From 91be6c5ba2e6b8eebfab7a9e653444b221a58af7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 30 Nov 2005 03:20:40 +0000 Subject: [PATCH] update --- FAQ | 263 ++++++++++++++++++++++++++++++-------------------------- FAQ.xml | 23 ++++- 2 files changed, 162 insertions(+), 124 deletions(-) diff --git a/FAQ b/FAQ index 9b806cbde5..421d6ba9f3 100644 --- a/FAQ +++ b/FAQ @@ -1,56 +1,67 @@ Frequently Asked Questions about BIND 9 -------------------------------------------------------------------------------- +-------------------------------------------------------------------------- Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? -A: Linux threads do not fully implement the Posix threads (pthreads) standard. - In particular, setuid() operates only on the current thread, not the full - process. Because of this limitation, BIND 9 cannot use setuid() on Linux as - it can on all other supported platforms. setuid() cannot be called before - creating threads, since the server does not start listening on reserved - ports until after threads have started. +A: Linux threads do not fully implement the Posix threads (pthreads) + standard. In particular, setuid() operates only on the current thread, not + the full process. Because of this limitation, BIND 9 cannot use setuid() + on Linux as it can on all other supported platforms. setuid() cannot be + called before creating threads, since the server does not start listening + on reserved ports until after threads have started. In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve capabilities across a setuid() call is present. This allows BIND 9 to call - setuid() early, while retaining the ability to bind reserved ports. This is - a Linux-specific hack. + setuid() early, while retaining the ability to bind reserved ports. This + is a Linux-specific hack. - On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less - of a security risk than a root process that has not dropped privileges. + On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be + less of a security risk than a root process that has not dropped + privileges. If Linux threads ever work correctly, this restriction will go away. Configuring BIND9 with the --disable-threads option (the default) causes a non-threaded version to be built, which will allow -u to be used. -Q: Why does named log the warning message "no TTL specified - using SOA MINTTL - instead"? +Q: Why do I get the following errors: + + general: errno2result.c:109: unexpected error: + general: unable to convert errno to isc_result: 14: Bad address + client: UDP client handler shutting down due to fatal receive error: unexpected error + +A: This is the result of a Linux kernel bug. + + See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 + +Q: Why does named log the warning message "no TTL specified - using SOA + MINTTL instead"? A: Your zone file is illegal according to RFC1035. It must either have a line like: $TTL 86400 - at the beginning, or the first record in it must have a TTL field, like the - "84600" in this example: + at the beginning, or the first record in it must have a TTL field, like + the "84600" in this example: example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) Q: Why do I see 5 (or more) copies of named on Linux? -A: Linux threads each show up as a process under ps. The approximate number of - threads running is n+4, where n is the number of CPUs. Note that the amount - of memory used is not cumulative; if each process is using 10M of memory, - only a total of 10M is used. +A: Linux threads each show up as a process under ps. The approximate number + of threads running is n+4, where n is the number of CPUs. Note that the + amount of memory used is not cumulative; if each process is using 10M of + memory, only a total of 10M is used. Q: Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system even though it is running as root? A: On Linux, BIND 9 drops most of its root privileges on startup. This including the privilege to open files owned by other users. Therefore, if - the server is running as root, the configuration files and zone files should - also be owned by root. + the server is running as root, the configuration files and zone files + should also be owned by root. Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"? @@ -62,22 +73,23 @@ Q: How do I produce a usable core file from a multithreaded named on Linux? A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel, - apply the kernel patch found in contrib/linux/coredump-patch and rebuild the - kernel. This patch will cause multithreaded programs to dump the correct - thread. + apply the kernel patch found in contrib/linux/coredump-patch and rebuild + the kernel. This patch will cause multithreaded programs to dump the + correct thread. Q: How do I restrict people from looking up the server version? A: Put a "version" option containing something other than the real version in the "options" section of named.conf. Note doing this will not prevent - attacks and may impede people trying to diagnose problems with your server. - Also it is possible to "fingerprint" nameservers to determine their version. + attacks and may impede people trying to diagnose problems with your + server. Also it is possible to "fingerprint" nameservers to determine + their version. Q: How do I restrict only remote users from looking up the server version? A: The following view statement will intercept lookups as the internal view - that holds the version information will be matched last. The caveats of the - previous answer still apply, of course. + that holds the version information will be matched last. The caveats of + the previous answer still apply, of