Merge from vendor branch ZLIB:

[dragonfly.git] / contrib / bind-9.2.4rc7 / FAQ

Frequently Asked Questions about BIND 9


Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms.  setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.

  In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
capabilities across a setuid() call is present.  This allows BIND 9 to call
setuid() early, while retaining the ability to bind reserved ports.  This is
a Linux-specific hack.

  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.

  If Linux threads ever work correctly, this restriction will go away.

  Configuring BIND9 with the --disable-threads option (the default) causes a
non-threaded version to be built, which will allow -u to be used.


Q: Why does named log the warning message "no TTL specified - using SOA
MINTTL instead"?

A: Your zone file is illegal according to RFC1035.  It must either
have a line like

   $TTL 86400

at the beginning, or the first record in it must have a TTL field,
like the "84600" in this example:

   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps.  The approximate
number of threads running is n+4, where n is the number of CPUs.  Note that
the amount of memory used is not cumulative; if each process is using 10M of
memory, only a total of 10M is used.


Q: Why does BIND 9 log "permission denied" errors accessing its
configuration files or zones on my Linux system even though it is running
as root?

A: On Linux, BIND 9 drops most of its root privileges on startup.
This including the privilege to open files owned by other users.
Therefore, if the server is running as root, the configuration files
and zone files should also be owned by root.


Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
bar: ran out of space"

A: This is often caused by TXT records with missing close quotes.  Check that
all TXT records containing quoted strings have both open and close quotes.


Q: How do I produce a usable core file from a multithreaded named on Linux?

A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
are usable (that is, the correct thread is dumped).  Otherwise, if using
a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
and rebuild the kernel.  This patch will cause multithreaded programs to dump
the correct thread.


Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real
version in the "options" section of named.conf.  Note doing this will
not prevent attacks and may impede people trying to diagnose problems
with your server.  Also it is possible to "fingerprint" nameservers to
determine their version.


Q: How do I restrict only remote users from looking up the server
version?

A: The following view statement will intercept lookups as the internal
view that holds the version information will be matched last.  The
caveats of the previous answer still apply, of course.

  view "chaos" chaos {
          match-clients { <those to be refused>; };
          allow-query { none; };
          zone "." {
                  type hint;
                  file "/dev/null";  // or any empty file
          };
  };


Q: What do "no source of entropy found" or "could not open entropy source foo"
mean?

A: The server requires a source of entropy to perform certain operations,
mostly DNSSEC related.  These messages indicate that you have no source
of entropy.  On systems with /dev/random or an equivalent, it is used by
default.  A source of entropy can also be defined using the random-device
option in named.conf.


Q: I installed BIND 9 and restarted named, but it's still BIND 8.  Why?

A: BIND 9 is installed under /usr/local by default.  BIND 8 is often
installed under /usr.  Check that the correct named is running.


Q: I'm trying to use TSIG to authenticate dynamic updates or zone
transfers.  I'm sure I have the keys set up correctly, but the server
is rejecting the TSIG.  Why?

A: This may be a clock skew problem.  Check that the the clocks on
the client and server are properly synchronized (e.g., using ntp).


Q: I'm trying to compile BIND 9, and "make" is failing due to files not
being found.  Why?

A: Using a parallel or distributed "make" to build BIND 9 is not
supported, and doesn't work.  If you are using one of these, use
normal make or gmake instead.


Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
logging error messages like "notify to 10.0.0.1#53 failed: unexpected
end of input".  What's wrong?

A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
in BIND 8.2.4.  It can be safely ignored - the notify has been acted on by
the slave despite the error message.


Q: I keep getting log messages like the following.  Why?

   Dec  4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
   update failed: 'RRset exists (value dependent)' prerequisite not
   satisfied (NXRRSET)

A: DNS updates allow the update request to test to see if certain
conditions are met prior to proceeding with the update.  The message
above is saying that conditions were not met and the update is not
proceeding.  See doc/rfc/rfc2136.txt for more details on prerequisites.


Q: I keep getting log messages like the following.  Why?

   Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

A: Someone is trying to update your DNS data using the RFC2136 Dynamic
Update protocol.  Windows 2000 machines have a habit of sending dynamic
update requests to DNS servers without being specifically configured to
do so.  If the update requests are coming from a Windows 2000 machine,
see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
for information about how to turn them off.


Q: I see a log message like the following.  Why?

   couldn't open pid file '/var/run/named.pid': Permission denied

A: You are most likely running named as a non-root user, and that user
does not have permission to write in /var/run.  The common ways of
fixing this are to create a /var/run/named directory owned by the named
user and set pid-file to "/var/run/named/named.pid", or set
pid-file to "named.pid", which will put the file in the directory
specified by the directory option (which, in this case, must be writable
by the named user).


Q: When I do a "dig . ns", many of the A records for the root
servers are missing.  Why?

A: This is normal and harmless.  It is a somewhat confusing side effect
of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
makes to avoid promoting glue into answers.

When BIND 9 first starts up and primes its cache, it receives the root
server addresses as additional data in an authoritative response from
a root server, and these records are eligible for inclusion as
additional data in responses.  Subsequently it receives a subset of
the root server addresses as additional data in a non-authoritative
(referral) response from a root server.  This causes the addresses to
now be considered non-authoritative (glue) data, which is not eligible
for inclusion in responses.

The server does have a complete set of root server addresses cached
at all times, it just may not include all of them as additional data,
depending on whether they were last received as answers or as glue.
You can always look up the addresses with explicit queries like
"dig a.root-servers.net A".


Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
fail.  Why?

A: This may be caused by a bug in the Windows 2000 DNS server where
DNS messages larger than 16K are not handled properly.  This can be
worked around by setting the option "transfer-format one-answer;".
Also check whether your zone contains domain names with embedded
spaces or other special characters, like "John\032Doe\213s\032Computer",
since such names have been known to cause Windows 2000 slaves to
incorrectly reject the zone.


Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A: A zone can be updated either by editing zone files and reloading
the server or by dynamic update, but not both.  If you have enabled
dynamic update for a zone using the "allow-update" option, you are not
supposed to edit the zone file by hand, and the server will not
attempt to reload it.


Q: I can query the nameserver from the nameserver but not from other
machines.  Why?

A: This is usually the result of the firewall configuration stopping
the queries and / or the replies.


Q: How can I make a server a slave for both an internal and
an external view at the same time?  When I tried, both views
on the slave were transferred from the same view on the master.

A: You will need to give the master and slave multiple IP addresses and
use those to make sure you reach the correct view on the other machine.

        e.g.
        Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
            internal:
                match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
                notify-source 10.0.1.1;
                transfer-source 10.0.1.1;
                query-source address 10.0.1.1;
            external:
                match-clients { any; };
                recursion no;   // don't offer recursion to the world
                notify-source 10.0.1.2;
                transfer-source 10.0.1.2;
                query-source address 10.0.1.2;

        Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
            internal:
                match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
                notify-source 10.0.1.3;
                transfer-source 10.0.1.3;
                query-source address 10.0.1.3;
            external:
                match-clients { any; };
                recursion no;   // don't offer recursion to the world
                notify-source 10.0.1.4;
                transfer-source 10.0.1.4;
                query-source address 10.0.1.4;

        You put the external address on the alias so that all the other
        dns clients on these boxes see the internal view by default.

A: (BIND 9.3 and later) Use TSIG to select the appropriate view.

        Master 10.0.1.1:
        key "external" {
                algorithm hmac-md5;
                secret "xxxxxxxx";
        };
        view "internal" {
                match-clients { !key external; 10.0.1/24; };
                ...
        };
        view "external" {
                match-clients { key external; any; };
                server 10.0.0.2 { keys external; };
                recursion no;
                ...
        };

        Slave 10.0.1.2:
        key "external" {
                 algorithm hmac-md5;
                 secret "xxxxxxxx";
        };
        view "internal" {
                match-clients { !key external; 10.0.1/24; };
        };
        view "external" {
                match-clients { key external; any; };
                server 10.0.0.1 { keys external; };
                recursion no;
                ...
        };


Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured.  Use rndcontrol(8) to tell the kernel
to use certain interrupts as a source of random events.  You can make this
permanent by setting rand_irqs in /etc/rc.conf.

e.g.
        /etc/rc.conf
        rand_irqs="3 14 15"

See also http://people.freebsd.org/~dougb/randomness.html


Q: Why is named listening on UDP port other than 53?

