11 Will named be affected by changes to daylight savings rules in my location?

Usually no, as it is most common for machines to keep track of time using UTC and apply adjustments to display in local time according to OS-specific configuration rules. For most OSes this change just means that you need to update the conversion rules from…

12 I get warning messages like "zone example.com/IN: refresh: failure trying master 1.2.3.4#53: timed out".

Check that you can make UDP queries from the slave to the master:

dig +norec example.com soa @1.2.3.4

You could be generating queries faster than the slave can cope with. One simple strategy would be to lower the serial query rate:

serial-query-rate 5; //…

13 When I do a "dig . ns", many of the A records for the root servers are missing. Why?

This is normal and harmless. It is a somewhat confusing side effect of the way BIND 9 does RFC 2181 trust ranking and of the efforts BIND 9 makes to avoid promoting glue into answers. When BIND 9 first starts up and primes its cache, it receives the root…

14 I keep getting log messages like the following. Why? Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied

Someone may be trying to update your DNS zone using the RFC 2136 Dynamic Update protocol, but they do not have permission to do so. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured…

15 What has changed in the behavior of "allow-recursion" and "allow-query-cache"?

BIND's Default Policy for Recursion

In versions of BIND prior to (and including) BIND 9.4.1, the default behavior of BIND servers was to allow recursion for all clients unless otherwise specified. Because open recursion has some undesirable side-effects,…

16 Why is the outcome different from dig when using the +trace option?

By default dig will use the configured nameservers from /etc/resolv.conf (or one explicitly specified using the command syntax). Without +trace you are testing the ability of the target nameserver to resolve your query. Adding the +trace option instructs…

17 I want to use IPv6 locally but I don't have an external IPv6 connection. External lookups are slow.

On some networks, IPv6 is used internally, but is not supported by the link to the rest of the internet. This degrades resolver performance due to named attempting to send IPv6 queries that can never be answered. To prevent IPv6 queries outside the network,…

18 I don't get RRSIG's returned when I use "dig +dnssec" - why is this?

Most likely, the domain is not signed. If it is signed, then check whether DNSSEC has been disabled on the name server you are querying. In BIND 9, DNSSEC is enabled by default, but can be disabled with:

dnssec-enable no;

If this has been done, the server…

19 What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?

If the IN-ADDR.ARPA name covered refers to an internal address space you are using, then you have failed to follow RFC 1918 usage rules and are leaking queries to the Internet. You should establish your own zones for these addresses to prevent you querying…

20 Can an NS record refer to a CNAME?

No. The rules for glue (copies of the address records in the parent zones) and additional section processing do not allow it to work. You would have to add both the CNAME and address records (A/AAAA) as glue to the parent zone and have CNAMEs be followed…