4 Frequently Asked Questions about BIND 9
7 Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
9 A: Linux threads do not fully implement the Posix threads (pthreads) standard.
10 In particular, setuid() operates only on the current thread, not the full
11 process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
12 can on all other supported platforms. setuid() cannot be called before
13 creating threads, since the server does not start listening on reserved ports
14 until after threads have started.
16 In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
17 capabilities across a setuid() call is present. This allows BIND 9 to call
18 setuid() early, while retaining the ability to bind reserved ports. This is
19 a Linux-specific hack.
21 On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
22 of a security risk than a root process that has not dropped privileges.
24 If Linux threads ever work correctly, this restriction will go away.
26 Configuring BIND9 with the --disable-threads option (the default) causes a
27 non-threaded version to be built, which will allow -u to be used.
30 Q: Why does named log the warning message "no TTL specified - using SOA
33 A: Your zone file is illegal according to RFC1035. It must either
38 at the beginning, or the first record in it must have a TTL field,
39 like the "84600" in this example:
41 example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
43 Q: Why do I see 5 (or more) copies of named on Linux?
45 A: Linux threads each show up as a process under ps. The approximate
46 number of threads running is n+4, where n is the number of CPUs. Note that
47 the amount of memory used is not cumulative; if each process is using 10M of
48 memory, only a total of 10M is used.
51 Q: Why does BIND 9 log "permission denied" errors accessing its
52 configuration files or zones on my Linux system even though it is running
55 A: On Linux, BIND 9 drops most of its root privileges on startup.
56 This including the privilege to open files owned by other users.
57 Therefore, if the server is running as root, the configuration files
58 and zone files should also be owned by root.
61 Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
62 bar: ran out of space"
64 A: This is often caused by TXT records with missing close quotes. Check that
65 all TXT records containing quoted strings have both open and close quotes.
68 Q: How do I produce a usable core file from a multithreaded named on Linux?
70 A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
71 are usable (that is, the correct thread is dumped). Otherwise, if using
72 a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
73 and rebuild the kernel. This patch will cause multithreaded programs to dump
77 Q: How do I restrict people from looking up the server version?
79 A: Put a "version" option containing something other than the real
80 version in the "options" section of named.conf. Note doing this will
81 not prevent attacks and may impede people trying to diagnose problems
82 with your server. Also it is possible to "fingerprint" nameservers to
83 determine their version.
86 Q: How do I restrict only remote users from looking up the server
89 A: The following view statement will intercept lookups as the internal
90 view that holds the version information will be matched last. The
91 caveats of the previous answer still apply, of course.
94 match-clients { <those to be refused>; };
95 allow-query { none; };
98 file "/dev/null"; // or any empty file
103 Q: What do "no source of entropy found" or "could not open entropy source foo"
106 A: The server requires a source of entropy to perform certain operations,
107 mostly DNSSEC related. These messages indicate that you have no source
108 of entropy. On systems with /dev/random or an equivalent, it is used by
109 default. A source of entropy can also be defined using the random-device
110 option in named.conf.
113 Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
115 A: BIND 9 is installed under /usr/local by default. BIND 8 is often
116 installed under /usr. Check that the correct named is running.
119 Q: I'm trying to use TSIG to authenticate dynamic updates or zone
120 transfers. I'm sure I have the keys set up correctly, but the server
121 is rejecting the TSIG. Why?
123 A: This may be a clock skew problem. Check that the the clocks on
124 the client and server are properly synchronized (e.g., using ntp).
127 Q: I'm trying to compile BIND 9, and "make" is failing due to files not
130 A: Using a parallel or distributed "make" to build BIND 9 is not
131 supported, and doesn't work. If you are using one of these, use
132 normal make or gmake instead.
135 Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
136 logging error messages like "notify to 10.0.0.1#53 failed: unexpected
137 end of input". What's wrong?
139 A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
140 in BIND 8.2.4. It can be safely ignored - the notify has been acted on by
141 the slave despite the error message.
