Frequently Asked Questions - BIND

Frequently asked questions about the ISC BIND project.

General Questions
What has changed in the behavior of "allow-recursion" and "allow-query-cache"

SC Support Bulletin: July 2007
Document last updated: 2007-07-30

There has been some confusion surrounding the changes to the "allow-recursion" and "allow-query-cache" options made with BIND 9.4.1-P1.

This document will attempt to clarify the change and the impact that it makes on BIND servers.

In BIND 9.3, there was no segregation of queries between cache and authoritative data.

The release of BIND 9.4 added fine-grained differentiation between queries against authoritative data ("allow-query") and cached data ("allow-query-cache"). This allows more precise control, particularly if you do not want your clients to use any cached data, for example, in an authoritative-only nameserver.

Prior to the release of BIND 9.4.1-P1, the default action of "allow-recursion" and "allow-query-cache" was to permit the query. The P1 patch to BIND 9.4.1 caused two changes in this behavior:

  1. If not explicitly set, the ACLs for "allow-query-cache" and "allow-recursion" were set to "localnets; localhost;".
  2. If either "allow-query-cache" or "allow-recursion" was set, the other would be set the same value.

Upgrading from the BIND 9.3 branch to BIND 9.4.1-P1 will significantly restrict those servers that were previously recursive servers for more than "localhost; localnets;" unless configuration changes are made.

To retain the behavior prior to BIND 9.4.1-P1, the following entries should be created in your named.conf file:

Code:

 options {
     ...
     allow-recursion { any; };
     allow-query { any; };
     allow-query-cache { any; };
     ...
 };

We strongly advise against this configuration because clients spoofing queries can use your servers to launch distributed denial-of-service attacks.

The recommended method is to create ACLs that match hosts that should be allowed access to cache and recursion on the servers. For example, if you wanted to provided recursion and access to the cache to clients you trusted, you could list them in an ACL such as the following:

Code:

 acl "trusted" {
     192.168.0.0/16;
     10.153.154.0/24;
     localhost;
     localnets;
 };
 
 options {
     ...
     allow-query { any; };
     allow-recursion { trusted; };
     allow-query-cache { trusted; };
     ...
 };

This example ACL includes 192.168.0.0/16 and 10.153.154.0/24 as sample networks that would require access. You must replace these sample networks with networks that correctly reflect your environment. This will allow anyone to query your server for authoritative data, but only those hosts within the "trusted" ACL access to your cache and recursion.

What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?

If the IN-ADDR.ARPA name covered refers to a internal address space you are using then you have failed to follow RFC 1918 usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying the Internet's name servers for these addresses. Please see http://public.as112.net/ for details of the problems you are causing and the counter measures that have had to be deployed.

If you are not using these private addresses then a client has queried for them. You can just ignore the messages, get the offending client to stop sending you these messages as they are most probably leaking them, or setup your own zones empty zones to serve answers to these queries.

zone "10.IN-ADDR.ARPA" {
        type master;
        file "empty";
};

zone "16.172.IN-ADDR.ARPA" {
        type master;
        file "empty";
};

...

zone "31.172.IN-ADDR.ARPA" {
        type master;
        file "empty";
};

zone "168.192.IN-ADDR.ARPA" {
        type master;
        file "empty";
};

empty:

@ 10800 IN SOA <name-of-server>. <contact-email>. (
        1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.

Future versions of named are likely to do this automatically.

I keep getting log messages like the following. Why? Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from a Windows 2000 machine, see
<http://support.microsoft.com/support/kb/articles/q246/8/04.asp> for information about how to turn them off.

When I do a "dig . ns", many of the A records for the root servers are missing. Why?

This is normal and harmless. It is a somewhat confusing side effect of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid promoting glue into answers.

When BIND 9 first starts up and primes its cache, it receives the root server addresses as additional data in an authoritative response from a root server, and these records are eligible for inclusion as additional data in responses. Subsequently it receives a subset of the root server addresses as additional data in a non-authoritative (referral) response from a root server. This causes the addresses to now be considered non-authoritative (glue) data, which is not eligible for inclusion in responses.

The server does have a complete set of root server addresses cached at all times, it just may not include all of them as additional data, depending on whether they were last received as answers or as glue. You can always look up the addresses with explicit queries like "dig a.root-servers.net A".

Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A zone can be updated either by editing zone files and reloading the server or by dynamic update, but not both. If you have enabled dynamic update for a zone using the "allow-update" option, you are not supposed to edit the zone file by hand, and the server will not attempt to reload it.

I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out".

Check that you can make UDP queries from the slave to the master 

dig +norec example.com soa @1.2.3.4

You could be generating queries faster than the slave can cope with. Lower the serial query rate. 

serial-query-rate 5; // default 20
I don't get RRSIG's returned when I use "dig +dnssec" - why is this?

You need to ensure DNSSEC is enabled (dnssec-enable yes;) on the nameserver that you are querying.

Can a NS record refer to a CNAME.

No. The rules for glue (copies of the *address* records in the parent zones) and additional section processing do not allow it to work.

You would have to add both the CNAME and address records (A/AAAA) as glue to the parent zone and have CNAMEs be followed when doing additional section processing to make it work. No nameserver implementation supports either of these requirements.

Will named be affected by the 2007 changes to daylight savings rules in the US?

No, so long as the machines internal clock (as reported by "date -u") remains at UTC. The only visible change if you fail to upgrade your OS, if you are in a affected area, will be that log messages will be a hour out during the period where the old rules do not match the new rules.

For most OS's this change just means that you need to update the conversion rules from UTC to local time. Normally this involves updating a file in /etc (which sets the default timezone for the machine) and possibly a directory which has all the conversion rules for the world (e.g. /usr/share/zoneinfo). When updating the OS do not forget to update any chroot areas as well. See your OS's documentation for more details.

The local timezone conversion rules can also be done on a individual basis by setting the TZ environment variable appropriately. See your OS's documentation for more details.

Is there a bugzilla (or other tool) database that mere mortals can have (read-only) access to for bind?

No. The BIND 9 bug database is kept closed for a number of reasons. These include, but are not limited to, that the database contains proprietary information from people reporting bugs. The database has in the past and may in future contain unfixed bugs which are capable of bringing down most of the Internet's DNS infrastructure.

The release pages for each version contain up to date lists of bugs that have been fixed post release. That is as close as we can get to providing a bug database.

Please explain how BIND 9 uses memory to store DNS zones. Sometimes it seems to use several times the amount it needs.

When reloading a zone named my have multiple copies of the zone in memory at one time. The zone it is serving and the one it is loading. If reloads are ultra fast it can have more still.

e.g. Ones that are transferring out, the one that it is serving and the one that is loading.

BIND 8 destroyed the zone before loading and also killed off outgoing transfers of the zone.

The new strategy allows slaves to get copies of the new zone regardless of how often the master is loaded compared to the transfer time. The slave might skip some intermediate versions but the transfers will complete and it will keep reasonably in sync with the master.

The new strategy also allows the master to recover from syntax and other errors in the master file as it still has an in-core copy of the old contents.

Why is named listening on UDP port other than 53?

Named uses a system selected port to make queries of other nameservers. This behavior can be overridden by using query-source to lock down the port and/or address. See also notify-source and transfer-source.

Why do queries for NSEC3 records fail to return the NSEC3 record?

NSEC3 records are strictly meta data and can only be returned in the authority section. This is done so that signing the zone using NSEC3 records does not bring names into existance that do not exist in the unsigned version of the zone.

Compilation and Installation Questions
Isn't "make install" supposed to generate a default named.conf?

Short Answer: No.

Long Answer: There really isn't a default configuration which fits any site perfectly. There are lots of decisions that need to be made and there is no consensus on what the defaults should be. For example FreeBSD uses /etc/namedb as the location where the configuration files for named are stored. Others use /var/named.

What addresses to listen on? For a laptop on the move a lot you may only want to listen on the loop back interfaces.

Who do you offer recursive service to? Is there are firewall to consider? If so is it stateless or stateful. Are you directly on the Internet? Are you on a private network? Are you on a NAT'd network? The answers to all these questions change how you configure even a caching name server.

I'm trying to compile BIND 9 and "make" is failing due to files not being found. Why?

Using a parallel or distributed "make" to build BIND 9 is not supported, and doesn't work. If you are using one of these, use normal make or gmake instead.

Configuration and Setup Questions
How do I share a dynamic zone between multiple views?

