From 5bcf8f96cfec31d3c111db67a33579280ab2c559 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 23 Feb 2006 22:22:42 +0000 Subject: [PATCH] update example --- FAQ | 443 +++++++++++++++++++++++++++----------------------------- FAQ.xml | 6 +- 2 files changed, 216 insertions(+), 233 deletions(-) diff --git a/FAQ b/FAQ index 773e2b191b..4c4b7648f7 100644 --- a/FAQ +++ b/FAQ @@ -1,24 +1,23 @@ Frequently Asked Questions about BIND 9 --------------------------------------------------------------------------- +------------------------------------------------------------------------------- Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? -A: Linux threads do not fully implement the Posix threads (pthreads) - standard. In particular, setuid() operates only on the current thread, not - the full process. Because of this limitation, BIND 9 cannot use setuid() - on Linux as it can on all other supported platforms. setuid() cannot be - called before creating threads, since the server does not start listening - on reserved ports until after threads have started. +A: Linux threads do not fully implement the Posix threads (pthreads) standard. In + particular, setuid() operates only on the current thread, not the full process. + Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on + all other supported platforms. setuid() cannot be called before creating + threads, since the server does not start listening on reserved ports until + after threads have started. In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve capabilities across a setuid() call is present. This allows BIND 9 to call - setuid() early, while retaining the ability to bind reserved ports. This - is a Linux-specific hack. + setuid() early, while retaining the ability to bind reserved ports. This is a + Linux-specific hack. - On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be - less of a security risk than a root process that has not dropped - privileges. + On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of + a security risk than a root process that has not dropped privileges. If Linux threads ever work correctly, this restriction will go away. @@ -35,61 +34,60 @@ A: This is the result of a Linux kernel bug. See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 -Q: Why does named log the warning message "no TTL specified - using SOA - MINTTL instead"? +Q: Why does named log the warning message "no TTL specified - using SOA MINTTL + instead"? A: Your zone file is illegal according to RFC1035. It must either have a line like: $TTL 86400 - at the beginning, or the first record in it must have a TTL field, like - the "84600" in this example: + at the beginning, or the first record in it must have a TTL field, like the + "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) Q: Why do I see 5 (or more) copies of named on Linux? -A: Linux threads each show up as a process under ps. The approximate number - of threads running is n+4, where n is the number of CPUs. Note that the - amount of memory used is not cumulative; if each process is using 10M of - memory, only a total of 10M is used. +A: Linux threads each show up as a process under ps. The approximate number of + threads running is n+4, where n is the number of CPUs. Note that the amount of + memory used is not cumulative; if each process is using 10M of memory, only a + total of 10M is used. Q: Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system even though it is running as root? -A: On Linux, BIND 9 drops most of its root privileges on startup. This - including the privilege to open files owned by other users. Therefore, if - the server is running as root, the configuration files and zone files - should also be owned by root. +A: On Linux, BIND 9 drops most of its root privileges on startup. This including + the privilege to open files owned by other users. Therefore, if the server is + running as root, the configuration files and zone files should also be owned by + root. -Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file - bar: ran out of space"? +Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: + ran out of space"? -A: This is often caused by TXT records with missing close quotes. Check that - all TXT records containing quoted strings have both open and close quotes. +A: This is often caused by TXT records with missing close quotes. Check that all + TXT records containing quoted strings have both open and close quotes. Q: How do I produce a usable core file from a multithreaded named on Linux? A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, - apply the kernel patch found in contrib/linux/coredump-patch and rebuild - the kernel. This patch will cause multithreaded programs to dump the - correct thread. + apply the kernel patch found in contrib/linux/coredump-patch and rebuild the + kernel. This patch will cause multithreaded programs to dump the correct + thread. Q: How do I restrict people from looking up the server version? -A: Put a "version" option containing something other than the real version in - the "options" section of named.conf. Note doing this will not prevent - attacks and may impede people trying to diagnose problems with your - server. Also it is possible to "fingerprint" nameservers to determine - their version. +A: Put a "version" option containing something other than the real version in the + "options" section of named.conf. Note doing this will not prevent attacks and + may impede people trying to diagnose problems with your server. Also it is + possible to "fingerprint" nameservers to determine their version. Q: How do I restrict only remote users from looking up the server version? -A: The following view statement