Frequently Asked Questions about BIND 9
2004
2005
2006
2007
Internet Systems Consortium, Inc. ("ISC")
2000
2001
2002
2003
Internet Software Consortium.
Why doesn't -u work on Linux 2.2.x when I build with
--enable-threads?
Linux threads do not fully implement the Posix threads
(pthreads) standard. In particular, setuid() operates only
on the current thread, not the full process. Because of
this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms. setuid() cannot be
called before creating threads, since the server does not
start listening on reserved ports until after threads have
started.
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
to preserve capabilities across a setuid() call is present.
This allows BIND 9 to call setuid() early, while retaining
the ability to bind reserved ports. This is a Linux-specific
hack.
On a 2.2 kernel, BIND 9 does drop many root privileges, so
it should be less of a security risk than a root process
that has not dropped privileges.
If Linux threads ever work correctly, this restriction will
go away.
Configuring BIND9 with the --disable-threads option (the
default) causes a non-threaded version to be built, which
will allow -u to be used.
Why do I get the following errors:
general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error
This is the result of a Linux kernel bug.
See:
http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
Why does named log the warning message no TTL specified -
using SOA MINTTL instead
?
Your zone file is illegal according to RFC1035. It must either
have a line like:
$TTL 86400
at the beginning, or the first record in it must have a TTL field,
like the "84600" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
Why do I see 5 (or more) copies of named on Linux?
Linux threads each show up as a process under ps. The
approximate number of threads running is n+4, where n is
the number of CPUs. Note that the amount of memory used
is not cumulative; if each process is using 10M of memory,
only a total of 10M is used.
Newer versions of Linux's ps command hide the individual threads
and require -L to display them.
Why does BIND 9 log permission denied
errors accessing
its configuration files or zones on my Linux system even
though it is running as root?
On Linux, BIND 9 drops most of its root privileges on
startup. This including the privilege to open files owned
by other users. Therefore, if the server is running as
root, the configuration files and zone files should also
be owned by root.
Why do I get errors like dns_zone_load: zone foo/IN: loading
master file bar: ran out of space
?
This is often caused by TXT records with missing close
quotes. Check that all TXT records containing quoted strings
have both open and close quotes.
How do I produce a usable core file from a multi-threaded
named on Linux?
If the Linux kernel is 2.4.7 or newer, multi-threaded core
dumps are usable (that is, the correct thread is dumped).
Otherwise, if using a 2.2 kernel, apply the kernel patch
found in contrib/linux/coredump-patch and rebuild the kernel.
This patch will cause multi-threaded programs to dump the
correct thread.
How do I restrict people from looking up the server version?
Put a "version" option containing something other than the
real version in the "options" section of named.conf. Note
doing this will not prevent attacks and may impede people
trying to diagnose problems with your server. Also it is
possible to "fingerprint" nameservers to determine their
version.
How do I restrict only remote users from looking up the
server version?
The following view statement will intercept lookups as the
internal view that holds the version information will be
matched last. The caveats of the previous answer still
apply, of course.
view "chaos" chaos {
match-clients { <those to be refused>; };
allow-query { none; };
zone "." {
type hint;
file "/dev/null"; // or any empty file
};
};
What do no source of entropy found
or could not
open entropy source foo
mean?
The server requires a source of entropy to perform certain
operations, mostly DNSSEC related. These messages indicate
that you have no source of entropy. On systems with
/dev/random or an equivalent, it is used by default. A
source of entropy can also be defined using the random-device
option in named.conf.
I installed BIND 9 and restarted named, but it's still BIND 8. Why?
BIND 9 is installed under /usr/local by default. BIND 8
is often installed under /usr. Check that the correct named
is running.
I'm trying to use TSIG to authenticate dynamic updates or
zone transfers. I'm sure I have the keys set up correctly,
but the server is rejecting the TSIG. Why?
This may be a clock skew problem. Check that the the clocks
on the client and server are properly synchronised (e.g.,
using ntp).
