mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-23 11:18:54 +00:00
676 lines
26 KiB
Plaintext
676 lines
26 KiB
Plaintext
Frequently Asked Questions about BIND 9
|
|
|
|
Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
|
|
|
|
Copyright © 2000-2003 Internet Software Consortium.
|
|
|
|
-------------------------------------------------------------------------------
|
|
|
|
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
|
|
|
|
A: Linux threads do not fully implement the Posix threads (pthreads) standard. In
|
|
particular, setuid() operates only on the current thread, not the full process.
|
|
Because of this limitation, BIND 9 cannot use setuid() on Linux as it can on
|
|
all other supported platforms. setuid() cannot be called before creating
|
|
threads, since the server does not start listening on reserved ports until
|
|
after threads have started.
|
|
|
|
In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
|
|
capabilities across a setuid() call is present. This allows BIND 9 to call
|
|
setuid() early, while retaining the ability to bind reserved ports. This is a
|
|
Linux-specific hack.
|
|
|
|
On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less of
|
|
a security risk than a root process that has not dropped privileges.
|
|
|
|
If Linux threads ever work correctly, this restriction will go away.
|
|
|
|
Configuring BIND9 with the --disable-threads option (the default) causes a
|
|
non-threaded version to be built, which will allow -u to be used.
|
|
|
|
Q: Why do I get the following errors:
|
|
|
|
general: errno2result.c:109: unexpected error:
|
|
general: unable to convert errno to isc_result: 14: Bad address
|
|
client: UDP client handler shutting down due to fatal receive error: unexpected error
|
|
|
|
A: This is the result of a Linux kernel bug.
|
|
|
|
See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2
|
|
|
|
Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
|
|
instead"?
|
|
|
|
A: Your zone file is illegal according to RFC1035. It must either have a line
|
|
like:
|
|
|
|
$TTL 86400
|
|
|
|
at the beginning, or the first record in it must have a TTL field, like the
|
|
"84600" in this example:
|
|
|
|
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
|
|
|
|
Q: Why do I see 5 (or more) copies of named on Linux?
|
|
|
|
A: Linux threads each show up as a process under ps. The approximate number of
|
|
threads running is n+4, where n is the number of CPUs. Note that the amount of
|
|
memory used is not cumulative; if each process is using 10M of memory, only a
|
|
total of 10M is used.
|
|
|
|
Newer versions of Linux's ps command hide the individual threads and require -L
|
|
to display them.
|
|
|
|
Q: Why does BIND 9 log "permission denied" errors accessing its configuration
|
|
files or zones on my Linux system even though it is running as root?
|
|
|
|
A: On Linux, BIND 9 drops most of its root privileges on startup. This including
|
|
the privilege to open files owned by other users. Therefore, if the server is
|
|
running as root, the configuration files and zone files should also be owned by
|
|
root.
|
|
|
|
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar:
|
|
ran out of space"?
|
|
|
|
A: This is often caused by TXT records with missing close quotes. Check that all
|
|
TXT records containing quoted strings have both open and close quotes.
|
|
|
|
Q: How do I produce a usable core file from a multithreaded named on Linux?
|
|
|
|
A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
|
|
(that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
|
|
apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
|
|
kernel. This patch will cause multithreaded programs to dump the correct
|
|
thread.
|
|
|
|
Q: How do I restrict people from looking up the server version?
|
|
|
|
A: Put a "version" option containing something other than the real version in the
|
|
"options" section of named.conf. Note doing this will not prevent attacks and
|
|
may impede people trying to diagnose problems with your server. Also it is
|
|
possible to "fingerprint" nameservers to determine their version.
|
|
|
|
Q: How do I restrict only remote users from looking up the server version?
|
|
|
|
A: The following view statement will intercept lookups as the internal view that
|
|
holds the version information will be matched last. The caveats of the previous
|
|
answer still apply, of course.
|
|
|
|
view "chaos" chaos {
|
|
match-clients { <those to be refused>; };
|
|
allow-query { none; };
|
|
zone "." {
|
|
type hint;
|
|
file "/dev/null"; // or any empty file
|
|
};
|
|
};
|
|
|
|
Q: What do "no source of entropy found" or "could not open entropy source foo"
|
|
mean?