will intercept lookups as the internal view - that holds the version information will be matched last. The caveats of - the previous answer still apply, of course. +A: The following view statement will intercept lookups as the internal view that + holds the version information will be matched last. The caveats of the previous + answer still apply, of course. view "chaos" chaos { match-clients { ; }; @@ -100,126 +98,120 @@ A: The following view statement will intercept lookups as the internal view }; }; -Q: What do "no source of entropy found" or "could not open entropy source - foo" mean? +Q: What do "no source of entropy found" or "could not open entropy source foo" + mean? -A: The server requires a source of entropy to perform certain operations, - mostly DNSSEC related. These messages indicate that you have no source of - entropy. On systems with /dev/random or an equivalent, it is used by - default. A source of entropy can also be defined using the random-device - option in named.conf. +A: The server requires a source of entropy to perform certain operations, mostly + DNSSEC related. These messages indicate that you have no source of entropy. On + systems with /dev/random or an equivalent, it is used by default. A source of + entropy can also be defined using the random-device option in named.conf. Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed under /usr. Check that the correct named is running. -Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. - I'm sure I have the keys set up correctly, but the server is rejecting the - TSIG. Why? +Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm + sure I have the keys set up correctly, but the server is rejecting the TSIG. + Why? -A: This may be a clock skew problem. Check that the the clocks on the client - and server are properly synchronised (e.g., using ntp). +A: This may be a clock skew problem. Check that the the clocks on the client and + server are properly synchronised (e.g., using ntp). Q: I'm trying to compile BIND 9, and "make" is failing due to files not being found. Why? -A: Using a parallel or distributed "make" to build BIND 9 is not supported, - and doesn't work. If you are using one of these, use normal make or gmake - instead. +A: Using a parallel or distributed "make" to build BIND 9 is not supported, and + doesn't work. If you are using one of these, use normal make or gmake instead. -Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging - error messages like "notify to 10.0.0.1#53 failed: unexpected end of - input". What's wrong? +Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error + messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's + wrong? -A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in - BIND 8.2.4. It can be safely ignored - the notify has been acted on by the - slave despite the error message. +A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND + 8.2.4. It can be safely ignored - the notify has been acted on by the slave + despite the error message. Q: I keep getting log messages like the following. Why? - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': - update failed: 'RRset exists (value dependent)' prerequisite not satisfied - (NXRRSET) + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update + failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) -A: DNS updates allow the update request to test to see if certain conditions - are met prior to proceeding with the update. The message above is saying - that conditions were not met and the update is not proceeding. See doc/rfc - /rfc2136.txt for more details on prerequisites. +A: DNS updates allow the update request to test to see if certain conditions are + met prior to proceeding with the update. The message above is saying that + conditions were not met and the update is not proceeding. See doc/rfc/ + rfc2136.txt for more details on prerequisites. Q: I keep getting log messages like the following. Why? Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update - protocol. Windows 2000 machines have a habit of sending dynamic update - requests to DNS servers without being specifically configured to do so. If - the update requests are coming from a Windows 2000 machine, see http:// - support.microsoft.com/support/kb/articles/q246/8/04.asp for information - about how to turn them off. + protocol. Windows 2000 machines have a habit of sending dynamic update requests + to DNS servers without being specifically configured to do so. If the update + requests are coming from a Windows 2000 machine, see http:// + support.microsoft.com/support/kb/articles/q246/8/04.asp for information about + how to turn them off. Q: I see a log message like the following. Why? couldn't open pid file '/var/run/named.pid': Permission denied -A: You are most likely running named as a non-root user, and that user does - not have permission to write in /var/run. The common ways of fixing this - are to create a /var/run/named directory owned by the named user and set - pid-file to "/var/run/named/named.pid", or set pid-file to "named.pid", - which will put the file in the directory specified by the directory option - (which, in this case, must be writable by the named user). +A: You are most likely running named as a non-root user, and that user does not + have permission to write in /var/run. The common ways of fixing this are to + create a /var/run/named directory owned by the named user and set pid-file to " + /var/run/named/named.pid", or set pid-file to "named.pid", which will put the + file in the directory specified by the directory option (which, in this case, + must be writable by the named user). -Q: When I do a "dig . ns", many of