course. view "chaos" chaos { match-clients { ; }; @@ -88,8 +100,8 @@ A: The following view statement will intercept lookups as the internal view }; }; -Q: What do "no source of entropy found" or "could not open entropy source foo" - mean? +Q: What do "no source of entropy found" or "could not open entropy source + foo" mean? A: The server requires a source of entropy to perform certain operations, mostly DNSSEC related. These messages indicate that you have no source of @@ -112,13 +124,13 @@ A: This may be a clock skew problem. Check that the the clocks on the client Q: I'm trying to compile BIND 9, and "make" is failing due to files not being found. Why? -A: Using a parallel or distributed "make" to build BIND 9 is not supported, and - doesn't work. If you are using one of these, use normal make or gmake +A: Using a parallel or distributed "make" to build BIND 9 is not supported, + and doesn't work. If you are using one of these, use normal make or gmake instead. Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging - error messages like "notify to 10.0.0.1#53 failed: unexpected end of input". - What's wrong? + error messages like "notify to 10.0.0.1#53 failed: unexpected end of + input". What's wrong? A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND 8.2.4. It can be safely ignored - the notify has been acted on by the @@ -126,14 +138,14 @@ A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in Q: I keep getting log messages like the following. Why? - Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update - failed: 'RRset exists (value dependent)' prerequisite not satisfied + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': + update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET) A: DNS updates allow the update request to test to see if certain conditions are met prior to proceeding with the update. The message above is saying - that conditions were not met and the update is not proceeding. See doc/rfc/ - rfc2136.txt for more details on prerequisites. + that conditions were not met and the update is not proceeding. See doc/rfc + /rfc2136.txt for more details on prerequisites. Q: I keep getting log messages like the following. Why? @@ -150,12 +162,12 @@ Q: I see a log message like the following. Why? couldn't open pid file '/var/run/named.pid': Permission denied -A: You are most likely running named as a non-root user, and that user does not - have permission to write in /var/run. The common ways of fixing this are to - create a /var/run/named directory owned by the named user and set pid-file - to "/var/run/named/named.pid", or set pid-file to "named.pid", which will - put the file in the directory specified by the directory option (which, in - this case, must be writable by the named user). +A: You are most likely running named as a non-root user, and that user does + not have permission to write in /var/run. The common ways of fixing this + are to create a /var/run/named directory owned by the named user and set + pid-file to "/var/run/named/named.pid", or set pid-file to "named.pid", + which will put the file in the directory specified by the directory option + (which, in this case, must be writable by the named user). Q: When I do a "dig . ns", many of the A records for the root servers are missing. Why? @@ -165,43 +177,46 @@ A: This is normal and harmless. It is a somewhat confusing side effect of the avoid promoting glue into answers. When BIND 9 first starts up and primes its cache, it receives the root - server addresses as additional data in an authoritative response from a root - server, and these records are eligible for inclusion as additional data in - responses. Subsequently it receives a subset of the root server addresses as - additional data in a non-authoritative (referral) response from a root - server. This causes the addresses to now be considered non-authoritative - (glue) data, which is not eligible for inclusion in responses. + server addresses as additional data in an authoritative response from a + root server, and these records are eligible for inclusion as additional + data in responses. Subsequently it receives a subset of the root server + addresses as additional data in a non-authoritative (referral) response + from a root server. This causes the addresses to now be considered + non-authoritative (glue) data, which is not eligible for inclusion in + responses. The server does have a complete set of root server addresses cached at all - times, it just may not include all of them as additional data, depending on - whether they were last received as answers or as glue. You can always look - up the addresses with explicit queries like "dig a.root-servers.net A". + times, it just may not include all of them as additional data, depending + on whether they were last received as answers or as glue. You can always + look up the addresses with explicit queries like "dig a.root-servers.net + A". Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why? A: This may be caused by a bug in the Windows 2000 DNS server where DNS - messages larger than 16K are not handled properly. This can be worked around - by setting the option "transfer-format one-answer;". Also check whether your - zone contains domain names with embedded spaces or other special characters, - like "John\032Doe\213s\032Computer", since such names have been known to - cause Windows 2000 slaves to incorrectly reject the zone. + messages larger than 16K are not handled properly. This can be worked + around by setting the option "transfer-format one-answer;". Also check + whether your zone contains domain names with embedded spaces or other + special characters, like "John\032Doe\213s\032Computer", since such names + have been known to cause Windows 2000 slaves to incorrectly reject the + zone. Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? -A: A zone can be updated either by editing zone files and reloading the server - or by dynamic update, but not both. If you have enabled dynamic update for a - zone using the "allow-update" option, you are not supposed to edit the zone - file by hand, and the server will not attempt to reload it. +A: A zone can be updated either by editing zone files and reloading the + server or by dynamic update, but not both. If you have enabled dynamic + update for a zone using the "allow-update" option, you are not supposed to + edit the zone file by hand, and the server will not attempt to reload it. -Q: I can query the nameserver from the nameserver but not from other machines. - Why? +Q: I can query the nameserver from the nameserver but not from other + machines. Why? A: This is usually the result of the firewall configuration stopping the queries and / or the replies. -Q: How can I make a server a slave for both an internal and an external view at - the same time? When I tried, both views on the slave were transferred from - the same view on the master. +Q: How can I make a server a slave for both an internal and an external view + at the same time? When I tried, both views on the slave were transferred + from the same view on the master. A: You will need to give the master and slave multiple IP addresses and use those to make sure you reach the correct view on the other machine. @@ -232,8 +247,8 @@ A: You will need to give the master and slave multiple IP addresses and use transfer-source 10.0.1.4; query-source address 10.0.1.4; - You put the external address on the alias so that all the other dns clients - on these boxes see the internal view by default. + You put the external address on the alias so that all the other dns + clients on these boxes see the internal view by default. A: BIND 9.3 and later: Use TSIG to select the appropriate view. @@ -272,8 +287,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view. Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there. A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use - certain interrupts as a source of random events. You can make this permanent - by setting rand_irqs in /etc/rc.conf. + certain interrupts as a source of random events. You can make this + permanent by setting rand_irqs in /etc/rc.conf. /etc/rc.conf rand_irqs="3 14 15" @@ -282,35 +297,37 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use Q: Why is named listening on UDP port other than 53? -A: Named uses a system selected port to make queries of other nameservers. This - behaviour can be overridden by using query-source to lock down the port and/ - or address. See also notify-source and transfer-source. +A: Named uses a system selected port to make queries of other nameservers. + This behaviour can be overridden by using query-source to lock down the + port and/or address. See also notify-source and transfer-source. Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone. What does this mean? A: These indicate a malformed master zone. You can identify the exact records - involved by transferring the zone using dig then running named-checkzone on - it. + involved by transferring the zone using dig then running named-checkzone + on it. dig axfr example.com @master-server > tmp named-checkzone example.com tmp - A CNAME record cannot exist with the same name as another record except for - the DNSSEC records which prove its existance (NSEC). + A CNAME record cannot exist with the same name as another record except + for the DNSSEC records which prove its existance (NSEC). - RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data - should be present; this ensures that the data for a canonical name and its - aliases cannot be different. This rule also insures that a cached CNAME can - be used without checking with an authoritative server for other RR types." + RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other + data should be present; this ensures that the data for a canonical name + and its aliases cannot be different. This rule also insures that a cached + CNAME can be used without checking with an authoritative server for other + RR types." -Q: I get error messages like "named.conf:99: unexpected end of input" where 99 - is the last line of named.conf. +Q: I get error messages like "named.conf:99: unexpected end of input" where + 99 is the last line of named.conf. -A: Some text editors (notepad and wordpad) fail to put a line title indication - (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" - a blank line to the end of the file. Named expects to see EOF immediately - after EOL and treats text files where this is not met as truncated. +A: Some text editors (notepad and wordpad) fail to put a line title + indication (e.g. CR/LF) on the last line of a text file. This can be fixed + by "adding" a blank line to the end of the file. Named expects to see EOF + immediately after EOL and treats text files where this is not met as + truncated. Q: I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out". @@ -366,13 +383,14 @@ A: You choose one view to be master and the second a slave and transfer the }; }; -Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master - file primaries/wireless.ietf56.ietf.org: no owner". +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading + master file primaries/wireless.ietf56.ietf.org: no owner". -A: This error is produced when a line in the master file contains leading white - space (tab/space) but the is no current record owner name to inherit the - name from. Usually this