BIND 9 FAQ

This article is translated from the FAQ on the BIND website: http://www.isc.org/products/BIND/FAQ.html. The questions are typical ones, and the answers should be of some help to BIND 9 users in their day-to-day maintenance and administration.

1. Why does the -u option not work when I use a BIND built with --enable-threads on Linux 2.2.x?
A: Linux threads do not fully implement the POSIX threads (pthreads) standard. In particular, setuid() operates only on the current thread, not on the whole process. Because of this limitation, BIND 9 on Linux cannot use setuid() the way it does on the other supported platforms. setuid() cannot be called before the threads are created, because the server must still be able to bind reserved ports after it has started.
On 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to retain capabilities across a setuid() call is available. This lets BIND 9 call setuid() early while keeping the ability to bind reserved ports. This is a Linux-specific workaround.
On a 2.2 kernel, BIND 9 does drop many root privileges, so it is still safer than a root process that drops none.
Once Linux threads work correctly, this restriction will go away.
You can build BIND 9 with the --disable-threads option (the default), which produces a non-threaded named that works with the -u option.

2. Why does named log the warning "No TTL specified; using SOA MINTTL instead"?
A: Your zone file does not conform to RFC 1035. There are two ways to fix this:
1) Add a $TTL directive at the beginning of the zone file, for example: $TTL 86400
2) Put a TTL field in the first record of the zone file, for example: example.com. 86400 IN SOA ns hostmaster
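An added example (not from the BIND FAQ) that performs the RFC 1035 check behind this warning on a zone file's text: it looks for a $TTL directive before the first record, or an explicit TTL field on that record, and accepts BIND's unit suffixes (s, m, h, d, w). The function names and sample zone text are constructed for the example.

```python
# Added example: does a zone file define a TTL before (or on) its first record?
import re

# Unit suffixes BIND accepts in TTL values; a bare number is seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)


def parse_ttl(token):
    """Return the TTL in seconds, or None if the token is not a TTL."""
    if not _TTL_RE.match(token):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)([smhdw]?)", token, re.IGNORECASE):
        total += int(num) * _UNITS.get(unit.lower(), 1)
    return total


def zone_has_default_ttl(zone_text):
    """True if a $TTL directive precedes the first resource record, or the
    first record carries its own TTL field (TTL and class may be in either
    order, so class tokens are skipped while looking for the TTL)."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$TTL":
            return len(tokens) > 1 and parse_ttl(tokens[1]) is not None
        if tokens[0].startswith("$"):           # $ORIGIN, $INCLUDE, ...
            continue
        # First resource record. A leading blank means the owner name is
        # inherited from the previous record, so no owner token is present.
        fields = tokens if not raw[0].isspace() else [None] + tokens
        for tok in fields[1:]:
            if tok.upper() in ("IN", "CH", "HS"):
                continue                        # class token, keep looking
            return parse_ttl(tok) is not None   # TTL, or the type (no TTL)
        return False
    return False
```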

3. Why do I see 5 (or more) copies of named on Linux?
A: In ps, each Linux thread shows up as a separate process. The number of threads normally running is n+4, where n is the number of CPUs. Note that memory use is not additive: if each process appears to use 10M of memory, all the threads together still use only 10M.

4. Why do I get "permission denied" errors in the log when named opens the configuration file or a zone file, even though I run BIND 9 as root on Linux?
A: On Linux, BIND 9 drops most root privileges at startup, including the ability to open files owned by other users. So if the server runs as root, the configuration file and the zone files should also be owned by root.

5. Why do I get an error like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?
A: This is usually caused by a missing quotation mark in a TXT record. Check that the quotes in every TXT record are balanced.

6. How can I get a usable core file from a multithreaded named on Linux?
A: With a 2.4.7 or newer kernel, multithreaded core dumps work (the correct thread is dumped). On a 2.2 kernel you need to apply the kernel patch in contrib/linux/coredump-patch and rebuild the kernel; the patch makes multithreaded programs dump the correct thread.

7. How can I stop other people from querying my server's version?
A: Put a "version" option in the "options" section of named.conf and set it to something other than the version you actually run. Note that this does not prevent attacks; it may get in the way of people diagnosing problems with your server, and an altered version string can itself be a hint to someone trying to identify your server.

8. How can I stop only remote users from querying the server version?
A: The following view statement intercepts the query, as long as the internal view that contains the version information is matched last. The caveat from the previous question applies here too.
    view "chaos" chaos {
        match-clients { <clients to be refused>; };   // placeholder: the addresses to reject
        allow-query { none; };
        zone "." {
            type hint;
            file "/dev/null";   // or any empty file
        };
    };

9. What does "no source of entropy found" or "could not open entropy source foo" mean?
A: The server needs a source of entropy (randomness) for certain operations, usually DNSSEC related. This message means no entropy source could be found. On systems with /dev/random or a similar device, that device is used by default. An entropy source can also be specified with the random-device option in named.conf.

10. I installed BIND 9 and restarted named, but it is still BIND 8. Why?
A: BIND 9 installs under /usr/local by default, while BIND 8 is usually installed under /usr. Check that the correct named is the one being run.

11. I am trying to use TSIG to authenticate dynamic updates or zone transfers. I am sure the key is configured correctly, but the server still rejects the TSIG. Why?
A: This is probably a clock problem. Check that the client's clock and the server's clock are synchronized (for example, with NTP).

12. I tried to build BIND 9, but "make" failed because some files could not be found. Why?
A: Building BIND 9 with a parallel or distributed "make" is not supported and does not work. If you are using one, use a plain make or gmake instead.

13. I have a BIND 9 master server and a BIND 8.2.3 slave server, and the master logs an error like "notify to 10.0.0.1#53 failed: unexpected end of input". What is the problem?
A: The error is caused by a known bug in BIND 8.2.3 that is fixed in BIND 8.2.4. You can safely ignore it: despite the message, NOTIFY works correctly.

14. I keep getting the following log message. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
A: DNS dynamic update lets an update request carry prerequisites that are checked before the update is applied, to confirm that certain conditions hold. The message above says such a prerequisite was not satisfied, so the update could not proceed. See doc/rfc/rfc2136.txt for more on prerequisites.

15. I keep getting the following log message. Why?
Jun 12:00:00.000 client 10.0.0.1#1234: update denied
A: Someone is trying to update your DNS data using the RFC 2136 dynamic update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being configured to do so. If the update requests come from a Windows 2000 machine, see the referenced article to learn how to turn this off.
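An added example (not from the BIND FAQ) that parses dynamic-update log lines of the kind quoted in questions 14 and 15 and counts them per client, so a host that keeps sending unsolicited or failing updates stands out. The sample log lines are constructed for the example, modelled on the format shown above; the function names are the example's own.

```python
# Added example: classify and count named's dynamic-update log messages.
import re
from collections import Counter

# Constructed sample lines in the format shown in questions 14 and 15.
SAMPLE_LOG = """\
Dec  4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
Jun 21 12:00:01.000 client 10.0.0.7#1500: update denied
Jun 21 12:00:02.000 client 10.0.0.7#1501: update denied
Jun 21 12:00:03.000 client 10.0.0.9#53000: query: www.example.com IN A
"""

_CLIENT_RE = re.compile(r"client (?P<ip>[\d.]+)#(?P<port>\d+): (?P<msg>.*)$")
_ZONE_RE = re.compile(r"updating zone '?(?P<zone>[^':\s]+)'?")
_PREREQ_RE = re.compile(r"prerequisite not satisfied \((?P<rcode>\w+)\)")


def classify_update_event(line):
    """Return (client_ip, kind, zone, rcode) for an update-related line, or
    None for anything else. kind is 'denied' (the update matched no
    allow-update policy, question 15) or 'prereq_failed' (an RFC 2136
    prerequisite was not met, question 14)."""
    m = _CLIENT_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    if msg.strip() == "update denied":
        return (m.group("ip"), "denied", None, None)
    p = _PREREQ_RE.search(msg)
    if p:
        z = _ZONE_RE.search(msg)
        zone = z.group("zone") if z else None
        return (m.group("ip"), "prereq_failed", zone, p.group("rcode"))
    return None


def summarize(log_text):
    """Count update events by (client, kind): repeated 'denied' entries from
    one address are the pattern question 15 describes."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = classify_update_event(line)
        if ev:
            counts[(ev[0], ev[1])] += 1
    return counts
```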

16. I see the following log message. Why?
couldn't open pid file '/var/run/named.pid': Permission denied
A: You are probably running named as a non-root user, and that user has no write access to /var/run. The usual fix is to create a /var/run/named directory owned by the named user and set the PID file to "/var/run/named/named.pid", or to set the PID file to "named.pid", which places it in the directory given by the directory option (that directory must then be writable by the named user).

17. When I run "dig . ns", many of the A records for the root servers are missing. Why?
A: This is normal and not a serious problem. It is a confusing side effect of BIND 9's implementation of the RFC 2181 trust-level (ranking) rules combined with BIND 9's effort to keep glue data out of answers.
When BIND 9 starts and primes its cache for the first time, it receives the root server addresses as additional data in an authoritative response from a root server, and those records meet the criteria for being included in responses as additional data. Later it receives a subset of the root server addresses as additional data in non-authoritative (referral) responses from the root servers. Those addresses are then treated as non-authoritative (glue) data, which is not eligible for inclusion in responses.
The server always has the full set of root server addresses in its cache, but it may not include all of them as additional data, depending on whether the last response it received carried them as authoritative data or as glue. You can always find the addresses with an explicit query such as "dig a.root-servers.net a".

18. Zone transfers from a BIND 9 master server to a Windows 2000 slave server fail. Why?
A: This is probably due to a bug in the Windows 2000 DNS server: on Windows, DNS messages larger than 16K are not handled correctly. It can be worked around by setting the option "transfer-format one-answer;". Also check whether your zone contains names with embedded spaces or other special characters, such as "John2doe3s2computer", because, as far as is known, such names also make Windows 2000 slave servers reject the zone.

19. Why isn't my zone file reloaded when I run "rndc reload" or send SIGHUP?
A: You can update a zone either by editing the zone file and reloading the server, or by dynamic update, but not both. If you have enabled dynamic update for a zone with the "allow-update" option, you can no longer edit the zone file by hand, and the server will not try to reload it.

20. I can query the name server from the server itself, but not from other machines. Why?
A: This is usually caused by a firewall configuration that blocks the queries and/or the responses.

21. How can I make a server a slave for both the internal and external views? When I try, both views on the slave transfer from the same view on the master.
A: Give both the master server and the slave server more than one IP address. For example:
    Master server: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
        internal
            match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
            notify-source 10.0.1.1;
            transfer-source 10.0.1.1;
            query-source address 10.0.1.1;
        external
            match-clients { any; };
            recursion no;   // don't offer recursion
            notify-source 10.0.1.2;
            transfer-source 10.0.1.2;
            query-source address 10.0.1.2;
    Slave server: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
        Inte
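An added example (not from the BIND FAQ) that models BIND's first-match evaluation of a match-clients list (negated entries, short CIDR prefixes such as 10.0.1/24, and "any") and uses it to show which view each of the slave's source addresses above reaches on the master; it also shows that without the negated entries the external alias 10.0.1.4 would fall into the internal view, which is the problem the question describes. The function names are the example's own.

```python
# Added example: which view does a transfer from a given source address hit?
import ipaddress


def _normalize(prefix):
    """BIND accepts short prefixes like 10.0.1/24; ipaddress needs 10.0.1.0/24."""
    if "/" in prefix:
        net, length = prefix.split("/", 1)
        octets = net.split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        return f"{net}/{length}"
    return prefix


def acl_matches(acl, source):
    """Return True if `source` is accepted by `acl`, a list of entries such as
    '!10.0.1.2' (negated), '10.0.1/24' (prefix) or 'any'. The first entry that
    matches decides: a matching negated entry rejects the source."""
    src = ipaddress.ip_address(source)
    for entry in acl:
        negated = entry.startswith("!")
        target = entry[1:] if negated else entry
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = src in ipaddress.ip_network(_normalize(target), strict=False)
        if hit:
            return not negated
    return False


def select_view(views, source):
    """Views are tried in configuration order; the first whose match-clients
    ACL accepts the source handles the query or transfer."""
    for name, acl in views:
        if acl_matches(acl, source):
            return name
    return None


# The master's two views as configured in the answer above.
MASTER_VIEWS = [
    ("internal", ["!10.0.1.2", "!10.0.1.4", "10.0.1/24"]),
    ("external", ["any"]),
]
```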