You choose one view to be master and the second a slave and transfer the zone between views.

Master 10.0.1.1: 

key "external" {
algorithm hmac-md5;
secret "xxxxxxxx";
};
key "mykey" {
algorithm hmac-md5;
secret "yyyyyyyy";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external; };
};

zone "example.com" {
type master;
file "internal/example.db";
allow-update { key mykey; };
also-notify { 10.0.1.1; };
};
};

view "external" {
match-clients { key external; any; };
zone "example.com" {
type slave;
file "external/example.db";
masters { 10.0.1.1; };
transfer-source { 10.0.1.1; };
// allow-update-forwarding { any; };
// allow-notify { ... };
};
};
I want to use IPv6 locally but I don't have an external IPv6 connection. External lookups are slow.

You can use server clauses to stop named making external lookups over IPv6. 

server fd81:ec6c:bd62::/48 { bogus no; };  // site ULA prefix
server ::/0 { bogus yes; };
My slave server for both an internal and an external view has both views transferred from the same master view - how to resolve?

BIND 9.3 and later: Use TSIG to select the appropriate view.

Master 10.0.1.1: 

           key "external" {
                   algorithm hmac-md5;
                   secret "xxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };
                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.1.2 { keys external; };
                   recursion no;
                   ...
           };

Slave 10.0.1.2: 

           key "external" {
                   algorithm hmac-md5;
                   secret "xxxxxxxx";
           };
           view "internal" {
                   match-clients { !key external; 10.0.1/24; };

                   ...
           };
           view "external" {
                   match-clients { key external; any; };
                   server 10.0.1.1 { keys external; };
                   recursion no;
                   ...
           };

Before BIND 9.3: You will need to give the master and slave multiple IP addresses and use those to make sure you reach the correct view on the other machine.

Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)

internal: 

 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
 notify-source 10.0.1.1;
 transfer-source 10.0.1.1;
 query-source address 10.0.1.1;

external: 

 match-clients { any; };
 recursion no; // don't offer recursion to the world
 notify-source 10.0.1.2;
 transfer-source 10.0.1.2;
 query-source address 10.0.1.2;

Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)

internal: 

 match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
 notify-source 10.0.1.3;
 transfer-source 10.0.1.3;
 query-source address 10.0.1.3;

external: 

 match-clients { any; };
 recursion no; // don't offer recursion to the world
 notify-source 10.0.1.4;
 transfer-source 10.0.1.4;
 query-source address 10.0.1.4;

You put the external address on the alias so that all the other DNS clients on these boxes see the internal view by default.

I get error messages like "multiple RRs of singleton type" and "CNAME and other data" when transferring a zone?

These indicate a malformed master zone. You can identify the exact records involved by transferring the zone using dig then running named-checkzone on it. 

dig axfr example.com @master-server > tmp
named-checkzone example.com tmp

A CNAME record cannot exist with the same name as another record except for the DNSSEC records which prove its existence (NSEC).

RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types."

I see errors like "zone wireless.ietf56.ietf.org/IN: loading master file primaries/wireless.ietf56.ietf.org: no owner".

This error is produced when a line in the master file contains leading white space (tab/space) but the is no current record owner name to inherit the name from. Usually this is the result of putting white space before a comment, forgetting the "@" for the SOA record, or indenting the master file.

I get "rndc: connect failed: connection refused" when I try to run rndc.

This is usually a configuration error.

First ensure that named is running and no errors are being reported at startup (/var/log/messages or equivalent). Running "named -g <usual arguments>" from a title can help at this point.

Secondly ensure that named is configured to use rndc either by "rndc-confgen -a", rndc-confgen or manually. The Administrators Reference manual has details on how to do this.

Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/rndc.conf for the default server. Update /etc/rndc.conf if necessary so that the default server listed in /etc/rndc.conf matches the addresses used in named.conf. "localhost" has two address (127.0.0.1 and ::1).

If you use "rndc-confgen -a" and named is running with -t or -u ensure that /etc/rndc.conf has the correct ownership and that a copy is in the chroot area. You can do this by re-running "rndc-confgen -a" with appropriate -t and -u arguments.

I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while receiving responses: permission denied" error messages.

