aboutsummaryrefslogtreecommitdiff
path: root/contrib/bind/doc/misc/FAQ.2of2
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind/doc/misc/FAQ.2of2')
-rw-r--r--contrib/bind/doc/misc/FAQ.2of22071
1 files changed, 0 insertions, 2071 deletions
diff --git a/contrib/bind/doc/misc/FAQ.2of2 b/contrib/bind/doc/misc/FAQ.2of2
deleted file mode 100644
index f9594eef36bc..000000000000
--- a/contrib/bind/doc/misc/FAQ.2of2
+++ /dev/null
@@ -1,2071 +0,0 @@
-Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!news.kodak.com!news-nysernet-16.sprintlink.net!news-in-east1.sprintlink.net!news.sprintlink.net!newshub.northeast.verio.net!news.idt.net!newsin.iconnet.net!IConNet!not-for-mail
-From: cdp2582@hertz.njit.edu (Chris Peckham)
-Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers,comp.protocols.dns.bind
-Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2)
-Supersedes: <cptd-faq-2-911181667@njit.edu>
-Followup-To: comp.protocols.tcp-ip.domains
-Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA
-Lines: 2050
-Sender: cdp@chipmunk.iconnet.net
-Approved: news-answers-request@MIT.EDU
-Distribution: world
-Expires: Wednesday, 20 Jan 99 11:47:26 EDT
-Message-ID: <cptd-faq-2-913826846@njit.edu>
-References: <cptd-faq-1-913826846@njit.edu>
-Reply-To: domain-faq@pfmc.net (comp.protocols.tcp-ip.domains FAQ comments)
-Keywords: BIND,DOMAIN,DNS
-X-Posting-Frequency: posted during the first week of each month
-Date: Wed, 16 Dec 1998 16:47:32 GMT
-NNTP-Posting-Host: chipmunk.iconnet.net
-NNTP-Posting-Date: Wed, 16 Dec 1998 11:47:32 EDT
-Xref: senator-bedfellow.mit.edu comp.protocols.tcp-ip.domains:22180 comp.answers:34269 news.answers:146737 comp.protocols.dns.bind:6040
-
-Posted-By: auto-faq 3.3 beta (Perl 5.004)
-Archive-name: internet/tcp-ip/domains-faq/part2
-
-(Continued from Part 1, where you'll find the introduction and
-table of contents.)
-
-
-===============================================================================
-
-Section 5. CONFIGURATION
-
- Q5.1 Upgrading from 4.9.x to 8.x
- Q5.2 Changing a Secondary server to a Primary server ?
- Q5.3 Moving a Primary server to another server
- Q5.4 How do I subnet a Class B Address ?
- Q5.5 Subnetted domain name service
- Q5.6 Recommended format/style of DNS files
- Q5.7 DNS on a system not connected to the Internet
- Q5.8 Multiple Domain configuration
- Q5.9 wildcard MX records
- Q5.10 How do you identify a wildcard MX record ?
- Q5.11 Why are fully qualified domain names recommended ?
- Q5.12 Distributing load using named
- Q5.13 Round robin IS NOT load balancing
- Q5.14 Order of returned records
- Q5.15 resolv.conf
- Q5.16 How do I delegate authority for sub-domains ?
- Q5.17 DNS instead of NIS on a Sun OS 4.1.x system
- Q5.18 Patches to add functionality to BIND
- Q5.19 How to serve multiple domains from one server
- Q5.20 hostname and domain name the same
- Q5.21 Restricting zone transfers
- Q5.22 DNS in firewalled and private networks
- Q5.23 Different DNS answers for same RR
-
------------------------------------------------------------------------------
-
-Question 5.1. Upgrading from 4.9.x to 8.x
-
-Date: Wed Jul 9 22:00:07 EDT 1997
-
-Q: Help ! How do I use the Completely new configuration syntax in BIND 8
-? I've attempted to upgrade bind from 4.9.5 to 8.1, but unfortunately it
-didn't seem to like the same config/zone files.. is this normal or should
-8.1 be able to read the same files as 4.9.5 did?
-
-A: If you then look in doc/html/config.html, you will find directions on
-how to convert a 4.9.x .boot file to 8.x .conf file, as well as directions
-on how to utilize all of the new features of the 8.x .conf file format.
-
------------------------------------------------------------------------------
-
-Question 5.2. Changing a Secondary server to a Primary server ?
-
-Date: Fri Jul 5 23:54:35 EDT 1996
-
-For 4.8.3, it's prudent to kill and restart following any changes to
-named.boot.
-
-In BIND 4.9.3, you only have to kill and restart named if you change a
-primary zone to a secondary or v-v, or if you delete a zone and remain
-authoritative for its parent. Every other case should be taken care of by
-a HUP. (Ed. note: 4.9.3b9 may still require you to kill and restart the
-server due to some bugs in the HUP code).
-
-You will also need to update the server information on the root servers.
-You can do this by filing a new domain registration form to inform
-InterNIC of the change. They will then update the root server's SOA
-records. This process usually takes 10-12 business days after they
-receive the request.
-
------------------------------------------------------------------------------
-
-Question 5.3. Moving a Primary server to another server
-
-Date: Fri Jul 5 23:54:35 EDT 1996
-
-The usual solution is to move the primary to ns.newserver.com, and have
-ns.oldserver.com be configured as a secondary server until the change to
-the root servers takes place after the request has been made to the
-InterNIC.
-
-If you are moving to a different ISP which will change your IP's, the
-recommend setting for the SOA that would minimize problems for your name
-servers using the old settings can be done as follows:
-
-Gradually lower the TTL value in your SOA (that's the last one of the five
-numbers) to always be equal to the time left until you change over.
-(assuming that none of your resource records have individual TTL's set, if
-so, do likewise with them.) So, the day before, lower to 43200 seconds
-(12 hours). Then lower every few hours to be the time remaining until
-the change-over. So, an hour before the change, you may just want to
-lower it all the way to 60 seconds or so. That way no one can cache
-information past the change-over.
-
-After the change, start gradually incrementing the TTL value, because
-you'll probably be making changes to work out problems. Once everything
-stabilizes, move the TTL up to whatever your normal values are.
-
-To minimize name servers from using the "old settings", you can do the
-same thing with the "refresh" interval in the SOA (the second number of
-the SOA). That will tell the secondaries to refresh every X seconds.
-Lower that value as you approach the changeover date. You probably don't
-want to go much below an hour or you'll start the primary thrashing as all
-the secondaries perpetually refresh.
-
-Also see the answer to the "How can I change the IP address of our server
-?" in the INTRODUCTION section.
-
------------------------------------------------------------------------------
-
-Question 5.4. How do I subnet a Class B Address ?
-
-Date: Mon Jun 15 23:21:39 EDT 1998
-
-That you need to subnet at all is something of a misconception. You can
-also think of a class B network as giving you 65,534 individual hosts, and
-such a network will work. You can also configure your class B as 16,384
-networks of 2 hosts each. That's obviously not very practical, but it
-needs to be made clear that you are not constrained by the size of an
-octet (remember that many older devices would not work in a network
-configured in this manner).
-
-So, the question is: why do you need to subnet? One reason is that it is
-easier to manage a subnetted network, and in fact, you can delegate the
-responsibility for address space management to local administrators on the
-various subnets. Also, IP based problems will end up localized rather
-than affecting your entire network.
-
-If your network is a large backbone with numerous segments individually
-branching off the backbone, that too suggests subnetting.
-
-Subnetting can also be used to improve routing conditions.
-
-You may wish to partition your network to disallow certain protocols on
-certain segments of your net. You can, for example, restrict IP or IPX to
-certain segments only by adding a router routing high level protocols,
-and across the router you may have to subnet.
-
-Finally, as far as how many subnets you need depends on the answer to the
-above question. As far as subnet masks are concerned, the mask can be
-anything from 255.0.0.0 to 255.255.255.252. You'll probably be looking at
-9 or 10 bits for the subnet (last octet 128 or 192 respectively). RFC
-1219 discusses the issue of subnetting very well and leaves the network
-administrator with a large amount of flexibility for future growth.
-
-(The following section was contributed by Berislav Todorovic.)
-
-A user or an ISP, having a whole /16 sized IP block (former "Class B")
-network assigned/allocated, has the responsibility of maintaining the
-reverse domain for the whole network. That policy is currently applied by
-all regional Internet registries (RIPE NCC, ARIN, APNIC). In other words,
-if you're assigned a whole "B class" (say, 10.91/16), you're in charge for
-the whole 91.10.IN-ADDR.ARPA zone. This zone may be organized using two
-methods, according to the network topology being in use.
-
-The first, "brute force" method is to place all PTR records directly into
-a single zone file. Example:
-
- $origin 91.10.in-addr.arpa
- @ IN SOA (usual stuff)
- IN NS ns1.mydomain.com.
- IN NS ns2.mydomain.com.
-
- 1.1 IN PTR one-1.mydomain.com. ; ---> 10.91.1.1
- 2.1 IN PTR one-2.mydomain.com. ; ---> 10.91.1.2
- ...
- 254.1 IN PTR one-254.mydomain.com. ; ---> 10.91.1.254
- 1.2 IN PTR two-1.mydomain.com. ; ---> 10.91.2.1
-
-While this approach may look simple in the networks with a central
-management authority (say, campus networks), maintaining such a zone file
-becomes more and more difficult in the more complex environment. Thus,
-this becomes a bad method. Furthermore, if you're an ISP, it is more
-likely that a /16 network will be subnetted and its subnets be assigned to
-your customers.
-
-Therefore, another "smarter" approach is to delegate portions of the
-reverse domain 91.10.IN-ADDR.ARPA to the end users of the subnets of
-10.91/16. There would only be NS records in the zone file, while PTR
-record insertion would be the responsibility of the end users. For
-example, if you assign:
-
- * 10.91.0.0/22 (10.91.0.0 - 10.91.3.255) to Customer-A.COM
- * 10.91.4.0/23 (10.91.4.0 - 10.91.5.255) to Customer-B.COM
- * 10.91.7.0/24 (10.91.7.0 - 10.91.7.255) to Customer-C.COM
-
-then each customer will maintain zone files for the reverse domains of
-their own networks (say, Customer C will maintain the zone
-7.91.10.IN-ADDR.ARPA, customer B their 2 zones, Customer A their own 4
-zones). In this constellation, the zone file for reverse domain
-91.10.IN-ADDR.ARPA will look like this:
-
- $origin 91.10.in-addr.arpa
- @ IN SOA (usual stuff)
- IN NS ns1.mydomain.com.