the A records for the root servers are - missing. Why? +Q: When I do a "dig . ns", many of the A records for the root servers are missing. + Why? -A: This is normal and harmless. It is a somewhat confusing side effect of the - way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to - avoid promoting glue into answers. +A: This is normal and harmless. It is a somewhat confusing side effect of the way + BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid + promoting glue into answers. - When BIND 9 first starts up and primes its cache, it receives the root - server addresses as additional data in an authoritative response from a - root server, and these records are eligible for inclusion as additional - data in responses. Subsequently it receives a subset of the root server - addresses as additional data in a non-authoritative (referral) response - from a root server. This causes the addresses to now be considered - non-authoritative (glue) data, which is not eligible for inclusion in - responses. + When BIND 9 first starts up and primes its cache, it receives the root server + addresses as additional data in an authoritative response from a root server, + and these records are eligible for inclusion as additional data in responses. + Subsequently it receives a subset of the root server addresses as additional + data in a non-authoritative (referral) response from a root server. This causes + the addresses to now be considered non-authoritative (glue) data, which is not + eligible for inclusion in responses. The server does have a complete set of root server addresses cached at all - times, it just may not include all of them as additional data, depending - on whether they were last received as answers or as glue. You can always - look up the addresses with explicit queries like "dig a.root-servers.net - A". + times, it just may not include all of them as additional data, depending on + whether they were last received as answers or as glue. You can always look up + the addresses with explicit queries like "dig a.root-servers.net A". Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why? -A: This may be caused by a bug in the Windows 2000 DNS server where DNS - messages larger than 16K are not handled properly. This can be worked - around by setting the option "transfer-format one-answer;". Also check - whether your zone contains domain names with embedded spaces or other - special characters, like "John\032Doe\213s\032Computer", since such names - have been known to cause Windows 2000 slaves to incorrectly reject the - zone. +A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages + larger than 16K are not handled properly. This can be worked around by setting + the option "transfer-format one-answer;". Also check whether your zone contains + domain names with embedded spaces or other special characters, like "John\ + 032Doe\213s\032Computer", since such names have been known to cause Windows + 2000 slaves to incorrectly reject the zone. Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? -A: A zone can be updated either by editing zone files and reloading the - server or by dynamic update, but not both. If you have enabled dynamic - update for a zone using the "allow-update" option, you are not supposed to - edit the zone file by hand, and the server will not attempt to reload it. +A: A zone can be updated either by editing zone files and reloading the server or + by dynamic update, but not both. If you have enabled dynamic update for a zone + using the "allow-update" option, you are not supposed to edit the zone file by + hand, and the server will not attempt to reload it. -Q: I can query the nameserver from the nameserver but not from other - machines. Why? +Q: I can query the nameserver from the nameserver but not from other machines. + Why? -A: This is usually the result of the firewall configuration stopping the - queries and / or the replies. +A: This is usually the result of the firewall configuration stopping the queries + and / or the replies. -Q: How can I make a server a slave for both an internal and an external view - at the same time? When I tried, both views on the slave were transferred - from the same view on the master. +Q: How can I make a server a slave for both an internal and an external view at + the same time? When I tried, both views on the slave were transferred from the + same view on the master. -A: You will need to give the master and slave multiple IP addresses and use - those to make sure you reach the correct view on the other machine. +A: You will need to give the master and slave multiple IP addresses and use those + to make sure you reach the correct view on the other machine. Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) internal: @@ -247,8 +239,8 @@ A: You will need to give the master and slave multiple IP addresses and use transfer-source 10.0.1.4; query-source address 10.0.1.4; - You put the external address on the alias so that all the other dns - clients on these boxes see the internal view by default. + You put the external address on the alias so that all the other dns clients on + these boxes see the internal view by default. A: BIND 9.3 and later: Use TSIG to select the appropriate view. @@ -263,7 +255,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. }; view "external" { match-clients { key external; any; }; - server 10.0.0.2 { keys external; }; + server 10.0.1.2 { keys external; }; recursion no; ... }; @@ -279,7 +271,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. }; view "external" { match-clients { key external; any; }; - server 10.0.0.1 { keys external; }; + server 10.0.1.1 { keys external; }; recursion no; ... }; @@ -287,8 +279,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use - certain interrupts as a source of random events. You can make this - permanent by setting rand_irqs in /etc/rc.conf. + certain interrupts as a source of random events. You can make this permanent by + setting rand_irqs in /etc/rc.conf. /etc/rc.conf rand_irqs="3 14 15" @@ -297,37 +289,34 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use Q: Why is named listening on UDP port other than 53? -A: Named uses a system selected port to make queries of other nameservers. - This behaviour can be overridden by using query-source to lock down the - port and/or address. See also notify-source and transfer-source. +A: Named uses a system selected port to make queries of other nameservers. This + behaviour can be overridden by using query-source to lock down the port and/or + address. See also notify-source and transfer-source. -Q: I get error messages like "multiple RRs of singleton type" and "CNAME and - other data" when transferring a zone. What does this mean? +Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other + data" when transferring a zone. What does this mean? A: These indicate a malformed master zone. You can identify the exact records - involved by transferring the zone using dig then running named-checkzone - on it. + involved by transferring the zone using dig then running named-checkzone on it. dig axfr example.com @master-server > tmp named-checkzone example.com tmp - A CNAME record cannot exist with the same name as another record except - for the DNSSEC records which prove its existance (NSEC). + A CNAME record cannot exist with the same name as another record except for the + DNSSEC records which prove its existance (NSEC). - RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other - data should be present; this ensures that the data for a canonical name - and its aliases cannot be different. This rule also insures that a cached - CNAME can be used without checking with an authoritative server for other - RR types." + RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data + should be present; this ensures that the data for a canonical name and its + aliases cannot be different. This rule also insures that a cached CNAME can be + used without checking with an authoritative server for other RR types." -Q: I get error messages like "named.conf:99: unexpected end of input" where - 99 is the last line of named.conf. +Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is + the last line of named.conf. -A: Some text editors (notepad and wordpad) fail to put a line title - indication (e.g. CR/LF) on the last line of a text file. This can be fixed - by "adding" a blank line to the end of the file. Named expects to see EOF - immediately after EOL and treats text files where this is not met as - truncated. +A: Some text editors (notepad and wordpad) fail to put a line title indication + (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a + blank line to the end of the file. Named expects to see EOF immediately after + EOL and treats text files where this is not met as truncated. Q: I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out". @@ -336,15 +325,15 @@ A: Check that you can make UDP queries from the slave to the master dig +norec example.com soa @1.2.3.4 - You could be generating queries faster than the slave can cope with. Lower - the serial query rate. + You could be generating queries faster than the slave can cope with. Lower the + serial query rate. serial-query-rate 5; // default 20 Q: How do I share a dynamic zone between multiple views? -A: You choose one view to be master and the second a slave and transfer the - zone between views. +A: You choose one view to be master and the second a slave and transfer the zone + between views. Master 10.0.1.1: key "external" { @@ -383,19 +372,18 @@ A: You choose one view to be master and the second a slave and transfer the }; }; -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading - master file primaries/wireless.ietf56.ietf.org: no owner". +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master + file primaries/wireless.ietf56.ietf.org: no owner". -A: This error is produced when a line in the master file contains leading - white space (tab/space) but the is no current record owner name to inherit - the name from. Usually this is the result of putting white space before a - comment. Forgeting the "@" for the SOA record or indenting the master - file. +A: This error is produced when a line in the master file contains leading white + space (tab/space) but the is no current record owner name to inherit the name + from. Usually this is the result of putting white space before a comment. + Forgeting the "@" for the SOA record or indenting the master file. Q: Why are my logs in GMT (UTC). -A: You are running chrooted (-t) and have not supplied local timzone - information in the chroot area. +A: You are running chrooted (-t) and have not supplied local timzone information + in the chroot area. FreeBSD: /etc/localtime Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo @@ -403,8 +391,8 @@ A: You are running chrooted (-t) and have not supplied local timzone See also tzset(3) and zic(8). -Q: I get the error message "named: capset failed: Operation not permitted" - when starting named. +Q: I get the error message "named: capset failed: Operation not permitted" when + starting named. A: The capability module, part of "Linux Security Modules/LSM", has not been loaded into the kernel. See insmod(8). @@ -413,23 +401,23 @@ Q: I get "rndc: connect failed: connection refused" when I try to run rndc. A: This is usually a configuration error. - First ensure that named is running and no errors are being reported at - startup (/var/log/messages or equivalent). Running "named -g " from a title can help at this point. + First ensure that named is running and no errors are being reported at startup + (/var/log/messages or equivalent). Running "named -g " from a + title can help at this point. - Secondly ensure that named is configured to use rndc either by - "rndc-confgen -a", rndc-confgen or manually. The Administrators Reference - manual has details on how to do this. + Secondly ensure that named is configured to use rndc either by "rndc-confgen + -a", rndc-confgen or manually. The Administrators Reference manual has details + on how to do this. Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/ - rndc.conf for the default server. Update /etc/rndc.conf if necessary so - that the default server listed in /etc/rndc.conf matches the addresses - used in named.conf. "localhost" has two address (127.0.0.1 and ::1). + rndc.conf for the default server. Update /etc/rndc.conf if necessary so that + the default server listed in /etc/rndc.conf matches the addresses used in + named.conf. "localhost" has two address (127.0.0.1 and ::1). - If you use "rndc-confgen -a" and named is running with -t or -u ensure - that /etc/rndc.conf has the correct ownership and that a copy is in the - chroot area. You can do this by re-running "rndc-confgen -a" with - appropriate -t and -u arguments. + If you use "rndc-confgen -a" and named is running with -t or -u ensure that / + etc/rndc.conf has the correct ownership and that a copy is in the chroot area. + You can do this by re-running "rndc-confgen -a" with appropriate -t and -u + arguments. Q: I don't get RRSIG's returned when I use "dig +dnssec". @@ -437,12 +425,11 @@ A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). Q: I get "Error 1067" when starting named under Windows. -A: This is the service manager saying that named exited. You need to examine - the Application log in the EventViewer to find out why. +A: This is the service manager saying that named exited. You need to examine the + Application log in the EventViewer to find out why. - Common causes are that you failed to create "named.conf" (usually "C:\ - windows\dns\etc\named.conf") or failed to specify the directory in - named.conf. + Common causes are that you failed to create "named.conf" (usually "C:\windows\ + dns\etc\named.conf") or failed to specify the directory in named.conf. options { Directory "C:\windows\dns\etc"; @@ -457,18 +444,18 @@ A: These indicate a filesystem permission error preventing named creating / "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied" - Named needs write permission on the directory containing the file. Named - writes the new cache file to a temporary file then renames it to the name - specified in named.conf to ensure that the contents are always complete. - This is to prevent named loading a partial zone in the event of power - failure or similar interrupting the write of the master file. + Named needs write permission on the directory containing the file. Named writes + the new cache file to a temporary file then renames it to the name specified in + named.conf to ensure that the contents are always complete. This is to prevent + named loading a partial zone in the event of power failure or similar + interrupting the write of the master file. Note file names are relative to the directory specified in options and any chroot directory ([/][]). - If named is invoked as "named -t /chroot/DNS" with the following - named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the - user named is running as. + If named is invoked as "named -t /chroot/DNS" with the following named.conf + then "/chroot/DNS/var/named/sl" needs to be writable by the user named is + running as. options { directory "/var/named"; @@ -488,28 +475,27 @@ A: Sun has a blog entry describing how to do this. Q: Can a NS record refer to a CNAME. -A: No. The rules for glue (copies of the *address* records in the parent - zones) and additional section processing do not allow it to work. +A: No. The rules for glue (copies of the *address* records in the parent zones) + and additional section processing do not allow it to work. - You would have to add both the CNAME and address records (A/AAAA) as glue - to the parent zone and have CNAMEs be followed when doing additional - section processing to make it work. No namesever implementation supports - either of these requirements. + You would have to add both the CNAME and address records (A/AAAA) as glue to + the parent zone and have CNAMEs be followed when doing additional section + processing to make it work. No namesever implementation supports either of + these requirements. -Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" - mean? +Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean? -A: If the IN-ADDR.ARPA name covered refers to a internal address space you - are using then you have failed to follow RFC 1918 usage rules and are - leaking queries to the Internet. You should establish your own zones for - these addresses to prevent you quering the Internet's name servers for - these addresses. Please see http://as112.net/ for details of the problems - you are causing and the counter measures that have had to be deployed. +A: If the IN-ADDR.ARPA name covered refers to a internal address space you are + using then you have failed to follow RFC 1918 usage rules and are leaking + queries to the Internet. You should establish your own zones for these + addresses to prevent you quering the Internet's name servers for these + addresses. Please see http://as112.net/ for details of the problems you are + causing