<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
- Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: FAQ.xml,v 1.4.6.3 2005/11/02 22:53:51 marka Exp $ -->
<title>Frequently Asked Questions about BIND 9</title>
<qandaset defaultlabel='qanda'>
Why doesn't -u work on Linux 2.2.x when I build with
Linux threads do not fully implement the POSIX threads
(pthreads) standard. In particular, setuid() operates only
on the current thread, not the full process. Because of
this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms. setuid() cannot be
called before creating threads, since the server does not
start listening on reserved ports until after threads have
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
to preserve capabilities across a setuid() call is present.
This allows BIND 9 to call setuid() early, while retaining
the ability to bind reserved ports. This is a Linux-specific
On a 2.2 kernel, BIND 9 does drop many root privileges, so
it should be less of a security risk than a root process
that has not dropped privileges.
If Linux threads ever work correctly, this restriction will
Configuring BIND 9 with the --disable-threads option (the
default) causes a non-threaded version to be built, which
will allow -u to be used.
Why does named log the warning message <quote>no TTL specified -
using SOA MINTTL instead</quote>?
Your zone file is illegal according to RFC1035. It must either
$TTL 86400</programlisting>
at the beginning, or the first record in it must have a TTL field,
like the "86400" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
Why do I see 5 (or more) copies of named on Linux?
Linux threads each show up as a process under ps. The
approximate number of threads running is n+4, where n is
the number of CPUs. Note that the amount of memory used
is not cumulative; if each process is using 10M of memory,
only a total of 10M is used.
Why does BIND 9 log <quote>permission denied</quote> errors accessing
its configuration files or zones on my Linux system even
though it is running as root?
On Linux, BIND 9 drops most of its root privileges on
startup. This includes the privilege to open files owned
by other users. Therefore, if the server is running as
root, the configuration files and zone files should also
Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
master file bar: ran out of space</quote>?
This is often caused by TXT records with missing close
quotes. Check that all TXT records containing quoted strings
have both open and close quotes.
How do I produce a usable core file from a multithreaded
If the Linux kernel is 2.4.7 or newer, multithreaded core
dumps are usable (that is, the correct thread is dumped).
Otherwise, if using a 2.2 kernel, apply the kernel patch
found in contrib/linux/coredump-patch and rebuild the kernel.
This patch will cause multithreaded programs to dump the
How do I restrict people from looking up the server version?
Put a "version" option containing something other than the
real version in the "options" section of named.conf. Note
that doing this will not prevent attacks and may impede people
trying to diagnose problems with your server. Also it is
possible to "fingerprint" nameservers to determine their
How do I restrict only remote users from looking up the
The following view statement will intercept version lookups, since the
internal view that holds the version information will be
matched last. The caveats of the previous answer still
match-clients { <those to be refused>; };
allow-query { none; };
file "/dev/null"; // or any empty file
What do <quote>no source of entropy found</quote> or <quote>could not
open entropy source foo</quote> mean?
The server requires a source of entropy to perform certain
operations, mostly DNSSEC related. These messages indicate
that you have no source of entropy. On systems with
/dev/random or an equivalent, it is used by default. A
source of entropy can also be defined using the random-device
option in named.conf.
I installed BIND 9 and restarted named, but it's still BIND 8. Why?
BIND 9 is installed under /usr/local by default. BIND 8
is often installed under /usr. Check that the correct named
I'm trying to use TSIG to authenticate dynamic updates or
zone transfers. I'm sure I have the keys set up correctly,
but the server is rejecting the TSIG. Why?
This may be a clock skew problem. Check that the clocks
on the client and server are properly synchronised (e.g.,
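The clock-skew rejection described above, as an added example (not BIND's code): a TSIG-style HMAC that covers the "time signed" and "fudge" fields, verified with the RFC 2845 check order (MAC first, then the time window). The key, message and clock values are constructed, and the MAC input is a simplified stand-in for the full TSIG wire format.

```python
import hmac
import hashlib

def tsig_mac(key, message, time_signed, fudge):
    """HMAC over the message plus the TSIG timing fields, as both peers compute it."""
    data = message + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big")
    return hmac.new(key, data, hashlib.sha256).digest()   # hmac-sha256 TSIG algorithm

def sign(key, message, signer_clock, fudge=300):
    """Client side: signs with its own clock; fudge is the skew tolerance in seconds."""
    return {"time_signed": signer_clock, "fudge": fudge,
            "mac": tsig_mac(key, message, signer_clock, fudge)}

def verify(key, message, tsig, server_clock):
    """Server side: RFC 2845 checks in order, MAC first, then the time window."""
    expected = tsig_mac(key, message, tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"        # wrong key or altered message (or altered time field)
    if abs(server_clock - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"       # clocks differ by more than fudge: the symptom above
    return "NOERROR"

KEY = b"constructed-shared-secret"                        # stands in for the named.conf key
MESSAGE = b"update example.com add www A 192.0.2.10"      # stands in for the DNS message
```

A valid key still fails with BADTIME once the two clocks drift apart by more than the fudge (300 seconds by default), which is why synchronising the clocks fixes it.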
I'm trying to compile BIND 9, and "make" is failing due to
files not being found. Why?
Using a parallel or distributed "make" to build BIND 9 is
not supported, and doesn't work. If you are using one of
these, use normal make or gmake instead.
I have a BIND 9 master and a BIND 8.2.3 slave, and the
master is logging error messages like <quote>notify to 10.0.0.1#53
failed: unexpected end of input</quote>. What's wrong?
This error message is caused by a known bug in BIND 8.2.3
and is fixed in BIND 8.2.4. It can be safely ignored - the
notify has been acted on by the slave despite the error
I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
'example.com/IN': update failed: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
DNS updates allow the update request to test to see if
certain conditions are met prior to proceeding with the
update. The message above is saying that conditions were
not met and the update is not proceeding. See doc/rfc/rfc2136.txt
for more details on prerequisites.
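The prerequisite check behind that message, as an added example (not BIND's code): an evaluator for the RFC 2136 section 3.2 prerequisite forms against a constructed zone, including the "RRset exists (value dependent)" case that yields NXRRSET when the client's asserted RRset does not match what the zone holds.

```python
# Zone contents as {(owner, type): set of rdata}; constructed sample data.
ZONE = {
    ("host1.example.com.", "A"): {"10.0.0.5"},
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
}

def check_prerequisite(zone, name, rclass, rtype, rdata=None):
    """Evaluate one prerequisite RR (RFC 2136 section 3.2).

    rclass ANY/NONE with no rdata are the value-independent forms; class IN
    with rdata is 'RRset exists (value dependent)'. Returns None when the
    prerequisite holds, otherwise the RCODE the server answers with."""
    types_present = {t for (n, t) in zone if n == name}
    if rclass == "ANY":
        if rtype == "ANY":                             # 3.2.4 name is in use
            return None if types_present else "NXDOMAIN"
        return None if rtype in types_present else "NXRRSET"   # 3.2.1
    if rclass == "NONE":
        if rtype == "ANY":                             # 3.2.5 name is not in use
            return "YXDOMAIN" if types_present else None
        return "YXRRSET" if rtype in types_present else None   # 3.2.3
    # 3.2.2: the prerequisite's whole RRset must equal the RRset in the zone
    return None if zone.get((name, rtype)) == set(rdata) else "NXRRSET"

def process_update(zone, prereqs, adds):
    """Apply the adds only if every prerequisite holds; a failure is what named
    logs as 'update failed: ... prerequisite not satisfied (<RCODE>)'."""
    for prereq in prereqs:
        rcode = check_prerequisite(zone, *prereq)
        if rcode is not None:
            return rcode                               # zone left untouched
    for name, rtype, rdata in adds:
        zone.setdefault((name, rtype), set()).add(rdata)
    return "NOERROR"

# The logged situation: the client asserts host1's A RRset is exactly
# 10.0.0.9 before changing it, but the zone holds 10.0.0.5.
LOGGED_CASE = ([("host1.example.com.", "IN", "A", {"10.0.0.9"})],
               [("host1.example.com.", "A", "10.0.0.10")])
```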
I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
Someone is trying to update your DNS data using the RFC2136
Dynamic Update protocol. Windows 2000 machines have a habit
of sending dynamic update requests to DNS servers without
being specifically configured to do so. If the update
requests are coming from a Windows 2000 machine, see
url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
http://support.microsoft.com/support/kb/articles/q246/8/04.asp
for information about how to turn them off.
I see a log message like the following. Why?
couldn't open pid file '/var/run/named.pid': Permission denied
You are most likely running named as a non-root user, and
that user does not have permission to write in /var/run.
The common ways of fixing this are to create a /var/run/named
directory owned by the named user and set pid-file to
"/var/run/named/named.pid", or set pid-file to "named.pid",
which will put the file in the directory specified by the
directory option (which, in this case, must be writable by
When I do a "dig . ns", many of the A records for the root
servers are missing. Why?
This is normal and harmless. It is a somewhat confusing
side effect of the way BIND 9 does RFC2181 trust ranking
and of the efforts BIND 9 makes to avoid promoting glue
When BIND 9 first starts up and primes its cache, it receives
the root server addresses as additional data in an authoritative
response from a root server, and these records are eligible
for inclusion as additional data in responses. Subsequently
it receives a subset of the root server addresses as
additional data in a non-authoritative (referral) response
from a root server. This causes those addresses to be
considered non-authoritative (glue) data, which is not
eligible for inclusion in responses.
The server does have a complete set of root server addresses
cached at all times; it just may not include all of them
as additional data, depending on whether they were last
received as answers or as glue. You can always look up the
addresses with explicit queries like "dig a.root-servers.net A".
Zone transfers from my BIND 9 master to my Windows 2000
This may be caused by a bug in the Windows 2000 DNS server
where DNS messages larger than 16K are not handled properly.
This can be worked around by setting the option "transfer-format
one-answer;". Also check whether your zone contains domain
names with embedded spaces or other special characters,
like "John\032Doe\213s\032Computer", since such names have
been known to cause Windows 2000 slaves to incorrectly
Why don't my zones reload when I do an "rndc reload" or SIGHUP?
A zone can be updated either by editing zone files and
reloading the server or by dynamic update, but not both.
If you have enabled dynamic update for a zone using the
"allow-update" option, you are not supposed to edit the
zone file by hand, and the server will not attempt to reload
I can query the nameserver from the nameserver but not from other
This is usually the result of the firewall configuration stopping
the queries and/or the replies.
How can I make a server a slave for both an internal and
an external view at the same time? When I tried, both views
on the slave were transferred from the same view on the master.
You will need to give the master and slave multiple IP
addresses and use those to make sure you reach the correct
view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;</programlisting>
You put the external address on the alias so that all the other
DNS clients on these boxes see the internal view by default.
BIND 9.3 and later: Use TSIG to select the appropriate view.
match-clients { !key external; 10.0.1/24; };
match-clients { key external; any; };
server 10.0.0.2 { keys external; };
match-clients { !key external; 10.0.1/24; };
match-clients { key external; any; };
server 10.0.0.1 { keys external; };
I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
/dev/random is not configured. Use rndcontrol(8) to tell
the kernel to use certain interrupts as a source of random
events. You can make this permanent by setting rand_irqs
rand_irqs="3 14 15"</programlisting>
<ulink url="http://people.freebsd.org/~dougb/randomness.html">
http://people.freebsd.org/~dougb/randomness.html
Why is named listening on a UDP port other than 53?
Named uses a system-selected port to make queries of other
nameservers. This behaviour can be overridden by using
query-source to lock down the port and/or address. See
also notify-source and transfer-source.
I get error messages like <quote>multiple RRs of singleton type</quote>
and <quote>CNAME and other data</quote> when transferring a zone. What
These indicate a malformed master zone. You can identify
the exact records involved by transferring the zone using
dig, then running named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp</programlisting>
A CNAME record cannot exist with the same name as another record
except for the DNSSEC records which prove its existence (NSEC).
RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
no other data should be present; this ensures that the data for a
canonical name and its aliases cannot be different. This rule also
insures that a cached CNAME can be used without checking with an
authoritative server for other RR types.</quote>
I get error messages like <quote>named.conf:99: unexpected end
of input</quote> where 99 is the last line of named.conf.
Some text editors (notepad and wordpad) fail to put a line
termination indication (e.g. CR/LF) on the last line of a
text file. This can be fixed by "adding" a blank line to
the end of the file. Named expects to see EOF immediately
after EOL and treats text files where this is not met as
I get warning messages like <quote>zone example.com/IN: refresh:
failure trying master 1.2.3.4#53: timed out</quote>.
Check that you can make UDP queries from the slave to the master
dig +norec example.com soa @1.2.3.4</programlisting>
You could be generating queries faster than the slave can
cope with. Lower the serial query rate.
serial-query-rate 5; // default 20</programlisting>
How do I share a dynamic zone between multiple views?
You choose one view to be master and the second a slave, and
transfer the zone between views.
match-clients { !external; 10.0.1/24; };
/* Deliver notify messages to external view. */
file "internal/example.db";
allow-update { key mykey; };
notify-also { 10.0.1.1; };
match-clients { external; any; };
file "external/example.db";
masters { 10.0.1.1; };
transfer-source { 10.0.1.1; };
// allow-update-forwarding { any; };
// allow-notify { ... };
I get an error message like <quote>zone wireless.ietf56.ietf.org/IN:
loading master file primaries/wireless.ietf56.ietf.org: no
This error is produced when a line in the master file
contains leading white space (tab/space) but there is no
current record owner name to inherit the name from. Usually
this is the result of putting white space before a comment.
Forgetting the "@" for the SOA record or indenting the master
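One checker for the four master-file faults this FAQ describes (the missing TTL on the first record, the unbalanced quote behind "ran out of space", "CNAME and other data", and the indented line with no owner name to inherit), as an added example rather than BIND's own named-checkzone. It assumes one record per line (no parenthesised continuations) and uses a constructed zone as input.

```python
CLASSES = {"IN", "CH", "HS"}
CNAME_COMPANIONS = {"CNAME", "NSEC", "RRSIG"}   # may share a name with a CNAME

def strip_comment(line):
    """Drop a ';' comment (semicolons inside quotes stay); also report an open quote."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out), in_quote

def lint_zone(text):
    """Return [(line_number, problem_code)] for a zone with one record per line."""
    problems, owner, have_default_ttl, first_record, types_by_name = [], None, False, True, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, unbalanced = strip_comment(raw)
        if unbalanced:                       # what named reports as "ran out of space"
            problems.append((lineno, "unbalanced-quote"))
        indented = raw[:1] in (" ", "\t")
        if indented and raw.strip() and owner is None:
            problems.append((lineno, "no-owner"))   # nothing to inherit the name from
            continue
        if not line.strip():
            continue
        if line.startswith("$"):             # $TTL, $ORIGIN, $INCLUDE are not records
            have_default_ttl |= line.startswith("$TTL")
            continue
        fields = line.split()
        if not indented:                     # explicit owner name on this line
            owner, fields = fields[0], fields[1:]
        ttl = None
        for _ in range(2):                   # optional TTL and class, either order
            if fields and fields[0].isdigit():
                ttl = int(fields.pop(0))
            elif fields and fields[0].upper() in CLASSES:
                fields.pop(0)
        if first_record and ttl is None and not have_default_ttl:
            problems.append((lineno, "no-ttl"))   # named falls back to SOA MINTTL
        first_record = False
        if fields:
            types_by_name.setdefault(owner, set()).add(fields[0].upper())
    for name, types in types_by_name.items():
        if "CNAME" in types and types - CNAME_COMPANIONS:
            problems.append((0, "cname-and-other-data:" + name))
    return problems

# Constructed zone exhibiting every problem except the missing TTL.
SAMPLE_ZONE = """\
   ; indented comment before any owner name
$TTL 86400
example.com. IN SOA ns hostmaster 1 3600 1800 1814400 3600
             IN NS ns
ns           IN A 192.0.2.1
www          IN CNAME ns
www          IN TXT "missing close quote
"""
```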
Why are my logs in GMT (UTC)?
You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
<member>FreeBSD: /etc/localtime</member>
<member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
<member>OSF: /etc/zoneinfo/localtime</member>
See also tzset(3) and zic(8).
I get the error message <quote>named: capset failed: Operation
not permitted</quote> when starting named.
The capability module, part of "Linux Security Modules/LSM",
has not been loaded into the kernel. See insmod(8).
I get <quote>rndc: connect failed: connection refused</quote> when
This is usually a configuration error.
First ensure that named is running and no errors are being
reported at startup (/var/log/messages or equivalent).
Running "named -g <usual arguments>" from a terminal
can help at this point.
Secondly ensure that named is configured to use rndc either
by "rndc-confgen -a", rndc-confgen or manually. The
Administrator Reference Manual has details on how to do
Old versions of rndc-confgen used localhost rather than
127.0.0.1 in /etc/rndc.conf for the default server. Update
/etc/rndc.conf if necessary so that the default server
listed in /etc/rndc.conf matches the addresses used in
named.conf. "localhost" has two addresses (127.0.0.1 and
If you use "rndc-confgen -a" and named is running with -t or -u
ensure that /etc/rndc.conf has the correct ownership and that
a copy is in the chroot area. You can do this by re-running
"rndc-confgen -a" with appropriate -t and -u arguments.
I don't get RRSIGs returned when I use "dig +dnssec".
You need to ensure DNSSEC is enabled (dnssec-enable yes;).
I get <quote>Error 1067</quote> when starting named under Windows.
This is the service manager saying that named exited. You
need to examine the Application log in the EventViewer to
Common causes are that you failed to create "named.conf"
(usually "C:\windows\dns\etc\named.conf") or failed to
specify the directory in named.conf.
Directory "C:\windows\dns\etc";
I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
failed while receiving responses: permission denied</quote> error
These indicate a filesystem permission error preventing
named from creating or renaming the temporary file. These will
usually also have other associated error messages like
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
Named needs write permission on the directory containing
the file. Named writes the new cache file to a temporary
file then renames it to the name specified in named.conf
to ensure that the contents are always complete. This is
to prevent named loading a partial zone in the event of
power failure or similar interrupting the write of the
Note file names are relative to the directory specified in
options and any chroot directory ([<chroot
dir>/][<options dir>]).
If named is invoked as "named -t /chroot/DNS" with
the following named.conf then "/chroot/DNS/var/named/sl"
needs to be writable by the user named is running as.
directory "/var/named";
file "sl/example.net";
masters { 192.168.4.12; };
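The write-then-rename behaviour and the path rule from this answer, as an added example (not named's code): resolving the file named actually opens from the chroot, options directory and zone file name, checking that its directory is writable, and writing a zone the same way named does, to a tmp-* file beside the target followed by a rename. The scratch directory and zone contents are constructed.

```python
import os
import shutil
import tempfile

def resolve_zone_path(file, directory="/", chroot=None):
    """Path named really opens: [<chroot dir>/][<options dir>]/<file>."""
    path = file if os.path.isabs(file) else os.path.join(directory, file)
    if chroot:
        path = os.path.join(chroot, path.lstrip("/"))
    return os.path.normpath(path)

def check_dump_permission(path):
    """Pre-flight for the transfer case: the directory, not just the file, must be writable."""
    zone_dir = os.path.dirname(path)
    if not os.path.isdir(zone_dir):
        return zone_dir + ": no such directory"
    if not os.access(zone_dir, os.W_OK):
        return "dumping master file: %s/tmp-XXXX: open: permission denied" % zone_dir
    return None

def write_zone_atomically(path, contents):
    """Write to a tmp-* file beside the target, flush it, then rename over it,
    so an interrupted write leaves the old complete file rather than a partial one."""
    fd, tmp = tempfile.mkstemp(prefix="tmp-", dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(contents)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)   # atomic on POSIX: readers see old or new, never half
    except BaseException:
        os.unlink(tmp)
        raise

def demo_roundtrip():
    """Constructed self-check in a scratch directory: write, read back, and
    confirm no tmp-* file is left behind."""
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "example.net")
    try:
        write_zone_atomically(target, "$TTL 86400\n")
        with open(target) as f:
            body = f.read()
        leftovers = [n for n in os.listdir(scratch) if n.startswith("tmp-")]
    finally:
        shutil.rmtree(scratch)
    return body, leftovers
```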
How do I integrate BIND 9 and Solaris SMF?
Sun has a blog entry describing how to do this.
url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
Can an NS record refer to a CNAME?
No. The rules for glue (copies of the *address* records
in the parent zones) and additional section processing do
not allow it to work.
You would have to add both the CNAME and address records
(A/AAAA) as glue to the parent zone and have CNAMEs be
followed when doing additional section processing to make
it work. No nameserver implementation supports either of
What does <quote>RFC 1918 response from Internet for
0.0.0.10.IN-ADDR.ARPA</quote> mean?
If the IN-ADDR.ARPA name covered refers to an internal address
space you are using then you have failed to follow RFC 1918
usage rules and are leaking queries to the Internet. You
should establish your own zones for these addresses to prevent
you querying the Internet's name servers for these addresses.
Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
for details of the problems you are causing and the countermeasures
that have had to be deployed.
If you are not using these private addresses then a client
has queried for them. You can just ignore the messages,
get the offending client to stop sending you these queries
(they are most probably leaking them), or set up your own
empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
zone "16.172.IN-ADDR.ARPA" {
zone "31.172.IN-ADDR.ARPA" {
zone "168.192.IN-ADDR.ARPA" {
@ 10800 IN SOA <name-of-server>. <contact-email>. (
1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.</programlisting>
Future versions of named are likely to do this automatically.
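A triage helper for these warnings, as an added example (not part of BIND): it parses the "RFC 1918 response from Internet for ..." lines out of a named log, converts each IN-ADDR.ARPA name back to an address, and reports which of the empty zones listed above would have absorbed the query locally and which of them named.conf still lacks. The log excerpt is constructed; lines for other messages are ignored.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r"RFC 1918 response from Internet for (\S+)")

def reverse_name_to_ip(name):
    """'0.0.0.10.IN-ADDR.ARPA' -> 10.0.0.0; names shorter than four labels are zero-padded."""
    labels = name.rstrip(".").upper().split(".")
    if labels[-2:] != ["IN-ADDR", "ARPA"] or len(labels) > 6:
        raise ValueError("not an IPv4 reverse name: " + name)
    octets = labels[:-2][::-1] + ["0"] * (6 - len(labels))
    return ipaddress.IPv4Address(".".join(octets))

def empty_zone_for(ip):
    """The zone from the list above that should answer the query locally, or None."""
    o = ip.exploded.split(".")
    if ip in RFC1918[0]:
        return "10.IN-ADDR.ARPA"
    if ip in RFC1918[1]:
        return o[1] + ".172.IN-ADDR.ARPA"   # one of 16.172 through 31.172
    if ip in RFC1918[2]:
        return "168.192.IN-ADDR.ARPA"
    return None

def triage(log_text, configured_zones):
    """Map each RFC 1918 warning to the empty zone that would stop the leak.
    Returns (leaks, missing): leaks as [(name, zone)], missing as the zones
    seen in the log that named.conf does not yet define."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            leaks.append((m.group(1), empty_zone_for(reverse_name_to_ip(m.group(1)))))
    configured = {z.upper() for z in configured_zones}
    missing = sorted({z for _, z in leaks if z and z not in configured})
    return leaks, missing

# Constructed log excerpt in named's syslog format.
SAMPLE_LOG = """\
Dec  4 23:47:59 ns1 named[123]: RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA
Dec  4 23:48:01 ns1 named[123]: RFC 1918 response from Internet for 7.1.20.172.IN-ADDR.ARPA
Dec  4 23:48:02 ns1 named[123]: RFC 1918 response from Internet for 9.1.168.192.IN-ADDR.ARPA
Dec  4 23:48:03 ns1 named[123]: client 10.0.0.1#1234: update denied
"""
```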