- IN NS ns2.mydomain.com.
-
- ; --- Customer-A.COM
-
-
- 0 IN NS ns.customer-A.com.
- IN NS ns1.mydomain.com.
- 1 IN NS ns.customer-A.com.
- IN NS ns1.mydomain.com.
- 2 IN NS ns.customer-A.com.
- IN NS ns1.mydomain.com.
- 3 IN NS ns.customer-A.com.
- IN NS ns1.mydomain.com.
-
- ; --- Customer-B.COM
-
- 4 IN NS ns.customer-B.com.
- IN NS ns1.mydomain.com.
- 5 IN NS ns.customer-B.com.
- IN NS ns1.mydomain.com.
-
- ; --- Customer-C.COM
-
- 7 IN NS ns.customer-C.com.
- IN NS ns1.mydomain.com.
-
-The zone file of the Customer C reverse domain would look like this:
-
- $origin 7.91.10.in-addr.arpa
- @ IN SOA (usual stuff)
- IN NS ns.customer-C.com.
- IN NS ns1.mydomain.com.
-
- 1 IN PTR one.customer-C.com.
- 2 IN PTR two.customer-C.com.
- 3 IN PTR three.customer-C.com.
- ...
-
------------------------------------------------------------------------------
-
-Question 5.5. Subnetted domain name service
-
-Date: Thu Jul 16 10:50:41 EDT 1998
-
-If you are looking for some examples of handling subnetted class C
-networks as separate DNS domains, see RFC 2317 for more information.
-
-Details follow- You need to delegate down to the fourth octet, so you will
-have one domain per IP address ! Here is how you can subdelegate a
-in-addr.arpa address for non-byte aligned subnet masks:
-
-Take as an example the net 192.1.1.x, and example subnet mask
-255.255.255.240.
-
-We first define the domain for the class C net,
-
- $origin 1.1.192.in-addr.arpa
- @ SOA (usual stuff)
- @ ns some.nameserver
- ns some.other.nameserver
- ; delegate a subdomain
- one ns one.nameserver
- ns some.nameserver
- ; delegate another
- two ns two.nameserver
- ns some.nameserver
- ; CNAME pointers to subdomain one
- 0 CNAME 0.one
- 1 CNAME 1.one
- ; through
- 15 CNAME 15.one
- ; CNAME pointers to subdomain two
- 16 CNAME 16.two
- 17 CNAME 17.two
- 31 CNAME 31.two
- ; CNAME as many as required.
-
-Now, in the delegated nameserver, one.nameserver
-
- $origin one.1.1.192.in-addr.arpa
- @ SOA (usual stuff)
- NS one.nameserver
- NS some.nameserver ; secondary for us
- 0 PTR onenet.one.domain
- 1 PTR onehost.one.domain
- ; through
- 15 PTR lasthost.one.domain
-
-And similar for the two.1.1.192.in-addr.arpa delegated domain.
-
-There is additional documentation and a perl script that may be used for
-this purpose available for anonymous ftp from:
-
-ftp.is.co.za : /networking/ip/dns/gencidrzone/gencidrzone
-
------------------------------------------------------------------------------
-
-Question 5.6. Recommended format/style of DNS files
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-This answer is quoted from an article posted by Paul Vixie:
-
- I've gone back and forth on the question of whether the BOG should
- include a section on this topic. I know what I myself prefer, but
- I'm wary of ramming my own stylistic preferences down the throat of
- every BOG reader. But since you ask :-)...
-
- Create /var/named. If your system is too old to have a /var, either
- create one or use /usr/local/adm/named instead. Put your named.boot
- in it, and make /etc/named.boot a symlink to it. If your system
- doesn't have symlinks, you're S-O-L (but you knew that). In
- named.boot, put a "directory" directive that specifies your actual
- BIND working directory:
-
- directory /var/named
-
- All relative pathnames used in "primary", "secondary", and "cache"
- directives will be evaluated relative to this directory. Create two
- subdirectories, /var/named/pri and /var/named/sec. Whenever you add
- a "primary" directive to your named.boot, use "pri/WHATEVER" as the
- path name. And then put the primary zone file into "pri/WHATEVER".
- Likewise when you add "secondary" directives, use "sec/WHATEVER" and
- BIND (really named-xfer) will create the files in that
- subdirectory.
-
- (Variations: (1) make a midlevel directory "zones" and put "pri" and
- "sec" into it; (2) if you tend to pick up a lot of secondaries from
- a few hosts, group them together in their own subdirectories --
- something like /var/named/zones/uucp if you're a UUCP Project name
- server.)
-
- For your forward files, name them after the zone. dec.com becomes
- "/var/named/zones/pri/dec.com". For your reverse files, name them
- after the network number. 0.1.16.in-addr.arpa becomes
- "/var/named/zones/pri/16.1.0".
-
- When creating or maintaining primary zone files, try to use the same
- SOA values everywhere, except for the serial number which varies per
- zone. Put a $ORIGIN directive at the top of the primary zone file,
- not because its needed (it's not since the default origin is the
- zone named in the "primary" directive) but because it make it easier
- to remember what you're working on when you have a lot of primary
- zones. Put some comments up there indicating contact information
- for the real owner if you're proxying. Use RCS and put the "Id"
- in a ";" comment near the top of the zone file.
-
- The SOA and other top level information should all be listed
- together. But don't put IN on every line, it defaults nicely. For
- example:
-
-==============
-@ IN SOA gw.home.vix.com. postmaster.vix.com. (
- 1994082501 ; serial
- 3600 ; refresh (1 hour)
- 1800 ; retry (30 mins)
- 604800 ; expire (7 days)
- 3600 ) ; minimum (1 hour)
-
- NS gw.home.vix.com.
- NS ns.uu.net.
- NS uucp-gw-1.pa.dec.com.
- NS uucp-gw-2.pa.dec.com.
-
- MX 10 gw.home.vix.com.
- MX 20 uucp-gw-1.pa.dec.com.
- MX 20 uucp-gw-1.pa.dec.com.
-==============
-
- I don't necessarily recommend those SOA values. Not every zone is
- as volatile as the example shown. I do recommend that serial number
- format; it's in date format with a 2-digit per-day revision number.
- This format will last us until 2147 A.D. at which point I expect a
- better solution will have been found :-). (Note that it would last
- until 4294 A.D. except that there are some old BINDs out there that
- use a signed quantity for representing serial number internally; I
- suppose that as long as none of these are still running after 2047
- A.D., that we can use the above serial number format until 4294
- A.D., at which point a better solution will HAVE to be found.)
-
- You'll note that I use a tab stop for "IN" even though I never again
- specify it. This leaves room for names longer than 7 bytes without
- messing up the columns. You might also note that I've put the MX
- priority and destination in the same tab stop; this is because both
- are part of the RRdata and both are very different from MX which is
- an RRtype. Some folks seem to prefer to group "MX" and the priority
- together in one tab stop. While this looks neat it's very confusing
- to newcomers and for them it violates the law of least
- astonishment.
-
- If you have a multi-level zone (one which contains names that have
- dots in them), you can use additional $ORIGIN statements but I
- recommend against it since there is no "back" operator. That is,
- given the above example you can add:
-
-=============
-$ORIGIN home
-gw A 192.5.5.1
-=============
-
- The problem with this is that subsequent RR's had better be
- somewhere under the "home.vix.com" name or else the $ORIGIN that
- introduces them will have to use a fully qualified name. FQDN
- $ORIGIN's aren't bad and I won't be mad if you use them.
- Unqualified ones as shown above are real trouble. I usually stay
- away from them and just put the whole name in:
-
-=============
-gw.home A 192.5.5.1
-=============
-
- In your reverse zones, you're usually in some good luck because the
- owner name is usually a single short token or sometimes two.
-
-=============
-$ORIGIN 5.5.192.in-addr.arpa.
-@ IN SOA ...
- NS ...
-1 PTR gw.home.vix.com.
-=========================================
-$ORIGIN 1.16.in-addr.arpa.
-@ IN SOA ...
- NS ...
-2.0 PTR gatekeeper.dec.com.
-=============
-
- It is usually pretty hard to keep your forward and reverse zones in
- sync. You can avoid that whole problem by just using "h2n" (see
- the ORA book, DNS and BIND, and its sample toolkit, included in the
- BIND distribution or on ftp.uu.net (use the QUOTE SITE EXEC INDEX
- command there to find this -- I never can remember where it's at).
- "h2n" and many tools like it can just read your old /etc/hosts file
- and churn it into DNS zone files. (May I recommend
- contrib/decwrl/mkdb.pl from the BIND distribution?) However, if you
- (like me) prefer to edit these things by hand, you need to follow
- the simple convention of making all of your holes consistent. If
- you use 192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in
- your forward file you will have something like
-
-=============
-...
-gw.home A 192.5.5.1
-;avail A 192.5.5.2
-pc.home A 192.5.5.3
-=============
-
- and in your reverse file you will have something like
-
-=============
-...
-1 PTR gw.home.vix.com.
-;2 PTR avail
-3 PTR pc.home.vix.com.
-=============
-
- This convention will allow you to keep your sanity and make fewer
- errors. Any kind of automation (h2n, mkdb, or your own
- perl/tcl/awk/python tools) will help you maintain a consistent
- universe even if it's also a complex one. Editing by hand doesn't
- have to be deadly but you MUST take care.
-
------------------------------------------------------------------------------
-
-Question 5.7. DNS on a system not connected to the Internet
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-You need to create your own root domain name server until you connect to
-the internet. Your roots need to delegate to mydomain.com and any
-in-addr.arpa subdomains you might have, and that's about it. As soon as
-you're connected, rip out the fake roots and use the real ones.
