1Copyright ? 2000-2010, 2013-2016 Internet Systems Consortium, Inc. 2("ISC") 3 4----------------------------------------------------------------------- 5 61. Compilation and Installation Questions 7 8Q: I'm trying to compile BIND 9, and "make" is failing due to files not 9 being found. Why? 10 11A: Using a parallel or distributed "make" to build BIND 9 is not 12 supported, and doesn't work. If you are using one of these, use normal 13 make or gmake instead. 14 15Q: Isn't "make install" supposed to generate a default named.conf? 16 17A: Short Answer: No. 18 19 Long Answer: There really isn't a default configuration which fits any 20 site perfectly. There are lots of decisions that need to be made and 21 there is no consensus on what the defaults should be. For example 22 FreeBSD uses /etc/namedb as the location where the configuration files 23 for named are stored. Others use /var/named. 24 25 What addresses to listen on? For a laptop on the move a lot you may 26 only want to listen on the loop back interfaces. 27 28 To whom do you offer recursive service? Is there a firewall to 29 consider? If so, is it stateless or stateful? Are you directly on the 30 Internet? Are you on a private network? Are you on a NAT'd network? The 31 answers to all these questions change how you configure even a caching 32 name server. 33 342. Configuration and Setup Questions 35 36Q: Why does named log the warning message "no TTL specified - using SOA 37 MINTTL instead"? 38 39A: Your zone file is illegal according to RFC1035. It must either have a 40 line like: 41 42 $TTL 86400 43 44 at the beginning, or the first record in it must have a TTL field, like 45 the "84600" in this example: 46 47 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) 48 49Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master 50 file bar: ran out of space"? 51 52A: This is often caused by TXT records with missing close quotes. Check 53 that all TXT records containing quoted strings have both open and close 54 quotes. 55 56Q: How do I restrict people from looking up the server version? 57 58A: Put a "version" option containing something other than the real version 59 in the "options" section of named.conf. Note doing this will not 60 prevent attacks and may impede people trying to diagnose problems with 61 your server. Also it is possible to "fingerprint" nameservers to 62 determine their version. 63 64Q: How do I restrict only remote users from looking up the server version? 65 66A: The following view statement will intercept lookups as the internal 67 view that holds the version information will be matched last. The 68 caveats of the previous answer still apply, of course. 69 70 view "chaos" chaos { 71 match-clients { <those to be refused>; }; 72 allow-query { none; }; 73 zone "." { 74 type hint; 75 file "/dev/null"; // or any empty file 76 }; 77 }; 78 79Q: What do "no source of entropy found" or "could not open entropy source 80 foo" mean? 81 82A: The server requires a source of entropy to perform certain operations, 83 mostly DNSSEC related. These messages indicate that you have no source 84 of entropy. On systems with /dev/random or an equivalent, it is used by 85 default. A source of entropy can also be defined using the 86 random-device option in named.conf. 87 88Q: I'm trying to use TSIG to authenticate dynamic updates or zone 89 transfers. I'm sure I have the keys set up correctly, but the server is 90 rejecting the TSIG. Why? 91 92A: This may be a clock skew problem. Check that the the clocks on the 93 client and server are properly synchronized (e.g., using ntp). 94 95Q: I see a log message like the following. Why? 96 97 couldn't open pid file '/var/run/named.pid': Permission denied 98 99A: You are most likely running named as a non-root user, and that user 100 does not have permission to write in /var/run. The common ways of 101 fixing this are to create a /var/run/named directory owned by the named 102 user and set pid-file to "/var/run/named/named.pid", or set pid-file to 103 "named.pid", which will put the file in the directory specified by the 104 directory option (which, in this case, must be writable by the user 105 named is running as). 106 107Q: I can query the nameserver from the nameserver but not from other 108 machines. Why? 109 110A: This is usually the result of the firewall configuration stopping the 111 queries and / or the replies. 112 113Q: How can I make a server a slave for both an internal and an external 114 view at the same time? When I tried, both views on the slave were 115 transferred from the same view on the master. 116 117A: You will need to give the master and slave multiple IP addresses and 118 use those to make sure you reach the correct view on the other machine. 