1 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
4 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
5 - Copyright (C) 2000-2003 Internet Software Consortium.
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
20 <!-- $Id: FAQ.xml,v 1.4.4.24 2008/09/10 01:32:25 tbox Exp $ -->
23 <title>Frequently Asked Questions about BIND 9</title>
31 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
38 <holder>Internet Software Consortium.</holder>
41 <qandaset defaultlabel='qanda'>
43 <qandadiv><title>Compilation and Installation Questions</title>
48 I'm trying to compile BIND 9, and "make" is failing due to
49 files not being found. Why?
54 Using a parallel or distributed "make" to build BIND 9 is
55 not supported, and doesn't work. If you are using one of
56 these, use normal make or gmake instead.
64 Isn't "make install" supposed to generate a default named.conf?
72 Long Answer: There really isn't a default configuration which fits
73 any site perfectly. There are lots of decisions that need to
74 be made and there is no consensus on what the defaults should be.
75 For example FreeBSD uses /etc/namedb as the location where the
76 configuration files for named are stored. Others use /var/named.
79 What addresses to listen on? For a laptop on the move a lot
80 you may only want to listen on the loop back interfaces.
83 Who do you offer recursive service to? Is there are firewall
84 to consider? If so is it stateless or stateful. Are you
85 directly on the Internet? Are you on a private network? Are
86 you on a NAT'd network? The answers
87 to all these questions change how you configure even a
93 </qandadiv> <!-- Compilation and Installation Questions -->
95 <qandadiv><title>Configuration and Setup Questions</title>
98 <!-- configuration, log -->
101 Why does named log the warning message <quote>no TTL specified -
102 using SOA MINTTL instead</quote>?
107 Your zone file is illegal according to RFC1035. It must either
112 $TTL 86400</programlisting>
115 at the beginning, or the first record in it must have a TTL field,
116 like the "84600" in this example:
120 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
126 <!-- configuration -->
129 Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
130 master file bar: ran out of space</quote>?
135 This is often caused by TXT records with missing close
136 quotes. Check that all TXT records containing quoted strings
137 have both open and close quotes.
146 How do I restrict people from looking up the server version?
151 Put a "version" option containing something other than the
152 real version in the "options" section of named.conf. Note
153 doing this will not prevent attacks and may impede people
154 trying to diagnose problems with your server. Also it is
155 possible to "fingerprint" nameservers to determine their
165 How do I restrict only remote users from looking up the
171 The following view statement will intercept lookups as the
172 internal view that holds the version information will be
173 matched last. The caveats of the previous answer still
179 match-clients { <those to be refused>; };
180 allow-query { none; };
183 file "/dev/null"; // or any empty file
191 <!-- configuration -->
194 What do <quote>no source of entropy found</quote> or <quote>could not
195 open entropy source foo</quote> mean?
200 The server requires a source of entropy to perform certain
201 operations, mostly DNSSEC related. These messages indicate
202 that you have no source of entropy. On systems with
203 /dev/random or an equivalent, it is used by default. A
204 source of entropy can also be defined using the random-device
205 option in named.conf.
211 <!-- configuration -->
214 I'm trying to use TSIG to authenticate dynamic updates or
215 zone transfers. I'm sure I have the keys set up correctly,
216 but the server is rejecting the TSIG. Why?
221 This may be a clock skew problem. Check that the the clocks
222 on the client and server are properly synchronised (e.g.,
231 I see a log message like the following. Why?
234 couldn't open pid file '/var/run/named.pid': Permission denied
239 You are most likely running named as a non-root user, and
240 that user does not have permission to write in /var/run.
241 The common ways of fixing this are to create a /var/run/named
242 directory owned by the named user and set pid-file to
243 "/var/run/named/named.pid", or set pid-file to "named.pid",
244 which will put the file in the directory specified by the
245 directory option (which, in this case, must be writable by
254 I can query the nameserver from the nameserver but not from other
260 This is usually the result of the firewall configuration stopping
261 the queries and / or the replies.