-
-It does not actually have to be another server pretending to be the root.
-You can set up the name server so that it is primary for each domain above
-you and leave them empty (i.e. you are foo.bar.com - claim to be primary
-for bar.com and com)
-
-If you connect intermittently and want DNS to work when you are connected,
-and "fail" when you are not, you can point the resolver at the name server
-at the remote site and if the connection (SLIP/PPP) isn't up, the resolver
-doesn't have a route to the remote server and since there's only one name
-server in resolv.conf, the resolver quickly backs off the using
-/etc/hosts. No problem. You could do the same with multiple name server
-and a resolver that did configurable /etc/hosts fallback.
-
------------------------------------------------------------------------------
-
-Question 5.8. Multiple Domain configuration
-
-Date: Fri Dec 2 15:40:49 EST 1994
-
-If you want to have multiple domain names pointing to the same
-destination, such as:
-
- ftp ftp.biff.com connects user to -> ftp.biff.com
- ftp ftp.fred.com connects user to -> ftp.biff.com
- ftp ftp.bowser.com connects user to -> ftp.biff.com
-
-You may do this by using CNAMEs:
-
- ftp.bowser.com. IN CNAME ftp.biff.com.
-
-You can also do the same thing with multiple A records.
-
------------------------------------------------------------------------------
-
-Question 5.9. wildcard MX records
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-Does BIND not understand wildcard MX records such as the following?
-
- *.foo.com MX 0 mail.foo.com.
-
-No. It just doesn't work.
-
-Explicit RR's at one level of specificity will, by design, "block" a
-wildcard at a lesser level of specificity. I suspect that you have an RR
-(an A RR, perhaps?) for "bar.foo.com" which is blocking the application of
-your "*.foo.com" wildcard. The initial MX query is thus failing (NOERROR
-but an answer count of 0), and the backup query finds the A RR for
-"bar.foo.com" and uses it to deliver the mail directly (which is what you
-DIDN'T want it to do). Adding an explicit MX RR for the host is therefore
-the right way to handle this situation.
-
-See RFC 1034, Section 4.3.3 ("Wildcards") for more information on this
-"blocking" behavior, along with an illustrative example. See also RFC 974
-for an explanation of standard mailer behavior in the face of an "empty"
-response to one's MX query.
-
-Basically, what it boils down to is, there is no point in trying to use a
-wildcard MX for a host which is otherwise listed in the DNS.
-
-It just doesn't work.
-
------------------------------------------------------------------------------
-
-Question 5.10. How do you identify a wildcard MX record ?
-
-Date: Thu Dec 1 11:10:39 EST 1994
-
-You don't really need to "identify" a wildcard MX RR. The precedence for
-u@dom is:
-
- exact match MX
- exact match A
- wildcard MX
-
-One way to implement this is to query for ("dom",IN,MX) and if the answer
-name that comes back is "*." something, you know it's a wildcard,
-therefore you know there is no exact match MX, and you therefore query for
-("dom",IN,A) and if you get something, use it. if you don't, use the
-previous wildcard response.
-
-RFC 974 explains this pretty well.
-
------------------------------------------------------------------------------
-
-Question 5.11. Why are fully qualified domain names recommended ?
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-The documentation for BIND 4.9.2 says that the hostname should be set to
-the full domain style name (i.e host.our.domain rather than host). What
-advantages are there in this, and are there any adverse consequences if we
-don't?
-
-Paul Vixie likes to do it :-) He lists a few reasons -
-
-* Sendmail can be configured to just use Dj$w rather than Dj$w.mumble
- where "mumble" is something you have to edit in by hand. Granted, most
- people use "mumble" elsewhere in their config files ("tack on local
- domain", etc) but why should it be a requirement ?
-* The real reason is that not doing it violates a very useful invariant:
- gethostbyname(gethostname) == gethostbyaddr(primary_interface_address)
-
-
- If you take an address and go "backwards" through the PTR's with it,
- you'll get a FQDN, and if you push that back through the A RR's, you get
- the same address. Or you should. Many multi-homed hosts violate this
- uncaringly.
-
- If you take a non-FQDN hostname and push it "forwards" through the A
- RR's, you get an address which, if you push it through the PTR's, comes
- back as a FQDN which is not the same as the hostname you started with.
- Consider the fact that, absent NIS/YP, there is no "domainname" command
- analogous to the "hostname" command. (NIS/YP's doesn't count, of
- course, since it's sometimes-but-only-rarely the same as the Internet
- domain or subdomain above a given host's name.) The "domain" keyword in
- resolv.conf doesn't specify the parent domain of the current host; it
- specifies the default domain of queries initiated on the current host,
- which can be a very different thing. (As of RFC 1535 and BIND 4.9.2's
- compliance with it, most people use "search" in resolv.conf, which
- overrides "domain", anyway.)
-
- What this means is that there is NO authoritative way to
- programmatically discover your host's FQDN unless it is set in the
- hostname, or unless every application is willing to grovel the "netstat
- -in" tables, find what it hopes is the primary address, and do a PTR
- query on it.
-
- FQDN /bin/hostnames are, intuitively or not, the simplest way to go.
-
------------------------------------------------------------------------------
-
-Question 5.12. Distributing load using named
-
-Date: Thu Jul 16 10:42:05 EDT 1998
-
-When you attempt to distribute the load on a system using named, the first
-response be cached, and then later queries use the cached value (This
-would be for requests that come through the same server). Therefore, it
-can be useful to use a lower TTL on records where this is important. You
-can use values like 300 or 500 seconds.
-
-If your local caching server has ROUND_ROBIN, it does not matter what the
-authoritative servers have -- every response from the cache is rotated.
-
-But if it doesn't, and the authoritative server site is depending on this
-feature (or the old "shuffle-A") to do load balancing, then if one doesn't
-use small TTLs, one could conceivably end up with a really nasty
-situation, e.g., hundreds of workstations at a branch campus pounding on
-the same front end at the authoritative server's site during class
-registration.
-
-Not nice.
-
-Paul Vixie has an example of the ROUND_ROBIN code in action. Here is
-something that he wrote regarding his example:
-
- I want users to be distributed evenly among those 3 hosts.
-
- Believe it or not :-), BIND offers an ugly way to do this. I offer
- for your collective amusement the following snippet from the
- ugly.vix.com zone file:
-
- hydra cname hydra1
- cname hydra2
- cname hydra3
- hydra1 a 10.1.0.1
- a 10.1.0.2
- a 10.1.0.3
- hydra2 a 10.2.0.1
- a 10.2.0.2
- a 10.2.0.3
- hydra3 a 10.3.0.1
- a 10.3.0.2
- a 10.3.0.3
-
- Note that having multiple CNAME RR's at a given name is
- meaningless according to the DNS RFCs but BIND doesn't mind (in
- fact it doesn't even complain). If you call
- gethostbyname("hydra.ugly.vix.com") (try it!) you will get
- results like the following. Note that there are two round robin
- rotations going on: one at ("hydra",CNAME) and one at each
- ("hydra1",A) et al. I used a layer of CNAME's above the layer of
- A's to keep the response size down. If you don't have nine
- addresses you probably don't care and would just use a pile of
- CNAME's pointing directly at real host names.
-
- {hydra.ugly.vix.com
- name: hydra2.ugly.vix.com
- aliases: hydra.ugly.vix.com
- addresses: 10.2.0.2 10.2.0.3 10.2.0.1
-
- {hydra.ugly.vix.com
- name: hydra3.ugly.vix.com
- aliases: hydra.ugly.vix.com
- addresses: 10.3.0.2 10.3.0.3 10.3.0.1
-
- {hydra.ugly.vix.com
- name: hydra1.ugly.vix.com
- aliases: hydra.ugly.vix.com
- addresses: 10.1.0.2 10.1.0.3 10.1.0.1
-
- {hydra.ugly.vix.com
- name: hydra2.ugly.vix.com
- aliases: hydra.ugly.vix.com
- addresses: 10.2.0.3 10.2.0.1 10.2.0.2
-
- {hydra.ugly.vix.com
- name: hydra3.ugly.vix.com
- aliases: hydra.ugly.vix.com
- addresses: 10.3.0.3 10.3.0.1 10.3.0.2
-
-Please note that this is not a recommended practice and will not work with
-modern BIND unless you have the entry "multiple-cnames yes" in your
-named.conf file.
-
------------------------------------------------------------------------------
-
-Question 5.13. Round robin IS NOT load balancing
-
-Date: Mon Mar 9 22:10:51 EST 1998
-
-Round robin != load balancing. It's a very crude attempt at load
-balancing, and a method that is possible without breaking DNS protocols.
-If a host is down that is included in a round robin list, then
-connections to that particular host will fail. In addition, true load
-balancing should take into consideration the actual LOAD on the system.
-
-Information on one such technique, implemented by Roland J. Schemers III
-at Stanford, may be found at
-http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html.
-
-Additional information may be found in RFC 1794. MultiNet for OpenVMS
-also includes this feature.
-
------------------------------------------------------------------------------
-
-Question 5.14. Order of returned records
-
-Date: Tue Apr 8 20:21:02 EDT 1997
-
-Sorting, is the *resolver's* responsibility. RFC 1123:
-
-
- 6.1.3.4 Multihomed Hosts
-
- When the host name-to-address function encounters a host
- with multiple addresses, it SHOULD rank or sort the
- addresses using knowledge of the immediately connected
- network number(s) and any other applicable performance or
- history information.
-
- DISCUSSION:
- The different addresses of a multihomed host generally
- imply different Internet paths, and some paths may be
- preferable to others in performance, reliability, or
- administrative restrictions. There is no general way
- for the domain system to determine the best path. A
- recommended approach is to base this decision on local
- configuration information set by the system
- administrator.
-
-In BIND 4.9.x's resolver code, the "sortlist" directive in resolv.conf
-can be used to configure this. The directive may also be used in the
-named.boot as well.
-
------------------------------------------------------------------------------
-
-Question 5.15. resolv.conf
-
-Date: Fri Feb 10 15:46:17 EST 1995
-
-The question was asked one time, "Why should I use 'real' IP addresses in
-/etc/resolv.conf and not 0.0.0.0 or 127.0.0.1" ?