119 120 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) 121 internal: 122 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 123 notify-source 10.0.1.1; 124 transfer-source 10.0.1.1; 125 query-source address 10.0.1.1; 126 external: 127 match-clients { any; }; 128 recursion no; // don't offer recursion to the world 129 notify-source 10.0.1.2; 130 transfer-source 10.0.1.2; 131 query-source address 10.0.1.2; 132 133 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) 134 internal: 135 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; 136 notify-source 10.0.1.3; 137 transfer-source 10.0.1.3; 138 query-source address 10.0.1.3; 139 external: 140 match-clients { any; }; 141 recursion no; // don't offer recursion to the world 142 notify-source 10.0.1.4; 143 transfer-source 10.0.1.4; 144 query-source address 10.0.1.4; 145 146 You put the external address on the alias so that all the other dns 147 clients on these boxes see the internal view by default. 148 149A: BIND 9.3 and later: Use TSIG to select the appropriate view. 150 151 Master 10.0.1.1: 152 key "external" { 153 algorithm hmac-sha256; 154 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 155 }; 156 view "internal" { 157 match-clients { !key external; // reject message ment for the 158 // external view. 159 10.0.1/24; }; // accept from these addresses. 160 ... 161 }; 162 view "external" { 163 match-clients { key external; any; }; 164 server 10.0.1.2 { keys external; }; // tag messages from the 165 // external view to the 166 // other servers for the 167 // view. 168 recursion no; 169 ... 170 }; 171 172 Slave 10.0.1.2: 173 key "external" { 174 algorithm hmac-sha256; 175 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 176 }; 177 view "internal" { 178 match-clients { !key external; 10.0.1/24; }; 179 ... 180 }; 181 view "external" { 182 match-clients { key external; any; }; 183 server 10.0.1.1 { keys external; }; 184 recursion no; 185 ... 186 }; 187 188Q: I get error messages like "multiple RRs of singleton type" and "CNAME 189 and other data" when transferring a zone. What does this mean? 190 191A: These indicate a malformed master zone. You can identify the exact 192 records involved by transferring the zone using dig then running 193 named-checkzone on it. 194 195 dig axfr example.com @master-server > tmp 196 named-checkzone example.com tmp 197 198 A CNAME record cannot exist with the same name as another record except 199 for the DNSSEC records which prove its existence (NSEC). 200 201 RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other 202 data should be present; this ensures that the data for a canonical name 203 and its aliases cannot be different. This rule also insures that a 204 cached CNAME can be used without checking with an authoritative server 205 for other RR types." 206 207Q: I get error messages like "named.conf:99: unexpected end of input" 208 where 99 is the last line of named.conf. 209 210A: There are unbalanced quotes in named.conf. 211 212A: Some text editors (notepad and wordpad) fail to put a line title 213 indication (e.g. CR/LF) on the last line of a text file. This can be 214 fixed by "adding" a blank line to the end of the file. Named expects to 215 see EOF immediately after EOL and treats text files where this is not 216 met as truncated. 217 218Q: How do I share a dynamic zone between multiple views? 219 220A: You choose one view to be master and the second a slave and transfer 221 the zone between views. 222 223 Master 10.0.1.1: 224 key "external" { 225 algorithm hmac-sha256; 226 secret "xxxxxxxxxxxxxxxxxxxxxxxx"; 227 }; 228 229 key "mykey" { 230 algorithm hmac-sha256; 231 secret "yyyyyyyyyyyyyyyyyyyyyyyy"; 232 }; 233 234 view "internal" { 235 match-clients { !key external; 10.0.1/24; }; 236 server 10.0.1.1 { 237 /* Deliver notify messages to external view. */ 238 keys { external; }; 239 }; 240 zone "example.com" { 241 type master; 242 file "internal/example.db"; 243 allow-update { key mykey; }; 244 also-notify { 10.0.1.1; }; 245 }; 246 }; 247 248 view "external" { 249 match-clients { key external; any; }; 250 zone "example.com" { 251 type slave; 252 file "external/example.db"; 253 masters { 10.0.1.1; }; 254 transfer-source 10.0.1.1; 255 // allow-update-forwarding { any; }; 256 // allow-notify { ... }; 257 }; 258 }; 259 260Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading 261 master file primaries/wireless.ietf56.ietf.org: no owner". 262 263A: This error is produced when a line in the master file contains leading 264 white space (tab/space) but there is no current record owner name to 265 inherit the name from. Usually this is the result of putting white 266 space before a comment, forgetting the "@" for the SOA record, or 267 indenting the master file. 268 269Q: Why are my logs in GMT (UTC). 