|
|
|
|
A: The server requires a source of entropy to perform certain operations, mostly
|
|
DNSSEC related. These messages indicate that you have no source of entropy. On
|
|
systems with /dev/random or an equivalent, it is used by default. A source of
|
|
entropy can also be defined using the random-device option in named.conf.
|
|
|
|
Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
|
|
|
|
A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
|
|
under /usr. Check that the correct named is running.
|
|
|
|
Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers. I'm
|
|
sure I have the keys set up correctly, but the server is rejecting the TSIG.
|
|
Why?
|
|
|
|
A: This may be a clock skew problem. Check that the the clocks on the client and
|
|
server are properly synchronised (e.g., using ntp).
|
|
|
|
Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
|
|
found. Why?
|
|
|
|
A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
|
|
doesn't work. If you are using one of these, use normal make or gmake instead.
|
|
|
|
Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging error
|
|
messages like "notify to 10.0.0.1#53 failed: unexpected end of input". What's
|
|
wrong?
|
|
|
|
A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in BIND
|
|
8.2.4. It can be safely ignored - the notify has been acted on by the slave
|
|
despite the error message.
|
|
|
|
Q: I keep getting log messages like the following. Why?
|
|
|
|
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
|
|
failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
|
|
|
|
A: DNS updates allow the update request to test to see if certain conditions are
|
|
met prior to proceeding with the update. The message above is saying that
|
|
conditions were not met and the update is not proceeding. See doc/rfc/
|
|
rfc2136.txt for more details on prerequisites.
|
|
|
|
Q: I keep getting log messages like the following. Why?
|
|
|
|
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
|
|
|
|
A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
|
|
protocol. Windows 2000 machines have a habit of sending dynamic update requests
|
|
to DNS servers without being specifically configured to do so. If the update
|
|
requests are coming from a Windows 2000 machine, see http://
|
|
support.microsoft.com/support/kb/articles/q246/8/04.asp for information about
|
|
how to turn them off.
|
|
|
|
Q: I see a log message like the following. Why?
|
|
|
|
couldn't open pid file '/var/run/named.pid': Permission denied
|
|
|
|
A: You are most likely running named as a non-root user, and that user does not
|
|
have permission to write in /var/run. The common ways of fixing this are to
|
|
create a /var/run/named directory owned by the named user and set pid-file to "
|
|
/var/run/named/named.pid", or set pid-file to "named.pid", which will put the
|
|
file in the directory specified by the directory option (which, in this case,
|
|
must be writable by the named user).
|
|
|
|
Q: When I do a "dig . ns", many of the A records for the root servers are missing.
|
|
Why?
|
|
|
|
A: This is normal and harmless. It is a somewhat confusing side effect of the way
|
|
BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid
|
|
promoting glue into answers.
|
|
|
|
When BIND 9 first starts up and primes its cache, it receives the root server
|
|
addresses as additional data in an authoritative response from a root server,
|
|
and these records are eligible for inclusion as additional data in responses.
|
|
Subsequently it receives a subset of the root server addresses as additional
|
|
data in a non-authoritative (referral) response from a root server. This causes
|
|
the addresses to now be considered non-authoritative (glue) data, which is not
|
|
eligible for inclusion in responses.
|
|
|
|
The server does have a complete set of root server addresses cached at all
|
|
times, it just may not include all of them as additional data, depending on
|
|
whether they were last received as answers or as glue. You can always look up
|
|
the addresses with explicit queries like "dig a.root-servers.net A".
|
|
|
|
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
|
|
|
|
A: This may be caused by a bug in the Windows 2000 DNS server where DNS messages
|
|
larger than 16K are not handled properly. This can be worked around by setting
|
|
the option "transfer-format one-answer;". Also check whether your zone contains
|
|
domain names with embedded spaces or other special characters, like "John\
|
|
032Doe\213s\032Computer", since such names have been known to cause Windows
|
|
2000 slaves to incorrectly reject the zone.
|
|
|
|
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
|
|
|
|
A: A zone can be updated either by editing zone files and reloading the server or
|
|
by dynamic update, but not both. If you have enabled dynamic update for a zone
|
|
using the "allow-update" option, you are not supposed to edit the zone file by
|
|
hand, and the server will not attempt to reload it.
