Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
-A: Linux threads do not fully implement the Posix threads (pthreads) standard.
- In particular, setuid() operates only on the current thread, not the full
- process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
- it can on all other supported platforms. setuid() cannot be called before
- creating threads, since the server does not start listening on reserved
- ports until after threads have started.
+A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
+ particular, setuid() operates only on the current thread, not the full process.
+ Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
+ all other supported platforms. setuid() cannot be called before creating
+ threads, since the server does not start listening on reserved ports until
+ after threads have started.
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
capabilities across a setuid() call is present. This allows BIND 9 to call
- setuid() early, while retaining the ability to bind reserved ports. This is
- a Linux-specific hack.
+ setuid() early, while retaining the ability to bind reserved ports. This is a
+ Linux-specific hack.
- On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
- of a security risk than a root process that has not dropped privileges.
+ On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
+ a security risk than a root process that has not dropped privileges.
If Linux threads ever work correctly, this restriction will go away.
Configuring BIND9 with the --disable-threads option (the default) causes a
non-threaded version to be built, which will allow -u to be used.
+Q: Why do I get the following errors:
+
+ general: errno2result.c:109: unexpected error:
+ general: unable to convert errno to isc_result: 14: Bad address
+ client: UDP client handler shutting down due to fatal receive error: unexpected error
+
+A: This is the result of a Linux kernel bug.
+
+ See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
+
Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
instead"?
Q: Why do I see 5 (or more) copies of named on Linux?
A: Linux threads each show up as a process under ps. The approximate number of
- threads running is n+4, where n is the number of CPUs. Note that the amount
- of memory used is not cumulative; if each process is using 10M of memory,
- only a total of 10M is used.
+ threads running is n+4, where n is the number of CPUs. Note that the amount of
+ memory used is not cumulative; if each process is using 10M of memory, only a
+ total of 10M is used.
Q: Why does BIND 9 log "permission denied" errors accessing its configuration
files or zones on my Linux system even though it is running as root?
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
- including the privilege to open files owned by other users. Therefore, if
- the server is running as root, the configuration files and zone files should
- also be owned by root.
+A: On Linux, BIND 9 drops most of its root privileges on startup. This including
+ the privilege to open files owned by other users. Therefore, if the server is
+ running as root, the configuration files and zone files should also be owned by
+ root.
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
- bar: ran out of space"?
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
+ ran out of space"?
-A: This is often caused by TXT records with missing close quotes. Check that
- all TXT records containing quoted strings have both open and close quotes.
+A: This is often caused by TXT records with missing close quotes. Check that all
+ TXT records containing quoted strings have both open and close quotes.
Q: How do I produce a usable core file from a multithreaded named on Linux?
Q: How do I restrict people from looking up the server version?
-A: Put a "version" option containing something other than the real version in
- the "options" section of named.conf. Note doing this will not prevent
- attacks and may impede people trying to diagnose problems with your server.
- Also it is possible to "fingerprint" nameservers to determine their version.
+A: Put a "version" option containing something other than the real version in the
+ "options" section of named.conf. Note doing this will not prevent attacks and
+ may impede people trying to diagnose problems with your server. Also it is
+ possible to "fingerprint" nameservers to determine their version.
Q: How do I restrict only remote users from looking up the server version?
-A: The following view statement will intercept lookups as the internal view
- that holds the version information will be matched last. The caveats of the
- previous answer still apply, of course.
+A: The following view statement will intercept lookups as the internal view that
+ holds the version information will be matched last. The caveats of the previous
+ answer still apply, of course.
view "chaos" chaos {
match-clients { <those to be refused>; };
Q: What do "no source of entropy found" or "could not open entropy source foo"
mean?
-A: The server requires a source of entropy to perform certain operations,
- mostly DNSSEC related. These messages indicate that you have no source of
- entropy. On systems with /dev/random or an equivalent, it is used by
- default. A source of entropy can also be defined using the random-device
- option in named.conf.
+A: The server requires a source of entropy to perform certain operations, mostly
+ DNSSEC related. These messages indicate that you have no source of entropy. On
+ systems with /dev/random or an equivalent, it is used by default. A source of
+ entropy can also be defined using the random-device option in named.conf.
Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
under /usr. Check that the correct named is running.
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
- I'm sure I have the keys set up correctly, but the server is rejecting the
- TSIG. Why?
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
+ sure I have the keys set up correctly, but the server is rejecting the TSIG.
+ Why?
-A: This may be a clock skew problem. Check that the the clocks on the client
- and server are properly synchronised (e.g., using ntp).
+A: This may be a clock skew problem. Check that the the clocks on the client and
+ server are properly synchronised (e.g., using ntp).
Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
found. Why?
A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
- doesn't work. If you are using one of these, use normal make or gmake
- instead.
+ doesn't work. If you are using one of these, use normal make or gmake instead.
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
- error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
- What's wrong?
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
+ messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
+ wrong?
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
- BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
- slave despite the error message.
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
+ 8.2.4. It can be safely ignored - the notify has been acted on by the slave
+ despite the error message.
Q: I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
- failed: 'RRset exists (value dependent)' prerequisite not satisfied
- (NXRRSET)
+ failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
-A: DNS updates allow the update request to test to see if certain conditions
- are met prior to proceeding with the update. The message above is saying
- that conditions were not met and the update is not proceeding. See doc/rfc/
+A: DNS updates allow the update request to test to see if certain conditions are
+ met prior to proceeding with the update. The message above is saying that
+ conditions were not met and the update is not proceeding. See doc/rfc/
rfc2136.txt for more details on prerequisites.
Q: I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
- protocol. Windows 2000 machines have a habit of sending dynamic update
- requests to DNS servers without being specifically configured to do so. If
- the update requests are coming from a Windows 2000 machine, see http://
- support.microsoft.com/support/kb/articles/q246/8/04.asp for information
- about how to turn them off.
+ protocol. Windows 2000 machines have a habit of sending dynamic update requests
+ to DNS servers without being specifically configured to do so. If the update
+ requests are coming from a Windows 2000 machine, see http://
+ support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
+ how to turn them off.
Q: I see a log message like the following. Why?
A: You are most likely running named as a non-root user, and that user does not
have permission to write in /var/run. The common ways of fixing this are to
- create a /var/run/named directory owned by the named user and set pid-file
- to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
- put the file in the directory specified by the directory option (which, in
- this case, must be writable by the named user).
-
-Q: When I do a "dig . ns", many of the A records for the root servers are
- missing. Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of the
- way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
- avoid promoting glue into answers.
-
- When BIND 9 first starts up and primes its cache, it receives the root
- server addresses as additional data in an authoritative response from a root
- server, and these records are eligible for inclusion as additional data in
- responses. Subsequently it receives a subset of the root server addresses as
- additional data in a non-authoritative (referral) response from a root
- server. This causes the addresses to now be considered non-authoritative
- (glue) data, which is not eligible for inclusion in responses.
+ create a /var/run/named directory owned by the named user and set pid-file to "
+ /var/run/named/named.pid", or set pid-file to "named.pid", which will put the
+ file in the directory specified by the directory option (which, in this case,
+ must be writable by the named user).
+
+Q: When I do a "dig . ns", many of the A records for the root servers are missing.
+ Why?
+
+A: This is normal and harmless. It is a somewhat confusing side effect of the way
+ BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
+ promoting glue into answers.
+
+ When BIND 9 first starts up and primes its cache, it receives the root server
+ addresses as additional data in an authoritative response from a root server,
+ and these records are eligible for inclusion as additional data in responses.
+ Subsequently it receives a subset of the root server addresses as additional
+ data in a non-authoritative (referral) response from a root server. This causes
+ the addresses to now be considered non-authoritative (glue) data, which is not
+ eligible for inclusion in responses.
The server does have a complete set of root server addresses cached at all
times, it just may not include all of them as additional data, depending on
- whether they were last received as answers or as glue. You can always look
- up the addresses with explicit queries like "dig a.root-servers.net A".
+ whether they were last received as answers or as glue. You can always look up
+ the addresses with explicit queries like "dig a.root-servers.net A".
