Copyright © 2000-2010, 2013-2016 Internet Systems Consortium, Inc.
("ISC")

-----------------------------------------------------------------------

1. Compilation and Installation Questions

Q: I'm trying to compile BIND 9, and "make" is failing due to files not
   being found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not
   supported, and doesn't work. If you are using one of these, use normal
   make or gmake instead.

Q: Isn't "make install" supposed to generate a default named.conf?

A: Short Answer: No.

   Long Answer: There really isn't a default configuration which fits any
   site perfectly. There are lots of decisions that need to be made and
   there is no consensus on what the defaults should be. For example,
   FreeBSD uses /etc/namedb as the location where the configuration files
   for named are stored. Others use /var/named.

   What addresses to listen on? For a laptop on the move a lot you may
   only want to listen on the loopback interfaces.

   To whom do you offer recursive service? Is there a firewall to
   consider? If so, is it stateless or stateful? Are you directly on the
   Internet? Are you on a private network? Are you on a NAT'd network? The
   answers to all these questions change how you configure even a caching
   name server.

2. Configuration and Setup Questions

Q: Why does named log the warning message "no TTL specified - using SOA
   MINTTL instead"?

A: Your zone file is illegal according to RFC 1035. It must either have a
   line like:

   $TTL 86400

   at the beginning, or the first record in it must have a TTL field, like
   the "86400" in this example:

   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
   file bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check
   that all TXT records containing quoted strings have both open and close
   quotes.

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version
   in the "options" section of named.conf. Note doing this will not
   prevent attacks and may impede people trying to diagnose problems with
   your server. Also it is possible to "fingerprint" nameservers to
   determine their version.

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups as the internal
   view that holds the version information will be matched last. The
   caveats of the previous answer still apply, of course.

   view "chaos" chaos {
           match-clients { <those to be refused>; };
           allow-query { none; };
           zone "." {
                   type hint;
                   file "/dev/null";  // or any empty file
           };
   };

Q: What do "no source of entropy found" or "could not open entropy source
   foo" mean?

A: The server requires a source of entropy to perform certain operations,
   mostly DNSSEC related. These messages indicate that you have no source
   of entropy. On systems with /dev/random or an equivalent, it is used by
   default. A source of entropy can also be defined using the
   random-device option in named.conf.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone
   transfers. I'm sure I have the keys set up correctly, but the server is
   rejecting the TSIG. Why?

A: This may be a clock skew problem. Check that the clocks on the
   client and server are properly synchronized (e.g., using ntp).

Q: I see a log message like the following. Why?

   couldn't open pid file '/var/run/named.pid': Permission denied

A: You are most likely running named as a non-root user, and that user
   does not have permission to write in /var/run. The common ways of
   fixing this are to create a /var/run/named directory owned by the named
   user and set pid-file to "/var/run/named/named.pid", or set pid-file to
   "named.pid", which will put the file in the directory specified by the
   directory option (which, in this case, must be writable by the user
   named is running as).

Q: I can query the nameserver from the nameserver but not from other
   machines. Why?

A: This is usually the result of the firewall configuration stopping the
   queries and / or the replies.

Q: How can I make a server a slave for both an internal and an external
   view at the same time? When I tried, both views on the slave were
   transferred from the same view on the master.

A: You will need to give the master and slave multiple IP addresses and
   use those to make sure you reach the correct view on the other machine.

   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
       internal:
           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
           notify-source 10.0.1.1;
           transfer-source 10.0.1.1;
           query-source address 10.0.1.1;
       external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source 10.0.1.2;
           transfer-source 10.0.1.2;
           query-source address 10.0.1.2;

   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
       internal:
           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
           notify-source 10.0.1.3;
           transfer-source 10.0.1.3;
           query-source address 10.0.1.3;
       external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source 10.0.1.4;
           transfer-source 10.0.1.4;
           query-source address 10.0.1.4;

   You put the external address on the alias so that all the other DNS
   clients on these boxes see the internal view by default.

A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Master 10.0.1.1:
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; // reject messages meant for the
                                                  // external view.
                                   10.0.1/24; };  // accept from these addresses.
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.1.2 { keys external; };  // tag messages from the
                                                        // external view to the
                                                        // other servers for the
                                                        // view.
                   recursion no;
                   ...
           };

   Slave 10.0.1.2:
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.1.1 { keys external; };
                   recursion no;
                   ...
           };

Q: I get error messages like "multiple RRs of singleton type" and "CNAME
   and other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact
   records involved by transferring the zone using dig then running
   named-checkzone on it.

   dig axfr example.com @master-server > tmp
   named-checkzone example.com tmp

   A CNAME record cannot exist with the same name as another record except
   for the DNSSEC records which prove its existence (NSEC).

   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
   data should be present; this ensures that the data for a canonical name
   and its aliases cannot be different. This rule also insures that a
   cached CNAME can be used without checking with an authoritative server
   for other RR types."

Q: I get error messages like "named.conf:99: unexpected end of input"
   where 99 is the last line of named.conf.

A: There are unbalanced quotes in named.conf.

A: Some text editors (notepad and wordpad) fail to put a line terminator
   (e.g. CR/LF) on the last line of a text file. This can be fixed by
   "adding" a blank line to the end of the file. Named expects to see EOF
   immediately after EOL and treats text files where this is not met as
   truncated.

Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer
   the zone between views.

   Master 10.0.1.1:
           key "external" {
                   algorithm hmac-sha256;
                   secret "xxxxxxxxxxxxxxxxxxxxxxxx";
           };

           key "mykey" {
                   algorithm hmac-sha256;
                   secret "yyyyyyyyyyyyyyyyyyyyyyyy";
           };

           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   server 10.0.1.1 {
                           /* Deliver notify messages to external view. */
                           keys { external; };
                   };
                   zone "example.com" {
                           type master;
                           file "internal/example.db";
                           allow-update { key mykey; };
                           also-notify { 10.0.1.1; };
                   };
           };

           view "external" {
                   match-clients { key external; any; };
                   zone "example.com" {
                           type slave;
                           file "external/example.db";
                           masters { 10.0.1.1; };
                           transfer-source 10.0.1.1;
                           // allow-update-forwarding { any; };
                           // allow-notify { ... };
                   };
           };

Q: I get an error message like "zone wireless.ietf56.ietf.org/IN: loading
   master file primaries/wireless.ietf56.ietf.org: no owner".

A: This error is produced when a line in the master file contains leading
   white space (tab/space) but there is no current record owner name to
   inherit the name from. Usually this is the result of putting white
   space before a comment, forgetting the "@" for the SOA record, or
   indenting the master file.
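
   The following Python script is an added example (not part of this FAQ
   and not code from BIND) that checks a master file for the hand-editing
   mistakes behind four of the answers above: a missing $TTL directive
   with no TTL on the first record ("no TTL specified"), an unbalanced
   quote in a TXT record ("ran out of space"), an indented line before
   any owner name has been seen ("no owner"), and a last line without a
   line terminator ("unexpected end of input"). It is a heuristic check,
   not an RFC 1035 parser; named-checkzone remains the authoritative
   tool. The two sample zones are constructed for the example.

```python
"""Heuristic checks for hand-edited BIND master files (added example; not ISC code)."""
import re
import sys

# Classes that may appear before or after the TTL in a resource record.
CLASSES = {"IN", "CH", "HS"}
# A TTL as master-file syntax accepts it: plain seconds or unit suffixes such as "1h30m".
TTL_RE = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)


def strip_comment(line):
    """Remove a ';' comment, leaving ';' characters inside a quoted string alone."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def has_ttl(fields):
    """True if the fields following the owner carry a TTL, written either as
    '<ttl> [<class>]' or '<class> <ttl>' (RFC 1035 allows both orders)."""
    if not fields:
        return False
    if TTL_RE.match(fields[0]):
        return True
    return fields[0].upper() in CLASSES and len(fields) > 1 and bool(TTL_RE.match(fields[1]))


def missing_final_newline(text):
    """named expects EOF right after an EOL; a last line without one reads as truncated.
    This check applies to named.conf as well as to zone files."""
    return bool(text) and not text.endswith("\n")


def check_zone_text(text):
    """Return the problems found in the master-file text, in file order."""
    problems = []
    if missing_final_newline(text):
        problems.append("file does not end with a newline (named treats this as truncated)")
    saw_ttl_directive = False    # a $TTL line has been seen
    saw_owner = False            # an owner name exists for indented lines to inherit
    first_record_checked = False
    for lineno, raw in enumerate(text.split("\n"), 1):
        # Quotes are counted on the raw line: an unbalanced quote is the usual
        # cause of "ran out of space", and it would also confuse comment stripping.
        if raw.count('"') % 2 == 1:
            problems.append(f"line {lineno}: unbalanced double quote (check TXT records)")
        # Leading white space means "same owner as the previous record".  Before any
        # owner has been seen that is the "no owner" error, and the FAQ says an
        # indented comment triggers it too, so this is tested before stripping.
        if raw[:1] in (" ", "\t") and raw.strip() and not saw_owner:
            problems.append(f"line {lineno}: leading white space but no owner name to inherit")
        line = strip_comment(raw).rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):
            if line.split()[0].upper() == "$TTL":
                saw_ttl_directive = True
            continue
        indented = line[0] in (" ", "\t")
        if not indented:
            saw_owner = True
        if not first_record_checked:
            first_record_checked = True
            fields = line.split()
            rest = fields if indented else fields[1:]
            if not saw_ttl_directive and not has_ttl(rest):
                problems.append(f"line {lineno}: no $TTL directive and the first record has no TTL field")
    return problems


def check_zone_file(path):
    """Read a master file from disk and check it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_zone_text(fh.read())


# Constructed sample: one zone text carrying every fault the checker knows about.
BAD_ZONE = (
    "   ; indented comment before any owner name\n"
    "example.com. IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
    'host IN TXT "missing close quote\n'
    "last IN A 192.0.2.2"            # no trailing newline
)

# Constructed sample: the same data written correctly.
GOOD_ZONE = (
    "$TTL 86400\n"
    "example.com. IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )\n"
    "             IN NS ns\n"
    "ns           IN A 192.0.2.1\n"
    'host         IN TXT "v=spf1 -all"\n'
)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for problem in check_zone_file(path):
            print(f"{path}: {problem}")
```

   Run it as "python3 zonecheck.py /var/named/example.db" (file name
   assumed) before an "rndc reload"; an empty result means none of the
   four faults above was found, not that the zone is valid.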

Q: Why are my logs in GMT (UTC)?

A: You are running chrooted (-t) and have not supplied local timezone
   information in the chroot area.

   FreeBSD: /etc/localtime
   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
   OSF: /etc/zoneinfo/localtime

   See also tzset(3) and zic(8).

Q: I get "rndc: connect failed: connection refused" when I try to run
   rndc.

A: This is usually a configuration error.

   First ensure that named is running and no errors are being reported at
   startup (/var/log/messages or equivalent). Running "named -g <usual
   arguments>" from a terminal can help at this point.

   Secondly ensure that named is configured to use rndc either by
   "rndc-confgen -a", rndc-confgen or manually. The Administrator
   Reference Manual has details on how to do this.

   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in
   /etc/rndc.conf for the default server. Update /etc/rndc.conf if
   necessary so that the default server listed in /etc/rndc.conf matches
   the addresses used in named.conf. "localhost" has two addresses
   (127.0.0.1 and ::1).

   If you use "rndc-confgen -a" and named is running with -t or -u ensure
   that /etc/rndc.conf has the correct ownership and that a copy is in the
   chroot area. You can do this by re-running "rndc-confgen -a" with
   appropriate -t and -u arguments.

Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
   receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named creating
   / renaming the temporary file. These will usually also have other
   associated error messages like

   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

   Named needs write permission on the directory containing the file.
   Named writes the new cache file to a temporary file then renames it to
   the name specified in named.conf to ensure that the contents are always
   complete. This is to prevent named loading a partial zone in the event
   of power failure or similar interrupting the write of the master file.

   Note file names are relative to the directory specified in options and
   any chroot directory ([<chroot dir>/][<options dir>]).

   If named is invoked as "named -t /chroot/DNS" with the following
   named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
   user named is running as.

   options {
           directory "/var/named";
   };

   zone "example.net" {
           type slave;
           file "sl/example.net";
           masters { 192.168.4.12; };
   };

Q: I want to forward all DNS queries from my caching nameserver to another
   server. But there are some domains which have to be served locally, via
   rbldnsd.

   How do I achieve this?

A: options {
           forward only;
           forwarders { <ip.of.primary.nameserver>; };
   };

   zone "sbl-xbl.spamhaus.org" {
           type forward; forward only;
           forwarders { <ip.of.rbldns.server> port 530; };
   };

   zone "list.dsbl.org" {
           type forward; forward only;
           forwarders { <ip.of.rbldns.server> port 530; };
   };

Q: Can you help me understand how BIND 9 uses memory to store DNS zones?

   Sometimes it seems to take several times the amount of memory it needs
   to store the zone.

A: When reloading a zone named may have multiple copies of the zone in
   memory at one time: the zone it is serving and the one it is loading.
   If reloads are ultra fast it can have more still, e.g. ones that are
   transferring out, the one that it is serving and the one that is
   loading.

   BIND 8 destroyed the zone before loading and also killed off outgoing
   transfers of the zone.

   The new strategy allows slaves to get copies of the new zone regardless
   of how often the master is loaded compared to the transfer time. The
   slave might skip some intermediate versions but the transfers will
   complete and it will keep reasonably in sync with the master.

   The new strategy also allows the master to recover from syntax and
   other errors in the master file as it still has an in-core copy of the
   old contents.

Q: I want to use IPv6 locally but I don't have an external IPv6 connection.
   External lookups are slow.

A: You can use server clauses to stop named making external lookups over
   IPv6.

   server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
   server ::/0 { bogus yes; };

3. Operations Questions

Q: How to change the nameservers for a zone?

A: Step 1: Ensure all nameservers, new and old, are serving the same zone
   content.

   Step 2: Work out the maximum TTL of the NS RRset in the parent and
   child zones. This is the time it will take caches to be clear of a
   particular version of the NS RRset. If you are just removing
   nameservers you can skip to Step 6.

   Step 3: Add new nameservers to the NS RRset for the zone and wait until
   all the servers for the zone are answering with this new NS RRset.

   Step 4: Inform the parent zone of the new NS RRset then wait for all
   the parent servers to be answering with the new NS RRset.

   Step 5: Wait for caches to be clear of the old NS RRset. See Step 2 for
   how long. If you are just adding nameservers you are done.

   Step 6: Remove any old nameservers from the zone's NS RRset and wait
   for all the servers for the zone to be serving the new NS RRset.

   Step 7: Inform the parent zone of the new NS RRset then wait for all
   the parent servers to be answering with the new NS RRset.

   Step 8: Wait for caches to be clear of the old NS RRset. See Step 2 for
   how long.

   Step 9: Turn off the old nameservers or remove the zone entry from the
   configuration of the old nameservers.

   Step 10: Increment the serial number and wait for the change to be
   visible in all nameservers for the zone. This ensures that zone
   transfers are still working after the old servers are decommissioned.

   Note: the above procedure is designed to be transparent to DNS clients.
   Decommissioning the old servers too early will result in some clients
   not being able to look up answers in the zone.

   Note: while it is possible to run the addition and removal stages
   together it is not recommended.
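
   The checks that the waiting steps above depend on, as an added Python
   example (not part of this FAQ, not ISC code): given the NS RRset each
   server returned for the zone, it reports which servers already answer
   with the intended RRset and what the others are missing or still
   carrying (Steps 3, 4, 6 and 7), and it computes the Step 2 waiting time
   as the longest NS TTL seen from any parent or child server. The answer
   data below is constructed; in practice you would fill the dictionaries
   from "dig +norec example.com NS @<server>" against every server, and
   the parent server names are placeholders.

```python
"""Checks for a nameserver change, run over NS answers collected from each server
(added example; not ISC code). Answers are {server: [(ttl, nsname), ...]}."""


def canonical(name):
    """Lower case with a trailing dot, so 'NS1.example.com' and 'ns1.example.com.' compare equal."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def ns_rrset_status(answers, expected):
    """Which servers already answer with the expected NS RRset, and what the
    others are missing or still carrying."""
    want = {canonical(n) for n in expected}
    status = {"agree": [], "lagging": {}}
    for server in sorted(answers):
        have = {canonical(n) for _, n in answers[server]}
        if have == want:
            status["agree"].append(server)
        else:
            status["lagging"][server] = {
                "missing": sorted(want - have),   # not yet serving these
                "stale": sorted(have - want),     # still serving these
            }
    return status


def all_agree(status):
    """True once every queried server answers with the expected RRset."""
    return not status["lagging"]


def cache_clear_seconds(*answer_sets):
    """Step 2: the longest TTL on any NS RR from any server, parent or child side.
    After the last authoritative server switches, caches may keep handing out
    the old RRset for this long (Steps 5 and 8)."""
    return max(
        (ttl for answers in answer_sets for rrs in answers.values() for ttl, _ in rrs),
        default=0,
    )


# Constructed data for example.com, part way through Step 3: ns3 is being added.
NEW_NS = ["ns1.example.com.", "ns2.example.com.", "ns3.example.com."]

# Child-side answers: ns1 has loaded the new zone, ns2 has not transferred it yet.
CHILD_ANSWERS = {
    "ns1.example.com.": [(86400, "ns1.example.com."), (86400, "ns2.example.com."),
                         (86400, "ns3.example.com.")],
    "ns2.example.com.": [(86400, "ns1.example.com."), (86400, "ns2.example.com.")],
}

# Parent-side answers (placeholder server names): the delegation still lists
# the old set, with the parent's two-day TTL.
PARENT_ANSWERS = {
    "a.parent.example.": [(172800, "ns1.example.com."), (172800, "ns2.example.com.")],
    "b.parent.example.": [(172800, "NS1.example.com"), (172800, "ns2.example.com")],
}

if __name__ == "__main__":
    child = ns_rrset_status(CHILD_ANSWERS, NEW_NS)
    print("child servers still lagging:", child["lagging"])
    print("seconds until caches are clear of the old RRset:",
          cache_clear_seconds(PARENT_ANSWERS, CHILD_ANSWERS))
```

   Only move from one step to the next once all_agree() holds for the
   servers that step names; the TTL figure is the minimum wait, since a
   cache that fetched the old RRset just before the switch keeps it for
   the full TTL.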

4. General Questions

Q: I keep getting log messages like the following. Why?

   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
   update failed: 'RRset exists (value dependent)' prerequisite not
   satisfied (NXRRSET)

A: DNS updates allow the update request to test to see if certain
   conditions are met prior to proceeding with the update. The message
   above is saying that conditions were not met and the update is not
   proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.

Q: I keep getting log messages like the following. Why?

   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

A: Someone is trying to update your DNS data using the RFC2136 Dynamic
   Update protocol. Windows 2000 machines have a habit of sending dynamic
   update requests to DNS servers without being specifically configured to
   do so. If the update requests are coming from a Windows 2000 machine,
   see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
   for information about how to turn them off.
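
   Deciding whether these messages are a misconfigured client or something
   worth a closer look is easier with a per-client tally. The following
   Python script is an added example (not part of this FAQ, not ISC code)
   that reads the two message shapes quoted in the previous two answers
   out of a named log and counts "update denied" and prerequisite
   failures per client address, keeping the zone and the rcode where the
   message carries them. The log excerpt it runs on is constructed.

```python
"""Summarise refused dynamic updates from named's log (added example; not ISC code).
The line shapes follow the two messages quoted in this FAQ; newer BIND versions
print a client handle before the address ("client @0x...: 10.0.0.1#1234 ..."),
so adjust CLIENT_RE if your logs look different."""
import re
from collections import Counter, defaultdict

CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?P<msg>.*)$")
ZONE_RE = re.compile(r"updating zone '(?P<zone>[^']+)'")
RCODE_RE = re.compile(r"\((?P<rcode>[A-Z]+)\)\s*$")


def parse_update_events(log_text):
    """Pick out 'update denied' and prerequisite failures; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("update denied"):
            kind = "denied"                 # refused by allow-update / update-policy
        elif "prerequisite not satisfied" in msg:
            kind = "prerequisite_failed"    # the client's RFC 2136 prerequisite did not hold
        else:
            continue
        zone = ZONE_RE.search(msg)
        rcode = RCODE_RE.search(msg)
        events.append({
            "client": m.group("ip"),
            "port": int(m.group("port")),
            "kind": kind,
            "zone": zone.group("zone") if zone else None,
            "rcode": rcode.group("rcode") if rcode else None,
        })
    return events


def summarize_by_client(events):
    """{client_ip: Counter({kind: n})}: the view that separates a chatty
    Windows box from a source that deserves a closer look."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[ev["client"]][ev["kind"]] += 1
    return dict(summary)


def noisy_clients(events, threshold=2):
    """Clients whose refused updates reach `threshold`, sorted by address."""
    return sorted(ip for ip, counts in summarize_by_client(events).items()
                  if counts["denied"] >= threshold)


# Constructed log excerpt in the format quoted above (the third entry is one log
# line, wrapped here for width).
SAMPLE_LOG = (
    "Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied\n"
    "Jun 21 12:00:01.000 client 10.0.0.1#1235: update denied\n"
    "Jun 21 12:00:02.000 client 10.0.0.2#1355: updating zone 'example.com/IN': "
    "update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)\n"
    "Jun 21 12:00:03.000 client 192.0.2.9#40000: query: www.example.com IN A + (10.0.0.53)\n"
)

if __name__ == "__main__":
    for ip, counts in sorted(summarize_by_client(parse_update_events(SAMPLE_LOG)).items()):
        print(ip, dict(counts))
```

   Feed it the file that the "update" and "security" logging categories
   are written to; a client that keeps appearing under "denied" after the
   Windows fix referenced above has been applied is the one to ask about.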

Q: When I do a "dig . ns", many of the A records for the root servers are
   missing. Why?

A: This is normal and harmless. It is a somewhat confusing side effect of
   the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
   makes to avoid promoting glue into answers.

   When BIND 9 first starts up and primes its cache, it receives the root
   server addresses as additional data in an authoritative response from a
   root server, and these records are eligible for inclusion as additional
   data in responses. Subsequently it receives a subset of the root server
   addresses as additional data in a non-authoritative (referral) response
   from a root server. This causes the addresses to now be considered
   non-authoritative (glue) data, which is not eligible for inclusion in
   responses.

   The server does have a complete set of root server addresses cached at
   all times, it just may not include all of them as additional data,
   depending on whether they were last received as answers or as glue. You
   can always look up the addresses with explicit queries like "dig
   a.root-servers.net A".

Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading the
   server or by dynamic update, but not both. If you have enabled dynamic
   update for a zone using the "allow-update" option, you are not supposed
   to edit the zone file by hand, and the server will not attempt to
   reload it.

Q: Why is named listening on a UDP port other than 53?

A: Named uses a system selected port to make queries of other nameservers.
   This behaviour can be overridden by using query-source to lock down the
   port and/or address. See also notify-source and transfer-source.

Q: I get warning messages like "zone example.com/IN: refresh: failure
   trying master 1.2.3.4#53: timed out".

A: Check that you can make UDP queries from the slave to the master:

   dig +norec example.com soa @1.2.3.4

   You could be generating queries faster than the slave can cope with.
   Lower the serial query rate.

   serial-query-rate 5; // default 20

Q: I don't get RRSIGs returned when I use "dig +dnssec".

A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).

Q: Can an NS record refer to a CNAME?

A: No. The rules for glue (copies of the *address* records in the parent
   zones) and additional section processing do not allow it to work.

   You would have to add both the CNAME and address records (A/AAAA) as
   glue to the parent zone and have CNAMEs be followed when doing
   additional section processing to make it work. No nameserver
   implementation supports either of these requirements.

Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
   mean?

A: If the IN-ADDR.ARPA name covered refers to an internal address space you
   are using then you have failed to follow RFC 1918 usage rules and are
   leaking queries to the Internet. You should establish your own zones
   for these addresses to prevent you querying the Internet's name servers
   for these addresses. Please see <http://as112.net/> for details of the
   problems you are causing and the counter measures that have had to be
   deployed.

   If you are not using these private addresses then a client has queried
   for them. You can just ignore the messages, get the offending client to
   stop sending you these queries as they are most probably leaking them,
   or set up your own empty zones to serve answers to these queries.

   zone "10.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "16.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   ...

   zone "31.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "168.192.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   empty:
   @ 10800 IN SOA <name-of-server>. <contact-email>. (
                  1 3600 1200 604800 10800 )
   @ 10800 IN NS <name-of-server>.

   Note

   Future versions of named are likely to do this automatically.
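
   As an added Python example (not part of this FAQ, not ISC code), the
   script below does two things for the answer above. First, it maps a
   logged reverse-lookup name such as 0.0.0.10.IN-ADDR.ARPA (or a shorter
   one with one to four octet labels) to the IPv4 network it covers and
   says which RFC 1918 block, if any, it falls in, which is the check that
   tells a leak of your own private space apart from a stray client query.
   Second, it generalises the configuration above by generating all
   eighteen zone statements that the "..." stands for, together with the
   contents of the "empty" file; the server and contact names passed in
   are placeholders to replace with your own.

```python
"""Classify RFC 1918 reverse-lookup names and generate the matching empty zones
(added example; not ISC code)."""
import ipaddress

# The private address blocks of RFC 1918.
RFC1918_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name_to_network(name):
    """IN-ADDR.ARPA name with 1 to 4 octet labels -> the IPv4 network it covers:
    '0.0.0.10.IN-ADDR.ARPA' -> 10.0.0.0/32, '20.172.in-addr.arpa' -> 172.20.0.0/16.
    Returns None for anything that is not a well-formed IPv4 reverse name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(forward)}/{8 * len(octets)}", strict=False)


def leaked_private_block(qname):
    """The RFC 1918 block a logged reverse query falls in, or None when the name
    is public space (then the message points at a misbehaving client, not a leak)."""
    net = reverse_name_to_network(qname)
    if net is None:
        return None
    for block in RFC1918_BLOCKS:
        if net.subnet_of(block):
            return block
    return None


def rfc1918_reverse_zones():
    """Every IN-ADDR.ARPA zone needed to cover the three blocks on octet
    boundaries: 10, 16.172 through 31.172, and 168.192 (the list the
    configuration in the FAQ abbreviates with '...')."""
    zones = []
    for block in RFC1918_BLOCKS:
        octets = -(-block.prefixlen // 8)                # whole octets, rounded up
        width = 8 * octets
        subs = [block] if width == block.prefixlen else block.subnets(new_prefix=width)
        for sub in subs:
            labels = str(sub.network_address).split(".")[:octets]
            zones.append(".".join(reversed(labels)) + ".IN-ADDR.ARPA")
    return zones


def empty_zone_stanzas(zones, file_name="empty"):
    """named.conf zone statements in the form shown in the FAQ, all using one empty file."""
    return "".join(f'zone "{z}" {{\n        type master;\n        file "{file_name}";\n}};\n\n'
                   for z in zones)


def empty_zone_file(server_name, contact):
    """Contents of the 'empty' file; server_name and contact replace the
    <name-of-server> and <contact-email> placeholders from the FAQ."""
    return (f"@ 10800 IN SOA {server_name}. {contact}. (\n"
            "               1 3600 1200 604800 10800 )\n"
            f"@ 10800 IN NS {server_name}.\n")


if __name__ == "__main__":
    for q in ("0.0.0.10.IN-ADDR.ARPA", "1.2.0.192.in-addr.arpa"):
        print(q, "->", leaked_private_block(q))
    print(empty_zone_stanzas(rfc1918_reverse_zones()))
```

   Paste the generated statements into named.conf (or into the view that
   serves your internal clients) and write the file output into the
   "empty" file in the options directory; the leak check is handy when
   grepping the "RFC 1918 response" messages out of the log.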
567
568Q: Will named be affected by the 2007 changes to daylight savings rules in
569   the US.
570
571A: No, so long as the machines internal clock (as reported by "date -u")
572   remains at UTC. The only visible change if you fail to upgrade your OS,
573   if you are in a affected area, will be that log messages will be a hour
574   out during the period where the old rules do not match the new rules.
575
576   For most OS's this change just means that you need to update the
577   conversion rules from UTC to local time. Normally this involves
578   updating a file in /etc (which sets the default timezone for the
579   machine) and possibly a directory which has all the conversion rules
580   for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
581   forget to update any chroot areas as well. See your OS's documentation
582   for more details.
583
584   The local timezone conversion rules can also be done on a individual
585   basis by setting the TZ environment variable appropriately. See your
586   OS's documentation for more details.
587
588Q: Is there a bugzilla (or other tool) database that mere mortals can have
589   (read-only) access to for bind?
590
591A: No. The BIND 9 bug database is kept closed for a number of reasons.
592   These include, but are not limited to, that the database contains
593   proprietory information from people reporting bugs. The database has in
594   the past and may in future contain unfixed bugs which are capable of
595   bringing down most of the Internet's DNS infrastructure.
596
597   The release pages for each version contain up to date lists of bugs
598   that have been fixed post release. That is as close as we can get to
599   providing a bug database.
600
601Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
602
603A: NSEC3 records are strictly meta data and can only be returned in the
604   authority section. This is done so that signing the zone using NSEC3
605   records does not bring names into existence that do not exist in the
606   unsigned version of the zone.
607
6085. Operating-System Specific Questions
609
6105.1. HPUX
611
612Q: I get the following error trying to configure BIND:
613
614   checking if unistd.h or sys/types.h defines fd_set... no
615   configure: error: need either working unistd.h or sys/select.h
616
617A: You have attempted to configure BIND with the bundled C compiler. This
618   compiler does not meet the minimum compiler requirements to for
619   building BIND. You need to install a ANSI C compiler and / or teach
620   configure how to find the ANSI C compiler. The later can be done by
621   adjusting the PATH environment variable and / or specifying the
622   compiler via CC.
623
624   ./configure CC=<compiler> ...
625
6265.2. Linux
627
628Q: Why do I get the following errors:
629
630   general: errno2result.c:109: unexpected error:
631   general: unable to convert errno to isc_result: 14: Bad address
632   client: UDP client handler shutting down due to fatal receive error: unexpected error
633
634A: This is the result of a Linux kernel bug.
635
636   See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
637   2>
638
639Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
640
641A: This is due to a kernel bug where the fact that a socket is marked
642   non-blocking is ignored. It is reported that setting xfrm_larval_drop
643   to 1 helps but this may have negative side effects. See: <https://
644   bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
645   2007/12/4/260>.
646
647   xfrm_larval_drop can be set to 1 by the following procedure:
648
649   echo "1" > proc/sys/net/core/xfrm_larval_drop
650
651Q: Why do I see 5 (or more) copies of named on Linux?
652
653A: Linux threads each show up as a process under ps. The approximate
654   number of threads running is n+4, where n is the number of CPUs. Note
655   that the amount of memory used is not cumulative; if each process is
656   using 10M of memory, only a total of 10M is used.
657
658   Newer versions of Linux's ps command hide the individual threads and
659   require -L to display them.
660
661Q: Why does BIND 9 log "permission denied" errors accessing its
662   configuration files or zones on my Linux system even though it is
663   running as root?
664
665A: On Linux, BIND 9 drops most of its root privileges on startup. This
666   including the privilege to open files owned by other users. Therefore,
667   if the server is running as root, the configuration files and zone
668   files should also be owned by root.
669
670Q: I get the error message "named: capset failed: Operation not permitted"
671   when starting named.
672
673A: The capability module, part of "Linux Security Modules/LSM", has not
674   been loaded into the kernel. See insmod(8), modprobe(8).
675
676   The relevant modules can be loaded by running:
677
678   modprobe commoncap
679   modprobe capability
680
681Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
682
683   Why can't named update slave zone database files?
684
685   Why can't named create DDNS journal files or update the master zones
686   from journals?
687
688   Why can't named create custom log files?
689
690A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
691
692   Red Hat have adopted the National Security Agency's SELinux security
693   policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
694   security , which are more secure than running named in a chroot and
695   make use of the bind-chroot environment unnecessary .
696
697   By default, named is not allowed by the SELinux policy to write, create
698   or delete any files EXCEPT in these directories:
699
700   $ROOTDIR/var/named/slaves
701   $ROOTDIR/var/named/data
702   $ROOTDIR/var/tmp
703
704
705   where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
706   installed.
707
708   The SELinux policy particularly does NOT allow named to modify the
709   $ROOTDIR/var/named directory, the default location for master zone
710   database files.
711
712   SELinux policy overrules file access permissions - so even if all the
713   files under /var/named have ownership named:named and mode rw-rw-r--,
714   named will still not be able to write or create files except in the
715   directories above, with SELinux in Enforcing mode.
716
717   So, to allow named to update slave or DDNS zone files, it is best to
718   locate them in $ROOTDIR/var/named/slaves, with named.conf zone
719   statements such as:
720
721   zone "slave.zone." IN {
722           type slave;
723           file "slaves/slave.zone.db";
724           ...
725   };
726   zone "ddns.zone." IN  {
727           type master;
728           allow-updates {...};
729           file "slaves/ddns.zone.db";
730   };
731
732
733   To allow named to create its cache dump and statistics files, for
734   example, you could use named.conf options statements such as:
735
736   options {
737           ...
738           dump-file "/var/named/data/cache_dump.db";
739           statistics-file "/var/named/data/named_stats.txt";
740           ...
741   };
742
743
744   You can also tell SELinux to allow named to update any zone database
745   files, by setting the SELinux tunable boolean parameter
746   'named_write_master_zones=1', using the system-config-securitylevel
747   GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
748   booleans.
749
750   You can disable SELinux protection for named entirely by setting the
751   'named_disable_trans=1' SELinux tunable boolean parameter.
752
753   The SELinux named policy defines these SELinux contexts for named:
754
755   named_zone_t : for zone database files       - $ROOTDIR/var/named/*
756   named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
757   named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
758
759
   If you want to retain use of the SELinux policy for named, and put
   named files in different locations, you can do so by changing the
   context of the custom file locations.

   To create a custom configuration file location, e.g. '/root/named.conf',
   to use with the 'named -c' option, do:

   # chcon system_u:object_r:named_conf_t /root/named.conf


   To create a custom modifiable named data location, e.g. '/var/log/named'
   for a log file, do:

   # chcon system_u:object_r:named_cache_t /var/log/named


   To create a custom zone file location, e.g. /root/zones/, do:

   # chcon system_u:object_r:named_zone_t /root/zones/{.,*}


   See these man-pages for more information: selinux(8), named_selinux(8),
   chcon(1), setsebool(8)

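   To check that a named file layout actually carries the contexts the policy table above expects (before or after relabelling with chcon), here is an added shell script that is not part of the FAQ. It encodes the three context types and the $ROOTDIR prefix from the table, reads "path context" lines such as `stat -c '%n %C'` prints, and flags files whose type would stop named from reading or writing them; the sample listing inside it is constructed.

```shell
#!/bin/sh
# Added example, not part of the BIND FAQ: audit SELinux contexts on named's
# files against the FAQ's named policy table. ROOTDIR is the chroot prefix
# (empty when named is not chrooted); the type names are the FAQ's.
ROOTDIR="${ROOTDIR:-}"
# expected_type PATH: print the type the named policy expects. Writable places
# (slaves/, data/, var/tmp) come first or the var/named/* rule would swallow them.
expected_type() {
    case "$1" in
        "$ROOTDIR"/var/named/slaves|"$ROOTDIR"/var/named/slaves/*) echo named_cache_t ;;
        "$ROOTDIR"/var/named/data|"$ROOTDIR"/var/named/data/*)     echo named_cache_t ;;
        "$ROOTDIR"/var/tmp|"$ROOTDIR"/var/tmp/*)                   echo named_cache_t ;;
        "$ROOTDIR"/var/named/*)                                    echo named_zone_t ;;
        "$ROOTDIR"/etc/named.*|"$ROOTDIR"/etc/rndc.*)              echo named_conf_t ;;
        *)                                                         echo unknown ;;
    esac
}
# check_context "PATH CONTEXT": CONTEXT is user:role:type[:level] as printed by
# stat -c '%n %C'. Returns 0 on match, 1 on mismatch, 2 if outside the table.
check_context() {
    path=${1%% *}
    have=$(printf '%s' "${1#* }" | cut -d: -f3)
    want=$(expected_type "$path")
    if [ "$want" = unknown ]; then
        echo "unknown  $path (not covered by the named policy)"; return 2
    elif [ "$have" = "$want" ]; then
        echo "ok       $path ($have)"; return 0
    else
        echo "MISMATCH $path is $have, expected $want: chcon -t $want $path"; return 1
    fi
}
# audit: read "PATH CONTEXT" lines from stdin; succeed only if every line is ok.
# Live use: find /var/named /etc/named.conf -exec stat -c '%n %C' {} + | audit
audit() {
    rc=0
    while read -r line; do
        [ -n "$line" ] || continue
        check_context "$line" || rc=1
    done
    return $rc
}
# Constructed sample listing (not from a real host): the slave zone file carries
# the read-only type, which is exactly the "named can't update slaves" symptom.
SAMPLE='/etc/named.conf system_u:object_r:named_conf_t:s0
/var/named/example.com.db system_u:object_r:named_zone_t:s0
/var/named/slaves/slave.zone.db system_u:object_r:named_zone_t:s0
/var/named/data/cache_dump.db system_u:object_r:named_cache_t:s0'
if printf '%s\n' "$SAMPLE" | audit; then echo "all contexts ok"; else echo "fix the MISMATCH lines"; fi
```

   Set ROOTDIR to the chroot directory when named runs chrooted; the patterns are re-evaluated on every call, so the same functions serve both layouts.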
Q: I'm running BIND on Ubuntu -

   Why can't named update slave zone database files?

   Why can't named create DDNS journal files or update the master zones
   from journals?

   Why can't named create custom log files?

A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
   addition to normal file system permissions to protect the system.

   Adjust the paths to use those specified in
   /etc/apparmor.d/usr.sbin.named, or adjust /etc/apparmor.d/usr.sbin.named
   to allow named to write at the location specified in named.conf.

Q: Listening on individual IPv6 interfaces does not work.

A: This is usually due to "/proc/net/if_inet6" not being available in the
   chroot file system. Mount another instance of "proc" in the chroot file
   system.

   This can be made permanent by adding a second instance to /etc/fstab.

   proc /proc           proc defaults 0 0
   proc /var/named/proc proc defaults 0 0

5.3. Windows

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
   Why?

A: This may be caused by a bug in the Windows 2000 DNS server where DNS
   messages larger than 16K are not handled properly. This can be worked
   around by setting the option "transfer-format one-answer;". Also check
   whether your zone contains domain names with embedded spaces or other
   special characters, like "John\032Doe\213s\032Computer", since such
   names have been known to cause Windows 2000 slaves to incorrectly
   reject the zone.

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to
   examine the Application log in the EventViewer to find out why.

   Common causes are that you failed to create "named.conf" (usually
   "C:\windows\dns\etc\named.conf") or failed to specify the directory in
   named.conf.

   options {
           directory "C:\windows\dns\etc";
   };

5.4. FreeBSD

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
   use certain interrupts as a source of random events. You can make this
   permanent by setting rand_irqs in /etc/rc.conf.

   rand_irqs="3 14 15"

   See also <http://people.freebsd.org/~dougb/randomness.html>.

5.5. Solaris

Q: How do I integrate BIND 9 and Solaris SMF?

A: Sun has a blog entry describing how to do this.

   <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>

5.6. Apple Mac OS X

Q: How do I run BIND 9 on Apple Mac OS X?

A: If you run Tiger (Mac OS 10.4) or later, this is all you need to do
   (the redirection runs under sudo, since an unprivileged shell cannot
   write to /etc):

   % sudo sh -c 'rndc-confgen > /etc/rndc.conf'

   Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:

   key "rndc-key" {
           algorithm hmac-sha256;
           secret "uvceheVuqf17ZwIcTydddw==";
   };

   Then start the relevant service:

   % sudo service org.isc.named start

   This is persistent upon a reboot, so you will have to do it only once.

A: Alternatively you can just generate /etc/rndc.key by running:

   % sudo rndc-confgen -a

   Then start the relevant service:

   % sudo service org.isc.named start

   named will look for /etc/rndc.key when it starts if it doesn't have a
   controls section or the existing controls are missing keys sub-clauses.
   This is persistent upon a reboot, so you will have to do it only once.

