11 Will named be affected by the 2007 changes to daylight savings rules in the US?

No, so long as the machine's internal clock (as reported by "date -u") remains at UTC. The only visible change if you fail to upgrade your OS, if you are in an affected area, will be that log messages will be an hour out during the period where the old rules…

12 I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out".

Check that you can make UDP queries from the slave to the master:

    dig +norec example.com soa @1.2.3.4

You could be generating queries faster than the slave can cope with. Lower the serial query rate:

    serial-query-rate 5; // default 20

13 When I do a "dig . ns", many of the A records for the root servers are missing. Why?

This is normal and harmless. It is a somewhat confusing side effect of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to avoid promoting glue into answers. When BIND 9 first starts up and primes its cache, it receives the root server…

14 I keep getting log messages like the following. Why? Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from…

15 What has changed in the behavior of "allow-recursion" and "allow-query-cache"?

BIND's Default Policy for Recursion

In versions of BIND prior to (and including) BIND 9.4.1, the default behavior of BIND servers was to allow recursion for all clients (unless otherwise specified). Because open recursion has some undesirable side-effects…

16 Why is the outcome different from dig when using the +trace option?

By default dig will use the configured nameservers from /etc/resolv.conf (or one explicitly specified using the command syntax). Without +trace you are testing the ability of the target nameserver to resolve your query. Adding the +trace option instructs…

17 I want to use IPv6 locally but I don't have an external IPv6 connection. External lookups are slow.

You can use server clauses to stop named making external lookups over IPv6:

    server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
    server ::/0 { bogus yes; };

18 I don't get RRSIGs returned when I use "dig +dnssec" - why is this?

You need to ensure DNSSEC is enabled on the nameserver that you are querying:

    dnssec-enable yes;

19 What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?

If the IN-ADDR.ARPA name covered refers to an internal address space you are using, then you have failed to follow RFC 1918 usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying…

20 Can an NS record refer to a CNAME?

No. The rules for glue (copies of the address records in the parent zones) and additional section processing do not allow it to work. You would have to add both the CNAME and address records (A/AAAA) as glue to the parent zone and have CNAMEs be followed…