270 271A: You are running chrooted (-t) and have not supplied local timezone 272 information in the chroot area. 273 274 FreeBSD: /etc/localtime 275 Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo 276 OSF: /etc/zoneinfo/localtime 277 278 See also tzset(3) and zic(8). 279 280Q: I get "rndc: connect failed: connection refused" when I try to run 281 rndc. 282 283A: This is usually a configuration error. 284 285 First ensure that named is running and no errors are being reported at 286 startup (/var/log/messages or equivalent). Running "named -g <usual 287 arguments>" from a title can help at this point. 288 289 Secondly ensure that named is configured to use rndc either by 290 "rndc-confgen -a", rndc-confgen or manually. The Administrators 291 Reference manual has details on how to do this. 292 293 Old versions of rndc-confgen used localhost rather than 127.0.0.1 in / 294 etc/rndc.conf for the default server. Update /etc/rndc.conf if 295 necessary so that the default server listed in /etc/rndc.conf matches 296 the addresses used in named.conf. "localhost" has two address 297 (127.0.0.1 and ::1). 298 299 If you use "rndc-confgen -a" and named is running with -t or -u ensure 300 that /etc/rndc.conf has the correct ownership and that a copy is in the 301 chroot area. You can do this by re-running "rndc-confgen -a" with 302 appropriate -t and -u arguments. 303 304Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while 305 receiving responses: permission denied" error messages. 306 307A: These indicate a filesystem permission error preventing named creating 308 / renaming the temporary file. These will usually also have other 309 associated error messages like 310 311 "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" 312 313 Named needs write permission on the directory containing the file. 314 Named writes the new cache file to a temporary file then renames it to 315 the name specified in named.conf to ensure that the contents are always 316 complete. This is to prevent named loading a partial zone in the event 317 of power failure or similar interrupting the write of the master file. 318 319 Note file names are relative to the directory specified in options and 320 any chroot directory ([<chroot dir>/][<options dir>]). 321 322 If named is invoked as "named -t /chroot/DNS" with the following 323 named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the 324 user named is running as. 325 326 options { 327 directory "/var/named"; 328 }; 329 330 zone "example.net" { 331 type slave; 332 file "sl/example.net"; 333 masters { 192.168.4.12; }; 334 }; 335 336Q: I want to forward all DNS queries from my caching nameserver to another 337 server. But there are some domains which have to be served locally, via 338 rbldnsd. 339 340 How do I achieve this ? 341 342A: options { 343 forward only; 344 forwarders { <ip.of.primary.nameserver>; }; 345 }; 346 347 zone "sbl-xbl.spamhaus.org" { 348 type forward; forward only; 349 forwarders { <ip.of.rbldns.server> port 530; }; 350 }; 351 352 zone "list.dsbl.org" { 353 type forward; forward only; 354 forwarders { <ip.of.rbldns.server> port 530; }; 355 }; 356 357 358Q: Can you help me understand how BIND 9 uses memory to store DNS zones? 359 360 Some times it seems to take several times the amount of memory it needs 361 to store the zone. 362 363A: When reloading a zone named my have multiple copies of the zone in 364 memory at one time. The zone it is serving and the one it is loading. 365 If reloads are ultra fast it can have more still. 366 367 e.g. Ones that are transferring out, the one that it is serving and the 368 one that is loading. 369 370 BIND 8 destroyed the zone before loading and also killed off outgoing 371 transfers of the zone. 372 373 The new strategy allows slaves to get copies of the new zone regardless 374 of how often the master is loaded compared to the transfer time. The 375 slave might skip some intermediate versions but the transfers will 376 complete and it will keep reasonably in sync with the master. 377 378 The new strategy also allows the master to recover from syntax and 379 other errors in the master file as it still has an in-core copy of the 380 old contents. 381 382Q: I want to use IPv6 locally but I don't have a external IPv6 connection. 383 External lookups are slow. 384 385A: You can use server clauses to stop named making external lookups over 386 IPv6. 387 388 server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix 389 server ::/0 { bogus yes; }; 390 3913. Operations Questions 392 393Q: How to change the nameservers for a zone? 394 395A: Step 1: Ensure all nameservers, new and old, are serving the same zone 396 content. 