3 BIND version 9 is a major rewrite of nearly all aspects of the
4 underlying BIND architecture. Some of the important features of
9 TSIG (signed DNS requests)
12 Answers DNS queries on IPv6 sockets
13 IPv6 resource records (AAAA)
14 Experimental IPv6 Resolver Library
16 - DNS Protocol Enhancements
17 IXFR, DDNS, Notify, EDNS0
18 Improved standards conformance
21 One server process can provide multiple "views" of
22 the DNS namespace, e.g. an "inside" view to certain
23 clients, and an "outside" view to others.
25 - Multiprocessor Support
27 - Improved Portability Architecture
30 BIND version 9 development has been underwritten by the following
33 Sun Microsystems, Inc.
35 Compaq Computer Corporation
37 Process Software Corporation
38 Silicon Graphics, Inc.
39 Network Associates, Inc.
40 U.S. Defense Information Systems Agency
42 Stichting NLnet - NLnet Foundation
48 BIND 9.4.2 is a maintenance release, containing fixes for
49 a number of bugs in 9.4.1.
51 Warning: If you installed BIND 9.4.2rc1 then any applications
52 linked against this release candidate will need to be rebuilt.
56 BIND 9.4.1 is a security release, containing a fix for
57 a security bugs in 9.4.0.
61 BIND 9.4.0 has a number of new features over 9.3,
64 Implemented "additional section caching" (or "acache"), an
65 internal cache framework for additional section content to
66 improve response performance. Several configuration options
67 were provided to control the behavior.
69 New notify type 'master-only'. Enable notify for master
72 Accept 'notify-source' style syntax for query-source.
74 rndc now allows addresses to be set in the server clauses.
76 New option "allow-query-cache". This lets allow-query be
77 used to specify the default zone access level rather than
78 having to have every zone override the global value.
79 allow-query-cache can be set at both the options and view
80 levels. If allow-query-cache is not set then allow-recursion
81 is used if set, otherwise allow-query is used if set, otherwise
82 the default (localhost; localnets;) is used.
84 rndc: the source address can now be specified.
86 ixfr-from-differences now takes master and slave in addition
87 to yes and no at the options and view levels.
89 Allow the journal's name to be changed via named.conf.
91 'rndc notify zone [class [view]]' resend the NOTIFY messages
92 for the specified zone.
94 'dig +trace' now randomly selects the next servers to try.
95 Report if there is a bad delegation.
97 Improve check-names error messages.
99 Make public the function to read a key file, dst_key_read_public().
101 dig now returns the byte count for axfr/ixfr.
103 allow-update is now settable at the options / view level.
105 named-checkconf now checks the logging configuration.
107 host now can turn on memory debugging flags with '-m'.
109 Don't send notify messages to self.
111 Perform sanity checks on NS records which refer to 'in zone' names.
113 New zone option "notify-delay". Specify a minimum delay
114 between sets of NOTIFY messages.
116 Extend adjusting TTL warning messages.
118 Named and named-checkzone can now both check for non-terminal
121 "rndc freeze/thaw" now freezes/thaws all zones.
123 named-checkconf now check acls to verify that they only
124 refer to existing acls.
126 The server syntax has been extended to support a range of
129 Report differences between hints and real NS rrset and
130 associated address records.
132 Preserve the case of domain names in rdata during zone
135 Restructured the data locking framework using architecture
136 dependent atomic operations (when available), improving
137 response performance on multi-processor machines significantly.
138 x86, x86_64, alpha, powerpc, and mips are currently supported.
140 UNIX domain controls are now supported.
142 Add support for additional zone file formats for improving
143 loading performance. The masterfile-format option in
144 named.conf can be used to specify a non-default format. A
145 separate command named-compilezone was provided to generate
146 zone files in the new format. Additionally, the -I and -O
147 options for dnssec-signzone specify the input and output
150 dnssec-signzone can now randomize signature end times
151 (dnssec-signzone -j jitter).
153 Add support for CH A record.
155 Add additional zone data consistancy checks. named-checkzone
156 has extended checking of NS, MX and SRV record and the hosts
157 they reference. named has extended post zone load checks.
