1 <?xml-stylesheet href="common.css" type="text/css"?>
2 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
5 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- $Id: FAQ.xml,v 1.4.4.8 2007/02/05 05:23:39 marka Exp $ -->
24 <title>Frequently Asked Questions about BIND 9</title>
31 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
38 <holder>Internet Software Consortium.</holder>
41 <qandaset defaultlabel='qanda'>
45 Why doesn't -u work on Linux 2.2.x when I build with
51 Linux threads do not fully implement the Posix threads
52 (pthreads) standard. In particular, setuid() operates only
53 on the current thread, not the full process. Because of
54 this limitation, BIND 9 cannot use setuid() on Linux as it
55 can on all other supported platforms. setuid() cannot be
56 called before creating threads, since the server does not
57 start listening on reserved ports until after threads have
61 In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
62 to preserve capabilities across a setuid() call is present.
63 This allows BIND 9 to call setuid() early, while retaining
64 the ability to bind reserved ports. This is a Linux-specific
68 On a 2.2 kernel, BIND 9 does drop many root privileges, so
69 it should be less of a security risk than a root process
70 that has not dropped privileges.
73 If Linux threads ever work correctly, this restriction will
77 Configuring BIND9 with the --disable-threads option (the
78 default) causes a non-threaded version to be built, which
79 will allow -u to be used.
87 Why do I get the following errors:
88 <programlisting>general: errno2result.c:109: unexpected error:
89 general: unable to convert errno to isc_result: 14: Bad address
90 client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
95 This is the result of a Linux kernel bug.
99 <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink>
107 Why does named log the warning message <quote>no TTL specified -
108 using SOA MINTTL instead</quote>?
113 Your zone file is illegal according to RFC1035. It must either
118 $TTL 86400</programlisting>
121 at the beginning, or the first record in it must have a TTL field,
122 like the "84600" in this example:
126 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
134 Why do I see 5 (or more) copies of named on Linux?
139 Linux threads each show up as a process under ps. The
140 approximate number of threads running is n+4, where n is
141 the number of CPUs. Note that the amount of memory used
142 is not cumulative; if each process is using 10M of memory,
143 only a total of 10M is used.
146 Newer versions of Linux's ps command hide the individual threads
147 and require -L to display them.
155 Why does BIND 9 log <quote>permission denied</quote> errors accessing
156 its configuration files or zones on my Linux system even
157 though it is running as root?
162 On Linux, BIND 9 drops most of its root privileges on
163 startup. This including the privilege to open files owned
164 by other users. Therefore, if the server is running as
165 root, the configuration files and zone files should also
174 Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
175 master file bar: ran out of space</quote>?
180 This is often caused by TXT records with missing close
181 quotes. Check that all TXT records containing quoted strings
182 have both open and close quotes.
190 How do I produce a usable core file from a multi-threaded
196 If the Linux kernel is 2.4.7 or newer, multi-threaded core
197 dumps are usable (that is, the correct thread is dumped).
198 Otherwise, if using a 2.2 kernel, apply the kernel patch
199 found in contrib/linux/coredump-patch and rebuild the kernel.
200 This patch will cause multi-threaded programs to dump the
209 How do I restrict people from looking up the server version?
214 Put a "version" option containing something other than the
215 real version in the "options" section of named.conf. Note
216 doing this will not prevent attacks and may impede people
217 trying to diagnose problems with your server. Also it is
218 possible to "fingerprint" nameservers to determine their
227 How do I restrict only remote users from looking up the
233 The following view statement will intercept lookups as the
234 internal view that holds the version information will be
235 matched last. The caveats of the previous answer still
241 match-clients { <those to be refused>; };
242 allow-query { none; };
245 file "/dev/null"; // or any empty file
255 What do <quote>no source of entropy found</quote> or <quote>could not
256 open entropy source foo</quote> mean?
261 The server requires a source of entropy to perform certain
262 operations, mostly DNSSEC related. These messages indicate
263 that you have no source of entropy. On systems with
264 /dev/random or an equivalent, it is used by default. A
265 source of entropy can also be defined using the random-device
266 option in named.conf.