These indicate a filesystem permission error preventing named creating / renaming the temporary file. These will usually also have other associated error messages like 

"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"

Named needs write permission on the directory containing the file. Named writes the new cache file to a temporary file then renames it to the name specified in named.conf to ensure that the contents are always complete. This is to prevent named loading a partial zone in the event of power failure or similar interrupting the write of the master file.

Note file names are relative to the directory specified in options and any chroot directory ([<chroot dir>/][<options dir>]).

If named is invoked as "named -t /chroot/DNS" with the following named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the user named is running as. 

options { directory "/var/named";};zone "example.net" { type slave; file "sl/example.net"; masters { 192.168.4.12; };};
I want to forward all DNS queries from my caching nameserver to another server but configure exceptions for some domains - how?

Forwarding can be configured globally and per zone. This is useful where the global policy differs from the configuration required for some of the zones hosted or handled by the nameserver. Many combinations are possible, including no global forwarding except for that configured for specific zones. Similarly it's possible to configure global forwarding but disable it for select zones.

The example below shows a global forwarding policy coupled with special handling for rbldnsd: 

options {
        forward only;
        forwarders { <ip.of.primary.nameserver>; };
};

zone "sbl-xbl.spamhaus.org" {
        type forward;
        forward only;
        forwarders { <ip.of.rbldns.server> port 530; };
};

zone "list.dsbl.org" {
        type forward;
        forward only;
        forwarders { <ip.of.rbldns.server> port 530; };
};
Why does named log the warning message "no TTL specified - using SOA MINTTL instead"?

Your zone file is illegal according to RFC1035. It must either have a line like: 

$TTL 86400

at the beginning, or the first record in it must have a TTL field, like the "84600" in this example: 

example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?

This is often caused by TXT records with missing close quotes. Check that all TXT records containing quoted strings have both open and close quotes.

Why are my logs in GMT (UTC). 
You are running chrooted (-t) and have not supplied local timezone information in the chroot area.

FreeBSD: /etc/localtime

Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo

OSF: /etc/zoneinfo/localtime



See also tzset(3) and zic(8). 
How do I restrict people from looking up the server version?

Put a "version" option containing something other than the real version in the "options" section of named.conf. Note doing this will not prevent attacks and may impede people trying to diagnose problems with your server. Also, it is often possible to "fingerprint" nameservers to determine their version from the way they respond to specific queries.

How do I restrict only remote users from looking up the server version?

The following view statement will intercept lookups as the internal view that holds the version information will be matched last. The caveats of the previous answer still apply, of course. 

view "chaos" chaos {
     match-clients { <those to be refused>; };
     allow-query { none; };
     zone "." {
             type hint;
             file "/dev/null";  // or any empty file
     };
};
What do "no source of entropy found" or "could not open entropy source foo" mean?

The server requires a source of entropy to perform certain operations, mostly DNSSEC related. These messages indicate that you have no source of entropy. On systems with /dev/random or an equivalent, it is used by default. A source of entropy can also be defined using the random-device option in named.conf.

I'm trying to use TSIG to authenticate dynamic updates or zone transfers but the server is rejecting the TSIG - why?

If you are sure that the keys are configured correctly then this may be a clock skew problem. Check that the the clocks on the client and server are properly synchronized (e.g., using ntp).

I can query the nameserver from the nameserver but not from other machines. Why?

This may be the result of the firewall configuration stopping the queries and/or the replies. Also check the 'allow-query', 'allow-recursion', 'allow-query-cache' options as well as any 'listen-on' statements in your nameserver's configuration. The default settings can be confirmed for your version of BIND by checking the Administrator Reference Manual.

I see a log message like the following. Why? couldn't open pid file '/var/run/named.pid': Permission denied

You are most likely running named as a non-root user, and that user does not have permission to write in /var/run. The common ways of fixing this are to create a /var/run/named directory owned by the named user and set pid-file to "/var/run/named/named.pid", or set pid-file to "named.pid", which will put the file in the directory specified by the directory option (which, in this case, must be writable by the named user).

Operating-System Specific Questions
Apple Mac OS X
How do I run BIND 9 on Apple Mac OS X?

