1 Summary of functional enhancements from prior major releases of BIND 9:
5 BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
6 releases. New features include:
8 - Built-in trust anchor for the root zone, which can be
9 switched on via "dnssec-validation auto;"
11 - Support for response policy zones (RPZ).
12 - Support for writable DLZ zones.
13 - Improved ease of configuration of GSS/TSIG for
14 interoperability with Active Directory
15 - Support for GOST signing algorithm for DNSSEC.
16 - Removed RTT Banding from server selection algorithm.
17 - New "static-stub" zone type.
18 - Allow configuration of resolver timeouts via
19 "resolver-query-timeout" option.
20 - The DLZ "dlopen" driver is now built by default.
21 - Added a new include file with function typedefs
22 for the DLZ "dlopen" driver.
23 - Made "--with-gssapi" default.
24 - More verbose error reporting from DLZ LDAP.
28 BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
29 releases. Most are intended to simplify DNSSEC configuration.
33 - Fully automatic signing of zones by "named".
34 - Simplified configuration of DNSSEC Lookaside Validation (DLV).
35 - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
36 command line tool or the "local" update-policy option. (As a side
37 effect, this also makes it easier to configure automatic zone
39 - New named option "attach-cache" that allows multiple views to
41 - DNS rebinding attack prevention.
42 - New default values for dnssec-keygen parameters.
43 - Support for RFC 5011 automated trust anchor maintenance
44 - Smart signing: simplified tools for zone signing and key
46 - The "statistics-channels" option is now available on Windows.
47 - A new DNSSEC-aware libdns API for use by non-BIND9 applications
48 - On some platforms, named and other binaries can now print out
49 a stack backtrace on assertion failure, to aid in debugging.
50 - A "tools only" installation mode on Windows, which only installs
51 dig, host, nslookup and nsupdate.
52 - Improved PKCS#11 support, including Keyper support and explicit
53 OpenSSL engine selection.
59 Automatic zone re-signing
61 New update-policy methods tcp-self and 6to4-self
63 The BIND 8 resolver library, libbind, has been removed from the
64 BIND 9 distribution and is now available as a separate download.
66 Change the default pid file location from /var/run to
67 /var/run/{named,lwresd} for improved chroot/setuid support.
71 GSS-TSIG support (RFC 3645).
75 Experimental http server and statistics support for named via xml.
77 More detailed statistics counters including those supported in BIND 8.
79 Faster ACL processing.
81 Use Doxygen to generate internal documentation.
83 Efficient LRU cache-cleaning mechanism.
89 Implemented "additional section caching (or acache)", an
90 internal cache framework for additional section content to
91 improve response performance. Several configuration options
92 were provided to control the behavior.
94 New notify type 'master-only'. Enable notify for master
97 Accept 'notify-source' style syntax for query-source.
99 rndc now allows addresses to be set in the server clauses.
101 New option "allow-query-cache". This lets "allow-query"
102 be used to specify the default zone access level rather
103 than having to have every zone override the global value.
104 "allow-query-cache" can be set at both the options and view
105 levels. If "allow-query-cache" is not set then "allow-recursion"
106 is used if set, otherwise "allow-query" is used if set
107 unless "recursion no;" is set in which case "none;" is used,
108 otherwise the default (localhost; localnets;) is used.
110 rndc: the source address can now be specified.
112 ixfr-from-differences now takes master and slave in addition
113 to yes and no at the options and view levels.
115 Allow the journal's name to be changed via named.conf.
117 'rndc notify zone [class [view]]' resend the NOTIFY messages
118 for the specified zone.
120 'dig +trace' now randomly selects the next servers to try.
121 Report if there is a bad delegation.
123 Improve check-names error messages.
125 Make public the function to read a key file, dst_key_read_public().
127 dig now returns the byte count for axfr/ixfr.
129 allow-update is now settable at the options / view level.
131 named-checkconf now checks the logging configuration.
133 host now can turn on memory debugging flags with '-m'.
135 Don't send notify messages to self.
137 Perform sanity checks on NS records which refer to 'in zone' names.
139 New zone option "notify-delay". Specify a minimum delay
140 between sets of NOTIFY messages.
142 Extend adjusting TTL warning messages.
144 Named and named-checkzone can now both check for non-terminal
147 "rndc freeze/thaw" now freezes/thaws all zones.
149 named-checkconf now check acls to verify that they only
150 refer to existing acls.
152 The server syntax has been extended to support a range of
155 Report differences between hints and real NS rrset and
156 associated address records.
158 Preserve the case of domain names in rdata during zone
161 Restructured the data locking framework using architecture
162 dependent atomic operations (when available), improving
163 response performance on multi-processor machines significantly.
164 x86, x86_64, alpha, powerpc, and mips are currently supported.
166 UNIX domain controls are now supported.
168 Add support for additional zone file formats for improving
169 loading performance. The masterfile-format option in
170 named.conf can be used to specify a non-default format. A
171 separate command named-compilezone was provided to generate
172 zone files in the new format. Additionally, the -I and -O
173 options for dnssec-signzone specify the input and output
176 dnssec-signzone can now randomize signature end times
177 (dnssec-signzone -j jitter).
179 Add support for CH A record.
181 Add additional zone data constancy checks. named-checkzone
182 has extended checking of NS, MX and SRV record and the hosts
183 they reference. named has extended post zone load checks.
184 New zone options: check-mx and integrity-check.
187 edns-udp-size can now be overridden on a per server basis.
189 dig can now specify the EDNS version when making a query.
191 Added framework for handling multiple EDNS versions.
193 Additional memory debugging support to track size and mctx
196 Detect duplicates of UDP queries we are recursing on and
197 drop them. New stats category "duplicates".