274 I installed BIND 9 and restarted named, but it's still BIND 8. Why?
279 BIND 9 is installed under /usr/local by default. BIND 8
280 is often installed under /usr. Check that the correct named
289 I'm trying to use TSIG to authenticate dynamic updates or
290 zone transfers. I'm sure I have the keys set up correctly,
291 but the server is rejecting the TSIG. Why?
296 This may be a clock skew problem. Check that the the clocks
297 on the client and server are properly synchronised (e.g.,
306 I'm trying to compile BIND 9, and "make" is failing due to
307 files not being found. Why?
312 Using a parallel or distributed "make" to build BIND 9 is
313 not supported, and doesn't work. If you are using one of
314 these, use normal make or gmake instead.
322 I have a BIND 9 master and a BIND 8.2.3 slave, and the
323 master is logging error messages like <quote>notify to 10.0.0.1#53
324 failed: unexpected end of input</quote>. What's wrong?
329 This error message is caused by a known bug in BIND 8.2.3
330 and is fixed in BIND 8.2.4. It can be safely ignored - the
331 notify has been acted on by the slave despite the error
340 I keep getting log messages like the following. Why?
343 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
344 'example.com/IN': update failed: 'RRset exists (value
345 dependent)' prerequisite not satisfied (NXRRSET)
350 DNS updates allow the update request to test to see if
351 certain conditions are met prior to proceeding with the
352 update. The message above is saying that conditions were
353 not met and the update is not proceeding. See doc/rfc/rfc2136.txt
354 for more details on prerequisites.
362 I keep getting log messages like the following. Why?
365 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
370 Someone is trying to update your DNS data using the RFC2136
371 Dynamic Update protocol. Windows 2000 machines have a habit
372 of sending dynamic update requests to DNS servers without
373 being specifically configured to do so. If the update
374 requests are coming from a Windows 2000 machine, see
376 url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
377 http://support.microsoft.com/support/kb/articles/q246/8/04.asp
379 for information about how to turn them off.
387 I see a log message like the following. Why?
390 couldn't open pid file '/var/run/named.pid': Permission denied
395 You are most likely running named as a non-root user, and
396 that user does not have permission to write in /var/run.
397 The common ways of fixing this are to create a /var/run/named
398 directory owned by the named user and set pid-file to
399 "/var/run/named/named.pid", or set pid-file to "named.pid",
400 which will put the file in the directory specified by the
401 directory option (which, in this case, must be writable by
410 When I do a "dig . ns", many of the A records for the root
411 servers are missing. Why?
416 This is normal and harmless. It is a somewhat confusing
417 side effect of the way BIND 9 does RFC2181 trust ranking
418 and of the efforts BIND 9 makes to avoid promoting glue
422 When BIND 9 first starts up and primes its cache, it receives
423 the root server addresses as additional data in an authoritative
424 response from a root server, and these records are eligible
425 for inclusion as additional data in responses. Subsequently
426 it receives a subset of the root server addresses as
427 additional data in a non-authoritative (referral) response
428 from a root server. This causes the addresses to now be
429 considered non-authoritative (glue) data, which is not
430 eligible for inclusion in responses.
433 The server does have a complete set of root server addresses
434 cached at all times, it just may not include all of them
435 as additional data, depending on whether they were last
436 received as answers or as glue. You can always look up the
437 addresses with explicit queries like "dig a.root-servers.net A".
445 Zone transfers from my BIND 9 master to my Windows 2000
451 This may be caused by a bug in the Windows 2000 DNS server
452 where DNS messages larger than 16K are not handled properly.
453 This can be worked around by setting the option "transfer-format
454 one-answer;". Also check whether your zone contains domain
455 names with embedded spaces or other special characters,
456 like "John\032Doe\213s\032Computer", since such names have
457 been known to cause Windows 2000 slaves to incorrectly
466 Why don't my zones reload when I do an "rndc reload" or SIGHUP?
471 A zone can be updated either by editing zone files and
472 reloading the server or by dynamic update, but not both.