I'm trying to compile BIND 9, and "make" is failing due to
files not being found. Why?
Using a parallel or distributed "make" to build BIND 9 is
not supported, and doesn't work. If you are using one of
these, use normal make or gmake instead.
I have a BIND 9 master and a BIND 8.2.3 slave, and the
master is logging error messages like notify to 10.0.0.1#53
failed: unexpected end of input
. What's wrong?
This error message is caused by a known bug in BIND 8.2.3
and is fixed in BIND 8.2.4. It can be safely ignored - the
notify has been acted on by the slave despite the error
message.
I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
'example.com/IN': update failed: 'RRset exists (value
dependent)' prerequisite not satisfied (NXRRSET)
DNS updates allow the update request to test to see if
certain conditions are met prior to proceeding with the
update. The message above is saying that conditions were
not met and the update is not proceeding. See doc/rfc/rfc2136.txt
for more details on prerequisites.
I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
Someone is trying to update your DNS data using the RFC2136
Dynamic Update protocol. Windows 2000 machines have a habit
of sending dynamic update requests to DNS servers without
being specifically configured to do so. If the update
requests are coming from a Windows 2000 machine, see
http://support.microsoft.com/support/kb/articles/q246/8/04.asp
for information about how to turn them off.
I see a log message like the following. Why?
couldn't open pid file '/var/run/named.pid': Permission denied
You are most likely running named as a non-root user, and
that user does not have permission to write in /var/run.
The common ways of fixing this are to create a /var/run/named
directory owned by the named user and set pid-file to
"/var/run/named/named.pid", or set pid-file to "named.pid",
which will put the file in the directory specified by the
directory option (which, in this case, must be writable by
the named user).
When I do a "dig . ns", many of the A records for the root
servers are missing. Why?
This is normal and harmless. It is a somewhat confusing
side effect of the way BIND 9 does RFC2181 trust ranking
and of the efforts BIND 9 makes to avoid promoting glue
into answers.
When BIND 9 first starts up and primes its cache, it receives
the root server addresses as additional data in an authoritative
response from a root server, and these records are eligible
for inclusion as additional data in responses. Subsequently
it receives a subset of the root server addresses as
additional data in a non-authoritative (referral) response
from a root server. This causes the addresses to now be
considered non-authoritative (glue) data, which is not
eligible for inclusion in responses.
The server does have a complete set of root server addresses
cached at all times, it just may not include all of them
as additional data, depending on whether they were last
received as answers or as glue. You can always look up the
addresses with explicit queries like "dig a.root-servers.net A".
Zone transfers from my BIND 9 master to my Windows 2000
slave fail. Why?
This may be caused by a bug in the Windows 2000 DNS server
where DNS messages larger than 16K are not handled properly.
This can be worked around by setting the option "transfer-format
one-answer;". Also check whether your zone contains domain
names with embedded spaces or other special characters,
like "John\032Doe\213s\032Computer", since such names have
been known to cause Windows 2000 slaves to incorrectly
reject the zone.
Why don't my zones reload when I do an "rndc reload" or SIGHUP?
A zone can be updated either by editing zone files and
reloading the server or by dynamic update, but not both.
If you have enabled dynamic update for a zone using the
"allow-update" option, you are not supposed to edit the
zone file by hand, and the server will not attempt to reload
it.
I can query the nameserver from the nameserver but not from other
machines. Why?
This is usually the result of the firewall configuration stopping
the queries and / or the replies.
How can I make a server a slave for both an internal and
an external view at the same time? When I tried, both views
on the slave were transferred from the same view on the master.
You will need to give the master and slave multiple IP
addresses and use those to make sure you reach the correct
view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
You put the external address on the alias so that all the other
dns clients on these boxes see the internal view by default.
BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; };
recursion no;
...