397 398 Step 2: Work out the maximum TTL of the NS RRset in the parent and 399 child zones. This is the time it will take caches to be clear of a 400 particular version of the NS RRset. If you are just removing 401 nameservers you can skip to Step 6. 402 403 Step 3: Add new nameservers to the NS RRset for the zone and wait until 404 all the servers for the zone are answering with this new NS RRset. 405 406 Step 4: Inform the parent zone of the new NS RRset then wait for all 407 the parent servers to be answering with the new NS RRset. 408 409 Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for 410 how long. If you are just adding nameservers you are done. 411 412 Step 6: Remove any old nameservers from the zones NS RRset and wait for 413 all the servers for the zone to be serving the new NS RRset. 414 415 Step 7: Inform the parent zone of the new NS RRset then wait for all 416 the parent servers to be answering with the new NS RRset. 417 418 Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for 419 how long. 420 421 Step 9: Turn off the old nameservers or remove the zone entry from the 422 configuration of the old nameservers. 423 424 Step 10: Increment the serial number and wait for the change to be 425 visible in all nameservers for the zone. This ensures that zone 426 transfers are still working after the old servers are decommissioned. 427 428 Note: the above procedure is designed to be transparent to dns clients. 429 Decommissioning the old servers too early will result in some clients 430 not being able to look up answers in the zone. 431 432 Note: while it is possible to run the addition and removal stages 433 together it is not recommended. 434 4354. General Questions 436 437Q: I keep getting log messages like the following. Why? 438 439 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': 440 update failed: 'RRset exists (value dependent)' prerequisite not 441 satisfied (NXRRSET) 442 443A: DNS updates allow the update request to test to see if certain 444 conditions are met prior to proceeding with the update. The message 445 above is saying that conditions were not met and the update is not 446 proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. 447 448Q: I keep getting log messages like the following. Why? 449 450 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied 451 452A: Someone is trying to update your DNS data using the RFC2136 Dynamic 453 Update protocol. Windows 2000 machines have a habit of sending dynamic 454 update requests to DNS servers without being specifically configured to 455 do so. If the update requests are coming from a Windows 2000 machine, 456 see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> 457 for information about how to turn them off. 458 459Q: When I do a "dig . ns", many of the A records for the root servers are 460 missing. Why? 461 462A: This is normal and harmless. It is a somewhat confusing side effect of 463 the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 464 makes to avoid promoting glue into answers. 465 466 When BIND 9 first starts up and primes its cache, it receives the root 467 server addresses as additional data in an authoritative response from a 468 root server, and these records are eligible for inclusion as additional 469 data in responses. Subsequently it receives a subset of the root server 470 addresses as additional data in a non-authoritative (referral) response 471 from a root server. This causes the addresses to now be considered 472 non-authoritative (glue) data, which is not eligible for inclusion in 473 responses. 474 475 The server does have a complete set of root server addresses cached at 476 all times, it just may not include all of them as additional data, 477 depending on whether they were last received as answers or as glue. You 478 can always look up the addresses with explicit queries like "dig 479 a.root-servers.net A". 480 481Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? 482 483A: A zone can be updated either by editing zone files and reloading the 484 server or by dynamic update, but not both. If you have enabled dynamic 485 update for a zone using the "allow-update" option, you are not supposed 486 to edit the zone file by hand, and the server will not attempt to 487 reload it. 488 489Q: Why is named listening on UDP port other than 53? 490 491A: Named uses a system selected port to make queries of other nameservers. 492 This behaviour can be overridden by using query-source to lock down the 493 port and/or address. See also notify-source and transfer-source. 494 495Q: I get warning messages like "zone example.com/IN: refresh: failure 496 trying master 1.2.3.4#53: timed out". 