473 If you have enabled dynamic update for a zone using the
474 "allow-update" option, you are not supposed to edit the
475 zone file by hand, and the server will not attempt to reload
484 I can query the nameserver from the nameserver but not from other
490 This is usually the result of the firewall configuration stopping
491 the queries and / or the replies.
499 How can I make a server a slave for both an internal and
500 an external view at the same time? When I tried, both views
501 on the slave were transferred from the same view on the master.
506 You will need to give the master and slave multiple IP
507 addresses and use those to make sure you reach the correct
508 view on the other machine.
512 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
514 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
515 notify-source 10.0.1.1;
516 transfer-source 10.0.1.1;
517 query-source address 10.0.1.1;
519 match-clients { any; };
520 recursion no; // don't offer recursion to the world
521 notify-source 10.0.1.2;
522 transfer-source 10.0.1.2;
523 query-source address 10.0.1.2;
525 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
527 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
528 notify-source 10.0.1.3;
529 transfer-source 10.0.1.3;
530 query-source address 10.0.1.3;
532 match-clients { any; };
533 recursion no; // don't offer recursion to the world
534 notify-source 10.0.1.4;
535 transfer-source 10.0.1.4;
536 query-source address 10.0.1.4;</programlisting>
539 You put the external address on the alias so that all the other
540 dns clients on these boxes see the internal view by default.
545 BIND 9.3 and later: Use TSIG to select the appropriate view.
555 match-clients { !key external; 10.0.1/24; };
559 match-clients { key external; any; };
560 server 10.0.1.2 { keys external; };
571 match-clients { !key external; 10.0.1/24; };
575 match-clients { key external; any; };
576 server 10.0.1.1 { keys external; };
587 I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
592 /dev/random is not configured. Use rndcontrol(8) to tell
593 the kernel to use certain interrupts as a source of random
594 events. You can make this permanent by setting rand_irqs
600 rand_irqs="3 14 15"</programlisting>
604 <ulink url="http://people.freebsd.org/~dougb/randomness.html">
605 http://people.freebsd.org/~dougb/randomness.html
614 Why is named listening on UDP port other than 53?
619 Named uses a system selected port to make queries of other
620 nameservers. This behaviour can be overridden by using
621 query-source to lock down the port and/or address. See
622 also notify-source and transfer-source.
630 I get error messages like <quote>multiple RRs of singleton type</quote>
631 and <quote>CNAME and other data</quote> when transferring a zone. What
637 These indicate a malformed master zone. You can identify
638 the exact records involved by transferring the zone using
639 dig then running named-checkzone on it.
643 dig axfr example.com @master-server > tmp
644 named-checkzone example.com tmp</programlisting>
647 A CNAME record cannot exist with the same name as another record
648 except for the DNSSEC records which prove its existence (NSEC).
651 RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
652 no other data should be present; this ensures that the data for a
653 canonical name and its aliases cannot be different. This rule also
654 insures that a cached CNAME can be used without checking with an
655 authoritative server for other RR types.</quote>
663 I get error messages like <quote>named.conf:99: unexpected end
664 of input</quote> where 99 is the last line of named.conf.
669 Some text editors (notepad and wordpad) fail to put a line
670 title indication (e.g. CR/LF) on the last line of a
671 text file. This can be fixed by "adding" a blank line to
672 the end of the file. Named expects to see EOF immediately
673 after EOL and treats text files where this is not met as
682 I get warning messages like <quote>zone example.com/IN: refresh:
683 failure trying master 1.2.3.4#53: timed out</quote>.
688 Check that you can make UDP queries from the slave to the master
692 dig +norec example.com soa @1.2.3.4</programlisting>
695 You could be generating queries faster than the slave can
696 cope with. Lower the serial query rate.
700 serial-query-rate 5; // default 20</programlisting>
708 How do I share a dynamic zone between multiple views?
713 You choose one view to be master and the second a slave and
714 transfer the zone between views.