-
-Paul Vixie writes on the issue of the contents of resolv.conf:
-
- It's historical. Some kernels can't unbind a UDP socket's source
- address, and some resolver versions (notably not including BIND
- 4.9.2 or 4.9.3's) try to do this. The result can be wide area
- network traffic with 127.0.0.1 as the source address. Rather than
- giving out a long and detailed map of version/vendor combinations of
- kernels/BINDs that have/don't this problem, I just tell folks not to
- use 127.0.0.1 at all.
-
- 0.0.0.0 is just an alias for the first interface address assigned
- after a system boot, and if that interface is a up-and-down point to
- point link (PPP, SLIP, whatever), there's no guarantee that you'll
- be able to reach yourself via 0.0.0.0 during the entire lifetime of
- any system instance. On most kernels you can finesse this by adding
- static routes to 127.0.0.1 for each of your interface addresses, but
- some kernels don't like that trick and rather than give a detailed
- map of which ones work and which ones don't, I just globally
- recommend against 0.0.0.0.
-
- If you know enough to know that 127.0.0.1 or 0.0.0.0 is safe on your
- kernel and resolver, then feel free to use them. If you don't know
- for sure that it is safe, don't use them. I never use them (except
- on my laptop, whose hostname is "localhost" and whose 0.0.0.0 is
- 127.0.0.1 since I ifconfig my lo0 before any other interface). The
- operational advantage to using a real IP address rather than an
- wormhole like 0.0.0.0 or 127.0.0.1, is that you can then "rdist" or
- otherwise share identical copies of your resolv.conf on all the
- systems on any given subnet, not all of which will be servers.
-
-The problem was with older versions of the resolver (4.8.X). If you
-listed 127.0.0.1 as the first entry in resolv.conf, and for whatever
-reason the local name server wasn't running and the resolver fell back to
-the second name server listed, it would send queries to the name server
-with the source IP address set to 127.0.0.1 (as it was set when the
-resolver was trying to send to 127.0.0.1--you use the loopback address to
-send to the loopback address).
-
------------------------------------------------------------------------------
-
-Question 5.16. How do I delegate authority for sub-domains ?
-
-Date: Mon Nov 10 22:57:54 EST 1997
-
-When you start having a very big domain that can be broken into logical
-and separate entities that can look after their own DNS information, you
-will probably want to do this. Maintain a central area for the things
-that everyone needs to see and delegate the authority for the other parts
-of the organization so that they can manage themselves.
-
-Another essential piece of information is that every domain that exists
-must have it NS records associated with it. These NS records denote the
-name servers that are queried for information about that zone. For your
-zone to be recognized by the outside world, the server responsible for the
-zone above you must have created a NS record for your your new servers
-(NOTE that the new servers DO NOT have to be in the new domain). For
-example, putting the computer club onto the network and giving them
-control over their own part of the domain space we have the following.
-
-The machine authorative for gu.uwa.edu.au is mackerel and the machine
-authorative for ucc.gu.uwa.edu.au is marlin.
-
-in mackerel's data for gu.uwa.edu.au we have the following
-
- @ IN SOA ...
- IN A 130.95.100.3
- IN MX mackerel.gu.uwa.edu.au.
- IN MX uniwa.uwa.edu.au.
-
- marlin IN A 130.95.100.4
-
- ucc IN NS marlin.gu.uwa.edu.au.
- IN NS mackerel.gu.uwa.edu.au.
-
-Marlin is also given an IP in our domain as a convenience. If they blow
-up their name serving there is less that can go wrong because people can
-still see that machine which is a start. You could place "marlin.ucc" in
-the first column and leave the machine totally inside the ucc domain as
-well.
-
-The second NS line is because mackerel will be acting as secondary name
-server for the ucc.gu domain. Do not include this line if you are not
-authorative for the information included in the sub-domain.
-
-To delegate authority for PTR records, the same concepts apply.
-
- stub 10.168.192.in-addr.arpa <subdomain server addr> db.192.168.10
-
-may be added to your primary server's named.boot in recent versions of
-bind. In other versions (and recent ones :-) ), the following lines may
-be added to the db.192.168.10 zone file to perform the same function:
-
- xxx IN NS <server1>
- xxx IN NS <server2>
- xxx IN NS <server3> ; if needed
-...
- xxx IN NS <serverN> ; if needed
-
------------------------------------------------------------------------------
-
-Question 5.17. DNS instead of NIS on a Sun OS 4.1.x system
-
-Date: Sat Dec 7 01:14:17 EST 1996
-
-Comments relating to running bind 4.9.x on a Sun OS 4.1.x system and the
-effect on sendmail, ftp, telnet and other TCP/IP services bypassing NIS
-and directly using named is documented quite well in the
-comp.sys.sun.admin FAQ in questions one and two. You can get them from:
-
-* ftp.ece.uc.edu : /pub/sun-faq/FAQs/sun-faq.general
-* http://www.cis.ohio-state.edu/hypertext/faq/usenet/comp-sys-sun-faq
-
-as well as from rtfm.mit.edu in the usual place, etc.
-
------------------------------------------------------------------------------
-
-Question 5.18. Patches to add functionality to BIND
-
-Date: Wed Jan 14 11:57:20 EST 1998
-
-There are others, but these are listed here:
-
-* When using the round robin DNS and assigning 3 IPs to a host (for
- example), a process to guarantee that all 3 IPs are reachable may be
- found at
- http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html
-
-* Patches for 4.9.3-REL that will support the IPv6 AAAA record format may
- be found at ftp.inria.fr : /network/ipv6/
-
- This is built into more recent versions of BIND (after 4.9.5?)
-
-* A patch for 4.9.3-REL that will allow you to turn off forwarding of
- information from my server may be found at ftp.vix.com :
- /pub/bind/release/4.9.3/contrib/noforward.tar.gz
-
- Also look at
-
- ftp.is.co.za : /networking/ip/dns/bind/contrib/noforward.tar.gz
-
-* How do I tell a server to listen to a particular interface to listen and
- respond to DNS queries on ?
-
- Mark Andrews has a patch that will tell a 4.9.4 server to listen to a
- particular interface and respond to DNS queries. It may be found at an
- unofficial location: http://www.ultra.net/~jzp/andrews.patch.txt
-
- This is built into BIND 8.1.1.
-
-* A patch to implement "selective forwarding" from Todd Aven at
- http://www.dns.net/dnsrd/servers.html.
-
------------------------------------------------------------------------------
-
-Question 5.19. How to serve multiple domains from one server
-
-Date: Tue Nov 5 23:44:02 EST 1996
-
-Most name server implementations allow information about multiple domains
-to be kept on one server, and questions about those domains to be
-answered by that one server. For instance, there are many large servers
-on the Internet that each serve information about more than 1000
-different domains.
-
-To be completely accurate, a server contains information about zones,
-which are parts of domains that are kept as a single unit. [Ed note: for
-a definition of zones and domains, see Section 2: The Name Service in the
-"Name Server Operations Guide" included with the BIND 4.9.5 distribution.]
-
-In the configuration of the name server, the additional zones need to be
-specified. An important consideration is whether a particular server is
-primary or secondary for any specific zone--a secondary server maintains
-only a copy of the zone, periodically refreshing its copy from another,
-specified, server. In BIND, to set up a server as a secondary server for
-the x.y.z zone, to the configuration file /etc/named.boot add the line
-
- secondary x.y.z 10.0.0.1 db.x.y.z
-
-where 10.0.0.1 is the IP address of the server that the zone will be
-copied from, and db.x.y.z is a local filename that will contain the copy
-of the zone.
-
-If this is a question related to how to set up multiple IP numbers on one
-system, which you do not need to do to act as a domain server for
-multiple domains, see
-
-http://www.thesphere.com/%7Edlp/TwoServers/.
-
------------------------------------------------------------------------------
-
-Question 5.20. hostname and domain name the same
-
-Date: Wed Jul 9 21:47:36 EDT 1997
-
-Q: I have a subdomain sub.foobar.com. I would like to name a host
-sub.foobar.com. It should also be the mail relay for all hosts in
-sub.foobar.com. How do I do this ?
-
-A: You would add an A record for sub.foobar.com, and multiple MX records
-pointing to this host (sub.foobar.com). For example:
-
-sub.foobar.com. IN A 1.2.3.4 ; address of host
-;
-foo.sub.foobar.com. IN MX 10 sub.foobar.com.
-bar.sub.foobar.com. IN MX 10 sub.foobar.com.
-
-The host, sub.foobar.com, may also need to be to configured to understand
-that mail addressed to user@sub.foobar.com and possibly other sub.foobar.com
-hosts should be treated as local.
-
------------------------------------------------------------------------------
-
-Question 5.21. Restricting zone transfers
-
-Date: Wed Jan 14 12:16:35 EST 1998
-
-Q: How do I restrict my zone transfers to my secondaries or other trusted
-hosts?
-
-A: Use the 'xfrnets' directive within the named.boot file or the
-'secure_zone' TXT RR within a zone file. The BOG has more information on
-both of these options.
-
-As an example within an 4.9.x named.boot file:
-
- xfernets 10.1.2.0&255.255.255.0 44.66.10.0&255.255.255.0
-
-
-Only Nameservers on these networks will be able to do zone transfers from
-the server with this configuration.
-
-Please note that 'secure_zone' restricts all access to the containing
-zone, as well as restricting zone transfers :-) .
-
-BIND 8.x supports restricting zone transfers on a per-zone basis in the
-named.conf file, whereas BIND 4.9.x only supports xfrnets as a global
-option.