|
|
|
|
Q: I can query the nameserver from the nameserver but not from other machines.
|
|
Why?
|
|
|
|
A: This is usually the result of the firewall configuration stopping the queries
|
|
and / or the replies.
|
|
|
|
Q: How can I make a server a slave for both an internal and an external view at
|
|
the same time? When I tried, both views on the slave were transferred from the
|
|
same view on the master.
|
|
|
|
A: You will need to give the master and slave multiple IP addresses and use those
|
|
to make sure you reach the correct view on the other machine.
|
|
|
|
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
|
|
internal:
|
|
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
|
|
notify-source 10.0.1.1;
|
|
transfer-source 10.0.1.1;
|
|
query-source address 10.0.1.1;
|
|
external:
|
|
match-clients { any; };
|
|
recursion no; // don't offer recursion to the world
|
|
notify-source 10.0.1.2;
|
|
transfer-source 10.0.1.2;
|
|
query-source address 10.0.1.2;
|
|
|
|
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
|
|
internal:
|
|
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
|
|
notify-source 10.0.1.3;
|
|
transfer-source 10.0.1.3;
|
|
query-source address 10.0.1.3;
|
|
external:
|
|
match-clients { any; };
|
|
recursion no; // don't offer recursion to the world
|
|
notify-source 10.0.1.4;
|
|
transfer-source 10.0.1.4;
|
|
query-source address 10.0.1.4;
|
|
|
|
You put the external address on the alias so that all the other dns clients on
|
|
these boxes see the internal view by default.
|
|
|
|
A: BIND 9.3 and later: Use TSIG to select the appropriate view.
|
|
|
|
Master 10.0.1.1:
|
|
key "external" {
|
|
algorithm hmac-md5;
|
|
secret "xxxxxxxx";
|
|
};
|
|
view "internal" {
|
|
match-clients { !key external; 10.0.1/24; };
|
|
...
|
|
};
|
|
view "external" {
|
|
match-clients { key external; any; };
|
|
server 10.0.1.2 { keys external; };
|
|
recursion no;
|
|
...
|
|
};
|
|
|
|
Slave 10.0.1.2:
|
|
key "external" {
|
|
algorithm hmac-md5;
|
|
secret "xxxxxxxx";
|
|
};
|
|
view "internal" {
|
|
match-clients { !key external; 10.0.1/24; };
|
|
...
|
|
};
|
|
view "external" {
|
|
match-clients { key external; any; };
|
|
server 10.0.1.1 { keys external; };
|
|
recursion no;
|
|
...
|
|
};
|
|
|
|
Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
|
|
|
|
A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
|
|
certain interrupts as a source of random events. You can make this permanent by
|
|
setting rand_irqs in /etc/rc.conf.
|
|
|
|
/etc/rc.conf
|
|
rand_irqs="3 14 15"
|
|
|
|
See also http://people.freebsd.org/~dougb/randomness.html
|
|
|
|
Q: Why is named listening on UDP port other than 53?
|
|
|
|
A: Named uses a system selected port to make queries of other nameservers. This
|
|
behaviour can be overridden by using query-source to lock down the port and/or
|
|
address. See also notify-source and transfer-source.
|
|
|
|
Q: I get error messages like "multiple RRs of singleton type" and "CNAME and other
|
|
data" when transferring a zone. What does this mean?
|
|
|
|
A: These indicate a malformed master zone. You can identify the exact records
|
|
involved by transferring the zone using dig then running named-checkzone on it.
|
|
|
|
dig axfr example.com @master-server > tmp
|
|
named-checkzone example.com tmp
|
|
|
|
A CNAME record cannot exist with the same name as another record except for the
|
|
DNSSEC records which prove its existance (NSEC).
|
|
|
|
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
|
|
should be present; this ensures that the data for a canonical name and its
|
|
aliases cannot be different. This rule also insures that a cached CNAME can be
|
|
used without checking with an authoritative server for other RR types."
|
|
|
|
Q: I get error messages like "named.conf:99: unexpected end of input" where 99 is
|
|
the last line of named.conf.