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
- messages larger than 16K are not handled properly. This can be worked around
- by setting the option "transfer-format one-answer;". Also check whether your
- zone contains domain names with embedded spaces or other special characters,
- like "John\032Doe\213s\032Computer", since such names have been known to
- cause Windows 2000 slaves to incorrectly reject the zone.
+A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
+ larger than 16K are not handled properly. This can be worked around by setting
+ the option "transfer-format one-answer;". Also check whether your zone contains
+ domain names with embedded spaces or other special characters, like "John\
+ 032Doe\213s\032Computer", since such names have been known to cause Windows
+ 2000 slaves to incorrectly reject the zone.
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-A: A zone can be updated either by editing zone files and reloading the server
- or by dynamic update, but not both. If you have enabled dynamic update for a
- zone using the "allow-update" option, you are not supposed to edit the zone
- file by hand, and the server will not attempt to reload it.
+A: A zone can be updated either by editing zone files and reloading the server or
+ by dynamic update, but not both. If you have enabled dynamic update for a zone
+ using the "allow-update" option, you are not supposed to edit the zone file by
+ hand, and the server will not attempt to reload it.
Q: I can query the nameserver from the nameserver but not from other machines.
Why?
-A: This is usually the result of the firewall configuration stopping the
- queries and / or the replies.
+A: This is usually the result of the firewall configuration stopping the queries
+ and / or the replies.
Q: How can I make a server a slave for both an internal and an external view at
- the same time? When I tried, both views on the slave were transferred from
- the same view on the master.
+ the same time? When I tried, both views on the slave were transferred from the
+ same view on the master.
-A: You will need to give the master and slave multiple IP addresses and use
- those to make sure you reach the correct view on the other machine.
+A: You will need to give the master and slave multiple IP addresses and use those
+ to make sure you reach the correct view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
- You put the external address on the alias so that all the other dns clients
- on these boxes see the internal view by default.
+ You put the external address on the alias so that all the other dns clients on
+ these boxes see the internal view by default.
A: BIND 9.3 and later: Use TSIG to select the appropriate view.
};
view "external" {
match-clients { key external; any; };
- server 10.0.0.2 { keys external; };
+ server 10.0.1.2 { keys external; };
recursion no;
...
};
};
view "external" {
match-clients { key external; any; };
- server 10.0.0.1 { keys external; };
+ server 10.0.1.1 { keys external; };
recursion no;
...
};
Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
- certain interrupts as a source of random events. You can make this permanent
- by setting rand_irqs in /etc/rc.conf.
+ certain interrupts as a source of random events. You can make this permanent by
+ setting rand_irqs in /etc/rc.conf.
/etc/rc.conf
rand_irqs="3 14 15"
Q: Why is named listening on UDP port other than 53?
A: Named uses a system selected port to make queries of other nameservers. This
- behaviour can be overridden by using query-source to lock down the port and/
- or address. See also notify-source and transfer-source.
+ behaviour can be overridden by using query-source to lock down the port and/or
+ address. See also notify-source and transfer-source.
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
- other data" when transferring a zone. What does this mean?
+Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
+ data" when transferring a zone. What does this mean?
A: These indicate a malformed master zone. You can identify the exact records
- involved by transferring the zone using dig then running named-checkzone on
- it.
+ involved by transferring the zone using dig then running named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
- A CNAME record cannot exist with the same name as another record except for
- the DNSSEC records which prove its existance (NSEC).
+ A CNAME record cannot exist with the same name as another record except for the
+ DNSSEC records which prove its existance (NSEC).
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
should be present; this ensures that the data for a canonical name and its
- aliases cannot be different. This rule also insures that a cached CNAME can
- be used without checking with an authoritative server for other RR types."
+ aliases cannot be different. This rule also insures that a cached CNAME can be
+ used without checking with an authoritative server for other RR types."
-Q: I get error messages like "named.conf:99: unexpected end of input" where 99
- is the last line of named.conf.
+Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
+ the last line of named.conf.