-
------------------------------------------------------------------------------
-
-Question 5.22. DNS in firewalled and private networks
-
-Date: Mon Sep 14 22:15:16 EDT 1998
-
-(The following section was contributed by Berislav Todorovic)
-
-When talking about private networks, we distinguish between two cases:
-
-* Networks consisting of firewall-separated private and public subnetworks
-
- * Same domain name used in private and public part of the network
- * Different domain names used in the public and private subnetwork
-
-* Closed networks, not connected the Internet at all
-
-* The first case of the "Same domain name", we're talking about DNS
- configuration, usually referred to as "split DNS". In this case, two
- different DNS servers (or two separate DNS processes on the same
- multi-homed machine) have to be configured. One of them ("private DNS")
- will serve the internal network and will contain data about all hosts in
- the private part of the network. The other one ("public DNS") will serve
- Internet users and will contain only the most necessary RR's for
- Internet users (like MX records for email exchange, A and CNAME records
- for public Web servers, records for other publicly accessible hosts
- etc.). Both of them will be configured as primary for the same corporate
- domain (e.g. DOMAIN.COM). The public DNS will be delegated with the
- appropriate NIC as authoritative for domain DOMAIN.COM.
-
- Private DNS - resolves names from DOMAIN.COM for hosts inside the
- private network. If asked for a name outside DOMAIN.COM, they should
- forward the request to the public DNS (forwarders line should be used in
- the boot file). They should NEVER contact a root DNS on the Internet.
- The boot file for the private DNS should, therefore, be:
-
- primary domain.com ZONE.domain.com
- primary 1.10.in-addr.arpa REV.10.1
- forwarders 172.16.12.10
- slave
- Public DNS - resolves names from DOMAIN.COM for hosts on the public part
- of the network. If asked for a name outside DOMAIN.COM they should
- contact root DNS servers or (optionally) forward the request to a
- forwarder on the ISP network. Boot file for the public DNS should be of
- the form:
-
- primary domain.com ZONE.domain.com
- primary 12.16.172.in-addr.arpa REV.172.16.12
- ... (other domains)
- Zone files for domain DOMAIN.COM on the public and private DNS should
- be:
-
- ; --- Public DNS - zone file for DOMAIN.COM
-
- domain.com. IN SOA ns.domain.com. hostmaster.domain.com. ( ... )
- IN NS ns.domain.com.
- IN NS ns.provider.net.
- IN MX 10 mail.provider.net.
-
- ns IN A 172.16.12.10
- www IN A 172.16.12.12
- ftp IN A 172.16.12.13
- ...
-
- ; --- Private DNS - zone file for DOMAIN.COM
-
- domain.com. IN SOA ns1.domain.com. hostmaster.domain.com. ( ... )
- IN NS ns1.domain.com.
- IN NS ns2.domain.com.
- wks1-1 IN A 10.1.1.1
- wks1-2 IN A 10.1.1.2
- ...
-
- The second case of the "Same domain name", is simpler than the previous
- case: in the internal network, a separate domain name might be used.
- Recommended domain name syntax is "name.local" (e.g. DOMAIN.LOCAL).
- Sample configuration:
-
- ; --- Private DNS - named.boot
-
- primary domain.local ZONE.domain.local
- ...
- forwarders 172.16.12.10
- slave
-
- ; --- Public DNS - named.boot
-
- primary domain.com ZONE.domain.com
- ...
- IMPLEMENTATION NOTES
-
- Location of the DNS service in both cases is irrelevant. Usually, they
- are located on two different physical servers, each of them connected to
- the appropriate part of the network (private, public). Certain savings
- may be done if public DNS service is hosted on the ISP network - in that
- case, the user will need only one (private) DNS server.
-
- Finally, both public and private DNS, in some cases, may be placed on
- the servers in the private network, behind the firewall. With a Cisco
- PIX, a statical public/private IP address mapping in this case would be
- needed. Two servers for the same domain could be even placed on the
- same physical server, with two different DNS processes running on
- different IP interfaces. Note that BIND 8 is needed in the latter case.
-
-* If the network is not connected to the Internet at all, only private DNS
- servers are needed. However, due to the lack of Internet connectivity,
- internal servers will fail to contact the root DNS servers every time a
- user types, by mistake, an address outside the corporate domain
- DOMAIN.COM. Some older servers won't even work if they can't reach root
- servers. To overcome this, it is most proper to create a so-called "fake
- root zone" on one or more DNS servers in the corporation. That would
- make all DNS servers within the corporation think there is only one or
- two DNS servers in the world, all located on the corporation network.
- Only domain names used within the corporation (DOMAIN.COM, appropriate
- inverse domains etc.) should be entered in the fake root zone file. Note
- that no cache line in the boot file of the "root" DNS makes sense.
- Sample configuration:
-
- ; --- named.boot
-
- primary domain.com ZONE.domain.com
- primary 1.10.in-addr.arpa REV.10.1
- priamry . ZONE.root
- ... (other data; NOTE - do *NOT* place any "cache" line here !!!)
-
- ; --- ZONE.root - fake root zone file, containing only corporation domains
-
- . IN NS ns.domain.com. hostmaster.domain.com. ( ... )
- IN NS ns.domain.com.
- IN NS ns2.domain.com.
-
- domain.com. IN NS ns.domain.com.
- ns.domain.com. IN A 10.1.1.1
- domain.com. IN NS ns2.domain.com.
- ns2.domain.com. IN A 10.1.1.2
-
- 1.10.in-addr.arpa. IN NS ns.domain.com.
- IN NS ns2.domain.com.
-
- Other zone files follow standard configuration.
-
------------------------------------------------------------------------------
-
-Question 5.23. Different DNS answers for same RR
-
-Date: Mon Sep 14 22:15:16 EDT 1998
-
-(The following section was contributed by Berislav Todorovic)
-
-Many times there is a need for a DNS server to send different answers for
-same RR's, depending on the IP address of the request sender. For example,
-many coprporations wish to make their customers to use the "geographically
-closest" Web server when accessing corporate Web pages. A corporation may
-impose the following policy: if someone asked for the IP address of
-WWW.DOMAIN.COM, they may want to:
-
-* Answer that the IP address is 172.16.2.3, if the request came from one
- of the following IP networks: 172.1/16, 172.2/16 or 172.10/16.
-* Answer that the IP address is 172.16.1.1, if the request came from the
- IP address 172.16/16 or 172.17.128/18.
-* By default, for all other requests send the answer that the IP address
- is 172.16.2.3.
-
-The example above will need a DNS to send different A RR's, depending on
-the source of queries. A similar approach may be imposed for MX's, CNAME's
-etc. The question which arise here is: IS IT POSSIBLE?
-
-[Ed note: There are commercial products such as Cisco's Distributed
-Director that also will address this issue]
-
-The simple answer to the question is: NOT DIRECTLY. This is true if
-standard DNS software (e.g. BIND) is used on the DNS servers. However,
-there are two workarounds which may solve this problem:
-
-* Using two DNS servers on different UDP ports + UDP redirector
-* Using two DNS servers on different IP addresses + NAT on the router
-
-Solution 1: (tested on a Linux system and should work on other Unix boxes
-as well). Software needed is:
-
-* BIND 8
-* udprelay - a package which redirects traffic to other UDP port
- (sunsite.unc.edu: /pub/Linux/system/network/misc/udprelay-0.2.tar.Z ).
-
-Build and install udprelay and bring up two DNS servers on different UDP
-ports, using different configuration files (i.e., bring one on 5300 and
-the other one on 5400):
-
- // --- named.conf.5300
- options {
- directory "/var/named"
- listen-on port 5300 { any; };
- ... (other options)
- };
-
- zone "domain.com" {
- type master;
- file "domain.com.5300";
- };
-
- // --- named.conf.5400
-
- options {
- directory "/var/named"
- listen-on port 5400 { any; };
- ... (other options)
- };
-
- zone "domain.com" {
- type master;
- file "domain.com.5400";
- };
-
-
- ; domain.com.5300
- ... (SOA and other stuff)
-
- www IN A 172.16.2.3
-
- ; --- domain.com.5400
- ... (SOA and other stuff)
-
- www IN A 172.16.1.1
-
-As can be seen, there will be two separate zone files for DOMAIN.COM,
-depending on which UDP port the server listens to. Each zone file can
-contain different records. Now, when configure udprelay to forward UDP
-traffic from port 53 to 5300 or 5400, depending on the remote IP address:
-
- relay 172.1.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
- relay 172.2.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
- relay 172.10.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
- relay 172.16.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53
- relay 172.17.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53
- relay * * 53 172.16.1.1 5400 53
-After starting udprelay, all traffic coming to port 53 will be redirected
-to 5300 or 5400, depending on the source IP address.
-
-NOTE - This solution deals with the UDP part of DNS only. Zone xfers will
-be able to be done from one DNS server only, since this solution doesn't
-deal the TCP part of DNS. This is, thus, a partial solution but it works!
-
-Solution 2: Bring up two DNS servers on your network, using "private" IP
-addresses (RFC 1918), say ns1.domain.com (10.1.1.1) and ns2.domain.com
-(10.1.1.2). Both servers will have the same public address - 172.16.1.1,
-which will be used to access the servers. Configure them to be both
-primary for domain DOMAIN.COM. Let one of them (say, ns1) be the
-"default" DNS, which will be used in most of the cases. Establish NAT on
-the router, so it translates the public IP address 172.16.1.1 to 10.1.1.1
-and delegate your "default" DNS with the appropriate NIC, using its public
-address 172.16.1.1. Once you're assured everything works, setup your
-router to translate the public IP address 172.16.1.1 to either 10.1.1.1 or
-10.1.1.2, depending on the requestor IP address. After that, depending on
-the source IP address, the router will return one translation or the
-latter, thus forwarding the remote side to the appropriate DNS server.
-
-===============================================================================
-
-Section 6. PROBLEMS
-
- Q6.1 No address for root server
- Q6.2 Error - No Root Nameservers for Class XX
- Q6.3 Bind 4.9.x and MX querying?
- Q6.4 Do I need to define an A record for localhost ?
- Q6.5 MX records, CNAMES and A records for MX targets
- Q6.6 Can an NS record point to a CNAME ?
- Q6.7 Nameserver forgets own A record
- Q6.8 General problems (core dumps !)
- Q6.9 malloc and DECstations
- Q6.10 Can't resolve names without a "."
- Q6.11 Why does swapping kill BIND ?
