ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

update example

Browse Source
This commit is contained in:
Mark Andrews
2006-02-23 22:34:13 +00:00
parent 317cc1a488
commit 445dff4f5f
2 changed files with 435 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

386
FAQ
View File

@@ -4,26 +4,36 @@ Frequently Asked Questions about BIND 9
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
it can on all other supported platforms. setuid() cannot be called before
creating threads, since the server does not start listening on reserved
ports until after threads have started.
A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
particular, setuid() operates only on the current thread, not the full process.
Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
all other supported platforms. setuid() cannot be called before creating
threads, since the server does not start listening on reserved ports until
after threads have started.
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
capabilities across a setuid() call is present. This allows BIND 9 to call
setuid() early, while retaining the ability to bind reserved ports. This is
a Linux-specific hack.
setuid() early, while retaining the ability to bind reserved ports. This is a
Linux-specific hack.
On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.
On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
a security risk than a root process that has not dropped privileges.
If Linux threads ever work correctly, this restriction will go away.
Configuring BIND9 with the --disable-threads option (the default) causes a
non-threaded version to be built, which will allow -u to be used.
Q: Why do I get the following errors:
general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error
A: This is the result of a Linux kernel bug.
See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
instead"?
@@ -40,23 +50,23 @@ A: Your zone file is illegal according to RFC1035. It must either have a line
Q: Why do I see 5 (or more) copies of named on Linux?
A: Linux threads each show up as a process under ps. The approximate number of
threads running is n+4, where n is the number of CPUs. Note that the amount
of memory used is not cumulative; if each process is using 10M of memory,
only a total of 10M is used.
threads running is n+4, where n is the number of CPUs. Note that the amount of
memory used is not cumulative; if each process is using 10M of memory, only a
total of 10M is used.
Q: Why does BIND 9 log "permission denied" errors accessing its configuration
files or zones on my Linux system even though it is running as root?
A: On Linux, BIND 9 drops most of its root privileges on startup. This
including the privilege to open files owned by other users. Therefore, if
the server is running as root, the configuration files and zone files should
also be owned by root.
A: On Linux, BIND 9 drops most of its root privileges on startup. This including
the privilege to open files owned by other users. Therefore, if the server is
running as root, the configuration files and zone files should also be owned by
root.
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
bar: ran out of space"?
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
ran out of space"?
A: This is often caused by TXT records with missing close quotes. Check that
all TXT records containing quoted strings have both open and close quotes.
A: This is often caused by TXT records with missing close quotes. Check that all
TXT records containing quoted strings have both open and close quotes.
Q: How do I produce a usable core file from a multithreaded named on Linux?
@@ -68,16 +78,16 @@ A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
Q: How do I restrict people from looking up the server version?
A: Put a "version" option containing something other than the real version in
the "options" section of named.conf. Note doing this will not prevent
attacks and may impede people trying to diagnose problems with your server.
Also it is possible to "fingerprint" nameservers to determine their version.
A: Put a "version" option containing something other than the real version in the
"options" section of named.conf. Note doing this will not prevent attacks and
may impede people trying to diagnose problems with your server. Also it is
possible to "fingerprint" nameservers to determine their version.
Q: How do I restrict only remote users from looking up the server version?
A: The following view statement will intercept lookups as the internal view
that holds the version information will be matched last. The caveats of the
previous answer still apply, of course.
A: The following view statement will intercept lookups as the internal view that
holds the version information will be matched last. The caveats of the previous
answer still apply, of course.
view "chaos" chaos {
match-clients { <those to be refused>; };
@@ -91,48 +101,45 @@ A: The following view statement will intercept lookups as the internal view
Q: What do "no source of entropy found" or "could not open entropy source foo"
mean?
A: The server requires a source of entropy to perform certain operations,
mostly DNSSEC related. These messages indicate that you have no source of
entropy. On systems with /dev/random or an equivalent, it is used by
default. A source of entropy can also be defined using the random-device
option in named.conf.
A: The server requires a source of entropy to perform certain operations, mostly
DNSSEC related. These messages indicate that you have no source of entropy. On
systems with /dev/random or an equivalent, it is used by default. A source of
entropy can also be defined using the random-device option in named.conf.
Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
under /usr. Check that the correct named is running.
Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
I'm sure I have the keys set up correctly, but the server is rejecting the
TSIG. Why?
Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
sure I have the keys set up correctly, but the server is rejecting the TSIG.
Why?
A: This may be a clock skew problem. Check that the the clocks on the client
and server are properly synchronised (e.g., using ntp).