269 How can I make a server a slave for both an internal and
270 an external view at the same time? When I tried, both views
271 on the slave were transferred from the same view on the master.
276 You will need to give the master and slave multiple IP
277 addresses and use those to make sure you reach the correct
278 view on the other machine.
282 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
284 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
285 notify-source 10.0.1.1;
286 transfer-source 10.0.1.1;
287 query-source address 10.0.1.1;
289 match-clients { any; };
290 recursion no; // don't offer recursion to the world
291 notify-source 10.0.1.2;
292 transfer-source 10.0.1.2;
293 query-source address 10.0.1.2;
295 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
297 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
298 notify-source 10.0.1.3;
299 transfer-source 10.0.1.3;
300 query-source address 10.0.1.3;
302 match-clients { any; };
303 recursion no; // don't offer recursion to the world
304 notify-source 10.0.1.4;
305 transfer-source 10.0.1.4;
306 query-source address 10.0.1.4;</programlisting>
309 You put the external address on the alias so that all the other
310 dns clients on these boxes see the internal view by default.
315 BIND 9.3 and later: Use TSIG to select the appropriate view.
325 match-clients { !key external; 10.0.1/24; };
329 match-clients { key external; any; };
330 server 10.0.1.2 { keys external; };
341 match-clients { !key external; 10.0.1/24; };
345 match-clients { key external; any; };
346 server 10.0.1.1 { keys external; };
357 I get error messages like <quote>multiple RRs of singleton type</quote>
358 and <quote>CNAME and other data</quote> when transferring a zone. What
364 These indicate a malformed master zone. You can identify
365 the exact records involved by transferring the zone using
366 dig then running named-checkzone on it.
370 dig axfr example.com @master-server > tmp
371 named-checkzone example.com tmp</programlisting>
374 A CNAME record cannot exist with the same name as another record
375 except for the DNSSEC records which prove its existence (NSEC).
378 RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
379 no other data should be present; this ensures that the data for a
380 canonical name and its aliases cannot be different. This rule also
381 insures that a cached CNAME can be used without checking with an
382 authoritative server for other RR types.</quote>
390 I get error messages like <quote>named.conf:99: unexpected end
391 of input</quote> where 99 is the last line of named.conf.
396 There are unbalanced quotes in named.conf.
401 Some text editors (notepad and wordpad) fail to put a line
402 title indication (e.g. CR/LF) on the last line of a
403 text file. This can be fixed by "adding" a blank line to
404 the end of the file. Named expects to see EOF immediately
405 after EOL and treats text files where this is not met as
414 How do I share a dynamic zone between multiple views?
419 You choose one view to be master and the second a slave and
420 transfer the zone between views.
436 match-clients { !key external; 10.0.1/24; };
438 /* Deliver notify messages to external view. */
443 file "internal/example.db";
444 allow-update { key mykey; };
445 notify-also { 10.0.1.1; };
450 match-clients { key external; any; };
453 file "external/example.db";
454 masters { 10.0.1.1; };
455 transfer-source { 10.0.1.1; };
456 // allow-update-forwarding { any; };
457 // allow-notify { ... };
467 I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
468 loading master file primaries/wireless.ietf56.ietf.org: no
474 This error is produced when a line in the master file
475 contains leading white space (tab/space) but the is no
476 current record owner name to inherit the name from. Usually
477 this is the result of putting white space before a comment,
478 forgetting the "@" for the SOA record, or indenting the master
487 Why are my logs in GMT (UTC).
492 You are running chrooted (-t) and have not supplied local timezone
493 information in the chroot area.
496 <member>FreeBSD: /etc/localtime</member>
497 <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
498 <member>OSF: /etc/zoneinfo/localtime</member>
501 See also tzset(3) and zic(8).
509 I get <quote>rndc: connect failed: connection refused</quote> when
515 This is usually a configuration error.
518 First ensure that named is running and no errors are being
519 reported at startup (/var/log/messages or equivalent).
520 Running "named -g <usual arguments>" from a title
521 can help at this point.