497 498A: Check that you can make UDP queries from the slave to the master 499 500 dig +norec example.com soa @1.2.3.4 501 502 You could be generating queries faster than the slave can cope with. 503 Lower the serial query rate. 504 505 serial-query-rate 5; // default 20 506 507Q: I don't get RRSIG's returned when I use "dig +dnssec". 508 509A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). 510 511Q: Can a NS record refer to a CNAME. 512 513A: No. The rules for glue (copies of the *address* records in the parent 514 zones) and additional section processing do not allow it to work. 515 516 You would have to add both the CNAME and address records (A/AAAA) as 517 glue to the parent zone and have CNAMEs be followed when doing 518 additional section processing to make it work. No nameserver 519 implementation supports either of these requirements. 520 521Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" 522 mean? 523 524A: If the IN-ADDR.ARPA name covered refers to a internal address space you 525 are using then you have failed to follow RFC 1918 usage rules and are 526 leaking queries to the Internet. You should establish your own zones 527 for these addresses to prevent you querying the Internet's name servers 528 for these addresses. Please see <http://as112.net/> for details of the 529 problems you are causing and the counter measures that have had to be 530 deployed. 531 532 If you are not using these private addresses then a client has queried 533 for them. You can just ignore the messages, get the offending client to 534 stop sending you these messages as they are most probably leaking them 535 or setup your own zones empty zones to serve answers to these queries. 536 537 zone "10.IN-ADDR.ARPA" { 538 type master; 539 file "empty"; 540 }; 541 542 zone "16.172.IN-ADDR.ARPA" { 543 type master; 544 file "empty"; 545 }; 546 547 ... 548 549 zone "31.172.IN-ADDR.ARPA" { 550 type master; 551 file "empty"; 552 }; 553 554 zone "168.192.IN-ADDR.ARPA" { 555 type master; 556 file "empty"; 557 }; 558 559 empty: 560 @ 10800 IN SOA <name-of-server>. <contact-email>. ( 561 1 3600 1200 604800 10800 ) 562 @ 10800 IN NS <name-of-server>. 563 564 Note 565 566 Future versions of named are likely to do this automatically. 567 568Q: Will named be affected by the 2007 changes to daylight savings rules in 569 the US. 570 571A: No, so long as the machines internal clock (as reported by "date -u") 572 remains at UTC. The only visible change if you fail to upgrade your OS, 573 if you are in a affected area, will be that log messages will be a hour 574 out during the period where the old rules do not match the new rules. 575 576 For most OS's this change just means that you need to update the 577 conversion rules from UTC to local time. Normally this involves 578 updating a file in /etc (which sets the default timezone for the 579 machine) and possibly a directory which has all the conversion rules 580 for the world (e.g. /usr/share/zoneinfo). When updating the OS do not 581 forget to update any chroot areas as well. See your OS's documentation 582 for more details. 583 584 The local timezone conversion rules can also be done on a individual 585 basis by setting the TZ environment variable appropriately. See your 586 OS's documentation for more details. 587 588Q: Is there a bugzilla (or other tool) database that mere mortals can have 589 (read-only) access to for bind? 590 591A: No. The BIND 9 bug database is kept closed for a number of reasons. 592 These include, but are not limited to, that the database contains 593 proprietory information from people reporting bugs. The database has in 594 the past and may in future contain unfixed bugs which are capable of 595 bringing down most of the Internet's DNS infrastructure. 596 597 The release pages for each version contain up to date lists of bugs 598 that have been fixed post release. That is as close as we can get to 599 providing a bug database. 600 601Q: Why do queries for NSEC3 records fail to return the NSEC3 record? 602 603A: NSEC3 records are strictly meta data and can only be returned in the 604 authority section. This is done so that signing the zone using NSEC3 605 records does not bring names into existence that do not exist in the 606 unsigned version of the zone. 607 6085. Operating-System Specific Questions 609 6105.1. HPUX 611 612Q: I get the following error trying to configure BIND: 613 614 checking if unistd.h or sys/types.h defines fd_set... no 615 configure: error: need either working unistd.h or sys/select.h 616 617A: You have attempted to configure BIND with the bundled C compiler. This 618 compiler does not meet the minimum compiler requirements to for 619 building BIND. You need to install a ANSI C compiler and / or teach 620 configure how to find the ANSI C compiler. The later can be done by 621 adjusting the PATH environment variable and / or specifying the 622 compiler via CC. 623 624 ./configure CC=<compiler> ... 