A: This may be a clock skew problem. Check that the the clocks on the client and
server are properly synchronised (e.g., using ntp).
Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
found. Why?
A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
doesn't work. If you are using one of these, use normal make or gmake
instead.
doesn't work. If you are using one of these, use normal make or gmake instead.
Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
What's wrong?
Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
wrong?
A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
slave despite the error message.
A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
8.2.4. It can be safely ignored - the notify has been acted on by the slave
despite the error message.
Q: I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
failed: 'RRset exists (value dependent)' prerequisite not satisfied
(NXRRSET)
failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
A: DNS updates allow the update request to test to see if certain conditions
are met prior to proceeding with the update. The message above is saying
that conditions were not met and the update is not proceeding. See doc/rfc/
A: DNS updates allow the update request to test to see if certain conditions are
met prior to proceeding with the update. The message above is saying that
conditions were not met and the update is not proceeding. See doc/rfc/
rfc2136.txt for more details on prerequisites.
Q: I keep getting log messages like the following. Why?
@@ -140,11 +147,11 @@ Q: I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
protocol. Windows 2000 machines have a habit of sending dynamic update
requests to DNS servers without being specifically configured to do so. If
the update requests are coming from a Windows 2000 machine, see http://
support.microsoft.com/support/kb/articles/q246/8/04.asp for information
about how to turn them off.
protocol. Windows 2000 machines have a habit of sending dynamic update requests
to DNS servers without being specifically configured to do so. If the update
requests are coming from a Windows 2000 machine, see http://
support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
how to turn them off.
Q: I see a log message like the following. Why?
@@ -152,59 +159,59 @@ Q: I see a log message like the following. Why?
A: You are most likely running named as a non-root user, and that user does not
have permission to write in /var/run. The common ways of fixing this are to
create a /var/run/named directory owned by the named user and set pid-file
to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
put the file in the directory specified by the directory option (which, in
this case, must be writable by the named user).
create a /var/run/named directory owned by the named user and set pid-file to "
/var/run/named/named.pid", or set pid-file to "named.pid", which will put the
file in the directory specified by the directory option (which, in this case,
must be writable by the named user).
Q: When I do a "dig . ns", many of the A records for the root servers are
missing. Why?
Q: When I do a "dig . ns", many of the A records for the root servers are missing.
Why?
A: This is normal and harmless. It is a somewhat confusing side effect of the
way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
avoid promoting glue into answers.
A: This is normal and harmless. It is a somewhat confusing side effect of the way
BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the root
server addresses as additional data in an authoritative response from a root
server, and these records are eligible for inclusion as additional data in
responses. Subsequently it receives a subset of the root server addresses as
additional data in a non-authoritative (referral) response from a root
server. This causes the addresses to now be considered non-authoritative
(glue) data, which is not eligible for inclusion in responses.
When BIND 9 first starts up and primes its cache, it receives the root server
addresses as additional data in an authoritative response from a root server,
and these records are eligible for inclusion as additional data in responses.
Subsequently it receives a subset of the root server addresses as additional
data in a non-authoritative (referral) response from a root server. This causes
the addresses to now be considered non-authoritative (glue) data, which is not
eligible for inclusion in responses.
The server does have a complete set of root server addresses cached at all
times, it just may not include all of them as additional data, depending on
whether they were last received as answers or as glue. You can always look
up the addresses with explicit queries like "dig a.root-servers.net A".
whether they were last received as answers or as glue. You can always look up
the addresses with explicit queries like "dig a.root-servers.net A".
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
A: This may be caused by a bug in the Windows 2000 DNS server where DNS
messages larger than 16K are not handled properly. This can be worked around
by setting the option "transfer-format one-answer;". Also check whether your
zone contains domain names with embedded spaces or other special characters,
like "John\032Doe\213s\032Computer", since such names have been known to
cause Windows 2000 slaves to incorrectly reject the zone.
A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
larger than 16K are not handled properly. This can be worked around by setting
the option "transfer-format one-answer;". Also check whether your zone contains
domain names with embedded spaces or other special characters, like "John\
032Doe\213s\032Computer", since such names have been known to cause Windows
2000 slaves to incorrectly reject the zone.
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
A: A zone can be updated either by editing zone files and reloading the server
or by dynamic update, but not both. If you have enabled dynamic update for a
zone using the "allow-update" option, you are not supposed to edit the zone
file by hand, and the server will not attempt to reload it.