524 Secondly ensure that named is configured to use rndc either
525 by "rndc-confgen -a", rndc-confgen or manually. The
526 Administrators Reference manual has details on how to do
530 Old versions of rndc-confgen used localhost rather than
531 127.0.0.1 in /etc/rndc.conf for the default server. Update
532 /etc/rndc.conf if necessary so that the default server
533 listed in /etc/rndc.conf matches the addresses used in
534 named.conf. "localhost" has two address (127.0.0.1 and
538 If you use "rndc-confgen -a" and named is running with -t or -u
539 ensure that /etc/rndc.conf has the correct ownership and that
540 a copy is in the chroot area. You can do this by re-running
541 "rndc-confgen -a" with appropriate -t and -u arguments.
549 I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
550 failed while receiving responses: permission denied</quote> error
556 These indicate a filesystem permission error preventing
557 named creating / renaming the temporary file. These will
558 usually also have other associated error messages like
562 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
565 Named needs write permission on the directory containing
566 the file. Named writes the new cache file to a temporary
567 file then renames it to the name specified in named.conf
568 to ensure that the contents are always complete. This is
569 to prevent named loading a partial zone in the event of
570 power failure or similar interrupting the write of the
574 Note file names are relative to the directory specified in
575 options and any chroot directory ([<chroot
576 dir>/][<options dir>]).
580 If named is invoked as "named -t /chroot/DNS" with
581 the following named.conf then "/chroot/DNS/var/named/sl"
582 needs to be writable by the user named is running as.
586 directory "/var/named";
591 file "sl/example.net";
592 masters { 192.168.4.12; };
601 I want to forward all DNS queries from my caching nameserver to
602 another server. But there are some domains which have to be
603 served locally, via rbldnsd.
606 How do I achieve this ?
613 forwarders { <ip.of.primary.nameserver>; };
616 zone "sbl-xbl.spamhaus.org" {
617 type forward; forward only;
618 forwarders { <ip.of.rbldns.server> port 530; };
621 zone "list.dsbl.org" {
622 type forward; forward only;
623 forwarders { <ip.of.rbldns.server> port 530; };
632 Can you help me understand how BIND 9 uses memory to store
636 Some times it seems to take several times the amount of
637 memory it needs to store the zone.
642 When reloading a zone named my have multiple copies of
643 the zone in memory at one time. The zone it is serving
644 and the one it is loading. If reloads are ultra fast it
648 e.g. Ones that are transferring out, the one that it is
649 serving and the one that is loading.
652 BIND 8 destroyed the zone before loading and also killed
653 off outgoing transfers of the zone.
656 The new strategy allows slaves to get copies of the new
657 zone regardless of how often the master is loaded compared
658 to the transfer time. The slave might skip some intermediate
659 versions but the transfers will complete and it will keep
660 reasonably in sync with the master.
663 The new strategy also allows the master to recover from
664 syntax and other errors in the master file as it still
665 has an in-core copy of the old contents.
673 I want to use IPv6 locally but I don't have a external IPv6
674 connection. External lookups are slow.
679 You can use server clauses to stop named making external lookups
683 server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
684 server ::/0 { bogus yes; };
689 </qandadiv> <!-- Configuration and Setup Questions -->
691 <qandadiv><title>Operations Questions</title>
696 How to change the nameservers for a zone?
701 Step 1: Ensure all nameservers, new and old, are serving the
705 Step 2: Work out the maximum TTL of the NS RRset in the parent and child
706 zones. This is the time it will take caches to be clear of a
707 particular version of the NS RRset.
708 If you are just removing nameservers you can skip to Step 6.
711 Step 3: Add new nameservers to the NS RRset for the zone and
712 wait until all the servers for the zone are answering with this
716 Step 4: Inform the parent zone of the new NS RRset then wait for all the
717 parent servers to be answering with the new NS RRset.
720 Step 5: Wait for cache to be clear of the old NS RRset.
721 See Step 2 for how long.
722 If you are just adding nameservers you are done.
725 Step 6: Remove any old nameservers from the zones NS RRset and
726 wait for all the servers for the zone to be serving the new NS RRset.
