
2001-04-17 17:12:05 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
|
|
|
|
|
logging error messages like "notify to 10.0.0.1#53 failed: unexpected
|
|
|
|
|
end of input". What's wrong?
|
|
|
|
|
|
|
|
|
|
A: This error message is caused by a known bug in BIND 8.2.3 and will
|
|
|
|
|
be fixed in 8.2.4. It can be safely ignored - the notify has been
|
|
|
|
|
acted on by the slave despite the error message.
|
2001-06-21 17:20:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I keep getting log messages like the following. Why?
|
|
|
|
|
|
|
|
|
|
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
|
|
|
|
|
|
2001-09-17 20:34:57 +00:00
|
|
|
A: Someone is trying to update your DNS data using the RFC2136 Dynamic
|
2001-06-21 17:20:04 +00:00
|
|
|
Update protocol. Windows 2000 machines have a habit of sending dynamic
|
|
|
|
|
update requests to DNS servers without being specifically configured to
|
|
|
|
|
do so. If the update requests are coming from a Windows 2000 machine,
|
|
|
|
|
see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
|
|
|
|
|
for information about how to turn them off.
|
2001-06-29 21:17:03 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I see a log message like the following. Why?
|
|
|
|
|
|
|
|
|
|
couldn't open pid file '/var/run/named.pid': Permission denied
|
|
|
|
|
|
2001-09-17 20:34:57 +00:00
|
|
|
A: You are most likely running named as a non-root user, and that user
|
2001-06-29 21:17:03 +00:00
|
|
|
does not have permission to write in /var/run. The common ways of
|
|
|
|
|
fixing this are to create a /var/run/named directory owned by the named
|
|
|
|
|
user and set pid-file to "/var/run/named/named.pid", or set
|
|
|
|
|
pid-file to "named.pid", which will put the file in the directory
|
|
|
|
|
specified by the directory option (which, in this case, must be writable
|
|
|
|
|
by the named user).
|
2001-07-19 22:11:10 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: When I do a "dig . ns", many of the A records for the root
|
|
|
|
|
servers are missing. Why?
|
|
|
|
|
|
|
|
|
|
A: This is normal and harmless. It is a somewhat confusing side effect
|
|
|
|
|
of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
|
|
|
|
|
makes to avoid promoting glue into answers.
|
|
|
|
|
|
|
|
|
|
When BIND 9 first starts up and primes its cache, it receives the root
|
|
|
|
|
server addresses as additional data in an authoritative response from
|
|
|
|
|
a root server, and these records are eligible for inclusion as
|
|
|
|
|
additional data in responses. Subsequently it receives a subset of
|
|
|
|
|
the root server addresses as additional data in a non-authoritative
|
|
|
|
|
(referral) response from a root server. This causes the addresses to
|
|
|
|
|
now be considered non-authoritative (glue) data, which is not eligible
|
|
|
|
|
for inclusion in responses.
|
|
|
|
|
|
|
|
|
|
The server does have a complete set of root server addresses cached
|
|
|
|
|
at all times, it just may not include all of them as additional data,
|
|
|
|
|
depending on whether they were last received as answers or as glue.
|
|
|
|
|
You can always look up the addresses with explicit queries like
|
|
|
|
|
"dig a.root-servers.net A".
|
|
|
|
|
|
2001-09-29 01:52:20 +00:00
|
|
|
|
|
|
|
|
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
|
|
|
|
|
fail. Why?
|
|
|
|
|
|
|
|
|
|
A: This may be caused by a bug in the Windows 2000 DNS server where
|
|
|
|
|
DNS messages larger than 16K are not handled properly. This can be
|
|
|
|
|
worked around by setting the option "transfer-format one-answer;".
|
|
|
|
|
Also check whether your zone contains domain names with embedded
|
2001-10-01 21:58:03 +00:00
|
|
|
spaces or other special characters, like "John\032Doe\213s\032Computer",
|
|
|
|
|
since such names have been known to cause Windows 2000 slaves to
|
|
|
|
|
incorrectly reject the zone.
|
2001-10-10 23:25:40 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
|
|
|
|
|
|
|
|
|
|
A: A zone can be updated either by editing zone files and reloading
|
|
|
|
|
the server or by dynamic update, but not both. If you have enabled
|
|
|
|
|
dynamic update for a zone using the "allow-update" option, you are not
|
|
|
|
|
supposed to edit the zone file by hand, and the server will not
|
|
|
|
|
attempt to reload it.
|
2001-10-16 13:46:41 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
Q: I can query the nameserver from the nameserver but not from other
|
|
|
|
|
machines. Why?
|
|
|
|
|
|
|
|
|
|
A: This is usually the result of the firewall configuration stopping
|
|
|
|
|
the queries and / or the replies.
|