is the result of putting white space before a - comment. Forgeting the "@" for the SOA record or indenting the master file. +A: This error is produced when a line in the master file contains leading + white space (tab/space) but the is no current record owner name to inherit + the name from. Usually this is the result of putting white space before a + comment. Forgeting the "@" for the SOA record or indenting the master + file. Q: Why are my logs in GMT (UTC). @@ -385,8 +403,8 @@ A: You are running chrooted (-t) and have not supplied local timzone See also tzset(3) and zic(8). -Q: I get the error message "named: capset failed: Operation not permitted" when - starting named. +Q: I get the error message "named: capset failed: Operation not permitted" + when starting named. A: The capability module, part of "Linux Security Modules/LSM", has not been loaded into the kernel. See insmod(8). @@ -399,19 +417,19 @@ A: This is usually a configuration error. startup (/var/log/messages or equivalent). Running "named -g " from a title can help at this point. - Secondly ensure that named is configured to use rndc either by "rndc-confgen - -a", rndc-confgen or manually. The Administrators Reference manual has - details on how to do this. + Secondly ensure that named is configured to use rndc either by + "rndc-confgen -a", rndc-confgen or manually. The Administrators Reference + manual has details on how to do this. Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/ - rndc.conf for the default server. Update /etc/rndc.conf if necessary so that - the default server listed in /etc/rndc.conf matches the addresses used in - named.conf. "localhost" has two address (127.0.0.1 and ::1). + rndc.conf for the default server. Update /etc/rndc.conf if necessary so + that the default server listed in /etc/rndc.conf matches the addresses + used in named.conf. "localhost" has two address (127.0.0.1 and ::1). - If you use "rndc-confgen -a" and named is running with -t or -u ensure that - /etc/rndc.conf has the correct ownership and that a copy is in the chroot - area. You can do this by re-running "rndc-confgen -a" with appropriate -t - and -u arguments. + If you use "rndc-confgen -a" and named is running with -t or -u ensure + that /etc/rndc.conf has the correct ownership and that a copy is in the + chroot area. You can do this by re-running "rndc-confgen -a" with + appropriate -t and -u arguments. Q: I don't get RRSIG's returned when I use "dig +dnssec". @@ -448,9 +466,9 @@ A: These indicate a filesystem permission error preventing named creating / Note file names are relative to the directory specified in options and any chroot directory ([/][]). - If named is invoked as "named -t /chroot/DNS" with the following named.conf - then "/chroot/DNS/var/named/sl" needs to be writable by the user named is - running as. + If named is invoked as "named -t /chroot/DNS" with the following + named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the + user named is running as. options { directory "/var/named"; @@ -470,22 +488,23 @@ A: Sun has a blog entry describing how to do this. Q: Can a NS record refer to a CNAME. -A: No. The rules for glue (copies of the *address* records in the parent zones) - and additional section processing do not allow it to work. +A: No. The rules for glue (copies of the *address* records in the parent + zones) and additional section processing do not allow it to work. - You would have to add both the CNAME and address records (A/AAAA) as glue to - the parent zone and have CNAMEs be followed when doing additional section - processing to make it work. No namesever implementation supports either of - these requirements. + You would have to add both the CNAME and address records (A/AAAA) as glue + to the parent zone and have CNAMEs be followed when doing additional + section processing to make it work. No namesever implementation supports + either of these requirements. -Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean? +Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" + mean? -A: If the IN-ADDR.ARPA name covered refers to a internal address space you are - using then you have failed to follow RFC 1918 usage rules and are leaking - queries to the Internet. You should establish your own zones for these - addresses to prevent you quering the Internet's name servers for these - addresses. Please see http://as112.net/ for details of the problems you are - causing and the counter measures that have had to be deployed. +A: If the IN-ADDR.ARPA name covered refers to a internal address space you + are using then you have failed to follow RFC 1918 usage rules and are + leaking queries to the Internet. You should establish your own zones for + these addresses to prevent you quering the Internet's name servers for + these addresses. Please see http://as112.net/ for details of the problems + you are causing and the counter measures that have had to be deployed. If you are not using these private addresses then a client has queried for them. You can just ignore the messages, get the offending client to stop diff --git a/FAQ.xml b/FAQ.xml index 2d50906392..e7d1a3713b 100644 --- a/FAQ.xml +++ b/FAQ.xml @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - +
Frequently Asked Questions about BIND 9 @@ -64,6 +64,26 @@ + + + + Why do I get the following errors: +general: errno2result.c:109: unexpected error: +general: unable to convert errno to isc_result: 14: Bad address +client: UDP client handler shutting down due to fatal receive error: unexpected error + + + + + This is the result of a Linux kernel bug. + + + See: + http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2 + + + + @@ -1002,6 +1022,5 @@ empty: -