diff options
Diffstat (limited to 'FAQ.xml')
| -rw-r--r-- | FAQ.xml | 253 |
1 files changed, 241 insertions, 12 deletions
@@ -1,7 +1,7 @@ <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []> <!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: FAQ.xml,v 1.4.4.16 2007/10/31 02:14:07 marka Exp $ --> +<!-- $Id: FAQ.xml,v 1.4.4.24 2008/09/10 01:32:25 tbox Exp $ --> <article class="faq"> <title>Frequently Asked Questions about BIND 9</title> @@ -27,6 +27,7 @@ <year>2005</year> <year>2006</year> <year>2007</year> + <year>2008</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -392,6 +393,11 @@ named-checkzone example.com tmp</programlisting> </question> <answer> <para> + There are unbalanced quotes in named.conf. + </para> + </answer> + <answer> + <para> Some text editors (notepad and wordpad) fail to put a line title indication (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding" a blank line to @@ -660,9 +666,98 @@ zone "list.dsbl.org" { </para> </answer> </qandaentry> + + <qandaentry> + <question> + <para> + I want to use IPv6 locally but I don't have a external IPv6 + connection. External lookups are slow. + </para> + </question> + <answer> + <para> + You can use server clauses to stop named making external lookups + over IPv6. + </para> + <programlisting> +server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix +server ::/0 { bogus yes; }; +</programlisting> + </answer> + </qandaentry> </qandadiv> <!-- Configuration and Setup Questions --> + <qandadiv><title>Operations Questions</title> + + <qandaentry> + <question> + <para> + How to change the nameservers for a zone? + </para> + </question> + <answer> + <para> + Step 1: Ensure all nameservers, new and old, are serving the + same zone content. + </para> + <para> + Step 2: Work out the maximum TTL of the NS RRset in the parent and child + zones. This is the time it will take caches to be clear of a + particular version of the NS RRset. + If you are just removing nameservers you can skip to Step 6. + </para> + <para> + Step 3: Add new nameservers to the NS RRset for the zone and + wait until all the servers for the zone are answering with this + new NS RRset. + </para> + <para> + Step 4: Inform the parent zone of the new NS RRset then wait for all the + parent servers to be answering with the new NS RRset. + </para> + <para> + Step 5: Wait for cache to be clear of the old NS RRset. + See Step 2 for how long. + If you are just adding nameservers you are done. + </para> + <para> + Step 6: Remove any old nameservers from the zones NS RRset and + wait for all the servers for the zone to be serving the new NS RRset. + </para> + <para> + Step 7: Inform the parent zone of the new NS RRset then wait for all the + parent servers to be answering with the new NS RRset. + </para> + <para> + Step 8: Wait for cache to be clear of the old NS RRset. + See Step 2 for how long. + </para> + <para> + Step 9: Turn off the old nameservers or remove the zone entry from + the configuration of the old nameservers. + </para> + <para> + Step 10: Increment the serial number and wait for the change to + be visible in all nameservers for the zone. This ensures that + zone transfers are still working after the old servers are + decommissioned. + </para> + <para> + Note: the above procedure is designed to be transparent + to dns clients. Decommissioning the old servers too early + will result in some clients not being able to look up + answers in the zone. + </para> + <para> + Note: while it is possible to run the addition and removal + stages together it is not recommended. + </para> + </answer> + </qandaentry> + + </qandadiv> <!-- Operations Questions --> + <qandadiv><title>General Questions</title> <qandaentry> @@ -705,8 +800,7 @@ zone "list.dsbl.org" { requests are coming from a Windows 2000 machine, see <ulink url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp"> - http://support.microsoft.com/support/kb/articles/q246/8/04.asp - </ulink> + <http://support.microsoft.com/support/kb/articles/q246/8/04.asp></ulink> for information about how to turn them off. </para> </answer> @@ -856,7 +950,7 @@ serial-query-rate 5; // default 20</programlisting> usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying the Internet's name servers for these addresses. - Please see <ulink url="http://as112.net/">http://as112.net/</ulink> + Please see <ulink url="http://as112.net/"><http://as112.net/></ulink> for details of the problems you are causing and the counter measures that have had to be deployed. </para> @@ -962,6 +1056,23 @@ empty: </answer> </qandaentry> + <qandaentry> + <question> + <para> + Why do queries for NSEC3 records fail to return the NSEC3 record? + </para> + </question> + <answer> + <para> + NSEC3 records are strictly meta data and can only be + returned in the authority section. This is done so that + signing the zone using NSEC3 records does not bring names + into existance that do not exist in the unsigned version + of the zone. + </para> + </answer> + </qandaentry> + </qandadiv> <!