|
|
|
|
A: Some text editors (notepad and wordpad) fail to put a line title indication
|
|
(e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a
|
|
blank line to the end of the file. Named expects to see EOF immediately after
|
|
EOL and treats text files where this is not met as truncated.
|
|
|
|
Q: I get warning messages like "zone example.com/IN: refresh: failure trying
|
|
master 1.2.3.4#53: timed out".
|
|
|
|
A: Check that you can make UDP queries from the slave to the master
|
|
|
|
dig +norec example.com soa @1.2.3.4
|
|
|
|
You could be generating queries faster than the slave can cope with. Lower the
|
|
serial query rate.
|
|
|
|
serial-query-rate 5; // default 20
|
|
|
|
Q: How do I share a dynamic zone between multiple views?
|
|
|
|
A: You choose one view to be master and the second a slave and transfer the zone
|
|
between views.
|
|
|
|
Master 10.0.1.1:
|
|
key "external" {
|
|
algorithm hmac-md5;
|
|
secret "xxxxxxxx";
|
|
};
|
|
|
|
key "mykey" {
|
|
algorithm hmac-md5;
|
|
secret "yyyyyyyy";
|
|
};
|
|
|
|
view "internal" {
|
|
match-clients { !external; 10.0.1/24; };
|
|
server 10.0.1.1 {
|
|
/* Deliver notify messages to external view. */
|
|
keys { external; };
|
|
};
|
|
zone "example.com" {
|
|
type master;
|
|
file "internal/example.db";
|
|
allow-update { key mykey; };
|
|
notify-also { 10.0.1.1; };
|
|
};
|
|
};
|
|
|
|
view "external" {
|
|
match-clients { external; any; };
|
|
zone "example.com" {
|
|
type slave;
|
|
file "external/example.db";
|
|
masters { 10.0.1.1; };
|
|
transfer-source { 10.0.1.1; };
|
|
// allow-update-forwarding { any; };
|
|
// allow-notify { ... };
|
|
};
|
|
};
|
|
|
|
Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
|
|
file primaries/wireless.ietf56.ietf.org: no owner".
|
|
|
|
A: This error is produced when a line in the master file contains leading white
|
|
space (tab/space) but the is no current record owner name to inherit the name
|
|
from. Usually this is the result of putting white space before a comment.
|
|
Forgeting the "@" for the SOA record or indenting the master file.
|
|
|
|
Q: Why are my logs in GMT (UTC).
|
|
|
|
A: You are running chrooted (-t) and have not supplied local timzone information
|
|
in the chroot area.
|
|
|
|
FreeBSD: /etc/localtime
|
|
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
|
|
OSF: /etc/zoneinfo/localtime
|
|
|
|
See also tzset(3) and zic(8).
|
|
|
|
Q: I get the error message "named: capset failed: Operation not permitted" when
|
|
starting named.
|
|
|
|
A: The capability module, part of "Linux Security Modules/LSM", has not been
|
|
loaded into the kernel. See insmod(8).
|
|
|
|
Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
|
|
|
|
A: This is usually a configuration error.
|
|
|
|
First ensure that named is running and no errors are being reported at startup
|
|
(/var/log/messages or equivalent). Running "named -g <usual arguments>" from a
|
|
title can help at this point.
|
|
|
|
Secondly ensure that named is configured to use rndc either by "rndc-confgen
|
|
-a", rndc-confgen or manually. The Administrators Reference manual has details
|
|
on how to do this.
|
|
|
|
Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
|
|
rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
|
|
the default server listed in /etc/rndc.conf matches the addresses used in
|
|
named.conf. "localhost" has two address (127.0.0.1 and ::1).
|
|
|
|
If you use "rndc-confgen -a" and named is running with -t or -u ensure that /
|
|
etc/rndc.conf has the correct ownership and that a copy is in the chroot area.
|
|
You can do this by re-running "rndc-confgen -a" with appropriate -t and -u
|
|
arguments.
|
|
|
|
Q: I don't get RRSIG's returned when I use "dig +dnssec".
|
|
|
|
A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
|
|
|
|
Q: I get "Error 1067" when starting named under Windows.
|
|
|
|
A: This is the service manager saying that named exited. You need to examine the
|
|
Application log in the EventViewer to find out why.