625 6265.2. Linux 627 628Q: Why do I get the following errors: 629 630 general: errno2result.c:109: unexpected error: 631 general: unable to convert errno to isc_result: 14: Bad address 632 client: UDP client handler shutting down due to fatal receive error: unexpected error 633 634A: This is the result of a Linux kernel bug. 635 636 See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w= 637 2> 638 639Q: Why does named lock up when it attempts to connect over IPSEC tunnels? 640 641A: This is due to a kernel bug where the fact that a socket is marked 642 non-blocking is ignored. It is reported that setting xfrm_larval_drop 643 to 1 helps but this may have negative side effects. See: <https:// 644 bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/ 645 2007/12/4/260>. 646 647 xfrm_larval_drop can be set to 1 by the following procedure: 648 649 echo "1" > proc/sys/net/core/xfrm_larval_drop 650 651Q: Why do I see 5 (or more) copies of named on Linux? 652 653A: Linux threads each show up as a process under ps. The approximate 654 number of threads running is n+4, where n is the number of CPUs. Note 655 that the amount of memory used is not cumulative; if each process is 656 using 10M of memory, only a total of 10M is used. 657 658 Newer versions of Linux's ps command hide the individual threads and 659 require -L to display them. 660 661Q: Why does BIND 9 log "permission denied" errors accessing its 662 configuration files or zones on my Linux system even though it is 663 running as root? 664 665A: On Linux, BIND 9 drops most of its root privileges on startup. This 666 including the privilege to open files owned by other users. Therefore, 667 if the server is running as root, the configuration files and zone 668 files should also be owned by root. 669 670Q: I get the error message "named: capset failed: Operation not permitted" 671 when starting named. 672 673A: The capability module, part of "Linux Security Modules/LSM", has not 674 been loaded into the kernel. See insmod(8), modprobe(8). 675 676 The relevant modules can be loaded by running: 677 678 modprobe commoncap 679 modprobe capability 680 681Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core - 682 683 Why can't named update slave zone database files? 684 685 Why can't named create DDNS journal files or update the master zones 686 from journals? 687 688 Why can't named create custom log files? 689 690A: Red Hat Security Enhanced Linux (SELinux) policy security protections : 691 692 Red Hat have adopted the National Security Agency's SELinux security 693 policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND 694 security , which are more secure than running named in a chroot and 695 make use of the bind-chroot environment unnecessary . 696 697 By default, named is not allowed by the SELinux policy to write, create 698 or delete any files EXCEPT in these directories: 699 700 $ROOTDIR/var/named/slaves 701 $ROOTDIR/var/named/data 702 $ROOTDIR/var/tmp 703 704 705 where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is 706 installed. 707 708 The SELinux policy particularly does NOT allow named to modify the 709 $ROOTDIR/var/named directory, the default location for master zone 710 database files. 711 712 SELinux policy overrules file access permissions - so even if all the 713 files under /var/named have ownership named:named and mode rw-rw-r--, 714 named will still not be able to write or create files except in the 715 directories above, with SELinux in Enforcing mode. 716 717 So, to allow named to update slave or DDNS zone files, it is best to 718 locate them in $ROOTDIR/var/named/slaves, with named.conf zone 719 statements such as: 720 721 zone "slave.zone." IN { 722 type slave; 723 file "slaves/slave.zone.db"; 724 ... 725 }; 726 zone "ddns.zone." IN { 727 type master; 728 allow-updates {...}; 729 file "slaves/ddns.zone.db"; 730 }; 731 732 733 To allow named to create its cache dump and statistics files, for 734 example, you could use named.conf options statements such as: 735 736 options { 737 ... 738 dump-file "/var/named/data/cache_dump.db"; 739 statistics-file "/var/named/data/named_stats.txt"; 740 ... 741 }; 742 743 744 You can also tell SELinux to allow named to update any zone database 745 files, by setting the SELinux tunable boolean parameter 746 'named_write_master_zones=1', using the system-config-securitylevel 747 GUI, using the 'setsebool' command, or in /etc/selinux/targeted/ 748 booleans. 