};
Slave 10.0.1.2:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};
I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
/dev/random is not configured. Use rndcontrol(8) to tell
the kernel to use certain interrupts as a source of random
events. You can make this permanent by setting rand_irqs
in /etc/rc.conf.
/etc/rc.conf
rand_irqs="3 14 15"
See also
http://people.freebsd.org/~dougb/randomness.html
Why is named listening on UDP port other than 53?
Named uses a system selected port to make queries of other
nameservers. This behaviour can be overridden by using
query-source to lock down the port and/or address. See
also notify-source and transfer-source.
I get error messages like multiple RRs of singleton type
and CNAME and other data
when transferring a zone. What
does this mean?
These indicate a malformed master zone. You can identify
the exact records involved by transferring the zone using
dig then running named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
A CNAME record cannot exist with the same name as another record
except for the DNSSEC records which prove its existence (NSEC).
RFC 1034, Section 3.6.2: If a CNAME RR is present at a node,
no other data should be present; this ensures that the data for a
canonical name and its aliases cannot be different. This rule also
insures that a cached CNAME can be used without checking with an
authoritative server for other RR types.
I get error messages like named.conf:99: unexpected end
of input
where 99 is the last line of named.conf.
Some text editors (notepad and wordpad) fail to put a line
title indication (e.g. CR/LF) on the last line of a
text file. This can be fixed by "adding" a blank line to
the end of the file. Named expects to see EOF immediately
after EOL and treats text files where this is not met as
truncated.
I get warning messages like zone example.com/IN: refresh:
failure trying master 1.2.3.4#53: timed out
.
Check that you can make UDP queries from the slave to the master
dig +norec example.com soa @1.2.3.4
You could be generating queries faster than the slave can
cope with. Lower the serial query rate.
serial-query-rate 5; // default 20
How do I share a dynamic zone between multiple views?
You choose one view to be master and the second a slave and
transfer the zone between views.
Master 10.0.1.1:
key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
key "mykey" {
algorithm hmac-md5;
secret "yyyyyyyy";
};
view "internal" {
match-clients { !external; 10.0.1/24; };
server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external; };
};
zone "example.com" {
type master;
file "internal/example.db";
allow-update { key mykey; };
notify-also { 10.0.1.1; };
};
};
view "external" {
match-clients { external; any; };
zone "example.com" {
type slave;
file "external/example.db";
masters { 10.0.1.1; };
transfer-source { 10.0.1.1; };
// allow-update-forwarding { any; };
// allow-notify { ... };
};
};
I get a error message like zone wireless.ietf56.ietf.org/IN:
loading master file primaries/wireless.ietf56.ietf.org: no
owner
.
This error is produced when a line in the master file
contains leading white space (tab/space) but the is no
current record owner name to inherit the name from. Usually
this is the result of putting white space before a comment.
Forgetting the "@" for the SOA record or indenting the master
file.
Why are my logs in GMT (UTC).
You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
OSF: /etc/zoneinfo/localtime
See also tzset(3) and zic(8).
I get the error message named: capset failed: Operation
not permitted
when starting named.
The capability module, part of "Linux Security Modules/LSM",
has not been loaded into the kernel. See insmod(8).
I get rndc: connect failed: connection refused
when
I try to run rndc.
This is usually a configuration error.
First ensure that named is running and no errors are being
reported at startup (/var/log/messages or equivalent).
Running "named -g <usual arguments>" from a title
can help at this point.
Secondly ensure that named is configured to use rndc either
by "rndc-confgen -a", rndc-confgen or manually. The
Administrators Reference manual has details on how to do
this.
Old versions of rndc-confgen used localhost rather than
127.0.0.1 in /etc/rndc.conf for the default server. Update
/etc/rndc.conf if necessary so that the default server
listed in /etc/rndc.conf matches the addresses used in
named.conf. "localhost" has two address (127.0.0.1 and
::1).
If you use "rndc-confgen -a" and named is running with -t or -u
ensure that /etc/rndc.conf has the correct ownership and that
a copy is in the chroot area. You can do this by re-running
"rndc-confgen -a" with appropriate -t and -u arguments.
