Bind9 f & amp; q

This article is translated from an article on the main website of BIND: http://www.isc.org/products/bind/faq.html. It should be said that these problems are very typical and can provide a lot of help for the daily maintenance and management of BIND 9 users.

1. Why does the-u Parameter not work when I use a bind program compiled with the -- enable-threads option on Linux 2.2.x?
A: Linux threads have not fully implemented the Posix thread (pthreads) standard. In particular, setuid () can only work for the current thread, rather than the whole process. Because of this restriction, BIND 9 on Linux cannot use setuid () like other supported system platforms (). You cannot call setuid () before creating a thread, because the server can start listening to the reserved port only after the thread starts.
For 2.2.18, 2.3.99-pre3, and the updated kernel, the availability is maintained after setuid () is called. This allows BIND 9 to call setuid () earlier, while maintaining the ability to BIND reserved ports. This is a special process for Linux.
On the 2.2 kernel, BIND 9 does give up a lot of root permissions, so it is safer than the root processes that do not give up permissions.
If the Linux thread is working properly, this restriction will no longer exist.
You can use the -- disable-threads option (this is the default option) to compile BIND9. This will generate a non-thread version, and you can use the-u option.

2. Why does the named log provide a warning message "no TTL specified-using soa minttl instead "?
A: Your zone file does not comply with the RFC1035 standard. You can solve this problem in two ways:
1) add a line of TTL definition at the beginning of the zone file, for example, $ TTL 86400
2) The first record IN the zone file contains the TTL field, for example, example.com. 86400 in soa ns hostmaster.

3. Why do I see five (or more) named copies on Linux?
A: In ps, each Linux thread is displayed as a process. Generally, the number of running threads is n + 4. Here n indicates the number of CPUs. Note that the use of internal memory does not follow the principle of accumulation; if each process uses 10 MB of memory, then all threads only use 10 MB of memory.

4. Why do I still get the "permission denied" error log when accessing the configuration file or zone file even if I run BIND 9 as a root on Linux?
A: In Linux, BIND 9 gives up most of the root permissions at startup, including the permission to open the files of other users. Therefore, if the server runs as root, the configuration file and zone file should also be owned by root.

5. Why do I get an error message similar to "dns_zone_load: zone foo/IN: loading master file bar: ran out of space?
A: This is usually because a quotation mark is missing in the TXT record. Check whether all TXT records contain full quotation marks.

6. How can I generate an available core file from multi-thread named on Linux?
A: If the Linux kernel is 2.4.7 or an updated version, multi-threaded core export (dump) is available (that is, the correct thread will be exported ). Otherwise, if you use the 2.2 kernel, you need to apply the kernel patch in contrib/linux/coredump-patch and re-compile the kernel. This patch allows the multi-threaded program to export the correct thread.

7. How can I restrict others from querying my server version?
A: place the "version" option in the "options" section of named. conf and set the value to another version different from the version you actually use. Note: In this case, attacks cannot be avoided, but may impede others' attempts to diagnose your server problems, which may also become a sign for others' identification of your server.

8. How can I limit that only remote users can query Server versions?
A: When an internal view with version information is finally matched, the following view statement intercepts the query. The warning in the above answer is also applicable here.
View "chaos" chaos {
Match-clients {;};
Allow-query {none ;};
Zone "."{
Type hint;
File "/dev/null"; // or any empty file
};
};

9. What does "no source of entropy found" or "cocould not open entropy source foo" mean?
A: The server needs an information entropy (entropy) source to perform specific operations. This is usually related to DNSSEC. These information prompts that there is no information entropy source. On systems with/dev/random or similar devices, they are used by default. Information sources can also be defined using the random-device option in named. conf.

10. I have installed BIND 9 and restarted named, but it is still BIND 8. Why?
A: BIND 9 is installed in/usr/local by default. BIND 8 is usually installed in/usr. Check whether the correct named is running.

11. I tried to use TSIG to verify dynamic updates or zone transmission. I'm sure the key settings are correct, but the server still rejects TSIG. Why?
A: The clock may be inaccurate. Check whether the client clock is synchronized with the server (for example, ntp ).