|
|
|
|
Common causes are that you failed to create "named.conf" (usually "C:\windows\
|
|
dns\etc\named.conf") or failed to specify the directory in named.conf.
|
|
|
|
options {
|
|
Directory "C:\windows\dns\etc";
|
|
};
|
|
|
|
Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
|
|
receiving responses: permission denied" error messages.
|
|
|
|
A: These indicate a filesystem permission error preventing named creating /
|
|
renaming the temporary file. These will usually also have other associated
|
|
error messages like
|
|
|
|
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
|
|
|
|
Named needs write permission on the directory containing the file. Named writes
|
|
the new cache file to a temporary file then renames it to the name specified in
|
|
named.conf to ensure that the contents are always complete. This is to prevent
|
|
named loading a partial zone in the event of power failure or similar
|
|
interrupting the write of the master file.
|
|
|
|
Note file names are relative to the directory specified in options and any
|
|
chroot directory ([<chroot dir>/][<options dir>]).
|
|
|
|
If named is invoked as "named -t /chroot/DNS" with the following named.conf
|
|
then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
|
|
running as.
|
|
|
|
options {
|
|
directory "/var/named";
|
|
};
|
|
|
|
zone "example.net" {
|
|
type slave;
|
|
file "sl/example.net";
|
|
masters { 192.168.4.12; };
|
|
};
|
|
|
|
Q: How do I intergrate BIND 9 and Solaris SMF
|
|
|
|
A: Sun has a blog entry describing how to do this.
|
|
|
|
http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
|
|
|
|
Q: Can a NS record refer to a CNAME.
|
|
|
|
A: No. The rules for glue (copies of the *address* records in the parent zones)
|
|
and additional section processing do not allow it to work.
|
|
|
|
You would have to add both the CNAME and address records (A/AAAA) as glue to
|
|
the parent zone and have CNAMEs be followed when doing additional section
|
|
processing to make it work. No namesever implementation supports either of
|
|
these requirements.
|
|
|
|
Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
|
|
|
|
A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
|
|
using then you have failed to follow RFC 1918 usage rules and are leaking
|
|
queries to the Internet. You should establish your own zones for these
|
|
addresses to prevent you quering the Internet's name servers for these
|
|
addresses. Please see http://as112.net/ for details of the problems you are
|
|
causing and the counter measures that have had to be deployed.
|
|
|
|
If you are not using these private addresses then a client has queried for
|
|
them. You can just ignore the messages, get the offending client to stop
|
|
sending you these messages as they are most probably leaking them or setup your
|
|
own zones empty zones to serve answers to these queries.
|
|
|
|
zone "10.IN-ADDR.ARPA" {
|
|
type master;
|
|
file "empty";
|
|
};
|
|
|
|
zone "16.172.IN-ADDR.ARPA" {
|
|
type master;
|
|
file "empty";
|
|
};
|
|
|
|
...
|
|
|
|
zone "31.172.IN-ADDR.ARPA" {
|
|
type master;
|
|
file "empty";
|
|
};
|
|
|
|
zone "168.192.IN-ADDR.ARPA" {
|
|
type master;
|
|
file "empty";
|
|
};
|
|
|
|
empty:
|
|
@ 10800 IN SOA <name-of-server>. <contact-email>. (
|
|
1 3600 1200 604800 10800 )
|
|
@ 10800 IN NS <name-of-server>.
|
|
|
|
Note
|
|
|
|
Future versions of named are likely to do this automatically.
|
|
|
|
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
|
|
|
|
Why can't named update slave zone database files?
|
|
|
|
Why can't named create DDNS journal files or update the master zones from
|
|
journals?
|
|
|
|
Why can't named create custom log files?
|
|
|
|
A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
|
|
|
|
Red Hat have adopted the National Security Agency's SELinux security policy (
|
|
see http://www.nsa.gov/selinux ) and recommendations for BIND security , which
|
|
are more secure than running named in a chroot and make use of the bind-chroot
|
|
environment unecessary .
|
|
|
|
By default, named is not allowed by the SELinux policy to write, create or
|
|
delete any files EXCEPT in these directories:
|
|
|
|
$ROOTDIR/var/named/slaves
|
|
$ROOTDIR/var/named/data
|
|
$ROOTDIR/var/tmp
|
|
|
|
|
|
where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.