- Q6.12 Resource limits warning in system
- Q6.13 ERROR:ns_forw: query...learnt
- Q6.14 ERROR:zone has trailing dot
- Q6.15 ERROR:Zone declared more then once
- Q6.16 ERROR:response from unexpected source
- Q6.17 ERROR:record too short from [zone name]
- Q6.18 ERROR:sysquery: findns error (3)
- Q6.19 ERROR:Err/TO getting serial# for XXX
- Q6.20 ERROR:zonename IN NS points to a CNAME
- Q6.21 ERROR:Masters for secondary zone [XX] unreachable
- Q6.22 ERROR:secondary zone [XX] expired
- Q6.23 ERROR:bad response to SOA query from [address]
- Q6.24 ERROR:premature EOF, fetching [zone]
- Q6.25 ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours
- Q6.26 ERROR:connect(IP/address) for zone [XX] failed
- Q6.27 ERROR:sysquery: no addrs found for NS
- Q6.28 ERROR:zone [name] rejected due to errors
-
------------------------------------------------------------------------------
-
-Question 6.1. No address for root server
-
-Date: Wed Jan 14 12:15:54 EST 1998
-
-Q: I've been getting the following messages lately from bind-4.9.2..
- ns_req: no address for root server
-
-We are behind a firewall and have the following for our named.cache file -
-
- ; list of servers
- . 99999999 IN NS POBOX.FOOBAR.COM.
- 99999999 IN NS FOOHOST.FOOBAR.COM.
- foobar.com. 99999999 IN NS pobox.foobar.com.
-
-You can't do that. Your nameserver contacts POBOX.FOOBAR.COM, gets the
-correct list of root servers from it, then tries again and fails because
-of your firewall.
-
-You will need a 'forwarder' definition, to ensure that all requests are
-forwarded to a host which can penetrate the firewall. And it is unwise to
-put phony data into 'named.cache'.
-
-Q: We are getting logging information in the form:
-
-Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
- (A.ROOT-SERVERS.NET)
-Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
- (B.ROOT-SERVERS.NET)
-Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
- (C.ROOT-SERVERS.NET)
-...
-
-We are running bind 4.9.5PL1 Our system IS NOT behind a firewall. Any ideas ?
-
-This was discussed on the mailing list in November of 1996. The short
-answer was to ignore it as it was not a problem. That being said, you
-should upgrade to a newer version at this time if you are running a
-non-current version :-)
-
------------------------------------------------------------------------------
-
-Question 6.2. Error - No Root Nameservers for Class XX
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-Q: I've received errors before about "No root nameservers for class XX"
- but they've been because of network connectivity problems.
- I believe that Class 1 is Internet Class data.
- And I think I heard someone say that Class 4 is Hesiod??
- Does anyone know what the various Class numbers are?
-
-From RFC 1700:
-
- DOMAIN NAME SYSTEM PARAMETERS
- The Internet Domain Naming System (DOMAIN) includes several
- parameters. These are documented in [RFC1034] and [RFC1035]. The
- CLASS parameter is listed here. The per CLASS parameters are
- defined in separate RFCs as indicated.
-
- Domain System Parameters:
-
- Decimal Name References
- -------- ---- ----------
- 0 Reserved [PM1]
- 1 Internet (IN) [RFC1034,PM1]
- 2 Unassigned [PM1]
- 3 Chaos (CH) [PM1]
- 4 Hesoid (HS) [PM1]
- 5-65534 Unassigned [PM1]
- 65535 Reserved [PM1]
-
-DNS information for RFC 1700 was taken from
-
-ftp.isi.edu : /in-notes/iana/assignments/dns-parameters
-
-Hesiod is class 4, and there are no official root nameservers for class 4,
-so you can safely declare yourself one if you like. You might want to
-put up a packet filter so that no one outside your network is capable of
-making Hesiod queries of your machines, if you define yourself to be a
-root nameserver for class 4.
-
------------------------------------------------------------------------------
-
-Question 6.3. Bind 4.9.x and MX querying?
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-If you query a 4.9.x DNS server for MX records, a list of the MX records
-as well as a list of the authorative nameservers is returned. This
-happens because bind 4.9.2 returns the list of nameserver that are
-authorative for a domain in the response packet, along with their IP
-addresses in the additional section.
-
------------------------------------------------------------------------------
-
-Question 6.4. Do I need to define an A record for localhost ?
-
-Date: Sat Sep 9 00:36:01 EDT 1995
-
-Somewhere deep in the BOG (BIND Operations Guide) that came with 4.9.3
-(section 5.4.3), it says that you define this yourself (if need be) in
-the same zone files as your "real" IP addresses for your domain. Quoting
-the BOG:
-
-
- ... As implied by this PTR
- record, there should be a ``localhost.my.dom.ain''
- A record (with address 127.0.0.1) in every domain
- that contains hosts. ``localhost.'' will lose its
- trailing dot when 1.0.0.127.in-addr.arpa is queried
- for;...
-
-The sample files in the BIND distribution show you what needs to be done
-(see the BOG).
-
-Some HP boxen (especially those running HP OpenView) will also need
-"loopback" defined with this IP address. You may set it as a CNAME
-record pointing to the "localhost." record.
-
------------------------------------------------------------------------------
-
-Question 6.5. MX records, CNAMES and A records for MX targets
-
-Date: Sun Nov 27 23:32:41 EST 1994
-
-The O'Reilly "DNS and Bind" book warns against using non-canonical names
-in MX records, however, this warning is given in the context of mail hubs
-that MX to each other for backup purposes. How does this apply to mail
-spokes. RFC 974 has a similar warning, but where is it specifically
-prohibited to us an alias in an MX record ?
-
-Without the restrictions in the RFC, a MTA must request the A records for
-every MX listed to determine if it is in the MX list then reduce the list.
-This introduces many more lookups than would other wise be required. If
-you are behind a 1200 bps link YOU DON'T WANT TO DO THIS. The addresses
-associated with CNAMES are not passed as additional data so you will force
-additional traffic to result even if you are running a caching server
-locally.
-
-There is also the problem of how does the MTA find all of it's IP
-addresses. This is not straight forward. You have to be able to do this is
-you allow CNAMEs (or extra A's) as MX targets.
-
-The letter of the law is that an MX record should point to an A record.
-
-There is no "real" reason to use CNAMEs for MX targets or separate As for
-nameservers any more. CNAMEs for services other than mail should be used
-because there is no specified method for locating the desired server yet.
-
-People don't care what the names of MX targets are. They're invisible to
-the process anyway. If you have mail for "mary" redirected to "sue" is
-totally irrelevant. Having CNAMEs as the targets of MX's just needlessly
-complicates things, and is more work for the resolver.
-
-Having separate A's for nameservers like "ns.your.domain" is pointless
-too, since again nobody cares what the name of your nameserver is, since
-that too is invisible to the process. If you move your nameserver from
-"mary.your.domain" to "sue.your.domain" nobody need care except you and
-your parent domain administrator (and the InterNIC). Even less so for
-mail servers, since only you are affected.
-
-Q: Given the example -
-
- hello in cname realname
- mailx in mx 0 hello
-
- Now, while reading the operating manual of bind it clearly states
- that this is *not* valid. These two statements clearly contradict
- each other. Is there some later RFC than 974 that overrides what is
- said in there with respect to MX and CNAMEs? Anyone have the
- reference handy?
-
-A: This isn't what the BOG says at all. See below. You can have a CNAME
- that points to some other RR type; in fact, all CNAMEs have to point
- to other names (Canonical ones, hence the C in CNAME). What you
- can't have is an MX that points to a CNAME. MX RR's that point to
- names which have only CNAME RR's will not work in many cases, and
- RFC 974 intimates that it's a bad idea:
-
- Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
- a alias and the alias is listed in the MX records for REMOTE. (E.g.
- REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This
- can be avoided if aliases are never used in the data section of MX
- RRs.
-
- Here's the relevant BOG snippet:
-
- aliases {ttl addr-class CNAME Canonical name
- ucbmonet IN CNAME monet
-
- The Canonical Name resource record, CNAME, speci-
- fies an alias or nickname for the official, or
- canonical, host name. This record should be the
- only one associated with the alias name. All other
- resource records should be associated with the
- canonical name, not with the nickname. Any
- resource records that include a domain name as
- their value (e.g., NS or MX) must list the canoni-
- cal name, not the nickname.
-
------------------------------------------------------------------------------
-
-Question 6.6. Can an NS record point to a CNAME ?
-
-Date: Wed Mar 1 11:14:10 EST 1995
-
-Can I do this ? Is it legal ?
-
-
- @ SOA (.........)
- NS ns.host.this.domain.
- NS second.host.another.domain.
- ns CNAME third
- third IN A xxx.xxx.xxx.xxx
-
-No. Only one RR type is allowed to refer, in its data field, to a CNAME,
-and that's CNAME itself. So CNAMEs can refer to CNAMEs but NSs and MXs
-cannot.
-
-BIND 4.9.3 (Beta11 and later) explicitly syslogs this case rather than
-simply failing as pre-4.9 servers did. Here's a current example:
-
- Dec 7 00:52:18 gw named[17561]: "foobar.com IN NS" \
- points to a CNAME (foobar.foobar.com)
-
-Here is the reason why:
-
-Nameservers are not required to include CNAME records in the Additional
-Info section returned after a query. It's partly an implementation
-decision and partly a part of the spec. The algorithm described in RFC
-1034 (pp24,25; info also in RFC 1035, section 3.3.11, p 18) says 'Put
-whatever addresses are available into the additional section, using glue
-RRs [if necessary]'. Since NS records are speced to contain only primary
-names of hosts, not CNAMEs, then there's no reason for algorithm to
-mention them. If, on the other hand, it's decided to allow CNAMEs in NS
-records (and indeed in other records) then there's no reason that CNAME
-records might not be included along with A records. The Additional Info
-section is intended for any information that might be useful but which
-isn't strictly the answer to the DNS query processed. It's an
-implementation decision in as much as some servers used to follow CNAMEs
-in NS references.
-
------------------------------------------------------------------------------
-
-Question 6.7. Nameserver forgets own A record
-
-Date: Fri Dec 2 16:17:31 EST 1994
-
-Q: Lately, I've been having trouble with named 4.9.2 and 4.9.3.