199 "USE INTERNAL MALLOC" is now runtime selectable.
201 The lame cache is now done on a <qname,qclass,qtype> basis
202 as some servers only appear to be lame for certain query
205 Limit the number of recursive clients that can be waiting
206 for a single query (<qname,qtype,qclass>) to resolve. New
207 options clients-per-query and max-clients-per-query.
209 dig: report the number of extra bytes still left in the
210 packet after processing all the records.
212 Support for IPSECKEY rdata type.
214 Raise the UDP recieve buffer size to 32k if it is less than 32k.
216 x86 and x86_64 now have seperate atomic locking implementations.
218 named-checkconf now validates update-policy entries.
220 Attempt to make the amount of work performed in a iteration
221 self tuning. The covers nodes clean from the cache per
222 iteration, nodes written to disk when rewriting a master
223 file and nodes destroyed per iteration when destroying a
228 Automatic empty zone creation for D.F.IP6.ARPA and friends.
229 Note: RFC 1918 zones are not yet covered by this but are
230 likely to be in a future release.
232 New options: empty-server, empty-contact, empty-zones-enable
233 and disable-empty-zone.
235 dig now has a '-q queryname' and '+showsearch' options.
237 host/nslookup now continue (default)/fail on SERVFAIL.
239 dig now warns if 'RA' is not set in the answer when 'RD'
240 was set in the query. host/nslookup skip servers that fail
241 to set 'RA' when 'RD' is set unless a server is explicitly
244 Integrate contibuted DLZ code into named.
246 Integrate contibuted IDN code from JPNIC.
248 libbind: corresponds to that from BIND 8.4.7.
252 DNSSEC is now DS based (RFC 3658).
253 See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
255 DNSSEC lookaside validation.
257 check-names is now implemented.
258 rrset-order in more complete.
260 IPv4/IPv6 transition support, dual-stack-servers.
262 IXFR deltas can now be generated when loading master files,
263 ixfr-from-differences.
265 It is now possible to specify the size of a journal, max-journal-size.
267 It is now possible to define a named set of master servers to be
268 used in masters clause, masters.
270 The advertised EDNS UDP size can now be set, edns-udp-size.
272 allow-v6-synthesis has been obsoleted.
275 * Zones containing MD and MF will now be rejected.
276 * dig, nslookup name. now report "Not Implemented" as
277 NOTIMP rather than NOTIMPL. This will have impact on scripts
278 that are looking for NOTIMPL.
280 libbind: corresponds to that from BIND 8.4.5.
284 The size of the cache can now be limited using the
285 "max-cache-size" option.
287 The server can now automatically convert RFC1886-style recursive
288 lookup requests into RFC2874-style lookups, when enabled using the
289 new option "allow-v6-synthesis". This allows stub resolvers that
290 support AAAA records but not A6 record chains or binary labels to
291 perform lookups in domains that make use of these IPv6 DNS
294 Performance has been improved.
296 The man pages now use the more portable "man" macros rather than
297 the "mandoc" macros, and are installed by "make install".
299 The named.conf parser has been completely rewritten. It now
300 supports "include" directives in more places such as inside "view"
301 statements, and it no longer has any reserved words.
303 The "rndc status" command is now implemented.
305 rndc can now be configured automatically.
307 A BIND 8 compatible stub resolver library is now included in
310 OpenSSL has been removed from the distribution. This means that to
311 use DNSSEC, OpenSSL must be installed and the --with-openssl option
312 must be supplied to configure. This does not apply to the use of
313 TSIG, which does not require OpenSSL.
315 The source distribution now builds on Windows. See
316 win32utils/readme1.txt and win32utils/win32-build.txt for details.
318 This distribution also includes a new lightweight stub
319 resolver library and associated resolver daemon that fully
320 support forward and reverse lookups of both IPv4 and IPv6
321 addresses. This library is considered experimental and
322 is not a complete replacement for the BIND 8 resolver library.
323 Applications that use the BIND 8 res_* functions to perform
324 DNS lookups or dynamic updates still need to be linked against
325 the BIND 8 libraries. For DNS lookups, they can also use the
326 new "getrrsetbyname()" API.
328 BIND 9.2 is capable of acting as an authoritative server
329 for DNSSEC secured zones. This functionality is believed to
330 be stable and complete except for lacking support for
331 verifications involving wildcard records in secure zones.
333 When acting as a caching server, BIND 9.2 can be configured
334 to perform DNSSEC secure resolution on behalf of its clients.
335 This part of the DNSSEC implementation is still considered
336 experimental. For detailed information about the state of the
337 DNSSEC implementation, see the file doc/misc/dnssec.
339 There are a few known bugs:
341 On some systems, IPv6 and IPv4 sockets interact in
342 unexpected ways. For details, see doc/misc/ipv6.
343 To reduce the impact of these problems, the server
344 no longer listens for requests on IPv6 addresses
345 by default. If you need to accept DNS queries over
346 IPv6, you must specify "listen-on-v6 { any; };"
347 in the named.conf options statement.
349 FreeBSD prior to 4.2 (and 4.2 if running as non-root)
350 and OpenBSD prior to 2.8 log messages like
351 "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
352 This is due to a bug in "/dev/random" and impacts the
353 server's DNSSEC support.
355 OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
356 OS X 10.2 (Darwin 6.0) reports errors like
357 "fcntl(3, F_SETFL, 4): Operation not supported by device".
358 This is due to a bug in "/dev/random" and impacts the
359 server's DNSSEC support.
361 --with-libtool does not work on AIX.
363 A bug in some versions of the Microsoft DNS server can cause zone
364 transfers from a BIND 9 server to a W2K server to fail. For details,
365 see the "Zone Transfers" section in doc/misc/migration.