A: Some text editors (notepad and wordpad) fail to put a line title indication
- (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
- a blank line to the end of the file. Named expects to see EOF immediately
- after EOL and treats text files where this is not met as truncated.
+ (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
+ blank line to the end of the file. Named expects to see EOF immediately after
+ EOL and treats text files where this is not met as truncated.
Q: I get warning messages like "zone example.com/IN: refresh: failure trying
master 1.2.3.4#53: timed out".
dig +norec example.com soa @1.2.3.4
- You could be generating queries faster than the slave can cope with. Lower
- the serial query rate.
+ You could be generating queries faster than the slave can cope with. Lower the
+ serial query rate.
serial-query-rate 5; // default 20
Q: How do I share a dynamic zone between multiple views?
-A: You choose one view to be master and the second a slave and transfer the
- zone between views.
+A: You choose one view to be master and the second a slave and transfer the zone
+ between views.
Master 10.0.1.1:
key "external" {
file primaries/wireless.ietf56.ietf.org: no owner".
A: This error is produced when a line in the master file contains leading white
- space (tab/space) but the is no current record owner name to inherit the
- name from. Usually this is the result of putting white space before a
- comment. Forgeting the "@" for the SOA record or indenting the master file.
+ space (tab/space) but the is no current record owner name to inherit the name
+ from. Usually this is the result of putting white space before a comment.
+ Forgeting the "@" for the SOA record or indenting the master file.
Q: Why are my logs in GMT (UTC).
-A: You are running chrooted (-t) and have not supplied local timzone
- information in the chroot area.
+A: You are running chrooted (-t) and have not supplied local timzone information
+ in the chroot area.
FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
A: This is usually a configuration error.
- First ensure that named is running and no errors are being reported at
- startup (/var/log/messages or equivalent). Running "named -g <usual
- arguments>" from a title can help at this point.
+ First ensure that named is running and no errors are being reported at startup
+ (/var/log/messages or equivalent). Running "named -g <usual arguments>" from a
+ title can help at this point.
Secondly ensure that named is configured to use rndc either by "rndc-confgen
- -a", rndc-confgen or manually. The Administrators Reference manual has
- details on how to do this.
+ -a", rndc-confgen or manually. The Administrators Reference manual has details
+ on how to do this.
Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
the default server listed in /etc/rndc.conf matches the addresses used in
named.conf. "localhost" has two address (127.0.0.1 and ::1).
- If you use "rndc-confgen -a" and named is running with -t or -u ensure that
- /etc/rndc.conf has the correct ownership and that a copy is in the chroot
- area. You can do this by re-running "rndc-confgen -a" with appropriate -t
- and -u arguments.
+ If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
+ etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
+ You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
+ arguments.
Q: I don't get RRSIG's returned when I use "dig +dnssec".
Q: I get "Error 1067" when starting named under Windows.
-A: This is the service manager saying that named exited. You need to examine
- the Application log in the EventViewer to find out why.
+A: This is the service manager saying that named exited. You need to examine the
+ Application log in the EventViewer to find out why.
- Common causes are that you failed to create "named.conf" (usually "C:\
- windows\dns\etc\named.conf") or failed to specify the directory in
- named.conf.
+ Common causes are that you failed to create "named.conf" (usually "C:\windows\
+ dns\etc\named.conf") or failed to specify the directory in named.conf.
options {
Directory "C:\windows\dns\etc";
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
- Named needs write permission on the directory containing the file. Named
- writes the new cache file to a temporary file then renames it to the name
- specified in named.conf to ensure that the contents are always complete.
- This is to prevent named loading a partial zone in the event of power
- failure or similar interrupting the write of the master file.
+ Named needs write permission on the directory containing the file. Named writes
+ the new cache file to a temporary file then renames it to the name specified in
+ named.conf to ensure that the contents are always complete. This is to prevent
+ named loading a partial zone in the event of power failure or similar
+ interrupting the write of the master file.
Note file names are relative to the directory specified in options and any
chroot directory ([<chroot dir>/][<options dir>]).
If you are not using these private addresses then a client has queried for
them. You can just ignore the messages, get the offending client to stop
- sending you these messages as they are most probably leaking them or setup
- your own zones empty zones to serve answers to these queries.
