summaryrefslogtreecommitdiffstats
path: root/doc/arm/troubleshooting.inc.rst
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/arm/troubleshooting.inc.rst160
1 files changed, 160 insertions, 0 deletions
diff --git a/doc/arm/troubleshooting.inc.rst b/doc/arm/troubleshooting.inc.rst
new file mode 100644
index 0000000..a2d81a9
--- /dev/null
+++ b/doc/arm/troubleshooting.inc.rst
@@ -0,0 +1,160 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _troubleshooting:
+
+Troubleshooting
+===============
+
+.. _common_problems:
+
+Common Problems
+---------------
+
+It's Not Working; How Can I Figure Out What's Wrong?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The best solution to installation and configuration issues is to
+take preventive measures by setting up logging files beforehand. The
+log files provide hints and information that can be used to
+identify anything that went wrong and fix the problem.
+
+EDNS Compliance Issues
+~~~~~~~~~~~~~~~~~~~~~~
+
+EDNS (Extended DNS) is a standard that was first specified in 1999. It
+is required for DNSSEC validation, DNS COOKIE options, and other
+features. There are broken and outdated DNS servers and firewalls still
+in use which misbehave when queried with EDNS; for example, they may
+drop EDNS queries rather than replying with FORMERR. BIND and other
+recursive name servers have traditionally employed workarounds in this
+situation, retrying queries in different ways and eventually falling
+back to plain DNS queries without EDNS.
+
+Such workarounds cause unnecessary resolution delays, increase code
+complexity, and prevent deployment of new DNS features. In February
+2019, all major DNS software vendors removed these
+workarounds; see https://dnsflagday.net/2019 for further details. This change
+was implemented in BIND as of release 9.14.0.
+
+As a result, some domains may be non-resolvable without manual
+intervention. In these cases, resolution can be restored by adding
+:namedconf:ref:`server` clauses for the offending servers, or by specifying ``edns no`` or
+``send-cookie no``, depending on the specific noncompliance.
+
+To determine which :namedconf:ref:`server` clause to use, run the following commands
+to send queries to the authoritative servers for the broken domain:
+
+::
+
+ dig soa <zone> @<server> +dnssec
+ dig soa <zone> @<server> +dnssec +nocookie
+ dig soa <zone> @<server> +noedns
+
+
+If the first command fails but the second succeeds, the server most
+likely needs ``send-cookie no``. If the first two fail but the third
+succeeds, then the server needs EDNS to be fully disabled with
+``edns no``.
+
+Please contact the administrators of noncompliant domains and encourage
+them to upgrade their broken DNS servers.
+
+Inspecting Encrypted DNS Traffic
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note::
+
+ This feature requires support from the cryptographic library that
+ BIND 9 is built against. For OpenSSL, version 1.1.1 or newer is
+ required (use :option:`named -V` to check).
+
+By definition, TLS-encrypted traffic (e.g. DNS over TLS, DNS over HTTPS)
+is opaque to packet sniffers, which makes debugging problems with
+encrypted DNS close to impossible. However, Wireshark_ offers a
+solution_ to this problem by being able to read key log files. In order
+to make :iscman:`named` prepare such a file, set the ``SSLKEYLOGFILE``
+environment variable to either:
+
+- the string ``config`` (``SSLKEYLOGFILE=config``); this requires
+ defining a :any:`logging` :any:`channel` which will
+ handle messages belonging to the ``sslkeylog`` category,
+
+- the path to the key file to write (``SSLKEYLOGFILE=/path/to/file``);
+ this is equivalent to the following :any:`logging` configuration:
+
+ ::
+
+ channel default_sslkeylogfile {
+ file "${SSLKEYLOGFILE}" versions 10 size 100m suffix timestamp;
+ };
+
+ category sslkeylog {
+ default_sslkeylogfile;
+ };
+
+.. note::
+
+ When using ``SSLKEYLOGFILE=config``, augmenting the log channel
+ output using options like :any:`print-time` or :any:`print-severity` is
+ strongly discouraged as it will likely make the key log file
+ unusable.
+
+When the ``SSLKEYLOGFILE`` environment variable is set, each TLS
+connection established by :iscman:`named` (both incoming and outgoing) causes
+about 1 kilobyte of data to be written to the key log file.
+
+.. warning::
+
+ Due to the limitations of the current logging code in BIND 9,
+ enabling TLS pre-master secret logging adversely affects :iscman:`named`
+ performance.
+
+.. _Wireshark: https://www.wireshark.org/
+.. _solution: https://wiki.wireshark.org/TLS#tls-decryption
+
+Incrementing and Changing the Serial Number
+-------------------------------------------
+
+Zone serial numbers are just numbers — they are not date-related. However, many
+people set them to a number that represents a date, usually of the
+form YYYYMMDDRR. Occasionally they make a mistake and set the serial number to a
+date in the future, then try to correct it by setting it to the
+current date. This causes problems because serial numbers are used to
+indicate that a zone has been updated. If the serial number on the secondary
+server is lower than the serial number on the primary, the secondary server
+attempts to update its copy of the zone.
+
+Setting the serial number to a lower number on the primary server than the one
+on the secondary server means that the secondary will not perform updates to its
+copy of the zone.
+
+The solution to this is to add 2147483647 (2^31-1) to the number, reload
+the zone and make sure all secondaries have updated to the new zone serial
+number, then reset it to the desired number and reload the
+zone again.
+
+.. _more_help:
+
+Where Can I Get Help?
+---------------------
+The BIND-users mailing list, at https://lists.isc.org/mailman/listinfo/bind-users, is an excellent resource for
+peer user support. In addition, ISC maintains a Knowledgebase of helpful articles
+at https://kb.isc.org.
+
+Internet Systems Consortium (ISC) offers annual support agreements
+for BIND 9, ISC DHCP, and Kea DHCP.
+All paid support contracts include advance security notifications; some levels include
+service level agreements (SLAs), premium software features, and increased priority on bug fixes
+and feature requests.
+
+Please contact info@isc.org or visit
+https://www.isc.org/contact/ for more information.