729 Step 7: Inform the parent zone of the new NS RRset then wait for all the
730 parent servers to be answering with the new NS RRset.
733 Step 8: Wait for cache to be clear of the old NS RRset.
734 See Step 2 for how long.
737 Step 9: Turn off the old nameservers or remove the zone entry from
738 the configuration of the old nameservers.
741 Step 10: Increment the serial number and wait for the change to
742 be visible in all nameservers for the zone. This ensures that
743 zone transfers are still working after the old servers are
747 Note: the above procedure is designed to be transparent
748 to dns clients. Decommissioning the old servers too early
749 will result in some clients not being able to look up
753 Note: while it is possible to run the addition and removal
754 stages together it is not recommended.
759 </qandadiv> <!-- Operations Questions -->
761 <qandadiv><title>General Questions</title>
766 I keep getting log messages like the following. Why?
769 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
770 'example.com/IN': update failed: 'RRset exists (value
771 dependent)' prerequisite not satisfied (NXRRSET)
776 DNS updates allow the update request to test to see if
777 certain conditions are met prior to proceeding with the
778 update. The message above is saying that conditions were
779 not met and the update is not proceeding. See doc/rfc/rfc2136.txt
780 for more details on prerequisites.
788 I keep getting log messages like the following. Why?
791 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
796 Someone is trying to update your DNS data using the RFC2136
797 Dynamic Update protocol. Windows 2000 machines have a habit
798 of sending dynamic update requests to DNS servers without
799 being specifically configured to do so. If the update
800 requests are coming from a Windows 2000 machine, see
802 url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
803 <http://support.microsoft.com/support/kb/articles/q246/8/04.asp></ulink>
804 for information about how to turn them off.
812 When I do a "dig . ns", many of the A records for the root
813 servers are missing. Why?
818 This is normal and harmless. It is a somewhat confusing
819 side effect of the way BIND 9 does RFC2181 trust ranking
820 and of the efforts BIND 9 makes to avoid promoting glue
824 When BIND 9 first starts up and primes its cache, it receives
825 the root server addresses as additional data in an authoritative
826 response from a root server, and these records are eligible
827 for inclusion as additional data in responses. Subsequently
828 it receives a subset of the root server addresses as
829 additional data in a non-authoritative (referral) response
830 from a root server. This causes the addresses to now be
831 considered non-authoritative (glue) data, which is not
832 eligible for inclusion in responses.
835 The server does have a complete set of root server addresses
836 cached at all times, it just may not include all of them
837 as additional data, depending on whether they were last
838 received as answers or as glue. You can always look up the
839 addresses with explicit queries like "dig a.root-servers.net A".
847 Why don't my zones reload when I do an "rndc reload" or SIGHUP?
852 A zone can be updated either by editing zone files and
853 reloading the server or by dynamic update, but not both.
854 If you have enabled dynamic update for a zone using the
855 "allow-update" option, you are not supposed to edit the
856 zone file by hand, and the server will not attempt to reload
865 Why is named listening on UDP port other than 53?
870 Named uses a system selected port to make queries of other
871 nameservers. This behaviour can be overridden by using
872 query-source to lock down the port and/or address. See
873 also notify-source and transfer-source.
881 I get warning messages like <quote>zone example.com/IN: refresh:
882 failure trying master 1.2.3.4#53: timed out</quote>.
887 Check that you can make UDP queries from the slave to the master
891 dig +norec example.com soa @1.2.3.4</programlisting>
894 You could be generating queries faster than the slave can
895 cope with. Lower the serial query rate.
899 serial-query-rate 5; // default 20</programlisting>
907 I don't get RRSIG's returned when I use "dig +dnssec".
912 You need to ensure DNSSEC is enabled (dnssec-enable yes;).
920 Can a NS record refer to a CNAME.
925 No. The rules for glue (copies of the *address* records
926 in the parent zones) and additional section processing do
927 not allow it to work.
930 You would have to add both the CNAME and address records
931 (A/AAAA) as glue to the parent zone and have CNAMEs be
932 followed when doing additional section processing to make
933 it work. No nameserver implementation supports either of
942 What does <quote>RFC 1918 response from Internet for
943 0.0.0.10.IN-ADDR.ARPA</quote> mean?