|
|
|
|
The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var
|
|
/named directory, the default location for master zone database files.
|
|
|
|
SELinux policy overrules file access permissions - so even if all the files
|
|
under /var/named have ownership named:named and mode rw-rw-r--, named will
|
|
still not be able to write or create files except in the directories above,
|
|
with SELinux in Enforcing mode.
|
|
|
|
So, to allow named to update slave or DDNS zone files, it is best to locate
|
|
them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:
|
|
|
|
zone "slave.zone." IN {
|
|
type slave;
|
|
file "slaves/slave.zone.db";
|
|
...
|
|
};
|
|
zone "ddns.zone." IN {
|
|
type master;
|
|
allow-updates {...};
|
|
file "slaves/ddns.zone.db";
|
|
};
|
|
|
|
|
|
To allow named to create its cache dump and statistics files, for example, you
|
|
could use named.conf options statements such as:
|
|
|
|
options {
|
|
...
|
|
dump-file "/var/named/data/cache_dump.db";
|
|
statistics-file "/var/named/data/named_stats.txt";
|
|
...
|
|
};
|
|
|
|
|
|
You can also tell SELinux to allow named to update any zone database files, by
|
|
setting the SELinux tunable boolean parameter 'named_write_master_zones=1',
|
|
using the system-config-securitylevel GUI, using the 'setsebool' command, or in
|
|
/etc/selinux/targeted/booleans.
|
|
|
|
You can disable SELinux protection for named entirely by setting the
|
|
'named_disable_trans=1' SELinux tunable boolean parameter.
|
|
|
|
The SELinux named policy defines these SELinux contexts for named:
|
|
|
|
named_zone_t : for zone database files - $ROOTDIR/var/named/*
|
|
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
|
|
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
|
|
|
|
|
|
If you want to retain use of the SELinux policy for named, and put named files
|
|
in different locations, you can do so by changing the context of the custom
|
|
file locations .
|
|
|
|
To create a custom configuration file location, eg. '/root/named.conf', to use
|
|
with the 'named -c' option, do:
|
|
|
|
# chcon system_u:object_r:named_conf_t /root/named.conf
|
|
|
|
|
|
To create a custom modifiable named data location, eg. '/var/log/named' for a
|
|
log file, do:
|
|
|
|
# chcon system_u:object_r:named_cache_t /var/log/named
|
|
|
|
|
|
To create a custom zone file location, eg. /root/zones/, do:
|
|
|
|
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
|
|
|
|
|
|
See these man-pages for more information : selinux(8), named_selinux(8), chcon
|
|
(1), setsebool(8)
|
|
|
|
Q: I want to forward all DNS queries from my caching nameserver to another server.
|
|
But there are some domains which have to be served locally, via rbldnsd.
|
|
|
|
How do I achieve this ?
|
|
|
|
A: options {
|
|
forward only;
|
|
forwarders { <ip.of.primary.nameserver>; };
|
|
};
|
|
|
|
zone "sbl-xbl.spamhaus.org" {
|
|
type forward; forward only;
|
|
forwarders { <ip.of.rbldns.server> port 530; };
|
|
};
|
|
|
|
zone "list.dsbl.org" {
|
|
type forward; forward only;
|
|
forwarders { <ip.of.rbldns.server> port 530; };
|
|
};
|
|
|
|
|
|
Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
|
|
|
|
A: No, so long as the machines internal clock (as reported by "date -u") remains
|
|
at UTC. The only visible change if you fail to upgrade your OS, if you are in a
|
|
affected area, will be that log messages will be a hour out during the period
|
|
where the old rules do not match the new rules.
|
|
|
|
For most OS's this change just means that you need to update the conversion
|
|
rules from UTC to local time. Normally this involves updating a file in /etc
|
|
(which sets the default timezone for the machine) and possibly a directory
|
|
which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
|
|
When updating the OS do not forget to update any chroot areas as well. See your
|
|
OS's documetation for more details.
|
|
|
|
The local timezone conversion rules can also be done on a individual basis by
|
|
setting the TZ envirionment variable appropriately. See your OS's documentation
|
|
for more details.
|
|
|