I don't get RRSIG's returned when I use "dig +dnssec".
You need to ensure DNSSEC is enabled (dnssec-enable yes;).
I get Error 1067
when starting named under Windows.
This is the service manager saying that named exited. You
need to examine the Application log in the EventViewer to
find out why.
Common causes are that you failed to create "named.conf"
(usually "C:\windows\dns\etc\named.conf") or failed to
specify the directory in named.conf.
options {
Directory "C:\windows\dns\etc";
};
I get transfer of 'example.net/IN' from 192.168.4.12#53:
failed while receiving responses: permission denied
error
messages.
These indicate a filesystem permission error preventing
named creating / renaming the temporary file. These will
usually also have other associated error messages like
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
Named needs write permission on the directory containing
the file. Named writes the new cache file to a temporary
file then renames it to the name specified in named.conf
to ensure that the contents are always complete. This is
to prevent named loading a partial zone in the event of
power failure or similar interrupting the write of the
master file.
Note file names are relative to the directory specified in
options and any chroot directory ([<chroot
dir>/][<options dir>]).
If named is invoked as "named -t /chroot/DNS" with
the following named.conf then "/chroot/DNS/var/named/sl"
needs to be writable by the user named is running as.
options {
directory "/var/named";
};
zone "example.net" {
type slave;
file "sl/example.net";
masters { 192.168.4.12; };
};
How do I integrate BIND 9 and Solaris SMF
Sun has a blog entry describing how to do this.
http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
Can a NS record refer to a CNAME.
No. The rules for glue (copies of the *address* records
in the parent zones) and additional section processing do
not allow it to work.
You would have to add both the CNAME and address records
(A/AAAA) as glue to the parent zone and have CNAMEs be
followed when doing additional section processing to make
it work. No nameserver implementation supports either of
these requirements.
What does RFC 1918 response from Internet for
0.0.0.10.IN-ADDR.ARPA
mean?
If the IN-ADDR.ARPA name covered refers to a internal address
space you are using then you have failed to follow RFC 1918
usage rules and are leaking queries to the Internet. You
should establish your own zones for these addresses to prevent
you querying the Internet's name servers for these addresses.
Please see http://as112.net/
for details of the problems you are causing and the counter
measures that have had to be deployed.
If you are not using these private addresses then a client
has queried for them. You can just ignore the messages,
get the offending client to stop sending you these messages
as they are most probably leaking them or setup your own zones
empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "16.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
...
zone "31.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "168.192.IN-ADDR.ARPA" {
type master;
file "empty";
};
empty:
@ 10800 IN SOA <name-of-server>. <contact-email>. (
1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.
Future versions of named are likely to do this automatically.
I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update
the master zones from journals?
Why can't named create custom log files?
Red Hat Security Enhanced Linux (SELinux) policy security
protections :
Red Hat have adopted the National Security Agency's
SELinux security policy ( see http://www.nsa.gov/selinux
) and recommendations for BIND security , which are more
secure than running named in a chroot and make use of
the bind-chroot environment unnecessary .
By default, named is not allowed by the SELinux policy
to write, create or delete any files EXCEPT in these
directories:
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
where $ROOTDIR may be set in /etc/sysconfig/named if
bind-chroot is installed.
The SELinux policy particularly does NOT allow named to modify
the $ROOTDIR/var/named directory, the default location for master
zone database files.
SELinux policy overrules file access permissions - so
even if all the files under /var/named have ownership
named:named and mode rw-rw-r--, named will still not be
able to write or create files except in the directories
above, with SELinux in Enforcing mode.