If you run Tiger(Mac OS 10.4) or later then this is all you need to do:

% sudo rndc-confgen  > /etc/rndc.conf

Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:

key "rndc-key" { algorithm hmac-md5; secret "uvceheVuqf17ZwIcTydddw==";};

Then start the relevant service:

% sudo service org.isc.named start

This is persistent upon a reboot, so you will have to do it only once.

Alternatively you can just generate /etc/rndc.key by running:

% sudo rndc-confgen -a

Then start the relevant service:

% sudo service org.isc.named start

Named will look for /etc/rndc.key when it starts if it doesn't have a controls section or the existing controls are missing keys sub-clauses. This is persistent upon a reboot, so you will have to do it only once.

FreeBSD
I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

/dev/random is not configured. Use rndcontrol(8) to tell the kernel to use certain interrupts as a source of random events. You can make this permanent by setting rand_irqs in /etc/rc.conf. 

rand_irqs="3 14 15"

See also
<http://people.freebsd.org/~dougb/randomness.html>.

HPUX
I get the following error trying to configure BIND: checking if unistd.h or sys/types.h defines fd_set...

More of the error you may see: checking if unistd.h or sys/types.h defines fd_set... noconfigure: error: need either working unistd.h or sys/select.h

The reason for it is that you have attempted to configure BIND with the bundled C compiler. This compiler does not meet the minimum compiler requirements to for building BIND. You need to install a ANSI C compiler and / or teach configure how to find the ANSI C compiler. The later can be done by adjusting the PATH environment variable and / or specifying the compiler via CC.

./configure CC=<compiler> ...

Linux
Why do I get the following errors: general: errno2result.c:109: unexpected error:general: unable to convert errno to isc_result

In more detail - this is what you might see:

general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad addressclient: UDP client handler shutting down due to fatal receive error: unexpected error

It is the result of a Linux kernel bug.

See:
<http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2>

Why does named lock up when it attempts to connect over IPSEC tunnels?

This is due to a kernel bug where the fact that a socket is marked non-blocking is ignored. It is reported that setting xfrm_larval_drop to 1 helps but this may have negative side effects. See:
<https://bugzilla.redhat.com/show_bug.cgi?id=427629> and
<http://lkml.org/lkml/2007/12/4/260>.

xfrm_larval_drop can be set to 1 by the following procedure:

echo "1" > proc/sys/net/core/xfrm_larval_drop

Why do I see 5 (or more) copies of named on Linux?

Linux threads each show up as a process under ps. The approximate number of threads running is n+4, where n is the number of CPUs. Note that the amount of memory used is not cumulative; if each process is using 10M of memory, only a total of 10M is used.

Newer versions of Linux's ps command hide the individual threads and require -L to display them.

Why does BIND 9 log "permission denied" errors accessing its configuration files or zones on my Linux system?

You may see these "permission denied" errors even though named is running as root.

On Linux, BIND 9 drops most of its root privileges on startup. This including the privilege to open files owned by other users. Therefore, if the server is running as root, the configuration files and zone files should also be owned by root.

I get the error message "named: capset failed: Operation not permitted" when starting named.

The capability module, part of "Linux Security Modules/LSM", has not been loaded into the kernel. See insmod(8), modprobe(8).

The relevant modules can be loaded by running:

modprobe commoncap
modprobe capability
Why can't named update slave zone database files, slave journal files and master zones from journals?

This is a problem that has been reported when running BIND on Red Hat Enterprise Linux or Fedora Core. Specifically problems are encountered with updating slave zone database files, creating DDNS journal files and updating master zones from journals. It also manifests itself as named being unable to create custom log files.

Red Hat Security Enhanced Linux (SELinux) policy security protections :

Red Hat have adopted the National Security Agency's SELinux security policy (see
<http://www.nsa.gov/selinux>) and recommendations for BIND security , which are more secure than running named in a chroot and make use of the bind-chroot environment unnecessary .

By default, named is not allowed by the SELinux policy to write, create or delete any files EXCEPT in these directories:

$ROOTDIR/var/named/slaves$ROOTDIR/var/named/data$ROOTDIR/var/tmp

where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is installed.

 

The SELinux policy particularly does NOT allow named to modify the $ROOTDIR/var/named directory, the default location for master zone database files.

SELinux policy overrules file access permissions - so even if all the files under /var/named have ownership named:named and mode rw-rw-r--, named will still not be able to write or create files except in the directories above, with SELinux in Enforcing mode.

