A: This is often caused by TXT records with missing close quotes. Check that all
TXT records containing quoted strings have both open and close quotes.
-Q: How do I produce a usable core file from a multithreaded named on Linux?
+Q: How do I produce a usable core file from a multi-threaded named on Linux?
-A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
+A: If the Linux kernel is 2.4.7 or newer, multi-threaded core dumps are usable
(that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
- kernel. This patch will cause multithreaded programs to dump the correct
+ kernel. This patch will cause multi-threaded programs to dump the correct
thread.
Q: How do I restrict people from looking up the server version?
named-checkzone example.com tmp
A CNAME record cannot exist with the same name as another record except for the
- DNSSEC records which prove its existance (NSEC).
+ DNSSEC records which prove its existence (NSEC).
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
should be present; this ensures that the data for a canonical name and its
A: This error is produced when a line in the master file contains leading white
space (tab/space) but the is no current record owner name to inherit the name
from. Usually this is the result of putting white space before a comment.
- Forgeting the "@" for the SOA record or indenting the master file.
+ Forgetting the "@" for the SOA record or indenting the master file.
Q: Why are my logs in GMT (UTC).
-A: You are running chrooted (-t) and have not supplied local timzone information
+A: You are running chrooted (-t) and have not supplied local timezone information
in the chroot area.
FreeBSD: /etc/localtime
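Review bot: the context line 'space (tab/space) but the is no current record owner name' still has the typo 'the is' for 'there is'; this hunk already edits the same answer, so fix it in the same pass (the mirrored paragraph in FAQ.xml has the identical typo). Also 'Q: Why are my logs in GMT (UTC).' ends with a period where every other question in the file ends with '?'.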
masters { 192.168.4.12; };
};
-Q: How do I intergrate BIND 9 and Solaris SMF
+Q: How do I integrate BIND 9 and Solaris SMF
A: Sun has a blog entry describing how to do this.
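Review bot: the corrected line '+Q: How do I integrate BIND 9 and Solaris SMF' still lacks its closing question mark; the other questions in this file end with '?', so add it here and in the FAQ.xml copy of the same entry.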
You would have to add both the CNAME and address records (A/AAAA) as glue to
the parent zone and have CNAMEs be followed when doing additional section
- processing to make it work. No namesever implementation supports either of
+ processing to make it work. No nameserver implementation supports either of
these requirements.
Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
using then you have failed to follow RFC 1918 usage rules and are leaking
queries to the Internet. You should establish your own zones for these
- addresses to prevent you quering the Internet's name servers for these
+ addresses to prevent you querying the Internet's name servers for these
addresses. Please see http://as112.net/ for details of the problems you are
causing and the counter measures that have had to be deployed.
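Review bot: the unchanged line 'A: If the IN-ADDR.ARPA name covered refers to a internal address space' needs 'an internal address space'; since the hunk already reworks this answer, fix it in the same commit. On the last line, 'counter measures' is more usually written 'countermeasures'.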
Red Hat have adopted the National Security Agency's SELinux security policy (
see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
are more secure than running named in a chroot and make use of the bind-chroot
- environment unecessary .
+ environment unnecessary .
By default, named is not allowed by the SELinux policy to write, create or
delete any files EXCEPT in these directories:
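Review bot: the replacement line '+ environment unnecessary .' keeps the stray space before the full stop, and the context line above it has the same problem in 'BIND security , which'; suggest 'environment unnecessary.' and 'BIND security, which' while the paragraph is being touched.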
in different locations, you can do so by changing the context of the custom
file locations .
- To create a custom configuration file location, eg. '/root/named.conf', to use
+ To create a custom configuration file location, e.g. '/root/named.conf', to use
with the 'named -c' option, do:
# chcon system_u:object_r:named_conf_t /root/named.conf
- To create a custom modifiable named data location, eg. '/var/log/named' for a
+ To create a custom modifiable named data location, e.g. '/var/log/named' for a
log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
- To create a custom zone file location, eg. /root/zones/, do:
+ To create a custom zone file location, e.g. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
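Review bot: the zone-file example '# chcon system_u:object_r:named_zone_t /root/zones/{.,*}' depends on brace expansion, which bash and zsh provide but a POSIX /bin/sh does not (it would pass the literal string '/root/zones/{.,*}' and chcon would report no such file); either spell out the two arguments as '/root/zones/. /root/zones/*' or state that the command assumes bash. Minor: the path in '+ To create a custom zone file location, e.g. /root/zones/, do:' is unquoted while the two sibling sentences quote '/root/named.conf' and '/var/log/named'.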
(which sets the default timezone for the machine) and possibly a directory
which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
When updating the OS do not forget to update any chroot areas as well. See your
- OS's documetation for more details.
+ OS's documentation for more details.
The local timezone conversion rules can also be done on a individual basis by
- setting the TZ envirionment variable appropriately. See your OS's documentation
+ setting the TZ environment variable appropriately. See your OS's documentation
for more details.
Q: Why do we get the following warning at run time:
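Review bot: the context line 'The local timezone conversion rules can also be done on a individual basis' needs 'an individual basis'; it sits between the two corrected lines of this hunk, so fix it in the same pass (FAQ.xml carries the identical wording).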
Rather than fix sendto() to just have BSD behaviour they added SO_BSDCOMPAT to
turn BSD behaviour on/off on a per socket basis.
- Later they decided to make BSD behaviour the default and to aggressively
- trackdown application that used SO_BSDCOMPAT by issuing a warning. This is the
- sort of things vendors do in alpha/beta stages of a release so that their code
- is clean. They then turn the warning *off* for release code.
+ Later they decided to make BSD behaviour the default and to aggressively track
+ down applications that used SO_BSDCOMPAT by issuing a warning. This is the sort
+ of things vendors do in alpha/beta stages of a release so that their code is
+ clean. They then turn the warning *off* for release code.
We still have customers that have kernels that require SO_BSDCOMPAT to operate.
We therefore cannot remove the setsockopt(SO_BSDCOMPAT) call.
In short, the Linux developers should either, remove the #define for
SO_BSDCOMPAT, and/or remove the warning.
+Q: Isn't "make install" supposed to generate a default named.conf?
+
+A: Short Answer: No.
+
+ Long Answer: There really isn't a default configuration which fits any site
+ perfectly. There are lots of decisions that need to be made and there is no
+ consensus on what the defaults should be. For example FreeBSD uses /etc/namedb
+ as the location where the configuration files for named are stored. Others use
+ /var/named.
+
+ What addresses to listen on? For a laptop on the move a lot you may only want
+ to listen on the loop back interfaces.
+
+ Who do you offer recursive service to? Is there are firewall to consider? If so
+ is it stateless or stateful. Are you directly on the Internet? Are you on a
+ private network? Are you on a NAT'd network? The answers to all these questions
+ change how you configure even a caching name server.
+
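Review bot: the new entry's text has a few errors worth fixing before it lands: '+ Who do you offer recursive service to? Is there are firewall to consider? If so' should read 'Is there a firewall to consider? If so, is it stateless or stateful?' (the following line currently ends that question with a period), and '+ to listen on the loop back interfaces.' is normally 'loopback'. In the rewrapped SO_BSDCOMPAT paragraph, '+ of things vendors do in alpha/beta stages' should be 'of thing vendors do', and the unchanged 'the Linux developers should either, remove the #define' has a stray comma after 'either'.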
+<?xml-stylesheet href="common.css" type="text/css"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.4.8.7 2007/01/31 23:54:15 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.4.8.8 2007/02/05 05:24:11 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
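Review bot: the added '<?xml-stylesheet href="common.css" type="text/css"?>' references common.css by a relative path, so the stylesheet has to be installed alongside the rendered FAQ for it to take effect; worth a mention in the commit message or an install rule. Its position before the DOCTYPE is valid as long as any XML declaration stays the first line.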
<qandaentry>
<question>
<para>
- How do I produce a usable core file from a multithreaded
+ How do I produce a usable core file from a multi-threaded
named on Linux?
</para>
</question>
<answer>
<para>
- If the Linux kernel is 2.4.7 or newer, multithreaded core
+ If the Linux kernel is 2.4.7 or newer, multi-threaded core
dumps are usable (that is, the correct thread is dumped).
Otherwise, if using a 2.2 kernel, apply the kernel patch
found in contrib/linux/coredump-patch and rebuild the kernel.
- This patch will cause multithreaded programs to dump the
+ This patch will cause multi-threaded programs to dump the
correct thread.
</para>
</answer>
</informalexample>
<para>
A CNAME record cannot exist with the same name as another record
- except for the DNSSEC records which prove its existance (NSEC).
+ except for the DNSSEC records which prove its existence (NSEC).
</para>
<para>
RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
contains leading white space (tab/space) but the is no
current record owner name to inherit the name from. Usually
this is the result of putting white space before a comment.
- Forgeting the "@" for the SOA record or indenting the master
+ Forgetting the "@" for the SOA record or indenting the master
file.
</para>
</answer>
</question>
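Review bot: 'contains leading white space (tab/space) but the is no' in this hunk's leading context still reads 'the is' for 'there is'; the plain-text FAQ has the same typo, so fix both copies together.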
<answer>
<para>
- You are running chrooted (-t) and have not supplied local timzone
+ You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
</para>
<simplelist>
<qandaentry>
<question>
<para>
- How do I intergrate BIND 9 and Solaris SMF
+ How do I integrate BIND 9 and Solaris SMF
</para>
</question>
<answer>
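Review bot: the corrected question text '+ How do I integrate BIND 9 and Solaris SMF' still has no closing question mark, unlike the other <question> entries in the file; add it.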
You would have to add both the CNAME and address records
(A/AAAA) as glue to the parent zone and have CNAMEs be
followed when doing additional section processing to make
- it work. No namesever implementation supports either of
+ it work. No nameserver implementation supports either of
these requirements.
</para>
</answer>
space you are using then you have failed to follow RFC 1918
usage rules and are leaking queries to the Internet. You
should establish your own zones for these addresses to prevent
- you quering the Internet's name servers for these addresses.
+ you querying the Internet's name servers for these addresses.
Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
for details of the problems you are causing and the counter
measures that have had to be deployed.
SELinux security policy ( see http://www.nsa.gov/selinux
) and recommendations for BIND security , which are more
secure than running named in a chroot and make use of
- the bind-chroot environment unecessary .
+ the bind-chroot environment unnecessary .
</para>
<para>
</para>
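Review bot: the replacement '+ the bind-chroot environment unnecessary .' keeps the space before the full stop, and 'recommendations for BIND security , which' two lines above has the same stray space before the comma; tidy both while the paragraph is being changed.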
<para>
- To create a custom configuration file location, eg.
+ To create a custom configuration file location, e.g.
'/root/named.conf', to use with the 'named -c' option,
do:
<informalexample>
</para>
<para>
- To create a custom modifiable named data location, eg.
+ To create a custom modifiable named data location, e.g.
'/var/log/named' for a log file, do:
<informalexample>
<programlisting>
</para>
<para>
- To create a custom zone file location, eg. /root/zones/, do:
+ To create a custom zone file location, e.g. /root/zones/, do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
a directory which has all the conversion rules for the
world (e.g. /usr/share/zoneinfo). When updating the OS
do not forget to update any chroot areas as well.
- See your OS's documetation for more details.
+ See your OS's documentation for more details.
</para>
<para>
The local timezone conversion rules can also be done on
- a individual basis by setting the TZ envirionment variable
+ a individual basis by setting the TZ environment variable
appropriately. See your OS's documentation for more
details.
</para>
</para>
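Review bot: '+ a individual basis by setting the TZ environment variable' should be 'an individual basis'; the article was already wrong in the removed line and this edit is the moment to fix it.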
<para>
Later they decided to make BSD behaviour the default and
- to aggressively trackdown application that used SO_BSDCOMPAT
+ to aggressively track down applications that used SO_BSDCOMPAT
by issuing a warning. This is the sort of things vendors
do in alpha/beta stages of a release so that their code is
clean. They then turn the warning *off* for release code.
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ Isn't "make install" supposed to generate a default named.conf?
+ </para>
+ </question>
+ <answer>
+ <para>
+ Short Answer: No.
+ </para>
+ <para>
+ Long Answer: There really isn't a default configuration which fits
+ any site perfectly. There are lots of decisions that need to
+ be made and there is no consensus on what the defaults should be.
+ For example FreeBSD uses /etc/namedb as the location where the
+ configuration files for named are stored. Others use /var/named.
+ </para>
+ <para>
+ What addresses to listen on? For a laptop on the move a lot
+ you may only want to listen on the loop back interfaces.
+ </para>
+ <para>
+ Who do you offer recursive service to? Is there are firewall
+ to consider? If so is it stateless or stateful. Are you
+ directly on the Internet? Are you on a private network? Are
+ you on a NAT'd network? The answers
+ to all these questions change how you configure even a
+ caching name server.
+ </para>
+ </answer>
+ </qandaentry>
+
</qandaset>
</article>
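Review bot: the new <qandaentry> repeats the text problems of its plain-text twin: '+ Who do you offer recursive service to? Is there are firewall' should be 'Is there a firewall', '+ to consider? If so is it stateless or stateful.' needs a comma after 'so' and a question mark, and '+ you may only want to listen on the loop back interfaces.' is normally 'loopback'. In the SO_BSDCOMPAT paragraph just above the new entry, the unchanged 'This is the sort of things vendors' should read 'sort of thing'. Also the added blank '+' line before </qandaset> introduces a blank line between elements where the rest of the file (see the existing </qandaentry> immediately followed by the new <qandaentry>) does not use one.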