Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms. setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
capabilities across a setuid() call is present. This allows BIND 9 to call
setuid() early, while retaining the ability to bind reserved ports. This is
a Linux-specific hack.
On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.
If Linux threads ever work correctly, this restriction will go away.
Configuring BIND9 with the --disable-threads option (the default) causes a
non-threaded version to be built, which will allow -u to be used.
Your zone file is illegal according to RFC1035. It must either
have a line like
Linux threads each show up as a process under ps. The approximate
number of threads running is n+4, where n is the number of CPUs. Note that
the amount of memory used is not cumulative; if each process is using 10M of
memory, only a total of 10M is used.
On Linux, BIND 9 drops most of its root privileges on startup.
This including the privilege to open files owned by other users.
Therefore, if the server is running as root, the configuration files
and zone files should also be owned by root.
This is often caused by TXT records with missing close quotes. Check that
all TXT records containing quoted strings have both open and close quotes.
If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
are usable (that is, the correct thread is dumped). Otherwise, if using
a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
and rebuild the kernel. This patch will cause multithreaded programs to dump
the correct thread.
Put a "version" option containing something other than the real
version in the "options" section of named.conf. Note doing this will
not prevent attacks and may impede people trying to diagnose problems
with your server. Also it is possible to "fingerprint" nameservers to
determine their version.
The following view statement will intercept lookups as the internal
view that holds the version information will be matched last. The
caveats of the previous answer still apply, of course.
The server requires a source of entropy to perform certain operations,
mostly DNSSEC related. These messages indicate that you have no source
of entropy. On systems with /dev/random or an equivalent, it is used by
default. A source of entropy can also be defined using the random-device
option in named.conf.
BIND 9 is installed under /usr/local by default. BIND 8 is often
installed under /usr. Check that the correct named is running.
This may be a clock skew problem. Check that the the clocks on
the client and server are properly synchronized (e.g., using ntp).
Using a parallel or distributed "make" to build BIND 9 is not
supported, and doesn't work. If you are using one of these, use
normal make or gmake instead.
This error message is caused by a known bug in BIND 8.2.3 and is fixed
in BIND 8.2.4. It can be safely ignored - the notify has been acted on by
the slave despite the error message.
DNS updates allow the update request to test to see if certain
conditions are met prior to proceeding with the update. The message
above is saying that conditions were not met and the update is not
proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
Someone is trying to update your DNS data using the RFC2136 Dynamic
Update protocol. Windows 2000 machines have a habit of sending dynamic
update requests to DNS servers without being specifically configured to
do so. If the update requests are coming from a Windows 2000 machine,
see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
for information about how to turn them off.
You are most likely running named as a non-root user, and that user
does not have permission to write in /var/run. The common ways of
fixing this are to create a /var/run/named directory owned by the named
user and set pid-file to "/var/run/named/named.pid", or set
pid-file to "named.pid", which will put the file in the directory
specified by the directory option (which, in this case, must be writable
by the named user).
This is normal and harmless. It is a somewhat confusing side effect
of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
makes to avoid promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the root
server addresses as additional data in an authoritative response from
a root server, and these records are eligible for inclusion as
additional data in responses. Subsequently it receives a subset of
the root server addresses as additional data in a non-authoritative
(referral) response from a root server. This causes the addresses to
now be considered non-authoritative (glue) data, which is not eligible
for inclusion in responses.
The server does have a complete set of root server addresses cached
at all times, it just may not include all of them as additional data,
depending on whether they were last received as answers or as glue.
You can always look up the addresses with explicit queries like
"dig a.root-servers.net A".
This may be caused by a bug in the Windows 2000 DNS server where
DNS messages larger than 16K are not handled properly. This can be
worked around by setting the option "transfer-format one-answer;".
Also check whether your zone contains domain names with embedded
spaces or other special characters, like "John\032Doe\213s\032Computer",
since such names have been known to cause Windows 2000 slaves to
incorrectly reject the zone.
A zone can be updated either by editing zone files and reloading
the server or by dynamic update, but not both. If you have enabled
dynamic update for a zone using the "allow-update" option, you are not
supposed to edit the zone file by hand, and the server will not
attempt to reload it.
This is usually the result of the firewall configuration stopping
the queries and / or the replies.
You will need to give the master and slave multiple IP addresses and
use those to make sure you reach the correct view on the other machine.
You put the external address on the alias so that all the other
dns clients on these boxes see the internal view by default.
You probably have "default-server localhost" in /etc/rndc.conf,
your /etc/hosts or DNS maps "localhost" to both the IPv4 loopback
address 127.0.0.1 and the IPv6 loopback address ::1, and you do not
have IPv6 fully operational. Change the "default-server localhost" to
"default-server 127.0.0.1" to make sure rdnc does not try to contact
the name server using IPv6.
/dev/random is not configured. Use rndcontrol(8) to tell the kernel
to use certain interrupts as a source of random events. You can make this
permanent by setting rand_irqs in /etc/rc.conf.
Named uses a system selected port to make queries of other nameservers.
This behaviour can be overridden by using query-source to lock down the
port and/or address.
These indicate a malformed master zone. You can identify the
exact records involved by transferring the zone using dig then
running named-checkzone on it.
Some text editors (notepad and wordpad) fail to put a line termination
indication (e.g. CR/LF) on the last line of a text file. This can be fixed
by "adding" a blank line to the end of the file. Named expects to see EOF
immediately after EOL and treats text files where this is not met as truncated.
Frequently Asked Questions about BIND 9
$TTL 86400
at the beginning, or the first record in it must have a TTL field,
like the "84600" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
view "chaos" chaos {
match-clients {
};
allow-query { none; };
zone "." {
type hint;
};
file "/dev/null"; // or any empty file
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
update failed: 'RRset exists (value dependent)' prerequisite not
satisfied (NXRRSET)
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
couldn't open pid file '/var/run/named.pid': Permission denied
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
external:
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
external:
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
/etc/rc.conf
rand_irqs="3 14 15"
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
dig +norec example.com soa @1.2.3.4
serial-query-rate 5; // default 20
This web site and its contents - ©2003 Internet Software Consortium
Questions or comments regarding this web site can be sent to webmaster@isc.org