A: A zone can be updated either by editing zone files and reloading the server or
by dynamic update, but not both. If you have enabled dynamic update for a zone
using the "allow-update" option, you are not supposed to edit the zone file by
hand, and the server will not attempt to reload it.
Q: I can query the nameserver from the nameserver but not from other machines.
Why?
A: This is usually the result of the firewall configuration stopping the
queries and / or the replies.
A: This is usually the result of the firewall configuration stopping the queries
and / or the replies.
Q: How can I make a server a slave for both an internal and an external view at
the same time? When I tried, both views on the slave were transferred from
the same view on the master.
the same time? When I tried, both views on the slave were transferred from the
same view on the master.
A: You will need to give the master and slave multiple IP addresses and use
those to make sure you reach the correct view on the other machine.
A: You will need to give the master and slave multiple IP addresses and use those
to make sure you reach the correct view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
@@ -232,8 +239,8 @@ A: You will need to give the master and slave multiple IP addresses and use
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
You put the external address on the alias so that all the other dns clients
on these boxes see the internal view by default.
You put the external address on the alias so that all the other dns clients on
these boxes see the internal view by default.
A: BIND 9.3 and later: Use TSIG to select the appropriate view.
@@ -248,7 +255,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
};
view "external" {
match-clients { key external; any; };
server 10.0.0.2 { keys external; };
server 10.0.1.2 { keys external; };
recursion no;
...
};
@@ -264,7 +271,7 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
};
view "external" {
match-clients { key external; any; };
server 10.0.0.1 { keys external; };
server 10.0.1.1 { keys external; };
recursion no;
...
};
@@ -272,8 +279,8 @@ A: BIND 9.3 and later: Use TSIG to select the appropriate view.
Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
certain interrupts as a source of random events. You can make this permanent
by setting rand_irqs in /etc/rc.conf.
certain interrupts as a source of random events. You can make this permanent by
setting rand_irqs in /etc/rc.conf.
/etc/rc.conf
rand_irqs="3 14 15"
@@ -283,34 +290,33 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
Q: Why is named listening on UDP port other than 53?
A: Named uses a system selected port to make queries of other nameservers. This
behaviour can be overridden by using query-source to lock down the port and/
or address. See also notify-source and transfer-source.
behaviour can be overridden by using query-source to lock down the port and/or
address. See also notify-source and transfer-source.
Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
other data" when transferring a zone. What does this mean?
Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
data" when transferring a zone. What does this mean?
A: These indicate a malformed master zone. You can identify the exact records
involved by transferring the zone using dig then running named-checkzone on
it.
involved by transferring the zone using dig then running named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
A CNAME record cannot exist with the same name as another record except for
the DNSSEC records which prove its existance (NSEC).
A CNAME record cannot exist with the same name as another record except for the
DNSSEC records which prove its existance (NSEC).
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
should be present; this ensures that the data for a canonical name and its
aliases cannot be different. This rule also insures that a cached CNAME can
be used without checking with an authoritative server for other RR types."
aliases cannot be different. This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types."
Q: I get error messages like "named.conf:99: unexpected end of input" where 99
is the last line of named.conf.
Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
the last line of named.conf.
A: Some text editors (notepad and wordpad) fail to put a line title indication
(e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
a blank line to the end of the file. Named expects to see EOF immediately
after EOL and treats text files where this is not met as truncated.
(e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
blank line to the end of the file. Named expects to see EOF immediately after
EOL and treats text files where this is not met as truncated.
Q: I get warning messages like "zone example.com/IN: refresh: failure trying
master 1.2.3.4#53: timed out".
@@ -319,15 +325,15 @@ A: Check that you can make UDP queries from the slave to the master
dig +norec example.com soa @1.2.3.4
You could be generating queries faster than the slave can cope with. Lower
the serial query rate.
You could be generating queries faster than the slave can cope with. Lower the
serial query rate.
serial-query-rate 5; // default 20
Q: How do I share a dynamic zone between multiple views?
A: You choose one view to be master and the second a slave and transfer the
zone between views.
A: You choose one view to be master and the second a slave and transfer the zone
between views.
Master 10.0.1.1:
key "external" {
@@ -370,14 +376,14 @@ Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
file primaries/wireless.ietf56.ietf.org: no owner".
A: This error is produced when a line in the master file contains leading white
space (tab/space) but the is no current record owner name to inherit the
name from. Usually this is the result of putting white space before a
comment. Forgeting the "@" for the SOA record or indenting the master file.
space (tab/space) but the is no current record owner name to inherit the name
from. Usually this is the result of putting white space before a comment.