730 match-clients { !external; 10.0.1/24; };
732 /* Deliver notify messages to external view. */
737 file "internal/example.db";
738 allow-update { key mykey; };
739 notify-also { 10.0.1.1; };
744 match-clients { external; any; };
747 file "external/example.db";
748 masters { 10.0.1.1; };
749 transfer-source { 10.0.1.1; };
750 // allow-update-forwarding { any; };
751 // allow-notify { ... };
761 I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
762 loading master file primaries/wireless.ietf56.ietf.org: no
768 This error is produced when a line in the master file
769 contains leading white space (tab/space) but the is no
770 current record owner name to inherit the name from. Usually
771 this is the result of putting white space before a comment.
772 Forgetting the "@" for the SOA record or indenting the master
781 Why are my logs in GMT (UTC).
786 You are running chrooted (-t) and have not supplied local timezone
787 information in the chroot area.
790 <member>FreeBSD: /etc/localtime</member>
791 <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
792 <member>OSF: /etc/zoneinfo/localtime</member>
795 See also tzset(3) and zic(8).
803 I get the error message <quote>named: capset failed: Operation
804 not permitted</quote> when starting named.
809 The capability module, part of "Linux Security Modules/LSM",
810 has not been loaded into the kernel. See insmod(8).
818 I get <quote>rndc: connect failed: connection refused</quote> when
824 This is usually a configuration error.
827 First ensure that named is running and no errors are being
828 reported at startup (/var/log/messages or equivalent).
829 Running "named -g <usual arguments>" from a title
830 can help at this point.
833 Secondly ensure that named is configured to use rndc either
834 by "rndc-confgen -a", rndc-confgen or manually. The
835 Administrators Reference manual has details on how to do
839 Old versions of rndc-confgen used localhost rather than
840 127.0.0.1 in /etc/rndc.conf for the default server. Update
841 /etc/rndc.conf if necessary so that the default server
842 listed in /etc/rndc.conf matches the addresses used in
843 named.conf. "localhost" has two address (127.0.0.1 and
847 If you use "rndc-confgen -a" and named is running with -t or -u
848 ensure that /etc/rndc.conf has the correct ownership and that
849 a copy is in the chroot area. You can do this by re-running
850 "rndc-confgen -a" with appropriate -t and -u arguments.
858 I don't get RRSIG's returned when I use "dig +dnssec".
863 You need to ensure DNSSEC is enabled (dnssec-enable yes;).
871 I get <quote>Error 1067</quote> when starting named under Windows.
876 This is the service manager saying that named exited. You
877 need to examine the Application log in the EventViewer to
881 Common causes are that you failed to create "named.conf"
882 (usually "C:\windows\dns\etc\named.conf") or failed to
883 specify the directory in named.conf.
888 Directory "C:\windows\dns\etc";
897 I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
898 failed while receiving responses: permission denied</quote> error
904 These indicate a filesystem permission error preventing
905 named creating / renaming the temporary file. These will
906 usually also have other associated error messages like
910 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
913 Named needs write permission on the directory containing
914 the file. Named writes the new cache file to a temporary
915 file then renames it to the name specified in named.conf
916 to ensure that the contents are always complete. This is
917 to prevent named loading a partial zone in the event of
918 power failure or similar interrupting the write of the
922 Note file names are relative to the directory specified in
923 options and any chroot directory ([<chroot
924 dir>/][<options dir>]).
928 If named is invoked as "named -t /chroot/DNS" with
929 the following named.conf then "/chroot/DNS/var/named/sl"
930 needs to be writable by the user named is running as.
934 directory "/var/named";
939 file "sl/example.net";
940 masters { 192.168.4.12; };
949 How do I integrate BIND 9 and Solaris SMF
954 Sun has a blog entry describing how to do this.
958 url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
959 http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
968 Can a NS record refer to a CNAME.
973 No. The rules for glue (copies of the *address* records
974 in the parent zones) and additional section processing do
975 not allow it to work.