- Periodically, the nameserver will seem to "forget" its own A record,
- although the other information stays intact. One theory I had was
- that somehow a site that the nameserver was secondary for was
- "corrupting" the A record somehow.
-
-A: This is invariably due to not removing ALL of the cached zones
- when you moved to 4.9.X. Remove ALL cached zones and restart
- your nameservers.
-
- You get "ignoreds" because the primaries for the relevant zones are
- running old versions of BIND which pass out more glue than is
- required. named-xfer trims off this extra glue.
-
------------------------------------------------------------------------------
-
-Question 6.8. General problems (core dumps !)
-
-Date: Sun Dec 4 22:21:22 EST 1994
-
-Paul Vixie says:
-
- I'm always interested in hearing about cases where BIND dumps core.
- However, I need a stack trace. Compile with -g and not -O (unless
- you are using gcc and know what you are doing) and then when it
- dumps core, get into dbx or gdb using the executable and the core
- file and use "bt" to get a stack trace. Send it to me
- <paul@vix.com> along with specific circumstances leading to or
- surrounding the crash (test data, tail of the debug log, tail of the
- syslog... whatever matters) and ideally you should save your core
- dump for a day or so in case I have questions you can answer via
- gdb/dbx.
-
------------------------------------------------------------------------------
-
-Question 6.9. malloc and DECstations
-
-Date: Mon Jan 2 14:19:22 EST 1995
-
-We have replaced malloc on our DECstations with a malloc that is more
-compact in memory usage, and this helped the operation of bind a lot. The
-source is now available for anonymous ftp from
-
-ftp.cs.wisc.edu : /pub/misc/malloc.tar.gz
-
------------------------------------------------------------------------------
-
-Question 6.10. Can't resolve names without a "."
-
-(Answer written by Mark Andrews) You are not using a RFC 1535 aware
-resolver. Depending upon the age of your resolver you could try adding a
-search directive to resolv.conf.
-
- e.g.
- domain <domain>
- search <domain> [<domain2> ...]
-
-If that doesn't work you can configure you server to serve the parent and
-grandparent domains as this is the default search list.
-
-"domain langley.af.mil" has an implicit "search langley.af.mil af.mil mil"
-in the old resolvers, and you are timing out trying to resolve the
-address with one of these domains tacked on.
-
-When resolving internic.net the following will be tried in order.
-
- internic.net.langley.af.mil
- internic.net.af.mil
- internic.net.mil
- internic.net.
-
-RFC 1535 aware resolvers try qualified address first.
-
- internic.net.
- internic.net.langley.af.mil
- internic.net.af.mil
- internic.net.mil
-
-RFC 1535 documents the problems associated with the old search
-algorithim, including security issues, and how to alleviate some of the
-problems.
-
------------------------------------------------------------------------------
-
-Question 6.11. Why does swapping kill BIND ?
-
-Date: Thu Jul 4 23:20:20 EDT 1996
-
-The question was:
-
- I've been diagnosing a problem with BIND 4.9.x (where x is usually 3BETA9
- or 3REL) for several months now. I finally tracked it down to swap space
- utilization on the unix boxes.
-
- This happens under (at least) under Linux 1.2.9 & 1.2.13, SunOS 4.1.3U1,
- 4.1.1, and Solaris 2.5. The symptom is that if these machines get into
- swap at all bind quits resolving most, if not all queries. Mind you that
- these machines are not "swapping hard", but rather we're talking about a
- several hundred K TEMPORARY deficiency. I have noticed while digging
- through various archives that there is some referral to "bind thrashing
- itself to death". Is this what is happening ?
-
-And the answer is:
-
- Yes it is. Bind can't tolerate having even a few pages swapped out.
- The time required to send responses climbs to several seconds/request,
- and the request queue fills and overflows.
-
- It's possible to shrink memory consumption a lot by undefining STATS
- and XSTATS, and recompiling. You could nuke DEBUG too, which will
- cut the code size down some, but probably not the data size. If that
- doesn't do the job then it sounds like you'll need to move DNS onto a
- separate box.
-
- BIND tends to touch all of its resident pages all of the time with
- normal activity... if you look at the RSS verses the total process
- size, you will always see the RSS within, usually, 90% of the total
- size of the process. This means that *any* paging of named-owned
- pages will stall named. Thus, a machine running a heavily accessed
- named process cannot afford to swap *at all*.
-
- (Paul Vixie continues on this subject):
- I plan to try to get BIND to exhibit slightly better locality of
- reference in some future release. Of course, I can only do this if
- the query names also exhibit some kind of hot spots. If someone
- queries all your names often, BIND will have to touch all of its VM
- pool that often. (Right now, BIND touches everything pretty often
- even if you're just hammering on some hot spots -- that's the part
- I'd like to fix. Malloc isn't cooperating.)
-
------------------------------------------------------------------------------
-
-Question 6.12. Resource limits warning in system
-
-Date: Sun Feb 15 22:04:43 EST 1998
-
-When bind-8.1.1 is started the following informational message appears in
-the syslog...
-
- Feb 13 14:19:35 ns1named[1986]:
- "cannot set resource limits on this system"
-
-What does this mean ?
-
-A: It means that BIND doesn't know how to implement the "coresize",
-"datasize", "stacksize", or "files" process limits on your OS.
-
-If you're not using these options, you may ignore the message.
-
------------------------------------------------------------------------------
-
-Question 6.13. ERROR:ns_forw: query...learnt
-
-Date: Sun Feb 15 23:08:06 EST 1998
-
-The following message appears in syslog:
-
- Jan 22 21:59:55 server1 named[21386]: ns_forw: query(testval) contains
- our address (dns1.foobar.org:1.2.3.4) learnt (A=:NS=)
-
-what does it mean ?
-
-A: This means that when it was looking up the NS records for the domain
-containing "testval" (i.e. the root domain), it found an NS record
-pointing to dns1.foobar.org, and the A record for this is 1.2.3.4.
-This is server1's own IP address, but it's not authoritative for the
-root domain. The (A-:NS=) part of the message means that it didn't
-learn these NS records from any other machine.
-
-You may have listed dns1.foobar.org in your root server cache
-file, even though it's not configured as a root server.
-
-
-\question 09jul:linuxq ERROR:recvfrom: Connection refused
-
-Date: Wed Jul 9 21:57:40 EDT 1997
-
-DNS on my linux system is reporting the error
-
-\verbatim
-Mar 26 12:11:20 idg named[45]: recvfrom: Connection refused
-
-When I start or restart the named program I get no errors. What could be
-causing this ?
-
-A: Are you running the BETA9 version of bind 4.9.3 ? It is a bug that
-does no harm and the error reporting was corrected in later releases. You
-should upgrade to a newer version of bind.
-
------------------------------------------------------------------------------
-
-Question 6.14. ERROR:zone has trailing dot
-
-Date: Wed Jul 9 22:11:51 EDT 1997
-
-If syslog reports "zone has trailing dot", the zone information contains a
-trailing dot in the named.boot file where it does not belong.
-
-
- example:
- secondary domain.com. xxx.xxx.xxx.xxx S-domain.com
- ^
------------------------------------------------------------------------------
-
-Question 6.15. ERROR:Zone declared more then once
-
-Date: Wed Jul 9 22:12:45 EDT 1997
-
-If syslog reports "Zone declared more then once",
-
-A zone is specified multiple times in the named.boot file
-
- example:
- secondary domain.com 198.247.225.251 S-domain.com
- secondary zone.com 198.247.225.251 S-zone.com
- primary domain.com P-domain.com
-
- domain.com is declared twice, once as primary, and once as secondary
-
------------------------------------------------------------------------------
-
-Question 6.16. ERROR:response from unexpected source
-
-Date: Wed Jul 9 22:12:45 EDT 1997
-
-If syslog reports "response from unexpected source", BIND (pre 4.9.3) has
-a bug if implimented on a multi homed server. This error indicates that
-the response to a query came from an address other then the one sent to.
-So, if ace gets a response from an unexpected source, ace will ignore the
-response.
-
------------------------------------------------------------------------------
-
-Question 6.17. ERROR:record too short from [zone name]
-
-Date: Mon Jun 15 21:34:49 EDT 1998
-
-If syslog report "record too short from [zone name]", The secondary server
-is trying to pull a zone from the primary server. For some reason, the
-primary sent an incomplete zone. This usually is a problem at the primary
-server.
-
- To troubleshoot, try this:
-
- dig [zonename] axfr @[primary IP address]
-
- Often, this is caused by a line broken in the middle.
-
-When the primary server's "named.boot" file contains "xfrnets" entries
-for other servers and the secondary is not listed, this error can occur.
-Creating an "xfrnets" entry for the secondary will solve the error.
-
------------------------------------------------------------------------------
-
-Question 6.18. ERROR:sysquery: findns error (3)
-
-Date: Wed Jul 9 22:17:09 EDT 1997
-
-If syslog reports "sysquery: findns error (3)" or
-"qserial_query(zonename): sysquery FAILED", there is no ns record for the
-zone. or the NS record is not defined correctly.
-
------------------------------------------------------------------------------
-
-Question 6.19. ERROR:Err/TO getting serial# for XXX
-
-Date: Wed Jul 9 22:18:41 EDT 1997
-
-If syslog reports "Err/TO getting serial# for XXX", there could be a
-number of possible errors:
-
- - An incorrect IP address in named.boot,
- - A network reachibility problem,
- - The primary is lame for the zone.
-
-An external check to see if you can retrieve the SOA is the best way to
-work out which it is.
-
------------------------------------------------------------------------------
-
-Question 6.20. ERROR:zonename IN NS points to a CNAME
-
-Date: Wed Jul 9 22:20:29 EDT 1997
-
-If syslog reports "zonename IN NS points to a CNAME" or "zonename IN MX
-points to a CNAME", named is 'reminding' you that due to various RFCs, an
-NS or MX record cannot point to a CNAME.
-
- EXAMPLE 1
- ---------
- domain.com IN SOA (...stuff...)
- IN NS ns.domain.com.
- ns IN CNAME machine.domain.com.