Forgeting the "@" for the SOA record or indenting the master file.
Q: Why are my logs in GMT (UTC).
A: You are running chrooted (-t) and have not supplied local timzone
information in the chroot area.
A: You are running chrooted (-t) and have not supplied local timzone information
in the chroot area.
FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
@@ -395,23 +401,23 @@ Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
A: This is usually a configuration error.
First ensure that named is running and no errors are being reported at
startup (/var/log/messages or equivalent). Running "named -g <usual
arguments>" from a title can help at this point.
First ensure that named is running and no errors are being reported at startup
(/var/log/messages or equivalent). Running "named -g <usual arguments>" from a
title can help at this point.
Secondly ensure that named is configured to use rndc either by "rndc-confgen
-a", rndc-confgen or manually. The Administrators Reference manual has
details on how to do this.
-a", rndc-confgen or manually. The Administrators Reference manual has details
on how to do this.
Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
the default server listed in /etc/rndc.conf matches the addresses used in
named.conf. "localhost" has two address (127.0.0.1 and ::1).
If you use "rndc-confgen -a" and named is running with -t or -u ensure that
/etc/rndc.conf has the correct ownership and that a copy is in the chroot
area. You can do this by re-running "rndc-confgen -a" with appropriate -t
and -u arguments.
If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
arguments.
Q: I don't get RRSIG's returned when I use "dig +dnssec".
@@ -419,12 +425,11 @@ A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
Q: I get "Error 1067" when starting named under Windows.
A: This is the service manager saying that named exited. You need to examine
the Application log in the EventViewer to find out why.
A: This is the service manager saying that named exited. You need to examine the
Application log in the EventViewer to find out why.
Common causes are that you failed to create "named.conf" (usually "C:\
windows\dns\etc\named.conf") or failed to specify the directory in
named.conf.
Common causes are that you failed to create "named.conf" (usually "C:\windows\
dns\etc\named.conf") or failed to specify the directory in named.conf.
options {
Directory "C:\windows\dns\etc";
@@ -439,11 +444,11 @@ A: These indicate a filesystem permission error preventing named creating /
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
Named needs write permission on the directory containing the file. Named
writes the new cache file to a temporary file then renames it to the name
specified in named.conf to ensure that the contents are always complete.
This is to prevent named loading a partial zone in the event of power
failure or similar interrupting the write of the master file.
Named needs write permission on the directory containing the file. Named writes
the new cache file to a temporary file then renames it to the name specified in
named.conf to ensure that the contents are always complete. This is to prevent
named loading a partial zone in the event of power failure or similar
interrupting the write of the master file.
Note file names are relative to the directory specified in options and any
chroot directory ([<chroot dir>/][<options dir>]).
@@ -489,8 +494,8 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
If you are not using these private addresses then a client has queried for
them. You can just ignore the messages, get the offending client to stop
sending you these messages as they are most probably leaking them or setup
your own zones empty zones to serve answers to these queries.
sending you these messages as they are most probably leaking them or setup your
own zones empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
@@ -523,3 +528,102 @@ A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
Future versions of named are likely to do this automatically.
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones from
journals?
Why can't named create custom log files?
A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
Red Hat have adopted the National Security Agency's SELinux security policy (
see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
are more secure than running named in a chroot and make use of the bind-chroot
environment unecessary .
By default, named is not allowed by the SELinux policy to write, create or
delete any files EXCEPT in these directories:
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
/named directory, the default location for master zone database files.
SELinux policy overrules file access permissions - so even if all the files
under /var/named have ownership named:named and mode rw-rw-r--, named will
still not be able to write or create files except in the directories above,
with SELinux in Enforcing mode.
So, to allow named to update slave or DDNS zone files, it is best to locate
them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
To allow named to create its cache dump and statistics files, for example, you
could use named.conf options statements such as:
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
You can also tell SELinux to allow named to update any zone database files, by
setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
using the system-config-securitylevel GUI, using the 'setsebool' command, or in
/etc/selinux/targeted/booleans.
You can disable SELinux protection for named entirely by setting the
'named_disable_trans=1' SELinux tunable boolean parameter.
The SELinux named policy defines these SELinux contexts for named:
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
If you want to retain use of the SELinux policy for named, and put named files
in different locations, you can do so by changing the context of the custom
file locations .
