BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see
    http://www.isc.org/software/bind9/releasenotes

BIND 9.9.7 is a maintenance release and addresses bugs
found in BIND 9.9.6 and earlier, as well as the security
flaws described in CVE-2014-8500 and CVE-2015-1349.

BIND 9.9.6 is a maintenance release, and also includes
the following new functionality.

- The former behavior with respect to capitalization of names
  (prior to BIND 9.9.5) can be restored for specific clients via
  the new "no-case-compress" ACL.

BIND 9.9.5 is a maintenance release, and patches the security
flaws described in CVE-2013-6320 and CVE-2014-0591. It also
includes the following functional enhancements:

- "named" now preserves the capitalization of names when
  responding to queries.
- new "dnssec-importkey" command allows the use of offline
  DNSSEC keys with automatic DNSKEY management.
- When re-signing a zone, the new "dnssec-signzone -Q" option
  drops signatures from keys that are still published but are
- "named-checkconf -px" will print the contents of configuration
  files with the shared secrets obscured, making it easier to
  share configuration (e.g. when submitting a bug report)
  without revealing private information.

BIND 9.9.4 is a maintenance release, and patches the security
flaws described in CVE-2013-3919 and CVE-2013-4854. It also
introduces DNS Response Rate Limiting (DNS RRL) as a
compile-time option. To use this feature, configure with
the "--enable-rrl" option.

BIND 9.9.3 is a maintenance release and patches the security
flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.

BIND 9.9.2 is a maintenance release and patches the security
flaw described in CVE-2012-4244.

BIND 9.9.1 is a maintenance release.

BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

- Inline signing, allowing automatic DNSSEC signing of
  master zones without modification of the zonefile, or
  "bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
  name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
  zone to disk without a freeze/thaw cycle.
- New 'rndc signing' command displays or clears signing status
  records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
  to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
  to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
  'masters', so it can use named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
  data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
  not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
  be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
  dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
  to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
- Dynamic updates can now optionally set the zone's SOA serial
  number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
  indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x, 4.0-beta, 5.0-beta
    Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    MacOS X 10.5, 10.6, 10.7
    Red Hat Enterprise Linux 4, 5, 6

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler. Please include '-g'
    if you need to set CFLAGS.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Change the default syslog facility of named/lwresd.
        -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
    Disable dropping queries from particular well known ports.
        -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/ set.
    Enable workaround for Solaris kernel bug about /dev/poll
        -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Additional information on various subjects can be found
in the other README files.

A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:

    [bug]           General bug fix

    [security]      Fix for a significant security flaw

    [experimental]  Used for new features when the syntax
                    or other aspects of the design are still
                    in flux and may change

    [port]          Portability enhancement

    [maint]         Updates to built-in data such as root
                    server addresses and keys

    [tuning]        Changes to built-in configuration defaults
                    and constants to improve performance

    [protocol]      Updates to the DNS protocol such as new

    [test]          Changes to the automatic tests, not
                    affecting server functionality

    [cleanup]       Minor corrections and refactoring

    [contrib]       Changes to the contributed tools and
                    libraries in the 'contrib' subdirectory

    [placeholder]   Used in the master development branch to
                    reserve change numbers for use in other
                    branches, e.g. when fixing a bug that only
                    exists in older releases

In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.
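
The category tags make it possible to pull the [security] notes out of
CHANGES when deciding how urgent an upgrade is. The following is an added
example, not part of the BIND distribution. The entry layout, the function
names and the change numbers are assumptions made for illustration; only
the CVE identifiers are taken from the release notes above.

```python
import re
from collections import defaultdict

# Constructed sample. Assumed layout: "<number>.<TAB>[tag]<TAB>text", wrapped
# lines indented, and a "--- <version> released ---" marker above its entries.
SAMPLE_CHANGES = """\
\t--- 9.9.7 released ---
9003.\t[security]\tConstructed entry text. (CVE-2015-1349)
9002.\t[bug]\t\tConstructed entry text.
9001.\t[security]\tConstructed entry text that wraps onto
\t\t\ta second line. (CVE-2014-8500)
\t--- 9.9.6 released ---
9000.\t[func]\t\tConstructed entry text.
"""

ENTRY = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")
RELEASE = re.compile(r"^\s*--- (\S+) released ---\s*$")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_changes(text):
    """Return one dict per change note: number, tag, release, text, cves."""
    entries, release, current = [], None, None
    for line in text.splitlines():
        rel, ent = RELEASE.match(line), ENTRY.match(line)
        if rel:
            release, current = rel.group(1), None
        elif ent:
            current = {"number": int(ent.group(1)), "tag": ent.group(2),
                       "release": release, "text": ent.group(3).strip()}
            entries.append(current)
        elif not line.strip():
            current = None                          # blank line ends a note
        elif current is not None:
            current["text"] += " " + line.strip()   # wrapped continuation
    for e in entries:
        e["cves"] = CVE.findall(e["text"])
    return entries

def security_fixes_by_release(entries):
    """Group [security] notes by the release whose marker precedes them."""
    grouped = defaultdict(list)
    for e in entries:
        if e["tag"] == "security":
            grouped[e["release"]].append(e)
    return dict(grouped)

if __name__ == "__main__":
    for rel, notes in security_fixes_by_release(parse_changes(SAMPLE_CHANGES)).items():
        print(rel, [(n["number"], n["cves"]) for n in notes])
```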

Bug Reports and Mailing Lists

Bug reports should be sent to:

Feature requests can be sent to:

To join or view the archives of the BIND Users mailing list,

    https://lists.isc.org/mailman/listinfo/bind-users

If you're planning on making changes to the BIND 9 source
code, you may also want to join the BIND Workers mailing

    https://lists.isc.org/mailman/listinfo/bind-workers

Information on read-only Git access, coding style and developer
guidelines can be found at:

    http://www.isc.org/git/