12. I tried to compile BIND 9, but "make" failed because some files could not be found. Why?
A: using parallel or distributed "make" to compile BIND 9 is not supported and cannot work. If you are using either of them, we recommend that you use make or gmake.

13. I have a BIND 9 master server and a BIND 8.2.3 slave server, while the master server records a failure similar to "Running y to 10.0.0.1 #53: unexpected end of input "error message. What's the problem?
A: This error message is caused by a known bug in BIND 8.2.3, which has been fixed in BIND 8.2.4. You can ignore it at all-regardless of the error message, notify is working properly.

14. I keep getting the following log information. Why?
Dec 4 23:47:59 client 10.0.0.1 #1355: updating zone example.com/IN: update failed: RRset exists (value dependent) prerequisite not satisfied (NXRRSET)
A: The DNS update program allows the update request to be tested before the update to confirm whether the specified conditions are met. The above information cannot be updated because the conditions are not met. See doc/rfc/rfc2136.txt for more information about the prerequisites.

15. I keep getting the following log information. Why?
Jun 21 12:00:00. 000 client 10.0.0.1 #1234: update denied
A: Someone is trying to update your DNS data using the RFC2136 dynamic update protocol. Windows 2000 machines have the habit of sending dynamic update requests to DNS servers without prior configuration. If the update request comes from a Windows 2000 machine, see
16. I see the following log information. Why?
Couldnt open pid file/var/run/named. pid: Permission denied
A: It is very likely that you are running named as a non-root user, and this user has no write permission for/var/run. The usual solution is to create the/var/run/named directory owned by the named user and set the pid file to "/var/run/named. pid, or set the pid file to "named. pid ", which puts the file in the directory specified by the directory option (in this case, the directory must be writable to the named user.

17. When I run "dig. ns", many A records about the root server are lost. Why?
A: This is a normal situation and does not cause any problems. BIND 9 implements the trust ranking (RFC 2181) method in BIND 9 and BIND 9's efforts to prevent related data (glue) from entering the answer, which is somewhat confusing.
When BIND 9 is started for the first time and initializes its buffer, it receives additional data from the root server address as the root server's authoritative response, and these records comply with the conditions contained in the response as additional data. Subsequently, it receives a subset of the root server address as additional data for the root server's unauthoritative (recommended) response. As a result, these addresses are now considered non-authoritative (related) data and are not suitable for inclusion in the response.
Servers always have a complete set of root server addresses as the buffer, but may not include all addresses as the additional data, depending on whether they finally receive the response or related data. You can usually use explicit queries such as dig a.root-servers.net A to find these addresses.

18. failed to transfer zone from BIND 9 master server to Windows 2000 slave server. Why?
A: This may be caused by a bug in the Windows 2000 DNS server. On Windows machines, DNS messages larger than 16 KB cannot be correctly processed. This can be solved by setting the option "transfer-format one-answer. You can also check whether your zone contains embedded spaces or other special characters, such as "John2Doe3s2Computer", because according to known information, these names may also cause the Windows 2000 slave server to incorrectly reject the zone.

19. Why does my zone file not reload when I execute "rndc reload" or SIGHUP?
A: You can either edit the zone file and reboot the server to update the zone file or dynamically update the file. However, you cannot use either of the two methods at the same time. If you have already used the "allow-update" option for the zone to activate dynamic updates, you cannot manually edit the zone file. At this time, the server will no longer try to reload the zone file.

20. I can query the Domain Name Server on the Domain Name Server, but I cannot find it on other machines. Why?
A: This is usually the result of firewall configuration blocking queries and/or responses.

21. How can I make the server serve as an internal and external view slave server at the same time? When I try to do this, the two views on the server transmit the same view on the master server.
A: You should set multiple IP addresses for the master server and slave server. For example:
Master server: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
Internal:
Match-clients {! 10.0.1.2 ;! 10.0.1.4; 10.0.1/24 ;};
Optional Y-source 10.0.1.1;
Transfer-source 10.0.1.1;
Query-source address 10.0.1.1;
External:
Match-clients {any ;};
Recursion no; // dont offer recursion to the world
Optional Y-source 10.0.1.2;
Transfer-source 10.0.1.2;
Query-source address 10.0.1.2;
Slave server: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
Inte