948 If the IN-ADDR.ARPA name covered refers to a internal address
949 space you are using then you have failed to follow RFC 1918
950 usage rules and are leaking queries to the Internet. You
951 should establish your own zones for these addresses to prevent
952 you querying the Internet's name servers for these addresses.
953 Please see <ulink url="http://as112.net/"><http://as112.net/></ulink>
954 for details of the problems you are causing and the counter
955 measures that have had to be deployed.
958 If you are not using these private addresses then a client
959 has queried for them. You can just ignore the messages,
960 get the offending client to stop sending you these messages
961 as they are most probably leaking them or setup your own zones
962 empty zones to serve answers to these queries.
966 zone "10.IN-ADDR.ARPA" {
971 zone "16.172.IN-ADDR.ARPA" {
978 zone "31.172.IN-ADDR.ARPA" {
983 zone "168.192.IN-ADDR.ARPA" {
989 @ 10800 IN SOA <name-of-server>. <contact-email>. (
990 1 3600 1200 604800 10800 )
991 @ 10800 IN NS <name-of-server>.</programlisting>
995 Future versions of named are likely to do this automatically.
1004 Will named be affected by the 2007 changes to daylight savings
1010 No, so long as the machines internal clock (as reported
1011 by "date -u") remains at UTC. The only visible change
1012 if you fail to upgrade your OS, if you are in a affected
1013 area, will be that log messages will be a hour out during
1014 the period where the old rules do not match the new rules.
1017 For most OS's this change just means that you need to
1018 update the conversion rules from UTC to local time.
1019 Normally this involves updating a file in /etc (which
1020 sets the default timezone for the machine) and possibly
1021 a directory which has all the conversion rules for the
1022 world (e.g. /usr/share/zoneinfo). When updating the OS
1023 do not forget to update any chroot areas as well.
1024 See your OS's documentation for more details.
1027 The local timezone conversion rules can also be done on
1028 a individual basis by setting the TZ environment variable
1029 appropriately. See your OS's documentation for more
1038 Is there a bugzilla (or other tool) database that mere
1039 mortals can have (read-only) access to for bind?
1044 No. The BIND 9 bug database is kept closed for a number
1045 of reasons. These include, but are not limited to, that
1046 the database contains proprietory information from people
1047 reporting bugs. The database has in the past and may in
1048 future contain unfixed bugs which are capable of bringing
1049 down most of the Internet's DNS infrastructure.
1052 The release pages for each version contain up to date
1053 lists of bugs that have been fixed post release. That
1054 is as close as we can get to providing a bug database.
1062 Why do queries for NSEC3 records fail to return the NSEC3 record?
1067 NSEC3 records are strictly meta data and can only be
1068 returned in the authority section. This is done so that
1069 signing the zone using NSEC3 records does not bring names
1070 into existance that do not exist in the unsigned version
1076 </qandadiv> <!-- General Questions -->
1078 <qandadiv><title>Operating-System Specific Questions</title>
1080 <qandadiv><title>HPUX</title>
1084 <para>I get the following error trying to configure BIND:
1085 <programlisting>checking if unistd.h or sys/types.h defines fd_set... no
1086 configure: error: need either working unistd.h or sys/select.h</programlisting>
1091 You have attempted to configure BIND with the bundled C compiler.
1092 This compiler does not meet the minimum compiler requirements to
1093 for building BIND. You need to install a ANSI C compiler and / or
1094 teach configure how to find the ANSI C compiler. The later can
1095 be done by adjusting the PATH environment variable and / or
1096 specifying the compiler via CC.