- machine IN A 1.2.3.4
-
- The IN NS record points to ns, which is a CNAME for machine. This
- is what results in the above error
-
- EXAMPLE 2
- ---------
- domain.com IN SOA (...stuff...)
- IN MX mail.domain.com.
- mail IN CNAME machine.domain.com.
- machine IN A 1.2.3.4
-
- This would cause the MX variety of the error.
-
- The fix is point MX and NS records to a machine that is defined explicitly
- by an IN A record.
-
------------------------------------------------------------------------------
-
-Question 6.21. ERROR:Masters for secondary zone [XX] unreachable
-
-Date: Wed Jul 9 22:24:27 EDT 1997
-
-If syslog reports "Masters for secondary zone [XX] unreachable", the
-initial attempts to load a zone failed, and the name server is still
-trying. If this occurs multiple times, a problem exists, likely on the
-primary server. This is a fairly generic error, and could indicate a vast
-number of problems. It might be that named is not running on the primary
-server, or they do not have the correct zone file. If this keeps up long
-enough a zone might expire.
-
------------------------------------------------------------------------------
-
-Question 6.22. ERROR:secondary zone [XX] expired
-
-Date: Wed Jul 9 22:25:53 EDT 1997
-
-If syslog reports "secondary zone [XX] expired", there has been a
-expiration of a secondary zone on this server.
-
-An expired zone is one in which a transfer hasn't successfully been
-completed in the amount of time specified before a zone expires.
-
-This problem could be anything which prevents a zone transfer: The primary
-server is down, named isn't running on the primary, named.boot has the
-wrong IP address, etc.
-
------------------------------------------------------------------------------
-
-Question 6.23. ERROR:bad response to SOA query from [address]
-
-Date: Wed Jan 14 12:15:11 EST 1998
-
-If syslog reports "bad response to SOA query from [address], zone [name]",
-a syntax error may exist in the SOA record of the zone your server is
-attempting to pull.
-
-It may also indicate that the primary server is lame, possibly due to a
-syntax error somewhere in the zone file.
-
------------------------------------------------------------------------------
-
-Question 6.24. ERROR:premature EOF, fetching [zone]
-
-Date: Wed Jul 9 22:28:26 EDT 1997
-
-If syslog reports "premature EOF, fetching [zone]", a syntax error exists
-on the zone at the primary location, likely towards the End of File (EOF)
-location.
-
------------------------------------------------------------------------------
-
-Question 6.25. ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours
-
-Date: Wed Jul 9 22:30:03 EDT 1997
-
-If syslog reports "Zone [name] SOA serial# rcvd from [address] is < ours",
-the zone transfer failed because the primary machine has a lower serial
-number in the SOA record than the one on file on this server.
-
------------------------------------------------------------------------------
-
-Question 6.26. ERROR:connect(IP/address) for zone [XX] failed
-
-Date: Wed Jan 14 12:21:40 EST 1998
-
-If syslog reports "connect(address) for zone [name] failed: No route to
-host" or "connect(address) for zone [name] failed: Connection timed out",
-it could be that there is no route to the specified host or a slow primary
-system. Try a traceroute to the address specified to isolate the problem.
-The problem may be a mistyped IP address in named.boot.
-
-A very slow primary machine or a connection may have been initialized,
-then connectivity lost for some reason, etc. Try networking
-troubleshooting tools like ping and traceroute, then try connecting to
-port 53 using nslookup or dig.
-
-If syslog reports "connect(address) for zone [name] failed: Connection
-refused", the destination address is not allowing the connection. Either
-the destination is not running DNS (port 53), or possibly filtering the
-connection from you. It is also possible that the named.boot is pointing
-to the wrong address.
-
------------------------------------------------------------------------------
-
-Question 6.27. ERROR:sysquery: no addrs found for NS
-
-Date: Wed Jul 9 22:37:01 EDT 1997
-
-If syslog reports "sysquery: no addrs found for NS" , the IN NS record may
-be pointing to a host with no IN A record.
-
------------------------------------------------------------------------------
-
-Question 6.28. ERROR:zone [name] rejected due to errors
-
-Date: Wed Jul 9 22:37:51 EDT 1997
-
-If syslog reports "primary zone [name] rejected due to errors", there will
-likely be another more descriptive error along with this, like "zonefile:
-line 17: database format error". That zone file should be investigated
-for errors.
-
-===============================================================================
-
-Section 7. ACKNOWLEDGEMENTS
-
- Q7.1 How is this FAQ generated ?
- Q7.2 What formats are available ?
- Q7.3 Contributors
-
------------------------------------------------------------------------------
-
-Question 7.1. How is this FAQ generated ?
-
-Date: Mon Jun 15 21:45:53 EDT 1998
-
-This FAQ is maintained in BFNN (Bizzarre Format with No Name). This
-allows me to create ASCII, HTML, and GNU info (postscript coming soon)
-from one source file.
-
-The perl script "bfnnconv.pl" that is available with the linux FAQ is used
-to generate the various output files from the BFNN source. This script is
-available at
-
-txs-11.mit.edu : /pub/linux/docs/linux-faq/linux-faq.source.tar.gz
-
------------------------------------------------------------------------------
-
-Question 7.2. What formats are available ?
-
-Date: Fri Dec 6 16:51:31 EST 1996
-
-You may obtain one of the following formats for this document:
-
-* ASCII: http://www.intac.com/~cdp/cptd-faq/cptd-faq.ascii
-* BFNN: http://www.intac.com/~cdp/cptd-faq/cptd-faq.bfnn
-* GNU info: http://www.intac.com/~cdp/cptd-faq/cptd-faq.info
-* HTML: http://www.intac.com/~cdp/cptd-faq/index.html
-
------------------------------------------------------------------------------
-
-Question 7.3. Contributors
-
-Date: Thu Jul 16 10:45:57 EDT 1998
-
-Many people have helped put this list together. Listed in e-mail address
-alphabetical order, the following people have contributed to this FAQ:
-
-* <BERI@etf.bg.ac.yu> (Berislav Todorovic)
-* <Benoit.Grange@inria.fr> (Benoit.Grange)
-* <D.T.Shield@csc.liv.ac.uk> (Dave Shield)
-* <Karl.Auer@anu.edu.au> (Karl Auer)
-* <Todd.Aven@BankersTrust.Com>
-* <adam@comptech.demon.co.uk> (Adam Goodfellow)
-* <andras@is.co.za> (Andras Salamon)
-* <barmar@bbnplanet.com> (Barry Margolin)
-* <barr@pop.psu.edu> (David Barr)
-* <bj@herbison.com> (B.J. Herbison)
-* <bje@cbr.fidonet.org> (Ben Elliston)
-* <brad@birch.ims.disa.mil> (Brad Knowles)
-* <ckd@kei.com> (Christopher Davis)
-* <cdp2582@hertz.njit.edu> (Chris Peckham)
-* <cricket@hp.com> (Cricket Liu)
-* <cudep@csv.warwick.ac.uk> (Ian 'Vato' Dickinson [ID17])
-* <dj@netscape.com> (David Jagoda)
-* <djk@cyber.com.au> (David Keegel)
-* <dillon@best.com> (Matthew Dillon)
-* <dparter@cs.wisc.edu> (David Parter)
-* <e07@nikhef.nl> (Eric Wassenaar)
-* <fitz@think.com> (Tom Fitzgerald)
-* <fwp@CC.MsState.Edu> (Frank Peters)
-* <gah@cco.caltech.edu> (Glen A. Herrmannsfeldt)
-* <glenn@popco.com> (Glenn Fleishman)
-* <harvey@indyvax.iupui.edu> (James Harvey)
-* <hubert@cac.washington.edu> (Steve Hubert)
-* <ivanl@pacific.net.sg> (Ivan Leong)
-* <jpass@telxon.com> (Jim Pass)
-* <jhawk@panix.com> (John Hawkinson)
-* <jmalcolm@uunet.uu.net> (Joseph Malcolm)
-* <jprovo@augustus.ultra.net> (Joe Provo)
-* <jrs@foliage.com> (J. Richard Sladkey)
-* <jsd@gamespot.com> (Jon Drukman)
-* <jwells@pacificcoast.net> (John Wells)
-* <kop@meme.com> (Karl O. Pinc)
-* <kevin@cfc.com> (Kevin Darcy)
-* <lamont@abstractsoft.com> (Sean T. Lamont)
-* <lavondes@tidtest.total.fr> (Michel Lavondes)
-* <mark@ucsalf.ac.uk> (Mark Powell)
-* <marka@syd.dms.CSIRO.AU> (Mark Andrews)
-* <mathias@unicorn.swi.com.sg> (Mathias Koerber)
-* <mfuhr@dimensional.com> (Michael Fuhr)
-* <mike@westie.gi.net> (Michael Hawk)
-* <mjo@iao.ford.com> (Mike O'Connor)
-* <nick@flapjack.ieunet.ie> (Nick Hilliard)
-* <oppedahl@popserver.panix.com> (Carl Oppedahl)
-* <patrick@oes.amdahl.com> (Patrick J. Horgan)
-* <paul@software.com> (Paul Wren)
-* <pb@fasterix.frmug.fr.net> (Pierre Beyssac)
-* <ph10@cus.cam.ac.uk> (Philip Hazel)
-* <phil@netpart.com> (Phil Trubey)
-* <raj@ceeri.ernet.in> (Raj Singh)
-* <rocky@panix.com> (R. Bernstein)
-* <rv@seins.Informatik.Uni-Dortmund.DE> (Ruediger Volk)
-* <sedwards@sedwards.com> (Steve Edwards)
-* <shields@tembel.org> (Michael Shields)
-* <spsprunk@pop.srv.paranet.com> (Stephen Sprunk)
-* <tanner@george.arc.nasa.gov> (Rob Tanner)
-* <vixie@vix.com> (Paul A Vixie)
-* <wag@swl.msd.ray.com> (William Gianopoulos)
-* <whg@inel.gov> (Bill Gray)
-* <wolf@pasteur.fr> (Christophe Wolfhugel)
-
-Thank you !
-
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-31 00:24:17 +0000