Merge from vendor branch INTEL_ACPICA:

[dragonfly.git] / contrib / bind-9.3 / FAQ

Frequently Asked Questions about BIND 9

-------------------------------------------------------------------------------

Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
   In particular, setuid() operates only on the current thread, not the full
   process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
   it can on all other supported platforms. setuid() cannot be called before
   creating threads, since the server does not start listening on reserved
   ports until after threads have started.

   In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
   capabilities across a setuid() call is present. This allows BIND 9 to call
   setuid() early, while retaining the ability to bind reserved ports. This is
   a Linux-specific hack.

   On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
   of a security risk than a root process that has not dropped privileges.

   If Linux threads ever work correctly, this restriction will go away.

   Configuring BIND9 with the --disable-threads option (the default) causes a
   non-threaded version to be built, which will allow -u to be used.

Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
   instead"?

A: Your zone file is illegal according to RFC1035. It must either have a line
   like:

   $TTL 86400

   at the beginning, or the first record in it must have a TTL field, like the
   "84600" in this example:

   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps. The approximate number of
   threads running is n+4, where n is the number of CPUs. Note that the amount
   of memory used is not cumulative; if each process is using 10M of memory,
   only a total of 10M is used.

Q: Why does BIND 9 log "permission denied" errors accessing its configuration
   files or zones on my Linux system even though it is running as root?

A: On Linux, BIND 9 drops most of its root privileges on startup. This
   including the privilege to open files owned by other users. Therefore, if
   the server is running as root, the configuration files and zone files should
   also be owned by root.

Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
   bar: ran out of space"?

A: This is often caused by TXT records with missing close quotes. Check that
   all TXT records containing quoted strings have both open and close quotes.

Q: How do I produce a usable core file from a multithreaded named on Linux?

A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
   (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
   apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
   kernel. This patch will cause multithreaded programs to dump the correct
   thread.

Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real version in
   the "options" section of named.conf. Note doing this will not prevent
   attacks and may impede people trying to diagnose problems with your server.
   Also it is possible to "fingerprint" nameservers to determine their version.

Q: How do I restrict only remote users from looking up the server version?

A: The following view statement will intercept lookups as the internal view
   that holds the version information will be matched last. The caveats of the
   previous answer still apply, of course.

   view "chaos" chaos {
           match-clients { <those to be refused>; };
           allow-query { none; };
           zone "." {
                   type hint;
                   file "/dev/null";  // or any empty file
           };
   };

Q: What do "no source of entropy found" or "could not open entropy source foo"
   mean?

A: The server requires a source of entropy to perform certain operations,
   mostly DNSSEC related. These messages indicate that you have no source of
   entropy. On systems with /dev/random or an equivalent, it is used by
   default. A source of entropy can also be defined using the random-device
   option in named.conf.

Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?

A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
   under /usr. Check that the correct named is running.

Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
   I'm sure I have the keys set up correctly, but the server is rejecting the
   TSIG. Why?

A: This may be a clock skew problem. Check that the the clocks on the client
   and server are properly synchronised (e.g., using ntp).

Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
   found. Why?

A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
   doesn't work. If you are using one of these, use normal make or gmake
   instead.

Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
   error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
   What's wrong?

A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
   BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
   slave despite the error message.

Q: I keep getting log messages like the following. Why?

   Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
   failed: 'RRset exists (value dependent)' prerequisite not satisfied
   (NXRRSET)

A: DNS updates allow the update request to test to see if certain conditions
   are met prior to proceeding with the update. The message above is saying
   that conditions were not met and the update is not proceeding. See doc/rfc/
   rfc2136.txt for more details on prerequisites.

Q: I keep getting log messages like the following. Why?

   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
   protocol. Windows 2000 machines have a habit of sending dynamic update
   requests to DNS servers without being specifically configured to do so. If
   the update requests are coming from a Windows 2000 machine, see http://
   support.microsoft.com/support/kb/articles/q246/8/04.asp for information
   about how to turn them off.

Q: I see a log message like the following. Why?

   couldn't open pid file '/var/run/named.pid': Permission denied

A: You are most likely running named as a non-root user, and that user does not
   have permission to write in /var/run. The common ways of fixing this are to
   create a /var/run/named directory owned by the named user and set pid-file
   to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
   put the file in the directory specified by the directory option (which, in
   this case, must be writable by the named user).

Q: When I do a "dig . ns", many of the A records for the root servers are
   missing. Why?

A: This is normal and harmless. It is a somewhat confusing side effect of the
   way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
   avoid promoting glue into answers.