1099 <programlisting>./configure CC=<compiler> ...</programlisting>
1104 </qandadiv> <!-- HPUX -->
1106 <qandadiv><title>Linux</title>
1111 Why do I get the following errors:
1112 <programlisting>general: errno2result.c:109: unexpected error:
1113 general: unable to convert errno to isc_result: 14: Bad address
1114 client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
1119 This is the result of a Linux kernel bug.
1123 <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2"><http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2></ulink>
1131 Why does named lock up when it attempts to connect over IPSEC tunnels?
1136 This is due to a kernel bug where the fact that a socket is marked
1137 non-blocking is ignored. It is reported that setting
1138 xfrm_larval_drop to 1 helps but this may have negative side effects.
1140 <ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629"><https://bugzilla.redhat.com/show_bug.cgi?id=427629></ulink>
1142 <ulink url="http://lkml.org/lkml/2007/12/4/260"><http://lkml.org/lkml/2007/12/4/260></ulink>.
1145 xfrm_larval_drop can be set to 1 by the following procedure:
1147 echo "1" > proc/sys/net/core/xfrm_larval_drop</programlisting>
1155 Why do I see 5 (or more) copies of named on Linux?
1160 Linux threads each show up as a process under ps. The
1161 approximate number of threads running is n+4, where n is
1162 the number of CPUs. Note that the amount of memory used
1163 is not cumulative; if each process is using 10M of memory,
1164 only a total of 10M is used.
1167 Newer versions of Linux's ps command hide the individual threads
1168 and require -L to display them.
1176 Why does BIND 9 log <quote>permission denied</quote> errors accessing
1177 its configuration files or zones on my Linux system even
1178 though it is running as root?
1183 On Linux, BIND 9 drops most of its root privileges on
1184 startup. This including the privilege to open files owned
1185 by other users. Therefore, if the server is running as
1186 root, the configuration files and zone files should also
1195 I get the error message <quote>named: capset failed: Operation
1196 not permitted</quote> when starting named.
1201 The capability module, part of "Linux Security Modules/LSM",
1202 has not been loaded into the kernel. See insmod(8), modprobe(8).
1205 The relevant modules can be loaded by running:
1208 modprobe capability</programlisting>
1216 I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
1219 Why can't named update slave zone database files?
1222 Why can't named create DDNS journal files or update
1223 the master zones from journals?
1226 Why can't named create custom log files?
1232 Red Hat Security Enhanced Linux (SELinux) policy security
1237 Red Hat have adopted the National Security Agency's
1238 SELinux security policy (see <ulink
1239 url="http://www.nsa.gov/selinux"><http://www.nsa.gov/selinux></ulink>)
1240 and recommendations for BIND security , which are more
1241 secure than running named in a chroot and make use of
1242 the bind-chroot environment unnecessary .
1246 By default, named is not allowed by the SELinux policy
1247 to write, create or delete any files EXCEPT in these
1251 $ROOTDIR/var/named/slaves
1252 $ROOTDIR/var/named/data
1256 where $ROOTDIR may be set in /etc/sysconfig/named if
1257 bind-chroot is installed.
1261 The SELinux policy particularly does NOT allow named to modify
1262 the $ROOTDIR/var/named directory, the default location for master
1263 zone database files.
1267 SELinux policy overrules file access permissions - so
1268 even if all the files under /var/named have ownership
1269 named:named and mode rw-rw-r--, named will still not be
1270 able to write or create files except in the directories
1271 above, with SELinux in Enforcing mode.
1275 So, to allow named to update slave or DDNS zone files,
1276 it is best to locate them in $ROOTDIR/var/named/slaves,
1277 with named.conf zone statements such as:
1280 zone "slave.zone." IN {
1282 file "slaves/slave.zone.db";
1285 zone "ddns.zone." IN {
1287 allow-updates {...};
1288 file "slaves/ddns.zone.db";
1295 To allow named to create its cache dump and statistics
1296 files, for example, you could use named.conf options
1302 dump-file "/var/named/data/cache_dump.db";
1303 statistics-file "/var/named/data/named_stats.txt";
1311 You can also tell SELinux to allow named to update any
1312 zone database files, by setting the SELinux tunable boolean
1313 parameter 'named_write_master_zones=1', using the
1314 system-config-securitylevel GUI, using the 'setsebool'
1315 command, or in /etc/selinux/targeted/booleans.