749 750 You can disable SELinux protection for named entirely by setting the 751 'named_disable_trans=1' SELinux tunable boolean parameter. 752 753 The SELinux named policy defines these SELinux contexts for named: 754 755 named_zone_t : for zone database files - $ROOTDIR/var/named/* 756 named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.* 757 named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} 758 759 760 If you want to retain use of the SELinux policy for named, and put 761 named files in different locations, you can do so by changing the 762 context of the custom file locations . 763 764 To create a custom configuration file location, e.g. '/root/ 765 named.conf', to use with the 'named -c' option, do: 766 767 # chcon system_u:object_r:named_conf_t /root/named.conf 768 769 770 To create a custom modifiable named data location, e.g. '/var/log/ 771 named' for a log file, do: 772 773 # chcon system_u:object_r:named_cache_t /var/log/named 774 775 776 To create a custom zone file location, e.g. /root/zones/, do: 777 778 # chcon system_u:object_r:named_zone_t /root/zones/{.,*} 779 780 781 See these man-pages for more information : selinux(8), named_selinux 782 (8), chcon(1), setsebool(8) 783 784Q: I'm running BIND on Ubuntu - 785 786 Why can't named update slave zone database files? 787 788 Why can't named create DDNS journal files or update the master zones 789 from journals? 790 791 Why can't named create custom log files? 792 793A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in 794 addition to normal file system permissions to protect the system. 795 796 Adjust the paths to use those specified in /etc/apparmor.d/ 797 usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named 798 to write at the location specified in named.conf. 799 800Q: Listening on individual IPv6 interfaces does not work. 801 802A: This is usually due to "/proc/net/if_inet6" not being available in the 803 chroot file system. Mount another instance of "proc" in the chroot file 804 system. 805 806 This can be be made permanent by adding a second instance to /etc/ 807 fstab. 808 809 proc /proc proc defaults 0 0 810 proc /var/named/proc proc defaults 0 0 811 8125.3. Windows 813 814Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. 815 Why? 816 817A: This may be caused by a bug in the Windows 2000 DNS server where DNS 818 messages larger than 16K are not handled properly. This can be worked 819 around by setting the option "transfer-format one-answer;". Also check 820 whether your zone contains domain names with embedded spaces or other 821 special characters, like "John\032Doe\213s\032Computer", since such 822 names have been known to cause Windows 2000 slaves to incorrectly 823 reject the zone. 824 825Q: I get "Error 1067" when starting named under Windows. 826 827A: This is the service manager saying that named exited. You need to 828 examine the Application log in the EventViewer to find out why. 829 830 Common causes are that you failed to create "named.conf" (usually "C:\ 831 windows\dns\etc\named.conf") or failed to specify the directory in 832 named.conf. 833 834 options { 835 Directory "C:\windows\dns\etc"; 836 }; 837 8385.4. FreeBSD 839 840Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. 841 842A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to 843 use certain interrupts as a source of random events. You can make this 844 permanent by setting rand_irqs in /etc/rc.conf. 845 846 rand_irqs="3 14 15" 847 848 See also <http://people.freebsd.org/~dougb/randomness.html>. 849 8505.5. Solaris 851 852Q: How do I integrate BIND 9 and Solaris SMF 853 854A: Sun has a blog entry describing how to do this. 855 856 <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris> 857 8585.6. Apple Mac OS X 859 860Q: How do I run BIND 9 on Apple Mac OS X? 861 862A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do: 863 864 % sudo rndc-confgen > /etc/rndc.conf 865 866 Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: 867 868 key "rndc-key" { 869 algorithm hmac-sha256; 870 secret "uvceheVuqf17ZwIcTydddw=="; 871 }; 872 873 Then start the relevant service: 874 875 % sudo service org.isc.named start 876 877 This is persistent upon a reboot, so you will have to do it only once. 878 879A: Alternatively you can just generate /etc/rndc.key by running: 880 881 % sudo rndc-confgen -a 882 883 Then start the relevant service: 884 885 % sudo service org.isc.named start 886 887 Named will look for /etc/rndc.key when it starts if it doesn't have a 888 controls section or the existing controls are missing keys sub-clauses. 889 This is persistent upon a reboot, so you will have to do it only once. 890 891