159
159
<H2>1. I'm using an older version of MaraDNS</H2>
161
Upgrade to MaraDNS 1.4 or MaraDNS 2.0. MaraDNS 1.4 is compatible with
162
older versions of MaraDNS, with the relatively few changes need to upgrade
161
Upgrade to MaraDNS 1.4. MaraDNS 1.4 is compatible with older versions
162
of MaraDNS, with the relatively few changes need to upgrade
163
163
<A href=http://maradns.org/tutorial/update.html>documented</A>.
167
Use MaraDNS 2.0 if there are any issues using MaraDNS 1.4 to recursively
168
resolve records (via <tt>recursive_acl</tt>); the recursive resolver
169
in MaraDNS 1.4 is deprecated and only critical security issues are fixed
170
with it. MaraDNS 2.0 uses the separate daemon Deadwood to recursively
175
167
MaraDNS 1.0 and 1.2 are only supported for critical security updates, and
176
168
will no longer be supported on December 21, 2010. MaraDNS 1.3 is also only
177
169
supported for critical security updates, and support will stop on December
178
21, 2012. MaraDNS 1.4 and MaraDNS 2.0 are both fully supported (security
179
and other important bug fixes) for the foreseeable future.
170
21, 2012. MaraDNS 1.4 will be fully supported (security and other important
171
bug fixes) for the foreseeable future, alongside MaraDNS 2.0 when and if
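Review bot: The support statement at lines 178-179 ("MaraDNS 1.4 and MaraDNS 2.0 are both fully supported (security and other important bug fixes)") conflicts with lines 169-170 of the same variant, which say the recursive resolver in MaraDNS 1.4 is deprecated and only gets critical security fixes. Suggest scoping the sentence so that someone running 1.4 with recursive_acl set does not assume ordinary bug fixes for the resolver, for example "MaraDNS 1.4 (apart from its deprecated recursive resolver) and MaraDNS 2.0 are both fully supported". Separately, "the relatively few changes need to upgrade" is in both variants and should read "needed to upgrade".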
284
<H2>8. I am on a slow network, and Deadwood can not process recursive
277
<H2>8. I am on a slow network, and MaraDNS can not process recursive
287
Deadwood, by default, only waits two seconds for a reply from a remote
280
MaraDNS, by default, only waits two seconds for a reply from a remote
288
281
DNS server. This default can be increased by adding a line like this
289
282
in the mararc file:
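Review bot: The unchanged line at 289/282 still reads "in the mararc file:" even though the variant at line 287 attributes the two-second timeout to Deadwood, and the upstream_servers hunk in this same diff calls Deadwood's configuration file dwood3rc. If the setting is now read by Deadwood, this line should say "in the dwood3rc file:" on that side, otherwise a reader will raise the timeout in a file the recursive daemon may not consult.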
346
339
<H2>12. Why does MaraDNS use a multi-threaded model?</H2>
348
<p>MaraDNS 2.0 no longer uses threads.
350
<p>The multi-threaded model was the simplest way to write
351
a functioning recursive DNS server for MaraDNS 1.0. There is a reason
352
why MaraDNS, pdnsd, and BIND 9 all use the multi-threaded model.
354
<p>It took me nearly three years to rewrite MaraDNS' recursive resolver
355
as a separate non-threaded daemon. This has been done, and now all recursion
356
is done with Deadwood which does not need threads.
341
<p>The multi-threaded model is, plain and simple, the simplest way to write
342
a functioning recursive DNS server. There is a reason why MaraDNS, pdnsd, and
343
BIND 9 all use the multi-threaded model.
345
<p>MaraDNS 2.0, when and if it is released, will not use threads.
358
347
<A NAME=wishlist>
360
349
<H2>13. I feel that XXX feature should be added to MaraDNS</H2>
362
There are no plans to add new features to MaraDNS or Deadwood at
351
The only thing that will convince me to implement a given feature for
352
MaraDNS is cold, hard cash. If you want me to keep a given feature
353
proprietary, you better have lots of cold hard cash.
355
The only feature I will implement for free is to finish up full
356
recursion in Deadwood, including IPv6 support. I have <A
357
href=http://maradns.blogspot.com/2009/06/why-i-will-not-implement-dns-curve.html>no
358
plans to implement DNS curve</A>, nor <A
359
href=http://maradns.blogspot.com/2009/11/maradns-wish-list-status.html>DNSsec,
360
Geo IP, or whatever feature you want me to implement for fun and for free</A>.
362
Keep in mind that both the BIND and NSD name servers were
363
developed by having the programmers paid to work on the programs.
364
PowerDNS was originally commercial software with the author only
365
reluctantly made GPL after seeing that the market
366
for a commercial DNS server is very small. All of the other DNS servers
367
which have been developed as hobbyist projects (Posadis, Pdnsd, and djbdns)
368
are no longer being actively worked on by the primary developer.
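Review bot: The heading at 346/339, "12. Why does MaraDNS use a multi-threaded model?", is left unchanged while the body at line 348 opens with "MaraDNS 2.0 no longer uses threads", and line 352 still says MaraDNS, pdnsd, and BIND 9 "all use the multi-threaded model" in the present tense. Suggest putting the heading and that sentence in the past tense or naming the version (for example "Why did MaraDNS 1.x use a multi-threaded model?") so the answer does not contradict its own question. The anchor at 358/347, "<A NAME=wishlist>", also has no closing tag in the lines shown, unlike the "<A name=... > </A>" form used later in the file.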
423
429
<p>The <tt>zoneserver</tt> program serves zones so that other DNS servers
424
430
can be secondaries for zones which MaraDNS serves. This is a separate
425
program from the <tt>maradns</tt> server, which processes
426
authoritative UDP DNS queries, and Deadwood which processes recursive
431
program from the <tt>maradns</tt> server, which processes both
432
authoritative and recursive UDP DNS queries.
429
<p>See the <A href="http://www.maradns.org/tutorial/dnsmaster.html">DNS
434
<p>See the <A href="http://www.maradns.org/tutorial/1.2/dnsmaster.html">DNS
430
435
master</A> document in the MaraDNS tutorial for details.
432
437
<A NAME=secondary>
446
452
A recursive DNS server is a DNS server that is able to contact other DNS
447
453
servers in order to resolve a given domain name label. This is the kind
448
of DNS server one points to in <tt>/etc/resolve.conf</tt>. MaraDNS uses
449
the Deadwood daemon to process recursive DNS queries.
454
of DNS server one points to in <tt>/etc/resolve.conf</tt>
453
458
An authoritative DNS server is a DNS server that a recursive server
454
contacts in order to find out the answer to a given DNS query. The
455
maradns daemon processes authoritative DNS queries.
459
contacts in order to find out the answer to a given DNS query.
457
461
<A NAME=bailiwick>
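Review bot: The path "/etc/resolve.conf" at lines 448 and 454 is misspelled in both variants; the resolver configuration file is /etc/resolv.conf. Since these lines are being touched anyway, fix the path so a reader looking for the file to point at their recursive server finds it.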
562
566
<h2>26. I am having problems setting <tt>upstream_servers</tt></h2>
564
<tt>upstream_servers</tt> is only supported by Deadwood, and is no
565
longer supported in MaraDNS 2.0.
567
The <tt>upstream_servers</tt> dwood3rc variable is set thusly:
568
The <tt>upstream_servers</tt> mararc variable is set thusly:
570
571
<tt>upstream_servers["."] = "10.3.28.79, 10.2.19.83"</tt>
573
Note the <tt>["."]</tt>.
574
Note the <tt>["."]</tt>. The reason for this is so future versions
575
of MaraDNS may have more fine-grained control over the
576
<tt>upstream_servers</tt> and <tt>root_servers</tt> values.
577
580
Note that the <tt>upstream_servers</tt> variable needs to be initialized
578
581
before being used via <tt>upstream_servers = {}</tt> (the reason for this
579
is so that a dwood3rc file has 100% Python-compatible syntax). A complete
580
dwood3rc file that uses <tt>upstream_servers</tt> may look like this:
582
is so that a mararc file has 100% Python-compatible syntax). A complete
583
mararc file that uses <tt>upstream_servers</tt> may look like this:
583
586
ipv4_bind_addresses = "127.0.0.1"
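Review bot: The sentence at lines 564-565, "upstream_servers is only supported by Deadwood, and is no longer supported in MaraDNS 2.0", reads as a contradiction, because other hunks in this diff describe Deadwood as the daemon MaraDNS 2.0 uses for recursion. Suggest saying what is actually dropped, for example "is no longer supported in the mararc file (the maradns daemon) in MaraDNS 2.0; set it in dwood3rc instead", which also matches the dwood3rc wording at lines 567 and 579-580.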
717
720
<h2>31. I have a NS delegation, and MaraDNS is doing
718
721
strange things.</h2>
720
This is only an issue in MaraDNS 1.4. MaraDNS 2.0 does not allow
721
the same IP to both authoritatively and recursively resolve records.
723
In the case of there being a NS delegation, MaraDNS handles recursive
724
queries and non-recursive DNS queries differently. Basically, unless
725
you use <tt>askmara</tt> with the <tt>-n</tt> option, dig with the
726
<tt>+norecuse</tt> option, or <tt>nslookup</tt> with the <tt>-norec</tt>
727
option, MaraDNS will try to recursively resolve the record that is
732
The thinking is this: A normal recursive DNS query is usually one
733
where one wants to know the final DNS output. So, if MaraDNS
734
delegates a given record to another DNS server, and gets a recursive
735
request for said query, MaraDNS will recursively resolve the query
740
For example, let us suppose we have a <tt>mararc</tt> file that looks
744
chroot_dir = "/etc/maradns"
745
ipv4_bind_addresses = "10.1.2.3"
746
chroot_dir = "/etc/maradns"
747
recursive_acl = "127.0.0.1/8, 10.0.0.0/8"
749
csv2["example.com."] = "db.example.com"
752
And a <tt>db.example.com</tt> file that looks like this:
755
www.example.com. 10.1.2.3
756
joe.example.com. NS ns.joe.example.com.
757
ns.joe.example.com. A 10.1.2.4
760
Next, you are trying to find out why www.joe.example.com is not
761
resolving. If you naively send a query to 10.1.2.3 for www.joe.example.com
762
as <tt>askmara Awww.joe.example.com. 10.1.2.3</tt> or as
763
<tt>dig @10.1.2.3 www.joe.example.com.</tt> or as
764
<tt>nslookup www.joe.example.com. 10.1.2.3</tt>, you will <b>not</b>
765
get any information that will help you solve the problem, since 10.1.2.3
766
will try to contact 10.1.2.4 to resolve www.joe.example.com.
770
The solution is to run your DNS query client thusly:
773
<li>Askmara would be run thusly:
774
<p><tt>askmara -n Awww.joe.example.com. 10.1.2.3</tt><p>
775
<li>Dig would be run thusly:
776
<p><tt>dig +norecurse @10.1.2.3 www.joe.example.com</tt><p>
777
<li>Nslookup would be run thusly:
778
<p><tt>nslookup -norec www.joe.example.com 10.1.2.3</tt><p>
781
This will allow you to see that packets MaraDNS actually sends to
782
a recursive DNS server.
786
As an aside, this particular problem will not happen if MaraDNS is
787
run only as an authoritative nameserver.
723
789
<A name="synthns"> </A>
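Review bot: The dig option at line 726 is spelled "+norecuse", while the worked command at line 776 uses "+norecurse"; the first spelling should be corrected to match, since the whole point of the passage is that the query must be sent non-recursively to see the delegation. In the example mararc, "chroot_dir = "/etc/maradns"" appears twice (lines 744 and 746), so one copy should go. At line 781, "see that packets MaraDNS actually sends" presumably means "see the packets MaraDNS actually sends". If the short variant at lines 720-721 replaces this text, it would help to keep one sentence telling MaraDNS 1.4 users how to query without recursion, since that variant says the issue still exists there.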
782
848
<A name=roothints> </A>
783
849
<h2>33. Where is the root.hints file?</h2>
785
MaraDNS (actually, Deadwood), unlike BIND, does not need a complicated
786
root.hints file in order to have custom root servers. In order to change
787
the root.hints file, add something like this to your dwood3rc file:
851
MaraDNS, unlike BIND, does not need a complicated root.hints file in
852
order to have custom root servers. In order to change the root.hints
853
file, add something like this to your mararc file:
790
856
root_servers["."] = "131.161.247.232,"
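Review bot: In both variants the second sentence says "In order to change the root.hints file, add something like this", directly after stating that no root.hints file is needed (lines 785-787 and 851-853). Suggest "In order to use custom root servers, add something like this to your dwood3rc file" (or mararc on the other side), so the reader is not sent looking for a file that does not exist. The parenthetical "MaraDNS (actually, Deadwood)" could simply be "Deadwood" now that the surrounding text names dwood3rc.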
992
<li> MaraDNS version 1.4 or 2.0 needs to be used; if you're using an
1060
<li> MaraDNS version 1.4 needs to be used; if you're using an
993
1061
older version of MaraDNS, upgrade.
995
<li> It is necessary to have recursion disabled, if using MaraDNS 1.4, either
996
by compiling MaraDNS without recursive support (./configure --authonly ; make),
1063
<li> It is necessary to have recursion disabled. This can be done either by
1064
compiling MaraDNS without recursive support (./configure --authonly ; make),
997
1065
or by making sure MaraDNS does not have recursion enabled (by not having
998
<tt>recursive_acl</tt> set in one's MaraDNS 1.4 mararc file)
1066
<tt>recursive_acl</tt> set in one's mararc file)
1002
If one wishes to both register domains with AFNIC and use MaraDNS 1.4 as a
1070
If one wishes to both register domains with AFNIC and use MaraDNS as a
1003
1071
recursive DNS server, it is required to have the recursive server be a
1004
1072
separate instance of MaraDNS on a separate IP. It is not possible to have
1005
1073
the same DNS server both send DNS packets in a way that both makes AFNIC
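Review bot: The list item at lines 995-998 only says how to disable recursion "if using MaraDNS 1.4", and line 1002 only covers running 1.4 as a recursive server, so a MaraDNS 2.0 reader is left to infer what applies to them. The NS delegation hunk in this diff states that MaraDNS 2.0 does not allow the same IP to both authoritatively and recursively resolve records; suggest saying so here in one clause (for example "with MaraDNS 2.0 no action is needed, since the maradns daemon does not perform recursion"), if that is the intended meaning. The comma placement in "recursion disabled, if using MaraDNS 1.4, either by compiling" also makes the sentence hard to parse.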
1020
1088
<h2>43. I can't see the full answers for subdomains I have delegated</h2>
1022
To have the subdomains be visible to MaraDNS 1.4 recursive nameservers,
1023
add the following to your mararc file:
1090
To have the subdomains be visible to recursive nameservers, add the following
1091
to your mararc file:
1025
1093
<tt>recurse_delegation = 1</tt>
1048
1116
Since the old recursive code is a bit difficult to maintain, and since I
1049
1117
in the process of rewriting the recursive code, my rule is that I will only
1050
resolve security issues with MaraDNS 1.0's recursive resolver.
1118
resolve security issues with MaraDNS 1.0's recursive resolver without
1121
If resolving a given domain with MaraDNS' code is an urgent issue
1122
for you, please consider helping beta-test Deadwood, or sponsoring MaraDNS:
1124
<A href=http://www.maradns.org/products.html>http://www.maradns.org/products.html</A>
1053
1126
<A name=nxdomain2> </A>
1054
1127
<h2>45. MaraDNS 1.2 has issues with NXDOMAINS and case sensitivity.</h2>
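Review bot: The unchanged lines at 1048-1049/1116-1117 still say "since I in the process of rewriting the recursive code" (missing "am"), and on the variant where the threading answer says the rewrite "has been done", this sentence is stale as well as ungrammatical. Line 1050 also names "MaraDNS 1.0's recursive resolver", while lines 169-170 of the same variant describe the deprecated resolver as the one in MaraDNS 1.4. Suggest rewording to past tense and using one version label for the old resolver throughout, so it is clear which code receives security-only fixes.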