144 Q: I keep getting log messages like the following. Why?
146 Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
147 update failed: 'RRset exists (value dependent)' prerequisite not
150 A: DNS updates allow the update request to test to see if certain
151 conditions are met prior to proceeding with the update. The message
152 above is saying that conditions were not met and the update is not
153 proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
156 Q: I keep getting log messages like the following. Why?
158 Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
160 A: Someone is trying to update your DNS data using the RFC2136 Dynamic
161 Update protocol. Windows 2000 machines have a habit of sending dynamic
162 update requests to DNS servers without being specifically configured to
163 do so. If the update requests are coming from a Windows 2000 machine,
164 see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
165 for information about how to turn them off.
168 Q: I see a log message like the following. Why?
170 couldn't open pid file '/var/run/named.pid': Permission denied
172 A: You are most likely running named as a non-root user, and that user
173 does not have permission to write in /var/run. The common ways of
174 fixing this are to create a /var/run/named directory owned by the named
175 user and set pid-file to "/var/run/named/named.pid", or set
176 pid-file to "named.pid", which will put the file in the directory
177 specified by the directory option (which, in this case, must be writable
181 Q: When I do a "dig . ns", many of the A records for the root
182 servers are missing. Why?
184 A: This is normal and harmless. It is a somewhat confusing side effect
185 of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
186 makes to avoid promoting glue into answers.
188 When BIND 9 first starts up and primes its cache, it receives the root
189 server addresses as additional data in an authoritative response from
190 a root server, and these records are eligible for inclusion as
191 additional data in responses. Subsequently it receives a subset of
192 the root server addresses as additional data in a non-authoritative
193 (referral) response from a root server. This causes the addresses to
194 now be considered non-authoritative (glue) data, which is not eligible
195 for inclusion in responses.
197 The server does have a complete set of root server addresses cached
198 at all times, it just may not include all of them as additional data,
199 depending on whether they were last received as answers or as glue.
200 You can always look up the addresses with explicit queries like
201 "dig a.root-servers.net A".
204 Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
207 A: This may be caused by a bug in the Windows 2000 DNS server where
208 DNS messages larger than 16K are not handled properly. This can be
209 worked around by setting the option "transfer-format one-answer;".
210 Also check whether your zone contains domain names with embedded
211 spaces or other special characters, like "John\032Doe\213s\032Computer",
212 since such names have been known to cause Windows 2000 slaves to
213 incorrectly reject the zone.
216 Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
218 A: A zone can be updated either by editing zone files and reloading
219 the server or by dynamic update, but not both. If you have enabled
220 dynamic update for a zone using the "allow-update" option, you are not
221 supposed to edit the zone file by hand, and the server will not
222 attempt to reload it.
225 Q: I can query the nameserver from the nameserver but not from other
228 A: This is usually the result of the firewall configuration stopping
229 the queries and / or the replies.
232 Q: How can I make a server a slave for both an internal and
233 an external view at the same time? When I tried, both views
234 on the slave were transferred from the same view on the master.
236 A: You will need to give the master and slave multiple IP addresses and
237 use those to make sure you reach the correct view on the other machine.
240 Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
242 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
243 notify-source 10.0.1.1;
244 transfer-source 10.0.1.1;
245 query-source address 10.0.1.1;
247 match-clients { any; };
248 recursion no; // don't offer recursion to the world
249 notify-source 10.0.1.2;
250 transfer-source 10.0.1.2;
251 query-source address 10.0.1.2;
253 Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
255 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
256 notify-source 10.0.1.3;
257 transfer-source 10.0.1.3;
258 query-source address 10.0.1.3;
260 match-clients { any; };
261 recursion no; // don't offer recursion to the world
262 notify-source 10.0.1.4;
263 transfer-source 10.0.1.4;
264 query-source address 10.0.1.4;
266 You put the external address on the alias so that all the other
267 dns clients on these boxes see the internal view by default.
