| field | value | date |
|---|---|---|
| author | dougb <dougb@FreeBSD.org> | 2007-12-02 19:10:41 +0000 |
| committer | dougb <dougb@FreeBSD.org> | 2007-12-02 19:10:41 +0000 |
| commit | a71024a14b827f5b701147352017a851b29079f1 (patch) | |
| tree | 53a2dee8ac1ac0a8ab5297f2d49a8f8514d535f4 /contrib/bind9/FAQ.xml | |
| parent | e9f5980a15892cbb50c32cfaab95f2dcb23cebcd (diff) | |
| download | FreeBSD-src-a71024a14b827f5b701147352017a851b29079f1.zip FreeBSD-src-a71024a14b827f5b701147352017a851b29079f1.tar.gz | |
Vendor import of BIND 9.4.2
Diffstat (limited to 'contrib/bind9/FAQ.xml')
-rw-r--r-- | contrib/bind9/FAQ.xml | 1006 |
1 files changed, 498 insertions, 508 deletions
diff --git a/contrib/bind9/FAQ.xml b/contrib/bind9/FAQ.xml index 4e11b84..0f864ef 100644 --- a/contrib/bind9/FAQ.xml +++ b/contrib/bind9/FAQ.xml @@ -1,11 +1,10 @@ -<?xml-stylesheet href="common.css" type="text/css"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> <!-- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - - Permission to use, copy, modify, and distribute this software for any + - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - @@ -18,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: FAQ.xml,v 1.4.4.8 2007/02/05 05:23:39 marka Exp $ --> +<!-- $Id: FAQ.xml,v 1.4.4.16 2007/10/31 02:14:07 marka Exp $ --> <article class="faq"> <title>Frequently Asked Questions about BIND 9</title> 
@@ -39,69 +38,63 @@ </copyright> </articleinfo> <qandaset defaultlabel='qanda'> + + <qandadiv><title>Compilation and Installation Questions</title> + <qandaentry> <question> <para> - Why doesn't -u work on Linux 2.2.x when I build with - --enable-threads? + I'm trying to compile BIND 9, and "make" is failing due to + files not being found. Why? </para> </question> <answer> <para> - Linux threads do not fully implement the Posix threads - (pthreads) standard. In particular, setuid() operates only - on the current thread, not the full process. Because of - this limitation, BIND 9 cannot use setuid() on Linux as it - can on all other supported platforms. setuid() cannot be - called before creating threads, since the server does not - start listening on reserved ports until after threads have - started. - </para> - <para> - In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability - to preserve capabilities across a setuid() call is present. - This allows BIND 9 to call setuid() early, while retaining - the ability to bind reserved ports. This is a Linux-specific - hack. - </para> - <para> - On a 2.2 kernel, BIND 9 does drop many root privileges, so - it should be less of a security risk than a root process - that has not dropped privileges. - </para> - <para> - If Linux threads ever work correctly, this restriction will - go away. - </para> - <para> - Configuring BIND9 with the --disable-threads option (the - default) causes a non-threaded version to be built, which - will allow -u to be used. + Using a parallel or distributed "make" to build BIND 9 is + not supported, and doesn't work. If you are using one of + these, use normal make or gmake instead. 
</para> </answer> </qandaentry> - + <qandaentry> <question> <para> - Why do I get the following errors: -<programlisting>general: errno2result.c:109: unexpected error: -general: unable to convert errno to isc_result: 14: Bad address -client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting> + Isn't "make install" supposed to generate a default named.conf? </para> </question> <answer> <para> - This is the result of a Linux kernel bug. + Short Answer: No. </para> <para> - See: - <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink> + Long Answer: There really isn't a default configuration which fits + any site perfectly. There are lots of decisions that need to + be made and there is no consensus on what the defaults should be. + For example FreeBSD uses /etc/namedb as the location where the + configuration files for named are stored. Others use /var/named. + </para> + <para> + What addresses to listen on? For a laptop on the move a lot + you may only want to listen on the loop back interfaces. + </para> + <para> + Who do you offer recursive service to? Is there are firewall + to consider? If so is it stateless or stateful. Are you + directly on the Internet? Are you on a private network? Are + you on a NAT'd network? The answers + to all these questions change how you configure even a + caching name server. </para> </answer> </qandaentry> + + </qandadiv> <!-- Compilation and Installation Questions --> + + <qandadiv><title>Configuration and Setup Questions</title> <qandaentry> + <!-- configuration, log --> <question> <para> Why does named log the warning message <quote>no TTL specified - 
@@ -127,48 +120,9 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlis </informalexample> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - Why do I see 5 (or more) copies of named on Linux? - </para> - </question> - <answer> - <para> - Linux threads each show up as a process under ps. The - approximate number of threads running is n+4, where n is - the number of CPUs. Note that the amount of memory used - is not cumulative; if each process is using 10M of memory, - only a total of 10M is used. - </para> - <para> - Newer versions of Linux's ps command hide the individual threads - and require -L to display them. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why does BIND 9 log <quote>permission denied</quote> errors accessing - its configuration files or zones on my Linux system even - though it is running as root? - </para> - </question> - <answer> - <para> - On Linux, BIND 9 drops most of its root privileges on - startup. This including the privilege to open files owned - by other users. Therefore, if the server is running as - root, the configuration files and zone files should also - be owned by root. - </para> - </answer> - </qandaentry> - + <qandaentry> + <!-- configuration --> <question> <para> Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading 
@@ -185,25 +139,7 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlis </qandaentry> <qandaentry> - <question> - <para> - How do I produce a usable core file from a multi-threaded - named on Linux? - </para> - </question> - <answer> - <para> - If the Linux kernel is 2.4.7 or newer, multi-threaded core - dumps are usable (that is, the correct thread is dumped). - Otherwise, if using a 2.2 kernel, apply the kernel patch - found in contrib/linux/coredump-patch and rebuild the kernel. - This patch will cause multi-threaded programs to dump the - correct thread. - </para> - </answer> - </qandaentry> - - <qandaentry> + <!-- security --> <question> <para> How do I restrict people from looking up the server version? @@ -222,6 +158,7 @@ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlis </qandaentry> <qandaentry> + <!-- security --> <question> <para> How do I restrict only remote users from looking up the @@ -250,6 +187,7 @@ view "chaos" chaos { </qandaentry> <qandaentry> + <!-- configuration --> <question> <para> What do <quote>no source of entropy found</quote> or <quote>could not @@ -269,21 +207,7 @@ view "chaos" chaos { </qandaentry> <qandaentry> - <question> - <para> - I installed BIND 9 and restarted named, but it's still BIND 8. Why? - </para> - </question> - <answer> - <para> - BIND 9 is installed under /usr/local by default. BIND 8 - is often installed under /usr. Check that the correct named - is running. - </para> - </answer> - </qandaentry> - - <qandaentry> + <!-- configuration --> <question> <para> I'm trying to use TSIG to authenticate dynamic updates or 
@@ -303,87 +227,6 @@ view "chaos" chaos { <qandaentry> <question> <para> - I'm trying to compile BIND 9, and "make" is failing due to - files not being found. Why? - </para> - </question> - <answer> - <para> - Using a parallel or distributed "make" to build BIND 9 is - not supported, and doesn't work. If you are using one of - these, use normal make or gmake instead. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I have a BIND 9 master and a BIND 8.2.3 slave, and the - master is logging error messages like <quote>notify to 10.0.0.1#53 - failed: unexpected end of input</quote>. What's wrong? - </para> - </question> - <answer> - <para> - This error message is caused by a known bug in BIND 8.2.3 - and is fixed in BIND 8.2.4. It can be safely ignored - the - notify has been acted on by the slave despite the error - message. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I keep getting log messages like the following. Why? - </para> - <para> - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone - 'example.com/IN': update failed: 'RRset exists (value - dependent)' prerequisite not satisfied (NXRRSET) - </para> - </question> - <answer> - <para> - DNS updates allow the update request to test to see if - certain conditions are met prior to proceeding with the - update. The message above is saying that conditions were - not met and the update is not proceeding. See doc/rfc/rfc2136.txt - for more details on prerequisites. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I keep getting log messages like the following. Why? - </para> - <para> - Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied - </para> - </question> - <answer> - <para> - Someone is trying to update your DNS data using the RFC2136 - Dynamic Update protocol. Windows 2000 machines have a habit - of sending dynamic update requests to DNS servers without - being specifically configured to do so. 
If the update - requests are coming from a Windows 2000 machine, see - <ulink - url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp"> - http://support.microsoft.com/support/kb/articles/q246/8/04.asp - </ulink> - for information about how to turn them off. - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> I see a log message like the following. Why? </para> <para> 
@@ -403,81 +246,7 @@ view "chaos" chaos { </para> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - When I do a "dig . ns", many of the A records for the root - servers are missing. Why? - </para> - </question> - <answer> - <para> - This is normal and harmless. It is a somewhat confusing - side effect of the way BIND 9 does RFC2181 trust ranking - and of the efforts BIND 9 makes to avoid promoting glue - into answers. - </para> - <para> - When BIND 9 first starts up and primes its cache, it receives - the root server addresses as additional data in an authoritative - response from a root server, and these records are eligible - for inclusion as additional data in responses. Subsequently - it receives a subset of the root server addresses as - additional data in a non-authoritative (referral) response - from a root server. This causes the addresses to now be - considered non-authoritative (glue) data, which is not - eligible for inclusion in responses. - </para> - <para> - The server does have a complete set of root server addresses - cached at all times, it just may not include all of them - as additional data, depending on whether they were last - received as answers or as glue. You can always look up the - addresses with explicit queries like "dig a.root-servers.net A". - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Zone transfers from my BIND 9 master to my Windows 2000 - slave fail. Why? - </para> - </question> - <answer> - <para> - This may be caused by a bug in the Windows 2000 DNS server - where DNS messages larger than 16K are not handled properly. - This can be worked around by setting the option "transfer-format - one-answer;". Also check whether your zone contains domain - names with embedded spaces or other special characters, - like "John\032Doe\213s\032Computer", since such names have - been known to cause Windows 2000 slaves to incorrectly - reject the zone. 
- </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why don't my zones reload when I do an "rndc reload" or SIGHUP? - </para> - </question> - <answer> - <para> - A zone can be updated either by editing zone files and - reloading the server or by dynamic update, but not both. - If you have enabled dynamic update for a zone using the - "allow-update" option, you are not supposed to edit the - zone file by hand, and the server will not attempt to reload - it. - </para> - </answer> - </qandaentry> - + <qandaentry> <question> <para> @@ -492,7 +261,7 @@ view "chaos" chaos { </para> </answer> </qandaentry> - + <qandaentry> <question> <para> @@ -580,50 +349,7 @@ Slave 10.0.1.2: </informalexample> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - I have FreeBSD 4.x and "rndc-confgen -a" just sits there. - </para> - </question> - <answer> - <para> - /dev/random is not configured. Use rndcontrol(8) to tell - the kernel to use certain interrupts as a source of random - events. You can make this permanent by setting rand_irqs - in /etc/rc.conf. - </para> - <informalexample> - <programlisting> -/etc/rc.conf -rand_irqs="3 14 15"</programlisting> - </informalexample> - <para> - See also - <ulink url="http://people.freebsd.org/~dougb/randomness.html"> - http://people.freebsd.org/~dougb/randomness.html - </ulink> - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - Why is named listening on UDP port other than 53? - </para> - </question> - <answer> - <para> - Named uses a system selected port to make queries of other - nameservers. This behaviour can be overridden by using - query-source to lock down the port and/or address. See - also notify-source and transfer-source. - </para> - </answer> - </qandaentry> - + <qandaentry> <question> <para> @@ -656,7 +382,7 @@ named-checkzone example.com tmp</programlisting> </para> </answer> </qandaentry> - + <qandaentry> <question> <para> 
@@ -675,33 +401,7 @@ named-checkzone example.com tmp</programlisting> </para> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - I get warning messages like <quote>zone example.com/IN: refresh: - failure trying master 1.2.3.4#53: timed out</quote>. - </para> - </question> - <answer> - <para> - Check that you can make UDP queries from the slave to the master - </para> - <informalexample> - <programlisting> -dig +norec example.com soa @1.2.3.4</programlisting> - </informalexample> - <para> - You could be generating queries faster than the slave can - cope with. Lower the serial query rate. - </para> - <informalexample> - <programlisting> -serial-query-rate 5; // default 20</programlisting> - </informalexample> - </answer> - </qandaentry> - + <qandaentry> <question> <para> @@ -727,7 +427,7 @@ Master 10.0.1.1: }; view "internal" { - match-clients { !external; 10.0.1/24; }; + match-clients { !key external; 10.0.1/24; }; server 10.0.1.1 { /* Deliver notify messages to external view. */ keys { external; }; @@ -741,7 +441,7 @@ Master 10.0.1.1: }; view "external" { - match-clients { external; any; }; + match-clients { key external; any; }; zone "example.com" { type slave; file "external/example.db"; @@ -768,8 +468,8 @@ Master 10.0.1.1: This error is produced when a line in the master file contains leading white space (tab/space) but the is no current record owner name to inherit the name from. Usually - this is the result of putting white space before a comment. - Forgetting the "@" for the SOA record or indenting the master + this is the result of putting white space before a comment, + forgetting the "@" for the SOA record, or indenting the master file. </para> </answer> 
@@ -796,22 +496,7 @@ Master 10.0.1.1: </para> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - I get the error message <quote>named: capset failed: Operation - not permitted</quote> when starting named. - </para> - </question> - <answer> - <para> - The capability module, part of "Linux Security Modules/LSM", - has not been loaded into the kernel. See insmod(8). - </para> - </answer> - </qandaentry> - + <qandaentry> <question> <para> @@ -851,46 +536,7 @@ Master 10.0.1.1: </para> </answer> </qandaentry> - - <qandaentry> - <question> - <para> - I don't get RRSIG's returned when I use "dig +dnssec". - </para> - </question> - <answer> - <para> - You need to ensure DNSSEC is enabled (dnssec-enable yes;). - </para> - </answer> - </qandaentry> - - <qandaentry> - <question> - <para> - I get <quote>Error 1067</quote> when starting named under Windows. - </para> - </question> - <answer> - <para> - This is the service manager saying that named exited. You - need to examine the Application log in the EventViewer to - find out why. - </para> - <para> - Common causes are that you failed to create "named.conf" - (usually "C:\windows\dns\etc\named.conf") or failed to - specify the directory in named.conf. - </para> - <informalexample> - <programlisting> -options { - Directory "C:\windows\dns\etc"; -};</programlisting> - </informalexample> - </answer> - </qandaentry> - + <qandaentry> <question> <para> 
@@ -942,26 +588,238 @@ zone "example.net" { </informalexample> </answer> </qandaentry> + + <qandaentry> + <question> + <para> + I want to forward all DNS queries from my caching nameserver to + another server. But there are some domains which have to be + served locally, via rbldnsd. + </para> + <para> + How do I achieve this ? + </para> + </question> + <answer> + <programlisting> +options { + forward only; + forwarders { <ip.of.primary.nameserver>; }; +}; + +zone "sbl-xbl.spamhaus.org" { + type forward; forward only; + forwarders { <ip.of.rbldns.server> port 530; }; +}; + +zone "list.dsbl.org" { + type forward; forward only; + forwarders { <ip.of.rbldns.server> port 530; }; +}; + </programlisting> + </answer> + </qandaentry> <qandaentry> <question> <para> - How do I integrate BIND 9 and Solaris SMF + Can you help me understand how BIND 9 uses memory to store + DNS zones? + </para> + <para> + Some times it seems to take several times the amount of + memory it needs to store the zone. </para> </question> <answer> <para> - Sun has a blog entry describing how to do this. + When reloading a zone named my have multiple copies of + the zone in memory at one time. The zone it is serving + and the one it is loading. If reloads are ultra fast it + can have more still. + </para> + <para> + e.g. Ones that are transferring out, the one that it is + serving and the one that is loading. + </para> + <para> + BIND 8 destroyed the zone before loading and also killed + off outgoing transfers of the zone. + </para> + <para> + The new strategy allows slaves to get copies of the new + zone regardless of how often the master is loaded compared + to the transfer time. The slave might skip some intermediate + versions but the transfers will complete and it will keep + reasonably in sync with the master. + </para> + <para> + The new strategy also allows the master to recover from + syntax and other errors in the master file as it still + has an in-core copy of the old contents. 
+ </para> + </answer> + </qandaentry> + + </qandadiv> <!-- Configuration and Setup Questions --> + + <qandadiv><title>General Questions</title> + + <qandaentry> + <question> + <para> + I keep getting log messages like the following. Why? + </para> + <para> + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone + 'example.com/IN': update failed: 'RRset exists (value + dependent)' prerequisite not satisfied (NXRRSET) + </para> + </question> + <answer> + <para> + DNS updates allow the update request to test to see if + certain conditions are met prior to proceeding with the + update. The message above is saying that conditions were + not met and the update is not proceeding. See doc/rfc/rfc2136.txt + for more details on prerequisites. </para> + </answer> + </qandaentry> + + <qandaentry> + <question> <para> + I keep getting log messages like the following. Why? + </para> + <para> + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied + </para> + </question> + <answer> + <para> + Someone is trying to update your DNS data using the RFC2136 + Dynamic Update protocol. Windows 2000 machines have a habit + of sending dynamic update requests to DNS servers without + being specifically configured to do so. If the update + requests are coming from a Windows 2000 machine, see <ulink - url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris"> - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris + url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp"> + http://support.microsoft.com/support/kb/articles/q246/8/04.asp </ulink> + for information about how to turn them off. </para> </answer> </qandaentry> + + <qandaentry> + <question> + <para> + When I do a "dig . ns", many of the A records for the root + servers are missing. Why? + </para> + </question> + <answer> + <para> + This is normal and harmless. 
It is a somewhat confusing + side effect of the way BIND 9 does RFC2181 trust ranking + and of the efforts BIND 9 makes to avoid promoting glue + into answers. + </para> + <para> + When BIND 9 first starts up and primes its cache, it receives + the root server addresses as additional data in an authoritative + response from a root server, and these records are eligible + for inclusion as additional data in responses. Subsequently + it receives a subset of the root server addresses as + additional data in a non-authoritative (referral) response + from a root server. This causes the addresses to now be + considered non-authoritative (glue) data, which is not + eligible for inclusion in responses. + </para> + <para> + The server does have a complete set of root server addresses + cached at all times, it just may not include all of them + as additional data, depending on whether they were last + received as answers or as glue. You can always look up the + addresses with explicit queries like "dig a.root-servers.net A". + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + Why don't my zones reload when I do an "rndc reload" or SIGHUP? + </para> + </question> + <answer> + <para> + A zone can be updated either by editing zone files and + reloading the server or by dynamic update, but not both. + If you have enabled dynamic update for a zone using the + "allow-update" option, you are not supposed to edit the + zone file by hand, and the server will not attempt to reload + it. + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + Why is named listening on UDP port other than 53? + </para> + </question> + <answer> + <para> + Named uses a system selected port to make queries of other + nameservers. This behaviour can be overridden by using + query-source to lock down the port and/or address. See + also notify-source and transfer-source. 
+ </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + I get warning messages like <quote>zone example.com/IN: refresh: + failure trying master 1.2.3.4#53: timed out</quote>. + </para> + </question> + <answer> + <para> + Check that you can make UDP queries from the slave to the master + </para> + <informalexample> + <programlisting> +dig +norec example.com soa @1.2.3.4</programlisting> + </informalexample> + <para> + You could be generating queries faster than the slave can + cope with. Lower the serial query rate. + </para> + <informalexample> + <programlisting> +serial-query-rate 5; // default 20</programlisting> + </informalexample> + </answer> + </qandaentry> + <qandaentry> + <question> + <para> + I don't get RRSIG's returned when I use "dig +dnssec". + </para> + </question> + <answer> + <para> + You need to ensure DNSSEC is enabled (dnssec-enable yes;). + </para> + </answer> + </qandaentry> + <qandaentry> <question> <para> 
@@ -1045,10 +903,175 @@ empty: </para> </answer> </qandaentry> + + <qandaentry> + <question> + <para> + Will named be affected by the 2007 changes to daylight savings + rules in the US. + </para> + </question> + <answer> + <para> + No, so long as the machines internal clock (as reported + by "date -u") remains at UTC. The only visible change + if you fail to upgrade your OS, if you are in a affected + area, will be that log messages will be a hour out during + the period where the old rules do not match the new rules. + </para> + <para> + For most OS's this change just means that you need to + update the conversion rules from UTC to local time. + Normally this involves updating a file in /etc (which + sets the default timezone for the machine) and possibly + a directory which has all the conversion rules for the + world (e.g. /usr/share/zoneinfo). When updating the OS + do not forget to update any chroot areas as well. + See your OS's documentation for more details. + </para> + <para> + The local timezone conversion rules can also be done on + a individual basis by setting the TZ environment variable + appropriately. See your OS's documentation for more + details. + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + Is there a bugzilla (or other tool) database that mere + mortals can have (read-only) access to for bind? + </para> + </question> + <answer> + <para> + No. The BIND 9 bug database is kept closed for a number + of reasons. These include, but are not limited to, that + the database contains proprietory information from people + reporting bugs. The database has in the past and may in + future contain unfixed bugs which are capable of bringing + down most of the Internet's DNS infrastructure. + </para> + <para> + The release pages for each version contain up to date + lists of bugs that have been fixed post release. That + is as close as we can get to providing a bug database. 
+ </para> + </answer> + </qandaentry> + + </qandadiv> <!-- General Questions --> + + <qandadiv><title>Operating-System Specific Questions</title> + + <qandadiv><title>HPUX</title> + + <qandaentry> + <question> + <para>I get the following error trying to configure BIND: +<programlisting>checking if unistd.h or sys/types.h defines fd_set... no +configure: error: need either working unistd.h or sys/select.h</programlisting> + </para> + </question> + <answer> + <para> + You have attempted to configure BIND with the bundled C compiler. + This compiler does not meet the minimum compiler requirements to + for building BIND. You need to install a ANSI C compiler and / or + teach configure how to find the ANSI C compiler. The later can + be done by adjusting the PATH environment variable and / or + specifying the compiler via CC. + </para> + <informalexample> + <programlisting>./configure CC=<compiler> ...</programlisting> + </informalexample> + </answer> + </qandaentry> + + </qandadiv> <!-- HPUX --> + + <qandadiv><title>Linux</title> + + <qandaentry> + <question> + <para> + Why do I get the following errors: +<programlisting>general: errno2result.c:109: unexpected error: +general: unable to convert errno to isc_result: 14: Bad address +client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting> + </para> + </question> + <answer> + <para> + This is the result of a Linux kernel bug. + </para> + <para> + See: + <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink> + </para> + </answer> + </qandaentry> <qandaentry> <question> <para> + Why do I see 5 (or more) copies of named on Linux? + </para> + </question> + <answer> + <para> + Linux threads each show up as a process under ps. The + approximate number of threads running is n+4, where n is + the number of CPUs. 
Note that the amount of memory used + is not cumulative; if each process is using 10M of memory, + only a total of 10M is used. + </para> + <para> + Newer versions of Linux's ps command hide the individual threads + and require -L to display them. + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + Why does BIND 9 log <quote>permission denied</quote> errors accessing + its configuration files or zones on my Linux system even + though it is running as root? + </para> + </question> + <answer> + <para> + On Linux, BIND 9 drops most of its root privileges on + startup. This including the privilege to open files owned + by other users. Therefore, if the server is running as + root, the configuration files and zone files should also + be owned by root. + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + I get the error message <quote>named: capset failed: Operation + not permitted</quote> when starting named. + </para> + </question> + <answer> + <para> + The capability module, part of "Linux Security Modules/LSM", + has not been loaded into the kernel. See insmod(8). + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> I'm running BIND on Red Hat Enterprise Linux or Fedora Core - </para> <para> 
@@ -1210,148 +1233,115 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d </para> </answer> </qandaentry> - + + </qandadiv> <!-- Linux --> + + <qandadiv><title>Windows</title> + <qandaentry> <question> <para> - I want to forward all DNS queries from my caching nameserver to - another server. But there are some domains which have to be - served locally, via rbldnsd. - </para> - <para> - How do I achieve this ? + Zone transfers from my BIND 9 master to my Windows 2000 + slave fail. Why? </para> </question> <answer> - <programlisting> -options { - forward only; - forwarders { <ip.of.primary.nameserver>; }; -}; - -zone "sbl-xbl.spamhaus.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; -}; - -zone "list.dsbl.org" { - type forward; forward only; - forwarders { <ip.of.rbldns.server> port 530; }; -}; - </programlisting> + <para> + This may be caused by a bug in the Windows 2000 DNS server + where DNS messages larger than 16K are not handled properly. + This can be worked around by setting the option "transfer-format + one-answer;". Also check whether your zone contains domain + names with embedded spaces or other special characters, + like "John\032Doe\213s\032Computer", since such names have + been known to cause Windows 2000 slaves to incorrectly + reject the zone. + </para> </answer> </qandaentry> - + <qandaentry> <question> <para> - Will named be affected by the 2007 changes to daylight savings - rules in the US. + I get <quote>Error 1067</quote> when starting named under Windows. </para> </question> <answer> <para> - No, so long as the machines internal clock (as reported - by "date -u") remains at UTC. The only visible change - if you fail to upgrade your OS, if you are in a affected - area, will be that log messages will be a hour out during - the period where the old rules do not match the new rules. 
- </para> - <para> - For most OS's this change just means that you need to - update the conversion rules from UTC to local time. - Normally this involves updating a file in /etc (which - sets the default timezone for the machine) and possibly - a directory which has all the conversion rules for the - world (e.g. /usr/share/zoneinfo). When updating the OS - do not forget to update any chroot areas as well. - See your OS's documentation for more details. + This is the service manager saying that named exited. You + need to examine the Application log in the EventViewer to + find out why. </para> <para> - The local timezone conversion rules can also be done on - a individual basis by setting the TZ environment variable - appropriately. See your OS's documentation for more - details. + Common causes are that you failed to create "named.conf" + (usually "C:\windows\dns\etc\named.conf") or failed to + specify the directory in named.conf. </para> + <informalexample> + <programlisting> +options { + Directory "C:\windows\dns\etc"; +};</programlisting> + </informalexample> </answer> </qandaentry> - + + </qandadiv> <!-- Windows --> + + <qandadiv><title>FreeBSD</title> + <qandaentry> <question> <para> - Why do we get the following warning at run time: -<programlisting>kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT</programlisting> + I have FreeBSD 4.x and "rndc-confgen -a" just sits there. </para> </question> <answer> <para> - The early Linux kernels broke sendto() by having it return - that a ICMP unreachable had be received for non connected - UDP sockets. This made non connected UDP sockets work like - connected UDP socket which is fine when you are only talking - to one destination. Named however talks to multiple - destinations and it caused problems. - </para> - <para> - Rather than fix sendto() to just have BSD behaviour they added - SO_BSDCOMPAT to turn BSD behaviour on/off on a per socket basis. 
- </para> - <para> - Later they decided to make BSD behaviour the default and - to aggressively track down applications that used SO_BSDCOMPAT - by issuing a warning. This is the sort of things vendors - do in alpha/beta stages of a release so that their code is - clean. They then turn the warning *off* for release code. - </para> - <para> - We still have customers that have kernels that require - SO_BSDCOMPAT to operate. We therefore cannot remove the - setsockopt(SO_BSDCOMPAT) call. - </para> - <para> - Now most/all portable applications that use SO_BSDCOMPAT use it - conditionally manner so just removing SO_BSDCOMPAT from the - header file would be safe as long as the binary was not to - be moved between systems. BIND's use is conditional. + /dev/random is not configured. Use rndcontrol(8) to tell + the kernel to use certain interrupts as a source of random + events. You can make this permanent by setting rand_irqs + in /etc/rc.conf. </para> + <informalexample> + <programlisting> +/etc/rc.conf +rand_irqs="3 14 15"</programlisting> + </informalexample> <para> - In short, the Linux developers should either, remove the #define for - SO_BSDCOMPAT, and/or remove the warning. + See also + <ulink url="http://people.freebsd.org/~dougb/randomness.html"> + http://people.freebsd.org/~dougb/randomness.html + </ulink> </para> </answer> </qandaentry> - + + </qandadiv> <!-- FreeBSD --> + + <qandadiv><title>Solaris</title> + <qandaentry> <question> <para> - Isn't "make install" supposed to generate a default named.conf? + How do I integrate BIND 9 and Solaris SMF </para> </question> <answer> <para> - Short Answer: No. - </para> - <para> - Long Answer: There really isn't a default configuration which fits - any site perfectly. There are lots of decisions that need to - be made and there is no consensus on what the defaults should be. - For example FreeBSD uses /etc/namedb as the location where the - configuration files for named are stored. Others use /var/named. 
- </para> - <para> - What addresses to listen on? For a laptop on the move a lot - you may only want to listen on the loop back interfaces. + Sun has a blog entry describing how to do this. </para> <para> - Who do you offer recursive service to? Is there are firewall - to consider? If so is it stateless or stateful. Are you - directly on the Internet? Are you on a private network? Are - you on a NAT'd network? The answers - to all these questions change how you configure even a - caching name server. + <ulink + url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris"> + http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris + </ulink> </para> </answer> </qandaentry> + + </qandadiv> + + </qandadiv> <!-- Operating-System Specific Questions --> </qandaset> </article> |
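Review bot: in the first hunk the "transfer-format one-answer;" workaround for the Windows 2000 slave is presented as a plain option, which would switch every outbound transfer from this master to the slow one-record-per-message format; suggest scoping it to the affected slave with a server statement, e.g. `server <ip.of.windows.slave> { transfer-format one-answer; };`, and saying explicitly that it is configured on the BIND 9 master, not on the Windows slave. The same hunk also drops the rbldnsd forwarding entry (the `zone "sbl-xbl.spamhaus.org" { type forward; ... }` example) without a visible replacement; confirm it is re-added under another qandadiv elsewhere in the patch rather than lost in the reorganisation.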
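Review bot: the named.conf snippet in the "Error 1067" answer spells the option `Directory` with a capital D, while the rest of the FAQ and the ARM use `directory`; use the documented lowercase spelling so the example can be pasted without a reader having to guess whether keywords are case-sensitive. The preceding paragraph would also read better if it said which log entry to look for: the service manager's Error 1067 carries no detail, and the useful message is the one named itself writes to the Application log before exiting.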
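Review bot: the programlisting in the FreeBSD "rndc-confgen -a just sits there" answer puts the filename `/etc/rc.conf` inside the listing as though it were a line of the file; move it into the prose or make it a comment so `rand_irqs="3 14 15"` is the only thing a reader copies. The answer should also make clear that rndcontrol(8) and rand_irqs apply only to the 4.x question as asked (FreeBSD 5 and later ship a Yarrow-based /dev/random that needs no interrupt configuration), and that the interrupts in the example are only useful entropy sources on a machine where those devices are actually generating interrupts; readers should pick active interrupts for their own hardware rather than copy "3 14 15" verbatim, otherwise the pool stays empty and rndc-confgen keeps blocking.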
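Review bot: the Solaris SMF question is missing its question mark ("How do I integrate BIND 9 and Solaris SMF"), and the answer consists only of a link to an external blog, so it gives the reader nothing if that URL moves; add at least a one-sentence summary of the steps (install an SMF manifest for named and enable the service with `svcadm enable`). Also, the `</qandadiv>` that closes the Solaris div lacks the trailing comment that the Linux, Windows and FreeBSD divs get (`</qandadiv> <!-- Linux -->` etc.); add `<!-- Solaris -->` for consistency, since those comments are what make the nested closing tags readable.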