To create a custom configuration file location, eg. '/root/named.conf', to use
with the 'named -c' option, do:
# chcon system_u:object_r:named_conf_t /root/named.conf
To create a custom modifiable named data location, eg. '/var/log/named' for a
log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
To create a custom zone file location, eg. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
See these man-pages for more information : selinux(8), named_selinux(8), chcon
(1), setsebool(8)

194
FAQ.xml
View File

@@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: FAQ.xml,v 1.4.8.3 2005/11/02 22:54:05 marka Exp $ -->
<!-- $Id: FAQ.xml,v 1.4.8.4 2006/02/23 22:34:13 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
@@ -64,6 +64,26 @@
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Why do I get the following errors:
<programlisting>general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error</programlisting>
</para>
</question>
<answer>
<para>
This is the result of a Linux kernel bug.
</para>
<para>
See:
<ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2">http://marc.theaimsgroup.com/?l=linux-netdev&amp;m=113081708031466&amp;w=2</ulink>
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
@@ -516,7 +536,7 @@ Master 10.0.1.1:
};
view "external" {
match-clients { key external; any; };
server 10.0.0.2 { keys external; };
server 10.0.1.2 { keys external; };
recursion no;
...
};
@@ -532,7 +552,7 @@ Slave 10.0.1.2:
};
view "external" {
match-clients { key external; any; };
server 10.0.0.1 { keys external; };
server 10.0.1.1 { keys external; };
recursion no;
...
};</programlisting>
@@ -997,11 +1017,177 @@ empty:
1 3600 1200 604800 10800 )
@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
</informalexample>
<para>
<note>
Future versions of named are likely to do this automatically.
</note>
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
</para>
<para>
Why can't named update slave zone database files?
</para>
<para>
Why can't named create DDNS journal files or update
the master zones from journals?
</para>
<para>
Why can't named create custom log files?
</para>
</question>
<answer>
<para>
Red Hat Security Enhanced Linux (SELinux) policy security
protections :
</para>
<para>
Red Hat have adopted the National Security Agency's
SELinux security policy ( see http://www.nsa.gov/selinux
) and recommendations for BIND security , which are more
secure than running named in a chroot and make use of
the bind-chroot environment unecessary .
</para>
<para>
By default, named is not allowed by the SELinux policy
to write, create or delete any files EXCEPT in these
directories:
<informalexample>
<programlisting>
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
</programlisting>
</informalexample>
where $ROOTDIR may be set in /etc/sysconfig/named if
bind-chroot is installed.
</para>
<para>
The SELinux policy particularly does NOT allow named to modify
the $ROOTDIR/var/named directory, the default location for master
zone database files.
</para>
<para>
SELinux policy overrules file access permissions - so
even if all the files under /var/named have ownership
named:named and mode rw-rw-r--, named will still not be
able to write or create files except in the directories
above, with SELinux in Enforcing mode.
</para>
<para>
So, to allow named to update slave or DDNS zone files,
it is best to locate them in $ROOTDIR/var/named/slaves,
with named.conf zone statements such as:
<informalexample>
<programlisting>
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
</programlisting>
</informalexample>
</para>
<para>
To allow named to create its cache dump and statistics
files, for example, you could use named.conf options
statements such as:
<informalexample>
<programlisting>
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
</programlisting>
</informalexample>
</para>
<para>
You can also tell SELinux to allow named to update any
zone database files, by setting the SELinux tunable boolean
parameter 'named_write_master_zones=1', using the
system-config-securitylevel GUI, using the 'setsebool'
command, or in /etc/selinux/targeted/booleans.
</para>
<para>
You can disable SELinux protection for named entirely by
setting the 'named_disable_trans=1' SELinux tunable boolean
parameter.
</para>
<para>
The SELinux named policy defines these SELinux contexts for named:
<informalexample>
<programlisting>
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
</programlisting>
</informalexample>
</para>
<para>
If you want to retain use of the SELinux policy for named,
and put named files in different locations, you can do
so by changing the context of the custom file locations
.
</para>
<para>
To create a custom configuration file location, eg.
'/root/named.conf', to use with the 'named -c' option,
do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_conf_t /root/named.conf
</programlisting>
</informalexample>
</para>
<para>
To create a custom modifiable named data location, eg.
'/var/log/named' for a log file, do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_cache_t /var/log/named
</programlisting>
</informalexample>
</para>
<para>
To create a custom zone file location, eg. /root/zones/, do:
<informalexample>
<programlisting>
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
</programlisting>
</informalexample>
</para>
<para>
See these man-pages for more information : selinux(8),
named_selinux(8), chcon(1), setsebool(8)
</para>
</answer>
</qandaentry>
</qandaset>
</article>