978 You would have to add both the CNAME and address records
979 (A/AAAA) as glue to the parent zone and have CNAMEs be
980 followed when doing additional section processing to make
981 it work. No nameserver implementation supports either of
990 What does <quote>RFC 1918 response from Internet for
991 0.0.0.10.IN-ADDR.ARPA</quote> mean?
996 If the IN-ADDR.ARPA name covered refers to a internal address
997 space you are using then you have failed to follow RFC 1918
998 usage rules and are leaking queries to the Internet. You
999 should establish your own zones for these addresses to prevent
1000 you querying the Internet's name servers for these addresses.
1001 Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
1002 for details of the problems you are causing and the counter
1003 measures that have had to be deployed.
1006 If you are not using these private addresses then a client
1007 has queried for them. You can just ignore the messages,
1008 get the offending client to stop sending you these messages
1009 as they are most probably leaking them or setup your own zones
1010 empty zones to serve answers to these queries.
1014 zone "10.IN-ADDR.ARPA" {
1019 zone "16.172.IN-ADDR.ARPA" {
1026 zone "31.172.IN-ADDR.ARPA" {
1031 zone "168.192.IN-ADDR.ARPA" {
1037 @ 10800 IN SOA <name-of-server>. <contact-email>. (
1038 1 3600 1200 604800 10800 )
1039 @ 10800 IN NS <name-of-server>.</programlisting>
1043 Future versions of named are likely to do this automatically.
1052 I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
1055 Why can't named update slave zone database files?
1058 Why can't named create DDNS journal files or update
1059 the master zones from journals?
1062 Why can't named create custom log files?
1068 Red Hat Security Enhanced Linux (SELinux) policy security
1073 Red Hat have adopted the National Security Agency's
1074 SELinux security policy ( see http://www.nsa.gov/selinux
1075 ) and recommendations for BIND security , which are more
1076 secure than running named in a chroot and make use of
1077 the bind-chroot environment unnecessary .
1081 By default, named is not allowed by the SELinux policy
1082 to write, create or delete any files EXCEPT in these
1086 $ROOTDIR/var/named/slaves
1087 $ROOTDIR/var/named/data
1091 where $ROOTDIR may be set in /etc/sysconfig/named if
1092 bind-chroot is installed.
1096 The SELinux policy particularly does NOT allow named to modify
1097 the $ROOTDIR/var/named directory, the default location for master
1098 zone database files.
1102 SELinux policy overrules file access permissions - so
1103 even if all the files under /var/named have ownership
1104 named:named and mode rw-rw-r--, named will still not be
1105 able to write or create files except in the directories
1106 above, with SELinux in Enforcing mode.
1110 So, to allow named to update slave or DDNS zone files,
1111 it is best to locate them in $ROOTDIR/var/named/slaves,
1112 with named.conf zone statements such as:
1115 zone "slave.zone." IN {
1117 file "slaves/slave.zone.db";
1120 zone "ddns.zone." IN {
1122 allow-updates {...};
1123 file "slaves/ddns.zone.db";
1130 To allow named to create its cache dump and statistics
1131 files, for example, you could use named.conf options
1137 dump-file "/var/named/data/cache_dump.db";
1138 statistics-file "/var/named/data/named_stats.txt";
1146 You can also tell SELinux to allow named to update any
1147 zone database files, by setting the SELinux tunable boolean
1148 parameter 'named_write_master_zones=1', using the
1149 system-config-securitylevel GUI, using the 'setsebool'
1150 command, or in /etc/selinux/targeted/booleans.