So, to allow named to update slave or DDNS zone files,
it is best to locate them in $ROOTDIR/var/named/slaves,
with named.conf zone statements such as:
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
To allow named to create its cache dump and statistics
files, for example, you could use named.conf options
statements such as:
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
You can also tell SELinux to allow named to update any
zone database files, by setting the SELinux tunable boolean
parameter 'named_write_master_zones=1', using the
system-config-securitylevel GUI, using the 'setsebool'
command, or in /etc/selinux/targeted/booleans.
You can disable SELinux protection for named entirely by
setting the 'named_disable_trans=1' SELinux tunable boolean
parameter.
The SELinux named policy defines these SELinux contexts for named:
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
If you want to retain use of the SELinux policy for named,
and put named files in different locations, you can do
so by changing the context of the custom file locations
.
To create a custom configuration file location, e.g.
'/root/named.conf', to use with the 'named -c' option,
do:
# chcon system_u:object_r:named_conf_t /root/named.conf
To create a custom modifiable named data location, e.g.
'/var/log/named' for a log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
To create a custom zone file location, e.g. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
See these man-pages for more information : selinux(8),
named_selinux(8), chcon(1), setsebool(8)
I want to forward all DNS queries from my caching nameserver to
another server. But there are some domains which have to be
served locally, via rbldnsd.
How do I achieve this ?
options {
forward only;
forwarders { <ip.of.primary.nameserver>; };
};
zone "sbl-xbl.spamhaus.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
zone "list.dsbl.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
Will named be affected by the 2007 changes to daylight savings
rules in the US.
No, so long as the machines internal clock (as reported
by "date -u") remains at UTC. The only visible change
if you fail to upgrade your OS, if you are in a affected
area, will be that log messages will be a hour out during
the period where the old rules do not match the new rules.
For most OS's this change just means that you need to
update the conversion rules from UTC to local time.
Normally this involves updating a file in /etc (which
sets the default timezone for the machine) and possibly
a directory which has all the conversion rules for the
world (e.g. /usr/share/zoneinfo). When updating the OS
do not forget to update any chroot areas as well.
See your OS's documentation for more details.
The local timezone conversion rules can also be done on
a individual basis by setting the TZ environment variable
appropriately. See your OS's documentation for more
details.
Why do we get the following warning at run time:
kernel: process `named' is using obsolete setsockopt SO_BSDCOMPAT
The early Linux kernels broke sendto() by having it return
that a ICMP unreachable had be received for non connected
UDP sockets. This made non connected UDP sockets work like
connected UDP socket which is fine when you are only talking
to one destination. Named however talks to multiple
destinations and it caused problems.
Rather than fix sendto() to just have BSD behaviour they added
SO_BSDCOMPAT to turn BSD behaviour on/off on a per socket basis.
Later they decided to make BSD behaviour the default and
to aggressively track down applications that used SO_BSDCOMPAT
by issuing a warning. This is the sort of things vendors
do in alpha/beta stages of a release so that their code is
clean. They then turn the warning *off* for release code.
We still have customers that have kernels that require
SO_BSDCOMPAT to operate. We therefore cannot remove the
setsockopt(SO_BSDCOMPAT) call.
Now most/all portable applications that use SO_BSDCOMPAT use it
conditionally manner so just removing SO_BSDCOMPAT from the
header file would be safe as long as the binary was not to
be moved between systems. BIND's use is conditional.
In short, the Linux developers should either, remove the #define for
SO_BSDCOMPAT, and/or remove the warning.
Isn't "make install" supposed to generate a default named.conf?
Short Answer: No.
Long Answer: There really isn't a default configuration which fits
any site perfectly. There are lots of decisions that need to
be made and there is no consensus on what the defaults should be.
For example FreeBSD uses /etc/namedb as the location where the
configuration files for named are stored. Others use /var/named.
What addresses to listen on? For a laptop on the move a lot
you may only want to listen on the loop back interfaces.
Who do you offer recursive service to? Is there are firewall
to consider? If so is it stateless or stateful. Are you
directly on the Internet? Are you on a private network? Are
you on a NAT'd network? The answers
to all these questions change how you configure even a
caching name server.