-- General Questions --> <qandadiv><title>Operating-System Specific Questions</title> @@ -1009,7 +1120,31 @@ client: UDP client handler shutting down due to fatal receive error: unexpected </para> <para> See: - <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2">http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2</ulink> + <ulink url="http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2"><http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2></ulink> + </para> + </answer> + </qandaentry> + + <qandaentry> + <question> + <para> + Why does named lock up when it attempts to connect over IPSEC tunnels? + </para> + </question> + <answer> + <para> + This is due to a kernel bug where the fact that a socket is marked + non-blocking is ignored. It is reported that setting + xfrm_larval_drop to 1 helps but this may have negative side effects. + See: +<ulink url="https://bugzilla.redhat.com/show_bug.cgi?id=427629"><https://bugzilla.redhat.com/show_bug.cgi?id=427629></ulink> + and +<ulink url="http://lkml.org/lkml/2007/12/4/260"><http://lkml.org/lkml/2007/12/4/260></ulink>. + </para> + <para> + xfrm_larval_drop can be set to 1 by the following procedure: +<programlisting> +echo "1" > proc/sys/net/core/xfrm_larval_drop</programlisting> </para> </answer> </qandaentry> @@ -1064,7 +1199,13 @@ client: UDP client handler shutting down due to fatal receive error: unexpected <answer> <para> The capability module, part of "Linux Security Modules/LSM", - has not been loaded into the kernel. See insmod(8). + has not been loaded into the kernel. See insmod(8), modprobe(8). + </para> + <para> + The relevant modules can be loaded by running: +<programlisting> +modprobe commoncap +modprobe capability</programlisting> </para> </answer> </qandaentry> @@ -1094,8 +1235,9 @@ client: UDP client handler shutting down due to fatal receive error: unexpected <para> Red Hat have adopted the National Security Agency's - SELinux security policy ( see http://www.nsa.gov/selinux - ) and recommendations for BIND security , which are more + SELinux security policy (see <ulink + url="http://www.nsa.gov/selinux"><http://www.nsa.gov/selinux></ulink>) + and recommendations for BIND security , which are more secure than running named in a chroot and make use of the bind-chroot environment unnecessary . </para> @@ -1233,6 +1375,30 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d </para> </answer> </qandaentry> + + <qandaentry> + <question> + <para> + Listening on individual IPv6 interfaces does not work. + </para> + </question> + <answer> + <para> + This is usually due to "/proc/net/if_inet6" not being available + in the chroot file system. Mount another instance of "proc" + in the chroot file system. + </para> + <para> + This can be be made permanent by adding a second instance to + /etc/fstab. + <informalexample> + <programlisting> +proc /proc proc defaults 0 0 +proc /var/named/proc proc defaults 0 0</programlisting> + </informalexample> + </para> + </answer> + </qandaentry> </qandadiv> <!-- Linux --> @@ -1310,8 +1476,7 @@ rand_irqs="3 14 15"</programlisting> <para> See also <ulink url="http://people.freebsd.org/~dougb/randomness.html"> - http://people.freebsd.org/~dougb/randomness.html - </ulink> + <http://people.freebsd.org/~dougb/randomness.html></ulink>. </para> </answer> </qandaentry> @@ -1333,13 +1498,77 @@ rand_irqs="3 14 15"</programlisting> <para> <ulink url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris"> - http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris + <http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris> </ulink> </para> </answer> </qandaentry> </qandadiv> + + <qandadiv><title>Apple Mac OS X</title> + + <qandaentry> + <question> + <para> + How do I run BIND 9 on Apple Mac OS X? + </para> + </question> + <answer> + <para> + If you run Tiger(Mac OS 10.4) or later then this is all you need to do: + </para> + <informalexample> + <programlisting> +% sudo rndc-confgen > /etc/rndc.conf</programlisting> + </informalexample> + <para> + Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.: + </para> + <informalexample> + <programlisting> +key "rndc-key" { + algorithm hmac-md5; + secret "uvceheVuqf17ZwIcTydddw=="; +};</programlisting> + </informalexample> + <para> + Then start the relevant service: + </para> + <informalexample> + <programlisting> +% sudo service org.isc.named start</programlisting> + </informalexample> + <para> + This is persistent upon a reboot, so you will have to do it only once. + </para> + </answer> + + <answer> + <para> + Alternatively you can just generate /etc/rndc.key by running: + </para> + <informalexample> + <programlisting> +% sudo rndc-confgen -a</programlisting> + </informalexample> + <para> + Then start the relevant service: + </para> + <informalexample> + <programlisting> +% sudo service org.isc.named start</programlisting> + </informalexample> + <para> + Named will look for /etc/rndc.key when it starts if it + doesn't have a controls section or the existing controls are + missing keys sub-clauses. This is persistent upon a + reboot, so you will have to do it only once. + </para> + </answer> + </qandaentry> + + </qandadiv> </qandadiv> <!-- Operating-System Specific Questions --> |