142
142
<H2>1. I'm using an older version of MaraDNS</H2>
144
Upgrade to MaraDNS 1.4 or MaraDNS 2.0. MaraDNS 1.4 is compatible with
145
older versions of MaraDNS, with the relatively few changes need to upgrade
144
Upgrade to MaraDNS 1.4. MaraDNS 1.4 is compatible with older versions
145
of MaraDNS, with the relatively few changes need to upgrade
146
146
<A href=http://maradns.org/tutorial/update.html>documented</A>.
150
Use MaraDNS 2.0 if there are any issues using MaraDNS 1.4 to recursively
151
resolve records (via <tt>recursive_acl</tt>); the recursive resolver
152
in MaraDNS 1.4 is deprecated and only critical security issues are fixed
153
with it. MaraDNS 2.0 uses the separate daemon Deadwood to recursively
158
150
MaraDNS 1.0 and 1.2 are only supported for critical security updates, and
159
151
will no longer be supported on December 21, 2010. MaraDNS 1.3 is also only
160
152
supported for critical security updates, and support will stop on December
161
21, 2012. MaraDNS 1.4 and MaraDNS 2.0 are both fully supported (security
162
and other important bug fixes) for the foreseeable future.
153
21, 2012. MaraDNS 1.4 will be fully supported (security and other important
154
bug fixes) for the foreseeable future, alongside MaraDNS 2.0 when and if
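Review bot: the notice on lines 150-153 that the MaraDNS 1.4 recursive resolver (enabled via recursive_acl) is deprecated and gets only critical security fixes has no counterpart in the 1.4-only wording on lines 144-154. If the change is applied in the direction shown, a reader is no longer told that enabling recursive_acl puts them on a resolver in security-fix-only maintenance; confirm that is intended. Both versions of line 145 also read "changes need to upgrade", which should be "changes needed to upgrade".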
267
<H2>8. I am on a slow network, and Deadwood can not process recursive
260
<H2>8. I am on a slow network, and MaraDNS can not process recursive
270
Deadwood, by default, only waits two seconds for a reply from a remote
263
MaraDNS, by default, only waits two seconds for a reply from a remote
271
264
DNS server. This default can be increased by adding a line like this
272
265
in the mararc file:
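Review bot: line 270 attributes the two-second timeout to Deadwood, but the unchanged line 272/265 still tells the reader to add the setting "in the mararc file", while the upstream_servers and root.hints answers on the same side put Deadwood settings in dwood3rc. Change the file name together with the daemon name so the timeout is not added to the wrong file. The heading on 267/260 also has "can not" where "cannot" is the usual spelling.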
329
322
<H2>12. Why does MaraDNS use a multi-threaded model?</H2>
331
<p>MaraDNS 2.0 no longer uses threads.
333
<p>The multi-threaded model was the simplest way to write
334
a functioning recursive DNS server for MaraDNS 1.0. There is a reason
335
why MaraDNS, pdnsd, and BIND 9 all use the multi-threaded model.
337
<p>It took me nearly three years to rewrite MaraDNS' recursive resolver
338
as a separate non-threaded daemon. This has been done, and now all recursion
339
is done with Deadwood which does not need threads.
324
<p>The multi-threaded model is, plain and simple, the simplest way to write
325
a functioning recursive DNS server. There is a reason why MaraDNS, pdnsd, and
326
BIND 9 all use the multi-threaded model.
328
<p>MaraDNS 2.0, when and if it is released, will not use threads.
341
330
<A NAME=wishlist>
343
332
<H2>13. I feel that XXX feature should be added to MaraDNS</H2>
345
There are no plans to add new features to MaraDNS or Deadwood at
334
The only thing that will convince me to implement a given feature for
335
MaraDNS is cold, hard cash. If you want me to keep a given feature
336
proprietary, you better have lots of cold hard cash.
338
The only feature I will implement for free is to finish up full
339
recursion in Deadwood, including IPv6 support. I have <A
340
href=http://maradns.blogspot.com/2009/06/why-i-will-not-implement-dns-curve.html>no
341
plans to implement DNS curve</A>, nor <A
342
href=http://maradns.blogspot.com/2009/11/maradns-wish-list-status.html>DNSsec,
343
Geo IP, or whatever feature you want me to implement for fun and for free</A>.
345
Keep in mind that both the BIND and NSD name servers were
346
developed by having the programmers paid to work on the programs.
347
PowerDNS was originally commercial software with the author only
348
reluctantly made GPL after seeing that the market
349
for a commercial DNS server is very small. All of the other DNS servers
350
which have been developed as hobbyist projects (Posadis, Pdnsd, and djbdns)
351
are no longer being actively worked on by the primary developer.
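Review bot: lines 331-335 disagree in tense: line 331 says MaraDNS 2.0 no longer uses threads, yet line 335 still states in the present tense that "MaraDNS, pdnsd, and BIND 9 all use the multi-threaded model", under an unchanged heading (329/322) that asks why MaraDNS uses one. Qualify line 335 with the MaraDNS version it applies to, or reword the heading. On the other side, lines 347-348 ("with the author only reluctantly made GPL") are missing a verb, for example "which the author only reluctantly released under the GPL".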
406
412
<p>The <tt>zoneserver</tt> program serves zones so that other DNS servers
407
413
can be secondaries for zones which MaraDNS serves. This is a separate
408
program from the <tt>maradns</tt> server, which processes
409
authoritative UDP DNS queries, and Deadwood which processes recursive
414
program from the <tt>maradns</tt> server, which processes both
415
authoritative and recursive UDP DNS queries.
412
<p>See the <A href="http://www.maradns.org/tutorial/dnsmaster.html">DNS
417
<p>See the <A href="http://www.maradns.org/tutorial/1.2/dnsmaster.html">DNS
413
418
master</A> document in the MaraDNS tutorial for details.
415
420
<A NAME=secondary>
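Review bot: line 417 points the "DNS master" link at the tutorial/1.2/ path where line 412 uses the unversioned tutorial/dnsmaster.html, and the first answer on this page says MaraDNS 1.2 only receives critical security updates. Unless the 1.2 copy is deliberately the target, link the document that matches the supported release so readers setting up zone transfers follow instructions for the version they run.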
429
435
A recursive DNS server is a DNS server that is able to contact other DNS
430
436
servers in order to resolve a given domain name label. This is the kind
431
of DNS server one points to in <tt>/etc/resolve.conf</tt>. MaraDNS uses
432
the Deadwood daemon to process recursive DNS queries.
437
of DNS server one points to in <tt>/etc/resolve.conf</tt>
436
441
An authoritative DNS server is a DNS server that a recursive server
437
contacts in order to find out the answer to a given DNS query. The
438
maradns daemon processes authoritative DNS queries.
442
contacts in order to find out the answer to a given DNS query.
440
444
<A NAME=bailiwick>
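Review bot: the resolver configuration file is misspelled as /etc/resolve.conf on both line 431 and line 437; the file is /etc/resolv.conf, and a reader who copies the path as written will edit a file the system resolver does not read. Line 437 also ends without a full stop once the Deadwood sentence is gone.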
545
549
<h2>26. I am having problems setting <tt>upstream_servers</tt></h2>
547
<tt>upstream_servers</tt> is only supported by Deadwood, and is no
548
longer supported in MaraDNS 2.0.
550
The <tt>upstream_servers</tt> dwood3rc variable is set thusly:
551
The <tt>upstream_servers</tt> mararc variable is set thusly:
553
554
<tt>upstream_servers["."] = "10.3.28.79, 10.2.19.83"</tt>
556
Note the <tt>["."]</tt>.
557
Note the <tt>["."]</tt>. The reason for this is so future versions
558
of MaraDNS may have more fine-grained control over the
559
<tt>upstream_servers</tt> and <tt>root_servers</tt> values.
560
563
Note that the <tt>upstream_servers</tt> variable needs to be initialized
561
564
before being used via <tt>upstream_servers = {}</tt> (the reason for this
562
is so that a dwood3rc file has 100% Python-compatible syntax). A complete
563
dwood3rc file that uses <tt>upstream_servers</tt> may look like this:
565
is so that a mararc file has 100% Python-compatible syntax). A complete
566
mararc file that uses <tt>upstream_servers</tt> may look like this:
566
569
ipv4_bind_addresses = "127.0.0.1"
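Review bot: lines 547-548 say upstream_servers "is only supported by Deadwood, and is no longer supported in MaraDNS 2.0", which reads as a contradiction because the first answer on this page says MaraDNS 2.0 uses Deadwood for recursion. Name the program and file that lost the variable, for example "is no longer supported by the maradns daemon or in mararc", so the forwarder addresses end up in the file that is actually used.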
700
703
<h2>31. I have a NS delegation, and MaraDNS is doing
701
704
strange things.</h2>
703
This is only an issue in MaraDNS 1.4. MaraDNS 2.0 does not allow
704
the same IP to both authoritatively and recursively resolve records.
706
In the case of there being a NS delegation, MaraDNS handles recursive
707
queries and non-recursive DNS queries differently. Basically, unless
708
you use <tt>askmara</tt> with the <tt>-n</tt> option, dig with the
709
<tt>+norecuse</tt> option, or <tt>nslookup</tt> with the <tt>-norec</tt>
710
option, MaraDNS will try to recursively resolve the record that is
715
The thinking is this: A normal recursive DNS query is usually one
716
where one wants to know the final DNS output. So, if MaraDNS
717
delegates a given record to another DNS server, and gets a recursive
718
request for said query, MaraDNS will recursively resolve the query
723
For example, let us suppose we have a <tt>mararc</tt> file that looks
727
chroot_dir = "/etc/maradns"
728
ipv4_bind_addresses = "10.1.2.3"
729
chroot_dir = "/etc/maradns"
730
recursive_acl = "127.0.0.1/8, 10.0.0.0/8"
732
csv2["example.com."] = "db.example.com"
735
And a <tt>db.example.com</tt> file that looks like this:
738
www.example.com. 10.1.2.3
739
joe.example.com. NS ns.joe.example.com.
740
ns.joe.example.com. A 10.1.2.4
743
Next, you are trying to find out why www.joe.example.com is not
744
resolving. If you naively send a query to 10.1.2.3 for www.joe.example.com
745
as <tt>askmara Awww.joe.example.com. 10.1.2.3</tt> or as
746
<tt>dig @10.1.2.3 www.joe.example.com.</tt> or as
747
<tt>nslookup www.joe.example.com. 10.1.2.3</tt>, you will <b>not</b>
748
get any information that will help you solve the problem, since 10.1.2.3
749
will try to contact 10.1.2.4 to resolve www.joe.example.com.
753
The solution is to run your DNS query client thusly:
756
<li>Askmara would be run thusly:
757
<p><tt>askmara -n Awww.joe.example.com. 10.1.2.3</tt><p>
758
<li>Dig would be run thusly:
759
<p><tt>dig +norecurse @10.1.2.3 www.joe.example.com</tt><p>
760
<li>Nslookup would be run thusly:
761
<p><tt>nslookup -norec www.joe.example.com 10.1.2.3</tt><p>
764
This will allow you to see that packets MaraDNS actually sends to
765
a recursive DNS server.
769
As an aside, this particular problem will not happen if MaraDNS is
770
run only as an authoritative nameserver.
706
772
<A name="synthns"> </A>
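Review bot: line 709 names the dig option as "+norecuse", while the worked command on line 759 uses "+norecurse"; fix line 709 to match, since a reader copying the option from the paragraph will not get the command this answer intends. The sample mararc also sets chroot_dir twice (lines 727 and 729), and line 764 should read "the packets" rather than "that packets".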
765
831
<A name=roothints> </A>
766
832
<h2>33. Where is the root.hints file?</h2>
768
MaraDNS (actually, Deadwood), unlike BIND, does not need a complicated
769
root.hints file in order to have custom root servers. In order to change
770
the root.hints file, add something like this to your dwood3rc file:
834
MaraDNS, unlike BIND, does not need a complicated root.hints file in
835
order to have custom root servers. In order to change the root.hints
836
file, add something like this to your mararc file:
773
839
root_servers["."] = "131.161.247.232,"
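Review bot: lines 768-770 and 834-836 first say no root.hints file is needed and then tell the reader how "to change the root.hints file"; the instruction actually sets root_servers, so word it as changing the root servers. Because the unchanged value on 773/839 decides where every recursive lookup starts, the text should also say that the listed address must be a server the operator controls or trusts.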
975
<li> MaraDNS version 1.4 or 2.0 needs to be used; if you're using an
1043
<li> MaraDNS version 1.4 needs to be used; if you're using an
976
1044
older version of MaraDNS, upgrade.
978
<li> It is necessary to have recursion disabled, if using MaraDNS 1.4, either
979
by compiling MaraDNS without recursive support (./configure --authonly ; make),
1046
<li> It is necessary to have recursion disabled. This can be done either by
1047
compiling MaraDNS without recursive support (./configure --authonly ; make),
980
1048
or by making sure MaraDNS does not have recursion enabled (by not having
981
<tt>recursive_acl</tt> set in one's MaraDNS 1.4 mararc file)
1049
<tt>recursive_acl</tt> set in one's mararc file)
985
If one wishes to both register domains with AFNIC and use MaraDNS 1.4 as a
1053
If one wishes to both register domains with AFNIC and use MaraDNS as a
986
1054
recursive DNS server, it is required to have the recursive server be a
987
1055
separate instance of MaraDNS on a separate IP. It is not possible to have
988
1056
the same DNS server both send DNS packets in a way that both makes AFNIC
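Review bot: line 975 widens the requirement to "1.4 or 2.0", but lines 978-981 only tell 1.4 users how to disable recursion and line 985 only covers running a 1.4 recursive instance on a separate IP. Say what a 2.0 user must do, or state that the item does not apply there because recursion is handled by Deadwood. The comma placement in line 978 ("disabled, if using MaraDNS 1.4, either by") also makes the sentence hard to parse.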
1003
1071
<h2>43. I can't see the full answers for subdomains I have delegated</h2>
1005
To have the subdomains be visible to MaraDNS 1.4 recursive nameservers,
1006
add the following to your mararc file:
1073
To have the subdomains be visible to recursive nameservers, add the following
1074
to your mararc file:
1008
1076
<tt>recurse_delegation = 1</tt>
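Review bot: line 1073 has no "MaraDNS 1.4" qualifier where line 1005 carries one, although recurse_delegation is a mararc setting and the NS delegation answer on this page says the behaviour is only an issue in MaraDNS 1.4. Keep the version in the sentence so 2.0 users do not add the setting expecting it to affect Deadwood.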
1031
1099
Since the old recursive code is a bit difficult to maintain, and since I
1032
1100
in the process of rewriting the recursive code, my rule is that I will only
1033
resolve security issues with MaraDNS 1.0's recursive resolver.
1101
resolve security issues with MaraDNS 1.0's recursive resolver without
1104
If resolving a given domain with MaraDNS' code is an urgent issue
1105
for you, please consider helping beta-test Deadwood, or sponsoring MaraDNS:
1107
<A href=http://www.maradns.org/products.html>http://www.maradns.org/products.html</A>
1036
1109
<A name=nxdomain2> </A>
1037
1110
<h2>45. MaraDNS 1.2 has issues with NXDOMAINS and case sensitivity.</h2>
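Review bot: the unchanged lines 1031/1099 and 1032/1100 read "since I in the process of rewriting"; the verb is missing and should be "since I am in the process of rewriting". Line 1033 also names "MaraDNS 1.0's recursive resolver", while the first answer on this page describes the deprecated resolver as the one in MaraDNS 1.4; use one name for it so the scope of the security-fix-only policy is unambiguous.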