   When BIND 9 first starts up and primes its cache, it receives the root
   server addresses as additional data in an authoritative response from a root
   server, and these records are eligible for inclusion as additional data in
   responses. Subsequently it receives a subset of the root server addresses as
   additional data in a non-authoritative (referral) response from a root
   server. This causes the addresses to now be considered non-authoritative
   (glue) data, which is not eligible for inclusion in responses.

   The server does have a complete set of root server addresses cached at all
   times, it just may not include all of them as additional data, depending on
   whether they were last received as answers or as glue. You can always look
   up the addresses with explicit queries like "dig a.root-servers.net A".

Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?

A: This may be caused by a bug in the Windows 2000 DNS server where DNS
   messages larger than 16K are not handled properly. This can be worked around
   by setting the option "transfer-format one-answer;". Also check whether your
   zone contains domain names with embedded spaces or other special characters,
   like "John\032Doe\213s\032Computer", since such names have been known to
   cause Windows 2000 slaves to incorrectly reject the zone.

Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading the server
   or by dynamic update, but not both. If you have enabled dynamic update for a
   zone using the "allow-update" option, you are not supposed to edit the zone
   file by hand, and the server will not attempt to reload it.

Q: I can query the nameserver from the nameserver but not from other machines.
   Why?

A: This is usually the result of the firewall configuration stopping the
   queries and / or the replies.

Q: How can I make a server a slave for both an internal and an external view at
   the same time? When I tried, both views on the slave were transferred from
   the same view on the master.

A: You will need to give the master and slave multiple IP addresses and use
   those to make sure you reach the correct view on the other machine.

   Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
       internal:
           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
                   notify-source 10.0.1.1;
                   transfer-source 10.0.1.1;
                   query-source address 10.0.1.1;
       external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source 10.0.1.2;
           transfer-source 10.0.1.2;
           query-source address 10.0.1.2;

   Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
       internal:
           match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
           notify-source 10.0.1.3;
           transfer-source 10.0.1.3;
           query-source address 10.0.1.3;
      external:
           match-clients { any; };
           recursion no;   // don't offer recursion to the world
           notify-source 10.0.1.4;
           transfer-source 10.0.1.4;
           query-source address 10.0.1.4;

   You put the external address on the alias so that all the other dns clients
   on these boxes see the internal view by default.

A: BIND 9.3 and later: Use TSIG to select the appropriate view.

   Master 10.0.1.1:
           key "external" {
                   algorithm hmac-md5;
                   secret "xxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.0.2 { keys external; };
                   recursion no;
                   ...
           };

   Slave 10.0.1.2:
           key "external" {
                   algorithm hmac-md5;
                   secret "xxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.0.1 { keys external; };
                   recursion no;
                   ...
           };

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
   certain interrupts as a source of random events. You can make this permanent
   by setting rand_irqs in /etc/rc.conf.

   /etc/rc.conf
   rand_irqs="3 14 15"

   See also http://people.freebsd.org/~dougb/randomness.html

Q: Why is named listening on UDP port other than 53?

A: Named uses a system selected port to make queries of other nameservers. This
   behaviour can be overridden by using query-source to lock down the port and/
   or address. See also notify-source and transfer-source.

Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
   other data" when transferring a zone. What does this mean?

A: These indicate a malformed master zone. You can identify the exact records
   involved by transferring the zone using dig then running named-checkzone on
   it.

   dig axfr example.com @master-server > tmp
   named-checkzone example.com tmp

   A CNAME record cannot exist with the same name as another record except for
   the DNSSEC records which prove its existance (NSEC).

   RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
   should be present; this ensures that the data for a canonical name and its
   aliases cannot be different. This rule also insures that a cached CNAME can
   be used without checking with an authoritative server for other RR types."

Q: I get error messages like "named.conf:99: unexpected end of input" where 99
   is the last line of named.conf.

A: Some text editors (notepad and wordpad) fail to put a line title indication
   (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
   a blank line to the end of the file. Named expects to see EOF immediately
   after EOL and treats text files where this is not met as truncated.

Q: I get warning messages like "zone example.com/IN: refresh: failure trying
   master 1.2.3.4#53: timed out".

A: Check that you can make UDP queries from the slave to the master

   dig +norec example.com soa @1.2.3.4

   You could be generating queries faster than the slave can cope with. Lower
   the serial query rate.

   serial-query-rate 5; // default 20

Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer the
   zone between views.