+ sending you these messages as they are most probably leaking them or setup your
+ own zones empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
Future versions of named are likely to do this automatically.
+Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+
+ Why can't named update slave zone database files?
+
+ Why can't named create DDNS journal files or update the master zones from
+ journals?
+
+ Why can't named create custom log files?
+
+A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
+
+ Red Hat have adopted the National Security Agency's SELinux security policy (
+ see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
+ are more secure than running named in a chroot and make use of the bind-chroot
+ environment unecessary .
+
+ By default, named is not allowed by the SELinux policy to write, create or
+ delete any files EXCEPT in these directories:
+
+ $ROOTDIR/var/named/slaves
+ $ROOTDIR/var/named/data
+ $ROOTDIR/var/tmp
+
+
+ where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
+
+ The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
+ /named directory, the default location for master zone database files.
+
+ SELinux policy overrules file access permissions - so even if all the files
+ under /var/named have ownership named:named and mode rw-rw-r--, named will
+ still not be able to write or create files except in the directories above,
+ with SELinux in Enforcing mode.
+
+ So, to allow named to update slave or DDNS zone files, it is best to locate
+ them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
+
+ zone "slave.zone." IN {
+ type slave;
+ file "slaves/slave.zone.db";
+ ...
+ };
+ zone "ddns.zone." IN {
+ type master;
+ allow-updates {...};
+ file "slaves/ddns.zone.db";
+ };
+
+
+ To allow named to create its cache dump and statistics files, for example, you
+ could use named.conf options statements such as:
+
+ options {
+ ...
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ ...
+ };
+
+
+ You can also tell SELinux to allow named to update any zone database files, by
+ setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
+ using the system-config-securitylevel GUI, using the 'setsebool' command, or in
+ /etc/selinux/targeted/booleans.
+
+ You can disable SELinux protection for named entirely by setting the
+ 'named_disable_trans=1' SELinux tunable boolean parameter.
+
+ The SELinux named policy defines these SELinux contexts for named:
+
+ named_zone_t : for zone database files - $ROOTDIR/var/named/*
+ named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+
+
+ If you want to retain use of the SELinux policy for named, and put named files
+ in different locations, you can do so by changing the context of the custom
+ file locations .
+
+ To create a custom configuration file location, eg. '/root/named.conf', to use
+ with the 'named -c' option, do:
+
+ # chcon system_u:object_r:named_conf_t /root/named.conf
+
+
+ To create a custom modifiable named data location, eg. '/var/log/named' for a
+ log file, do:
+
+ # chcon system_u:object_r:named_cache_t /var/log/named
+
+
+ To create a custom zone file location, eg. /root/zones/, do:
+
+ # chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+
+
+ See these man-pages for more information : selinux(8), named_selinux(8), chcon
+ (1), setsebool(8)
+
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: FAQ.xml,v 1.4.6.3 2005/11/02 22:53:51 marka Exp $ -->
+<!-- $Id: FAQ.xml,v 1.4.6.4 2006/02/23 22:34:05 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ Why do I get the following errors:
+<programlisting>general: errno2result.c:109: unexpected error:
+general: unable to convert errno to isc_result: 14: Bad address
+client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
+ </para>
+ </question>
+ <answer>
+ <para>
+ This is the result of a Linux kernel bug.
+ </para>
+ <para>
+ See:
+ <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink>
+ </para>
+ </answer>
+ </qandaentry>
+
<qandaentry>
<question>
<para>
};
view "external" {
match-clients { key external; any; };
- server 10.0.0.2 { keys external; };
+ server 10.0.1.2 { keys external; };
recursion no;
...
};
};
view "external" {
match-clients { key external; any; };
- server 10.0.0.1 { keys external; };
+ server 10.0.1.1 { keys external; };
recursion no;
...
};</programlisting>
1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.</programlisting>
</informalexample>
+ <para>
<note>
Future versions of named are likely to do this automatically.