So, to allow named to update slave or DDNS zone files, it is best to locate them in $ROOTDIR/var/named/slaves, with named.conf zone statements such as:

zone "slave.zone." IN { type slave; file "slaves/slave.zone.db"; ...}; zone "ddns.zone." IN { type master; allow-updates {...}; file "slaves/ddns.zone.db";};

 

To allow named to create its cache dump and statistics files, for example, you could use named.conf options statements such as:

options { ... dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; ...};

 

You can also tell SELinux to allow named to update any zone database files, by setting the SELinux tunable boolean parameter 'named_write_master_zones=1', using the system-config-securitylevel GUI, using the 'setsebool' command, or in /etc/selinux/targeted/booleans.

You can disable SELinux protection for named entirely by setting the 'named_disable_trans=1' SELinux tunable boolean parameter.

The SELinux named policy defines these SELinux contexts for named:

named_zone_t : for zone database files - $ROOTDIR/var/named/*named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}

 

If you want to retain use of the SELinux policy for named, and put named files in different locations, you can do so by changing the context of the custom file locations .

To create a custom configuration file location, e.g. '/root/named.conf', to use with the 'named -c' option, do:

# chcon system_u:object_r:named_conf_t /root/named.conf

 

To create a custom modifiable named data location, e.g. '/var/log/named' for a log file, do:

# chcon system_u:object_r:named_cache_t /var/log/named

 

To create a custom zone file location, e.g. /root/zones/, do:

# chcon system_u:object_r:named_zone_t /root/zones/{.,*}

 

See these man-pages for more information : selinux(8), named_selinux(8), chcon(1), setsebool(8)

Listening on individual IPv6 interfaces does not work.

This is usually due to "/proc/net/if_inet6" not being available in the chroot file system. Mount another instance of "proc" in the chroot file system.

This can be be made permanent by adding a second instance to /etc/fstab.

proc /proc           proc defaults 0 0
proc /var/named/proc proc defaults 0 0
Solaris
How do I integrate BIND 9 and Solaris SMF

Sun has a blog entry describing how to do this.

<http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>

Windows
I get "Error 1067" when starting named under Windows.

This is the service manager saying that named exited. You need to examine the Application log in the EventViewer to find out why.

Common causes are that you failed to create "named.conf" (usually "C:\windows\dns\etc\named.conf") or failed to specify the directory in named.conf. 

options { Directory "C:\windows\dns\etc";};
Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?

This may be caused by a bug in the Windows 2000 DNS server where DNS messages larger than 16K are not handled properly. This can be worked around by setting the option "transfer-format one-answer;". Also check whether your zone contains domain names with embedded spaces or other special characters, like "John\032Doe\213s\032Computer", since such names have been known to cause Windows 2000 slaves to incorrectly reject the zone.

Operations Questions
How to change the nameservers for a zone?

Step 1: Ensure all nameservers, new and old, are serving the same zone content.

Step 2: Work out the maximum TTL of the NS RRset in the parent and child zones. This is the time it will take caches to be clear of a particular version of the NS RRset. If you are just removing nameservers you can skip to Step 6.

Step 3: Add new nameservers to the NS RRset for the zone and wait until all the servers for the zone are answering with this new NS RRset.

Step 4: Inform the parent zone of the new NS RRset then wait for all the parent servers to be answering with the new NS RRset.

Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for how long. If you are just adding nameservers you are done.

Step 6: Remove any old nameservers from the zones NS RRset and wait for all the servers for the zone to be serving the new NS RRset.

Step 7: Inform the parent zone of the new NS RRset then wait for all the parent servers to be answering with the new NS RRset.

Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for how long.

Step 9: Turn off the old nameservers or remove the zone entry from the configuration of the old nameservers.

Step 10: Increment the serial number and wait for the change to be visible in all nameservers for the zone. This ensures that zone transfers are still working after the old servers are decommissioned.

Note: the above procedure is designed to be transparent to dns clients. Decommissioning the old servers too early will result in some clients not being able to look up answers in the zone.

Note: while it is possible to run the addition and removal stages together it is not recommended.

What is BIND?

BIND is open-source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, and it is also production-grade software, suitable for use in high-volume and high-reliability applications.