1319 You can disable SELinux protection for named entirely by
1320 setting the 'named_disable_trans=1' SELinux tunable boolean
1325 The SELinux named policy defines these SELinux contexts for named:
1328 named_zone_t : for zone database files - $ROOTDIR/var/named/*
1329 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
1330 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
1336 If you want to retain use of the SELinux policy for named,
1337 and put named files in different locations, you can do
1338 so by changing the context of the custom file locations
1343 To create a custom configuration file location, e.g.
1344 '/root/named.conf', to use with the 'named -c' option,
1348 # chcon system_u:object_r:named_conf_t /root/named.conf
1354 To create a custom modifiable named data location, e.g.
1355 '/var/log/named' for a log file, do:
1358 # chcon system_u:object_r:named_cache_t /var/log/named
1364 To create a custom zone file location, e.g. /root/zones/, do:
1367 # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
1373 See these man-pages for more information : selinux(8),
1374 named_selinux(8), chcon(1), setsebool(8)
1382 Listening on individual IPv6 interfaces does not work.
1387 This is usually due to "/proc/net/if_inet6" not being available
1388 in the chroot file system. Mount another instance of "proc"
1389 in the chroot file system.
1392 This can be be made permanent by adding a second instance to
1396 proc /proc proc defaults 0 0
1397 proc /var/named/proc proc defaults 0 0</programlisting>
1403 </qandadiv> <!-- Linux -->
1405 <qandadiv><title>Windows</title>
1410 Zone transfers from my BIND 9 master to my Windows 2000
1416 This may be caused by a bug in the Windows 2000 DNS server
1417 where DNS messages larger than 16K are not handled properly.
1418 This can be worked around by setting the option "transfer-format
1419 one-answer;". Also check whether your zone contains domain
1420 names with embedded spaces or other special characters,
1421 like "John\032Doe\213s\032Computer", since such names have
1422 been known to cause Windows 2000 slaves to incorrectly
1431 I get <quote>Error 1067</quote> when starting named under Windows.
1436 This is the service manager saying that named exited. You
1437 need to examine the Application log in the EventViewer to
1441 Common causes are that you failed to create "named.conf"
1442 (usually "C:\windows\dns\etc\named.conf") or failed to
1443 specify the directory in named.conf.
1448 Directory "C:\windows\dns\etc";
1454 </qandadiv> <!-- Windows -->
1456 <qandadiv><title>FreeBSD</title>
1461 I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
1466 /dev/random is not configured. Use rndcontrol(8) to tell
1467 the kernel to use certain interrupts as a source of random
1468 events. You can make this permanent by setting rand_irqs
1474 rand_irqs="3 14 15"</programlisting>
1478 <ulink url="http://people.freebsd.org/~dougb/randomness.html">
1479 <http://people.freebsd.org/~dougb/randomness.html></ulink>.
1484 </qandadiv> <!-- FreeBSD -->
1486 <qandadiv><title>Solaris</title>
1491 How do I integrate BIND 9 and Solaris SMF
1496 Sun has a blog entry describing how to do this.
1500 url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
1501 <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
1509 <qandadiv><title>Apple Mac OS X</title>
1514 How do I run BIND 9 on Apple Mac OS X?
1519 If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
1523 % sudo rndc-confgen > /etc/rndc.conf</programlisting>
1526 Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
1532 secret "uvceheVuqf17ZwIcTydddw==";
1536 Then start the relevant service:
1540 % sudo service org.isc.named start</programlisting>
1543 This is persistent upon a reboot, so you will have to do it only once.
1549 Alternatively you can just generate /etc/rndc.key by running:
1553 % sudo rndc-confgen -a</programlisting>
1556 Then start the relevant service:
1560 % sudo service org.isc.named start</programlisting>
1563 Named will look for /etc/rndc.key when it starts if it
1564 doesn't have a controls section or the existing controls are
1565 missing keys sub-clauses. This is persistent upon a
1566 reboot, so you will have to do it only once.
1573 </qandadiv> <!-- Operating-System Specific Questions -->
projects / FreeBSD / releng / 7.2.git / blob