</note>
+ </para>
</answer>
</qandaentry>
+ <qandaentry>
+ <question>
+ <para>
+ I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
+ </para>
+ <para>
+ Why can't named update slave zone database files?
+ </para>
+ <para>
+ Why can't named create DDNS journal files or update
+ the master zones from journals?
+ </para>
+ <para>
+ Why can't named create custom log files?
+ </para>
+ </question>
+
+ <answer>
+ <para>
+ Red Hat Security Enhanced Linux (SELinux) policy security
+ protections :
+ </para>
+
+ <para>
+ Red Hat have adopted the National Security Agency's
+ SELinux security policy ( see http://www.nsa.gov/selinux
+ ) and recommendations for BIND security , which are more
+ secure than running named in a chroot and make use of
+ the bind-chroot environment unecessary .
+ </para>
+
+ <para>
+ By default, named is not allowed by the SELinux policy
+ to write, create or delete any files EXCEPT in these
+ directories:
+ <informalexample>
+ <programlisting>
+$ROOTDIR/var/named/slaves
+$ROOTDIR/var/named/data
+$ROOTDIR/var/tmp
+ </programlisting>
+ </informalexample>
+ where $ROOTDIR may be set in /etc/sysconfig/named if
+ bind-chroot is installed.
+ </para>
+
+ <para>
+ The SELinux policy particularly does NOT allow named to modify
+ the $ROOTDIR/var/named directory, the default location for master
+ zone database files.
+ </para>
+
+ <para>
+ SELinux policy overrules file access permissions - so
+ even if all the files under /var/named have ownership
+ named:named and mode rw-rw-r--, named will still not be
+ able to write or create files except in the directories
+ above, with SELinux in Enforcing mode.
+ </para>
+
+ <para>
+ So, to allow named to update slave or DDNS zone files,
+ it is best to locate them in $ROOTDIR/var/named/slaves,
+ with named.conf zone statements such as:
+ <informalexample>
+ <programlisting>
+zone "slave.zone." IN {
+ type slave;
+ file "slaves/slave.zone.db";
+ ...
+};
+zone "ddns.zone." IN {
+ type master;
+ allow-updates {...};
+ file "slaves/ddns.zone.db";
+};
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ To allow named to create its cache dump and statistics
+ files, for example, you could use named.conf options
+ statements such as:
+ <informalexample>
+ <programlisting>
+options {
+ ...
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ ...
+};
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ You can also tell SELinux to allow named to update any
+ zone database files, by setting the SELinux tunable boolean
+ parameter 'named_write_master_zones=1', using the
+ system-config-securitylevel GUI, using the 'setsebool'
+ command, or in /etc/selinux/targeted/booleans.
+ </para>
+
+ <para>
+ You can disable SELinux protection for named entirely by
+ setting the 'named_disable_trans=1' SELinux tunable boolean
+ parameter.
+ </para>
+
+ <para>
+ The SELinux named policy defines these SELinux contexts for named:
+ <informalexample>
+ <programlisting>
+named_zone_t : for zone database files - $ROOTDIR/var/named/*
+named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
+named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ If you want to retain use of the SELinux policy for named,
+ and put named files in different locations, you can do
+ so by changing the context of the custom file locations
+ .
+ </para>
+
+ <para>
+ To create a custom configuration file location, eg.
+ '/root/named.conf', to use with the 'named -c' option,
+ do:
+ <informalexample>
+ <programlisting>
+# chcon system_u:object_r:named_conf_t /root/named.conf
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ To create a custom modifiable named data location, eg.
+ '/var/log/named' for a log file, do:
+ <informalexample>
+ <programlisting>
+# chcon system_u:object_r:named_cache_t /var/log/named
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ To create a custom zone file location, eg. /root/zones/, do:
+ <informalexample>
+ <programlisting>
+# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
+ </programlisting>
+ </informalexample>
+ </para>
+
+ <para>
+ See these man-pages for more information : selinux(8),
+ named_selinux(8), chcon(1), setsebool(8)
+ </para>
+ </answer>
+ </qandaentry>
</qandaset>
</article>
projects / thirdparty / bind9.git / commitdiff