and the counter measures that have had to be deployed. If you are not using these private addresses then a client has queried for them. You can just ignore the messages, get the offending client to stop - sending you these messages as they are most probably leaking them or setup - your own zones empty zones to serve answers to these queries. + sending you these messages as they are most probably leaking them or setup your + own zones empty zones to serve answers to these queries. zone "10.IN-ADDR.ARPA" { type master; @@ -553,10 +539,10 @@ Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core - A: Red Hat Security Enhanced Linux (SELinux) policy security protections : - Red Hat have adopted the National Security Agency's SELinux security - policy ( see http://www.nsa.gov/selinux ) and recommendations for BIND - security , which are more secure than running named in a chroot and make - use of the bind-chroot environment unecessary . + Red Hat have adopted the National Security Agency's SELinux security policy ( + see http://www.nsa.gov/selinux ) and recommendations for BIND security , which + are more secure than running named in a chroot and make use of the bind-chroot + environment unecessary . By default, named is not allowed by the SELinux policy to write, create or delete any files EXCEPT in these directories: @@ -566,21 +552,18 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : $ROOTDIR/var/tmp - where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is - installed. + where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed. - The SELinux policy particularly does NOT allow named to modify the - $ROOTDIR/var/named directory, the default location for master zone - database files. + The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var + /named directory, the default location for master zone database files. - SELinux policy overrules file access permissions - so even if all the - files under /var/named have ownership named:named and mode rw-rw-r--, - named will still not be able to write or create files except in the - directories above, with SELinux in Enforcing mode. + SELinux policy overrules file access permissions - so even if all the files + under /var/named have ownership named:named and mode rw-rw-r--, named will + still not be able to write or create files except in the directories above, + with SELinux in Enforcing mode. - So, to allow named to update slave or DDNS zone files, it is best to - locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements - such as: + So, to allow named to update slave or DDNS zone files, it is best to locate + them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as: zone "slave.zone." IN { type slave; @@ -594,8 +577,8 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : }; - To allow named to create its cache dump and statistics files, for example, - you could use named.conf options statements such as: + To allow named to create its cache dump and statistics files, for example, you + could use named.conf options statements such as: options { ... @@ -605,10 +588,10 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : }; - You can also tell SELinux to allow named to update any zone database - files, by setting the SELinux tunable boolean parameter - 'named_write_master_zones=1', using the system-config-securitylevel GUI, - using the 'setsebool' command, or in /etc/selinux/targeted/booleans. + You can also tell SELinux to allow named to update any zone database files, by + setting the SELinux tunable boolean parameter 'named_write_master_zones=1', + using the system-config-securitylevel GUI, using the 'setsebool' command, or in + /etc/selinux/targeted/booleans. You can disable SELinux protection for named entirely by setting the 'named_disable_trans=1' SELinux tunable boolean parameter. @@ -620,18 +603,18 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}} - If you want to retain use of the SELinux policy for named, and put named - files in different locations, you can do so by changing the context of the - custom file locations . + If you want to retain use of the SELinux policy for named, and put named files + in different locations, you can do so by changing the context of the custom + file locations . - To create a custom configuration file location, eg. '/root/named.conf', to - use with the 'named -c' option, do: + To create a custom configuration file location, eg. '/root/named.conf', to use + with the 'named -c' option, do: # chcon system_u:object_r:named_conf_t /root/named.conf - To create a custom modifiable named data location, eg. '/var/log/named' - for a log file, do: + To create a custom modifiable named data location, eg. '/var/log/named' for a + log file, do: # chcon system_u:object_r:named_cache_t /var/log/named @@ -641,6 +624,6 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections : # chcon system_u:object_r:named_zone_t /root/zones/{.,*} - See these man-pages for more information : selinux(8), named_selinux(8), - chcon(1), setsebool(8) + See these man-pages for more information : selinux(8), named_selinux(8), chcon + (1), setsebool(8) diff --git a/FAQ.xml b/FAQ.xml index 460cb01ce8..3622882155 100644 --- a/FAQ.xml +++ b/FAQ.xml @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +
Frequently Asked Questions about BIND 9 @@ -536,7 +536,7 @@ Master 10.0.1.1: }; view "external" { match-clients { key external; any; }; - server 10.0.0.2 { keys external; }; + server 10.0.1.2 { keys external; }; recursion no; ... }; @@ -552,7 +552,7 @@ Slave 10.0.1.2: }; view "external" { match-clients { key external; any; }; - server 10.0.0.1 { keys external; }; + server 10.0.1.1 { keys external; }; recursion no; ... };