269 A: (BIND 9.3 and later) Use TSIG to select the appropriate view.
277 match-clients { !key external; 10.0.1/24; };
281 match-clients { key external; any; };
282 server 10.0.0.2 { keys external; };
293 match-clients { !key external; 10.0.1/24; };
296 match-clients { key external; any; };
297 server 10.0.0.1 { keys external; };
303 Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.
305 A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel
306 to use certain interrupts as a source of random events. You can make this
307 permanent by setting rand_irqs in /etc/rc.conf.
313 See also http://people.freebsd.org/~dougb/randomness.html
316 Q: Why is named listening on UDP port other than 53?
318 A: Named uses a system selected port to make queries of other nameservers.
319 This behaviour can be overridden by using query-source to lock down the
320 port and/or address. See also notify-source and transfer-source.
323 Q: I get error messages like "multiple RRs of singleton type" and
324 "CNAME and other data" when transferring a zone. What does this mean?
326 A: These indicate a malformed master zone. You can identify the
327 exact records involved by transferring the zone using dig then
328 running named-checkzone on it.
331 dig axfr example.com @master-server > tmp
332 named-checkzone example.com tmp
335 Q: I get error messages like "named.conf:99: unexpected end of input" where
336 99 is the last line of named.conf.
338 A: Some text editors (notepad and wordpad) fail to put a line termination
339 indication (e.g. CR/LF) on the last line of a text file. This can be fixed
340 by "adding" a blank line to the end of the file. Named expects to see EOF
341 immediately after EOL and treats text files where this is not met as truncated.
344 Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
345 1.2.3.4#53: timed out".
347 A: Check that you can make UDP queries from the slave to the master
349 dig +norec example.com soa @1.2.3.4
351 A: You could be generating queries faster than the slave can cope with. Lower
352 the serial query rate.
354 serial-query-rate 5; // default 20
356 Q: How do I share a dynamic zone between multiple views?
358 A: You choose one view to be master and the second a slave and transfer
359 the zone between views.
373 match-clients { !external; 10.0.1/24; };
375 /* Deliver notify messages to external view. */
380 file "internal/example.db";
381 allow-update { key mykey; };
382 notify-also { 10.0.1.1; };
387 match-clients { external; any; };
390 file "external/example.db";
391 masters { 10.0.1.1; };
392 transfer-source { 10.0.1.1; };
393 // allow-update-forwarding { any; };
394 // allow-notify { ... };
398 Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
399 file primaries/wireless.ietf56.ietf.org: no owner".
401 A: This error is produced when a line in the master file contains leading
402 white space (tab/space) but the is no current record owner name to inherit
403 the name from. Usually this is the result of putting white space before
404 a comment. Forgeting the "@" for the SOA record or indenting the master
408 Q: Why are my logs in GMT (UTC).
410 A: You are running chrooted (-t) and have not supplied local timzone
411 information in the chroot area.
413 FreeBSD: /etc/localtime
414 Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
415 OSF: /etc/zoneinfo/localtime
417 See also tzset(3) and zic(8).
420 Q: I get the error message "named: capset failed: Operation not permitted"
423 A: The capset module has not been loaded into the kernel. See insmod(8).
426 Q: I get "rndc: connect failed: connection refused" when I try to run
429 A: This is usually a configuration error.
431 First ensure that named is running and no errors are being
432 reported at startup (/var/log/messages or equivalent). Running
433 "named -g <usual arguements>" from a terminal can help at this
436 Secondly ensure that named is configured to use rndc either by
437 "rndc-confgen -a", rndc-confgen or manually. The Administators
438 Reference manual has details on how to do this.
440 Old versions of rndc-confgen used localhost rather than 127.0.0.1
441 in /etc/rndc.conf for the default server. Update /etc/rndc.conf
442 if necessary so that the default server listed in /etc/rndc.conf
443 matches the addresses used in named.conf. "localhost" has two
444 address (127.0.0.1 and ::1).
446 If you use "rndc-confgen -a" and named is running with -t or -u
447 ensure that /etc/rndc.conf has the correct ownership and that
448 a copy is in the chroot area. You can do this by re-running
449 "rndc-confgen -a" with appropriate -t and -u arguements.