1154 You can disable SELinux protection for named entirely by
1155 setting the 'named_disable_trans=1' SELinux tunable boolean
1160 The SELinux named policy defines these SELinux contexts for named:
1163 named_zone_t : for zone database files - $ROOTDIR/var/named/*
1164 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
1165 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
1171 If you want to retain use of the SELinux policy for named,
1172 and put named files in different locations, you can do
1173 so by changing the context of the custom file locations
1178 To create a custom configuration file location, e.g.
1179 '/root/named.conf', to use with the 'named -c' option,
1183 # chcon system_u:object_r:named_conf_t /root/named.conf
1189 To create a custom modifiable named data location, e.g.
1190 '/var/log/named' for a log file, do:
1193 # chcon system_u:object_r:named_cache_t /var/log/named
1199 To create a custom zone file location, e.g. /root/zones/, do:
1202 # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
1208 See these man-pages for more information : selinux(8),
1209 named_selinux(8), chcon(1), setsebool(8)
1217 I want to forward all DNS queries from my caching nameserver to
1218 another server. But there are some domains which have to be
1219 served locally, via rbldnsd.
1222 How do I achieve this ?
1229 forwarders { <ip.of.primary.nameserver>; };
1232 zone "sbl-xbl.spamhaus.org" {
1233 type forward; forward only;
1234 forwarders { <ip.of.rbldns.server> port 530; };
1237 zone "list.dsbl.org" {
1238 type forward; forward only;
1239 forwarders { <ip.of.rbldns.server> port 530; };
1248 Will named be affected by the 2007 changes to daylight savings
1254 No, so long as the machines internal clock (as reported
1255 by "date -u") remains at UTC. The only visible change
1256 if you fail to upgrade your OS, if you are in a affected
1257 area, will be that log messages will be a hour out during
1258 the period where the old rules do not match the new rules.
1261 For most OS's this change just means that you need to
1262 update the conversion rules from UTC to local time.
1263 Normally this involves updating a file in /etc (which
1264 sets the default timezone for the machine) and possibly
1265 a directory which has all the conversion rules for the
1266 world (e.g. /usr/share/zoneinfo). When updating the OS
1267 do not forget to update any chroot areas as well.
1268 See your OS's documentation for more details.
1271 The local timezone conversion rules can also be done on
1272 a individual basis by setting the TZ environment variable
1273 appropriately. See your OS's documentation for more
1282 Why do we get the following warning at run time:
1283 <programlisting>kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT</programlisting>
1288 The early Linux kernels broke sendto() by having it return
1289 that a ICMP unreachable had be received for non connected
1290 UDP sockets. This made non connected UDP sockets work like
1291 connected UDP socket which is fine when you are only talking
1292 to one destination. Named however talks to multiple
1293 destinations and it caused problems.
1296 Rather than fix sendto() to just have BSD behaviour they added
1297 SO_BSDCOMPAT to turn BSD behaviour on/off on a per socket basis.
1300 Later they decided to make BSD behaviour the default and
1301 to aggressively track down applications that used SO_BSDCOMPAT
1302 by issuing a warning. This is the sort of things vendors
1303 do in alpha/beta stages of a release so that their code is
1304 clean. They then turn the warning *off* for release code.
1307 We still have customers that have kernels that require
1308 SO_BSDCOMPAT to operate. We therefore cannot remove the
1309 setsockopt(SO_BSDCOMPAT) call.
1312 Now most/all portable applications that use SO_BSDCOMPAT use it
1313 conditionally manner so just removing SO_BSDCOMPAT from the
1314 header file would be safe as long as the binary was not to
1315 be moved between systems. BIND's use is conditional.
1318 In short, the Linux developers should either, remove the #define for
1319 SO_BSDCOMPAT, and/or remove the warning.
1327 Isn't "make install" supposed to generate a default named.conf?
1335 Long Answer: There really isn't a default configuration which fits
1336 any site perfectly. There are lots of decisions that need to
1337 be made and there is no consensus on what the defaults should be.
1338 For example FreeBSD uses /etc/namedb as the location where the
1339 configuration files for named are stored. Others use /var/named.
1342 What addresses to listen on? For a laptop on the move a lot
1343 you may only want to listen on the loop back interfaces.
1346 Who do you offer recursive service to? Is there are firewall
1347 to consider? If so is it stateless or stateful. Are you
1348 directly on the Internet? Are you on a private network? Are
1349 you on a NAT'd network? The answers
1350 to all these questions change how you configure even a
1351 caching name server.
projects / FreeBSD / FreeBSD.git / blob