Articles

Fix BIND "Type Not Allowed in Class" Error (2026)

April 16, 2026 6 min read

The BIND DNS server is refusing to process DNS records because it’s encountering a "Type Not Allowed in Class" error, indicating a fundamental misconfiguration in how DNS record types are defined or applied within a specific DNS class.

Here’s a breakdown of the common causes and how to fix them:

1. Incorrect Record Type Syntax in Zone File

  • Diagnosis: Manually inspect your zone files for syntax errors in the record type field. Look for typos, missing characters, or non-standard abbreviations. For example, a typo like A (with a trailing space) or AAAAA instead of AAAA can trigger this.
    # Example: Check zone file for 'example.com'
sudo cat /var/named/zones/db.example.com
  • Cause: BIND expects specific, standardized mnemonics for DNS record types (e.g., A, AAAA, MX, CNAME, TXT, NS). Any deviation from these accepted types, even a minor typo, is rejected.
  • Fix: Correct the misspelled or malformed record type in your zone file. Ensure it matches one of the standard types.
    ; Incorrect:
www IN AAAA TXT "This is a text record"  ; TXT is not a valid type for AAAA
; Correct:
www IN AAAA 2001:db8::1
www IN TXT "This is a text record"
  • Why it works: BIND parses the zone file line by line. When it encounters a field that should be a record type but isn’t a recognized mnemonic, it throws the "Type Not Allowed in Class" error because it cannot classify the record. Correcting the type allows BIND to parse it as intended.

2. Using Reserved Keywords as Record Types

  • Diagnosis: Review your zone files for any instances where you might have accidentally used a reserved BIND keyword (like IN, CLASS, TYPE, SOA, NS, A, AAAA, etc.) as a record type.
    # Example: Search for common keywords used incorrectly
grep -E '\s(IN|CLASS|TYPE|SOA|NS|A|AAAA|MX|CNAME|TXT)\s' /var/named/zones/db.example.com
  • Cause: DNS record syntax follows a specific order: [name] [ttl] [class] [type] [rdata]. If a keyword that belongs in a different position is placed where the type should be, BIND interprets it as an invalid type.
  • Fix: Ensure that the class field (usually IN for Internet) and the type field are correctly placed and are actual DNS record types.
    ; Incorrect:
mail IN IN MX 10 mail.example.com ; IN used as type
; Correct:
mail IN MX 10 mail.example.com
  • Why it works: By correcting the placement and ensuring the correct fields are populated with their expected values, BIND can properly parse the DNS record structure.

3. Invalid Class Specification

  • Diagnosis: Check the CLASS field in your zone file. While IN (Internet) is overwhelmingly common, other classes exist, and typos or incorrect specifications can lead to this error if BIND doesn’t recognize the specified class.
    # Example: Look for non-IN classes or typos
grep -v 'IN' /var/named/zones/db.example.com | grep -v '^\s*;'
  • Cause: DNS records have a class associated with them (e.g., IN for Internet, CS for CSNET, CH for Chaosnet, HS for Hesiod). If you specify a non-standard class and BIND isn’t configured to support it, or if there’s a typo in the class name, it can manifest as a "Type Not Allowed in Class" error.
  • Fix: Ensure the class is correctly specified, typically IN. If you intend to use a different class, verify your BIND configuration supports it.
    ; Incorrect:
host.example.com 3600 CS A 192.168.1.1 ; CSNET class, if not supported/intended
; Correct:
host.example.com 3600 IN A 192.168.1.1
  • Why it works: BIND expects a valid class identifier. Correcting it to a recognized class like IN allows BIND to proceed with parsing the rest of the record, including the type.

4. Missing CLASS Field Entirely

  • Diagnosis: Examine zone file entries that are failing. If a CLASS field is completely absent where it’s expected, BIND might misinterpret the subsequent field as the class, leading to a type error.
    # Example: Look for lines with fewer fields than expected for A records
awk '{ if ($3 == "" && $2 != "SOA" && $2 != "NS" && $2 != "MX") print "Potential missing class: ", $0 }' /var/named/zones/db.example.com
  • Cause: The standard DNS record format is [name] [ttl] [class] [type] [rdata]. If the [class] field is omitted, the [type] field is shifted left and misinterpreted.
  • Fix: Add the correct CLASS field, typically IN, before the TYPE field.
    ; Incorrect:
www 3600 A 192.168.1.100 ; Missing CLASS
; Correct:
www 3600 IN A 192.168.1.100
  • Why it works: Providing the CLASS field restores the expected structure of the DNS record, allowing BIND to correctly identify the TYPE field.

5. Incorrectly Formatted SOA Record

  • Diagnosis: The SOA (Start of Authority) record is critical and has a specific format. Errors here, especially in the fields that follow the SOA type, can sometimes trigger this error if BIND gets confused about the record structure.
    # Example: Check the SOA record format
grep "SOA" /var/named/zones/db.example.com
  • Cause: The SOA record requires specific parameters (primary name server, responsible person’s mailbox, serial number, refresh, retry, expire, minimum TTL). If these are malformed or missing, BIND might fail to parse the record correctly, leading to downstream errors.
    ; Incorrect SOA format:
@ 3600 IN SOA ns1.example.com admin.example.com (
                            2023102701 ; Serial
                            7200       ; Refresh
                            3600       ; Retry
                            1209600    ; Expire
                            86400 )    ; Minimum TTL
; The 'admin.example.com' with a dot is incorrect, should be 'admin.example.com.' or 'admin.example.com'
; Correct SOA format:
@ 3600 IN SOA ns1.example.com. admin.example.com. (
                            2023102701 ; Serial
                            7200       ; Refresh
                            3600       ; Retry
                            1209600    ; Expire
                            86400 )    ; Minimum TTL
  • Fix: Ensure your SOA record follows the correct syntax, paying close attention to the FQDNs for the primary name server and responsible person, and that the serial number is a valid integer.
  • Why it works: A correctly formatted SOA record is essential for BIND to initialize the zone. Fixing its structure allows BIND to properly load the zone’s metadata.

6. Non-Standard DNS Record Types (Rare)

  • Diagnosis: If you are absolutely certain your zone files are syntactically perfect and you’re still seeing this error, consider if you’re attempting to use a custom or very obscure DNS record type not supported by default BIND.
  • Cause: Some DNS record types are not universally defined or might require specific BIND configuration or extensions to be processed.
  • Fix: Consult the DNS record type specifications (RFCs) or BIND documentation. If it’s a custom type, you might need to use a generic type like TXT to store the data or explore BIND’s advanced configuration options if available. For standard types, ensure your BIND version is up-to-date.
  • Why it works: By either using a supported type or ensuring BIND is capable of handling the intended type, you resolve the parser’s inability to classify the record.

After fixing these issues, you will likely encounter a "zone was serial out of date" error if you haven’t incremented the serial number in your SOA record.

Want structured learning?

Take the full Dns course →