Fixing high CPU usage by the named process on Linux

Solution

/usr/sbin/named -u named -g &

The problem: high CPU usage caused by the named process

named is using too much CPU.

Error log:

Jun 26 10:26:03 localhost named[1906]: managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error
Jun 26 10:26:12 localhost named[1906]: error (no valid RRSIG) resolving '168.192.in-addr.arpa/DS/IN': 8.8.8.8#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:503:ba3e::2:30#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:13::73#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:87::87#53
Jun 26 10:26:12 localhost named[1906]: error (network unreachable) resolving '168.192.in-addr.arpa/DS/IN': 2001:500:f0::63#53

At this point there are 14 zombie processes.

The error (no valid RRSIG) comes from the three DNSSEC options in the security settings. These three options generally do not need to be enabled and can simply be commented out. Here they are set as follows; with validation turned off, named no longer checks RRSIG records:

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;

Restart named.

Only one error is left in the log:

Jun 26 10:56:33 localhost named[10967]: managed-keys-zone ./IN: journal rollforward failed: unexpecte

CPU usage is still very high. Start named in the foreground with -g to see its output:

[root@ostaer named]# /usr/sbin/named -g &
[1] 23304
[root@ostaer named]# 26-Jun-2014 11:05:38.357 starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -g
26-Jun-2014 11:05:38.357 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
26-Jun-2014 11:05:38.357 ----------------------------------------------------
26-Jun-2014 11:05:38.357 BIND 9 is maintained by Internet Systems Consortium,
26-Jun-2014 11:05:38.357 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
26-Jun-2014 11:05:38.357 corporation.  Support and training for BIND 9 are 
26-Jun-2014 11:05:38.357 available at https://www.isc.org/support
26-Jun-2014 11:05:38.357 ----------------------------------------------------
26-Jun-2014 11:05:38.357 adjusted limit on open files from 4096 to 1048576
26-Jun-2014 11:05:38.357 found 4 CPUs, using 4 worker threads
26-Jun-2014 11:05:38.358 using up to 4096 sockets
26-Jun-2014 11:05:38.365 loading configuration from '/etc/named.conf'
26-Jun-2014 11:05:38.365 /etc/named.conf:13: change directory to '/var/named' failed: permission denied
26-Jun-2014 11:05:38.365 /etc/named.conf:13: parsing failed
26-Jun-2014 11:05:38.396 loading configuration: permission denied
26-Jun-2014 11:05:38.396 exiting (due to fatal error)
^C
[1]+  Exit 1               /usr/sbin/named -g

The message is: /etc/named.conf:13: change directory to '/var/named' failed: permission denied

Check the permissions on the zone file directory:

[root@ostaer named]# ll -d /var/named
drwxr-x---. 6 named named 4096 Jun 26 11:17 /var/named

The permissions are correct.

Run named as the named user:

[root@ostaer named]# /usr/sbin/named -u named -g &
[1] 31401
[root@ostaer named]# 26-Jun-2014 11:11:50.100 starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 -u named -g
26-Jun-2014 11:11:50.100 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
26-Jun-2014 11:11:50.100 ----------------------------------------------------
26-Jun-2014 11:11:50.100 BIND 9 is maintained by Internet Systems Consortium,
26-Jun-2014 11:11:50.100 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
26-Jun-2014 11:11:50.100 corporation.  Support and training for BIND 9 are 
26-Jun-2014 11:11:50.100 available at https://www.isc.org/support
26-Jun-2014 11:11:50.100 ----------------------------------------------------
26-Jun-2014 11:11:50.100 adjusted limit on open files from 4096 to 1048576
26-Jun-2014 11:11:50.100 found 4 CPUs, using 4 worker threads
26-Jun-2014 11:11:50.103 using up to 4096 sockets
26-Jun-2014 11:11:50.112 loading configuration from '/etc/named.conf'
26-Jun-2014 11:11:50.113 reading built-in trusted keys from file '/etc/named.iscdlv.key'
26-Jun-2014 11:11:50.115 using default UDP/IPv4 port range: [1024, 65535]
26-Jun-2014 11:11:50.115 using default UDP/IPv6 port range: [1024, 65535]
26-Jun-2014 11:11:50.237 listening on IPv4 interface lo, 127.0.0.1#53
26-Jun-2014 11:11:50.243 listening on IPv4 interface eth0, 172.16.7.129#53
26-Jun-2014 11:11:50.280 listening on IPv6 interface lo, ::1#53
26-Jun-2014 11:11:50.324 Could not open '/var/run/named/named.pid'.
26-Jun-2014 11:11:50.324 Please check file and directory permissions or reconfigure the filename.
26-Jun-2014 11:11:50.324 could not open file '/var/run/named/named.pid': Permission denied
26-Jun-2014 11:11:50.324 generating session key for dynamic DNS
26-Jun-2014 11:11:50.324 Could not open '/var/run/named/session.key'.
26-Jun-2014 11:11:50.325 Please check file and directory permissions or reconfigure the filename.
26-Jun-2014 11:11:50.325 could not open file '/var/run/named/session.key': Permission denied
26-Jun-2014 11:11:50.325 could not create /var/run/named/session.key
26-Jun-2014 11:11:50.325 failed to generate session key for dynamic DNS: permission denied
26-Jun-2014 11:11:50.325 sizing zone task pool based on 7 zones
26-Jun-2014 11:11:50.379 using built-in DLV key for view _default
26-Jun-2014 11:11:50.380 set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
26-Jun-2014 11:11:50.380 Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
26-Jun-2014 11:11:50.380 automatic empty zone: 127.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 254.169.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 2.0.192.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 100.51.198.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 113.0.203.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: D.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 8.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 9.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: A.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: B.E.F.IP6.ARPA
26-Jun-2014 11:11:50.381 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
26-Jun-2014 11:11:50.471 command channel listening on 127.0.0.1#953
26-Jun-2014 11:11:50.471 command channel listening on ::1#953
26-Jun-2014 11:11:50.555 ignoring config file logging statement due to -g option
26-Jun-2014 11:11:50.563 zone 0.in-addr.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.568 zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.569 zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone localhost.localdomain/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone localhost/IN: loaded serial 0
26-Jun-2014 11:11:50.574 zone sirun.net/IN: loading from master file sirun.net.zone failed: file not found
26-Jun-2014 11:11:50.574 zone sirun.net/IN: not loaded due to errors.
26-Jun-2014 11:11:50.618 managed-keys-zone ./IN: loaded serial 0
26-Jun-2014 11:11:50.627 running

No error is reported. On checking, CPU usage has returned to normal.

Check for zombie processes (the STAT column must come first for the pattern to match):

# ps -A -o stat,ppid,pid,cmd | grep -e '^[zZ]'

Result: no zombie processes.

To sum up:

The cause is unknown and the error cannot be reproduced.

The original named service may have been forced to run as root.

When viewing the named process, pay attention to the permissions it runs with:

[root@ostaer init.d]# ps -ef | grep named | grep -v grep
named    15480     1  0 11:23 ?       00:00:00 /usr/sbin/named -u named -t /var/named/chroot
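
The two manual checks above (zombie processes, and which user named runs as) can be scripted. This is an added example, not part of the original post; the function names audit_named and sample_ps and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a process listing for zombies and for a named
# daemon that is still running as root instead of an unprivileged user.
# Input format: one line per process from  ps -eo stat=,user=,pid=,args=

audit_named() {
  awk '
    {
      stat = $1; user = $2; pid = $3; exe = $4
      if (stat ~ /^[zZ]/) {              # zombie: STAT column starts with Z
        zombies++
        printf "ZOMBIE pid=%s user=%s\n", pid, user
        next
      }
      n = split(exe, path, "/")
      if (path[n] != "named") next       # only the named binary itself
      drop = "-"; jail = "-"
      for (i = 5; i < NF; i++) {
        if ($i == "-u") drop = $(i + 1)  # user that named switches to
        if ($i == "-t") jail = $(i + 1)  # chroot directory
      }
      verdict = (user == "root" || user == "0") ? "FAIL" : "OK"
      if (verdict == "FAIL") bad++
      printf "%s pid=%s user=%s -u=%s -t=%s\n", verdict, pid, user, drop, jail
    }
    END {
      printf "summary zombies=%d named_as_root=%d\n", zombies, bad
      exit (zombies + bad > 0)           # non-zero status if anything was found
    }
  '
}

# Constructed sample listing (not captured from a real host).
sample_ps() {
  cat <<'EOF'
Ss   root      1906 /usr/sbin/named -g
Z    root      1911 [named] <defunct>
Ssl  named    15480 /usr/sbin/named -u named -t /var/named/chroot
Ss   root      2210 /usr/sbin/sshd -D
EOF
}

# On a live host: ps -eo stat=,user=,pid=,args= | audit_named
sample_ps | audit_named || true
```

The function exits non-zero when it finds a zombie or a named process owned by root, so it can be used directly in a monitoring check.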

 

 


Origin blog.csdn.net/whatday/article/details/114600658