   Master 10.0.1.1:
           key "external" {
                   algorithm hmac-md5;
                   secret "xxxxxxxx";
           };

           key "mykey" {
                   algorithm hmac-md5;
                   secret "yyyyyyyy";
           };

           view "internal" {
                   match-clients { !external; 10.0.1/24; };
                   server 10.0.1.1 {
                           /* Deliver notify messages to external view. */
                           keys { external; };
                   };
                   zone "example.com" {
                           type master;
                           file "internal/example.db";
                           allow-update { key mykey; };
                           notify-also { 10.0.1.1; };
                   };
           };

           view "external" {
                   match-clients { external; any; };
                   zone "example.com" {
                           type slave;
                           file "external/example.db";
                           masters { 10.0.1.1; };
                           transfer-source { 10.0.1.1; };
                           // allow-update-forwarding { any; };
                           // allow-notify { ... };
                   };
           };

Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
   file primaries/wireless.ietf56.ietf.org: no owner".

A: This error is produced when a line in the master file contains leading white
   space (tab/space) but the is no current record owner name to inherit the
   name from. Usually this is the result of putting white space before a
   comment. Forgeting the "@" for the SOA record or indenting the master file.

Q: Why are my logs in GMT (UTC).

A: You are running chrooted (-t) and have not supplied local timzone
   information in the chroot area.

   FreeBSD: /etc/localtime
   Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
   OSF: /etc/zoneinfo/localtime

   See also tzset(3) and zic(8).

Q: I get the error message "named: capset failed: Operation not permitted" when
   starting named.

A: The capability module, part of "Linux Security Modules/LSM", has not been
   loaded into the kernel. See insmod(8).

Q: I get "rndc: connect failed: connection refused" when I try to run rndc.

A: This is usually a configuration error.

   First ensure that named is running and no errors are being reported at
   startup (/var/log/messages or equivalent). Running "named -g <usual
   arguments>" from a title can help at this point.

   Secondly ensure that named is configured to use rndc either by "rndc-confgen
   -a", rndc-confgen or manually. The Administrators Reference manual has
   details on how to do this.

   Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
   rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
   the default server listed in /etc/rndc.conf matches the addresses used in
   named.conf. "localhost" has two address (127.0.0.1 and ::1).

   If you use "rndc-confgen -a" and named is running with -t or -u ensure that
   /etc/rndc.conf has the correct ownership and that a copy is in the chroot
   area. You can do this by re-running "rndc-confgen -a" with appropriate -t
   and -u arguments.

Q: I don't get RRSIG's returned when I use "dig +dnssec".

A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).

Q: I get "Error 1067" when starting named under Windows.

A: This is the service manager saying that named exited. You need to examine
   the Application log in the EventViewer to find out why.

   Common causes are that you failed to create "named.conf" (usually "C:\
   windows\dns\etc\named.conf") or failed to specify the directory in
   named.conf.

   options {
           Directory "C:\windows\dns\etc";
   };

Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
   receiving responses: permission denied" error messages.

A: These indicate a filesystem permission error preventing named creating /
   renaming the temporary file. These will usually also have other associated
   error messages like

   "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

   Named needs write permission on the directory containing the file. Named
   writes the new cache file to a temporary file then renames it to the name
   specified in named.conf to ensure that the contents are always complete.
   This is to prevent named loading a partial zone in the event of power
   failure or similar interrupting the write of the master file.

   Note file names are relative to the directory specified in options and any
   chroot directory ([<chroot dir>/][<options dir>]).

   If named is invoked as "named -t /chroot/DNS" with the following named.conf
   then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
   running as.

   options {
           directory "/var/named";
   };

   zone "example.net" {
           type slave;
           file "sl/example.net";
           masters { 192.168.4.12; };
   };

Q: How do I intergrate BIND 9 and Solaris SMF

A: Sun has a blog entry describing how to do this.

   http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris

Q: Can a NS record refer to a CNAME.

A: No. The rules for glue (copies of the *address* records in the parent zones)
   and additional section processing do not allow it to work.

   You would have to add both the CNAME and address records (A/AAAA) as glue to
   the parent zone and have CNAMEs be followed when doing additional section
   processing to make it work. No namesever implementation supports either of
   these requirements.

Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?

A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
   using then you have failed to follow RFC 1918 usage rules and are leaking
   queries to the Internet. You should establish your own zones for these
   addresses to prevent you quering the Internet's name servers for these
   addresses. Please see http://as112.net/ for details of the problems you are
   causing and the counter measures that have had to be deployed.

   If you are not using these private addresses then a client has queried for
   them. You can just ignore the messages, get the offending client to stop
   sending you these messages as they are most probably leaking them or setup
   your own zones empty zones to serve answers to these queries.

   zone "10.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "16.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   ...

   zone "31.172.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   zone "168.192.IN-ADDR.ARPA" {
           type master;
           file "empty";
   };

   empty:
   @ 10800 IN SOA <name-of-server>. <contact-email>. (
                  1 3600 1200 604800 10800 )
   @ 10800 IN NS <name-of-server>.

   Note

   Future versions of named are likely to do this automatically.