A: Named uses a system selected port to make queries of other nameservers.
This behaviour can be overridden by using query-source to lock down the
port and/or address.  See also notify-source and transfer-source.


Q: I get error messages like "multiple RRs of singleton type" and
"CNAME and other data" when transferring a zone.  What does this mean?

A: These indicate a malformed master zone.  You can identify the
exact records involved by transferring the zone using dig then
running named-checkzone on it.

        e.g.
                dig axfr example.com @master-server > tmp
                named-checkzone example.com tmp


Q: I get error messages like "named.conf:99: unexpected end of input" where
99 is the last line of named.conf.

A: Some text editors (notepad and wordpad) fail to put a line termination
indication (e.g. CR/LF) on the last line of a text file.  This can be fixed
by "adding" a blank line to the end of the file.  Named expects to see EOF
immediately after EOL and treats text files where this is not met as truncated.


Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
1.2.3.4#53: timed out".

A: Check that you can make UDP queries from the slave to the master

        dig +norec example.com soa @1.2.3.4

A: You could be generating queries faster than the slave can cope with.  Lower
the serial query rate.

        serial-query-rate 5; // default 20

Q: How do I share a dynamic zone between multiple views?

A: You choose one view to be master and the second a slave and transfer
the zone between views.

        Master 10.0.1.1:
        key "external" {
                algorithm hmac-md5;
                secret "xxxxxxxx";
        };

        key "mykey" {
                algorithm hmac-md5;
                secret "yyyyyyyy";
        };

        view "internal" {
                match-clients { !external; 10.0.1/24; };
                server 10.0.1.1 {
                        /* Deliver notify messages to external view. */
                        keys { external; };
                };
                zone "example.com" {
                        type master;
                        file "internal/example.db";
                        allow-update { key mykey; };
                        notify-also { 10.0.1.1; };
                };
        };

        view "external" {
                match-clients { external; any; };
                zone "example.com" {
                        type slave;
                        file "external/example.db";
                        masters { 10.0.1.1; };
                        transfer-source { 10.0.1.1; };
                        // allow-update-forwarding { any; };
                        // allow-notify { ... };
                };
        };

Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
file primaries/wireless.ietf56.ietf.org: no owner".

A: This error is produced when a line in the master file contains leading
white space (tab/space) but the is no current record owner name to inherit
the name from.  Usually this is the result of putting white space before
a comment.  Forgeting the "@" for the SOA record or indenting the master
file.


Q: Why are my logs in GMT (UTC).

A: You are running chrooted (-t) and have not supplied local timzone
information in the chroot area.

        FreeBSD: /etc/localtime
        Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
        OSF: /etc/zoneinfo/localtime

        See also tzset(3) and zic(8).


Q: I get the error message "named: capset failed: Operation not permitted"
when starting named.

A: The capset module has not been loaded into the kernel.  See insmod(8).


Q: I get "rndc: connect failed: connection refused" when I try to run
   rndc.

A: This is usually a configuration error.

   First ensure that named is running and no errors are being
   reported at startup (/var/log/messages or equivalent).  Running
   "named -g <usual arguements>" from a terminal can help at this
   point.

   Secondly ensure that named is configured to use rndc either by
   "rndc-confgen -a", rndc-confgen or manually.  The Administators
   Reference manual has details on how to do this.

   Old versions of rndc-confgen used localhost rather than 127.0.0.1
   in /etc/rndc.conf for the default server.  Update /etc/rndc.conf
   if necessary so that the default server listed in /etc/rndc.conf
   matches the addresses used in named.conf.  "localhost" has two
   address (127.0.0.1 and ::1).

   If you use "rndc-confgen -a" and named is running with -t or -u
   ensure that /etc/rndc.conf has the correct ownership and that
   a copy is in the chroot area.  You can do this by re-running
   "rndc-confgen -a" with appropriate -t and -u arguements.