158 New zone options: check-mx and integrity-check.
160 edns-udp-size can now be overridden on a per server basis.
162 dig can now specify the EDNS version when making a query.
164 Added framework for handling multiple EDNS versions.
166 Additional memory debugging support to track size and mctx
169 Detect duplicates of UDP queries we are recursing on and
170 drop them. New stats category "duplicates".
172 Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
174 The lame cache is now done on a <qname,qclass,qtype> basis
175 as some servers only appear to be lame for certain query
178 Limit the number of recursive clients that can be waiting
179 for a single query (<qname,qtype,qclass>) to resolve. New
180 options clients-per-query and max-clients-per-query.
182 dig: report the number of extra bytes still left in the
183 packet after processing all the records.
185 Support for IPSECKEY rdata type.
187 Raise the UDP receive buffer size to 32k if it is less than 32k.
189 x86 and x86_64 now have separate atomic locking implementations.
191 named-checkconf now validates update-policy entries.
193 Attempt to make the amount of work performed in a iteration
194 self tuning. The covers nodes clean from the cache per
195 iteration, nodes written to disk when rewriting a master
196 file and nodes destroyed per iteration when destroying a
201 Automatic empty zone creation for D.F.IP6.ARPA and friends.
202 Note: RFC 1918 zones are not yet covered by this but are
203 likely to be in a future release.
205 New options: empty-server, empty-contact, empty-zones-enable
206 and disable-empty-zone.
208 dig now has a '-q queryname' and '+showsearch' options.
210 host/nslookup now continue (default)/fail on SERVFAIL.
212 dig now warns if 'RA' is not set in the answer when 'RD'
213 was set in the query. host/nslookup skip servers that fail
214 to set 'RA' when 'RD' is set unless a server is explicitly
217 Integrate contributed DLZ code into named.
219 Integrate contributed IDN code from JPNIC.
221 Validate pending NS RRsets, in the authority section, prior
222 to returning them if it can be done without requiring DNSKEYs
225 It is now possible to configure named to accept expired
226 RRSIGs. Default "dnssec-accept-expired no;". Setting
227 "dnssec-accept-expired yes;" leaves named vulnerable to
230 Additional memory leakage checks.
232 The maximum EDNS UDP response named will send can now be
233 set in named.conf (max-udp-size). This is independent of
234 the advertised receive buffer (edns-udp-size).
236 Named now falls back to advertising EDNS with a 512 byte
237 receive buffer if the initial EDNS queries fail.
239 Control the zeroing of the negative response TTL to a soa
240 query. Defaults "zero-no-soa-ttl yes;" and
241 "zero-no-soa-ttl-cache no;".
243 Separate out MX and SRV to CNAME checks.
245 dig/nslookup/host: warn about missing "QR".
247 TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
250 dnssec-signzone: output the SOA record as the first record
253 Two new update policies. "selfsub" and "selfwild".
255 dig, nslookup and host now advertise a 4096 byte EDNS UDP
256 buffer size by default.
258 Report when a zone is removed.
260 DS/DLV SHA256 digest algorithm support.
262 Implement "rrset-order fixed".
264 Check the KSK flag when updating a secure dynamic zone.
265 New zone option "update-check-ksk yes;".
267 It is now possible to explicitly enable DNSSEC validation.
268 default dnssec-validation no; to be changed to yes in 9.5.0.
270 It is now possible to enable/disable DNSSEC validation
271 from rndc. This is useful for the mobile hosts where the
272 current connection point breaks DNSSEC (firewall/proxy).
274 rndc validation newstate [view]
276 dnssec-signzone can now update the SOA record of the signed
277 zone, either as an increment or as the system time().
279 Statistics about acache now recorded and sent to log.
281 libbind: corresponds to that from BIND 8.4.7.
285 BIND 9.3.0 has a number of new features over 9.2,
288 DNSSEC is now DS based (RFC 3658).
289 See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
291 DNSSEC lookaside validation.
293 check-names is now implemented.
294 rrset-order in more complete.
296 IPv4/IPv6 transition support, dual-stack-servers.
298 IXFR deltas can now be generated when loading master files,
299 ixfr-from-differences.
301 It is now possible to specify the size of a journal, max-journal-size.
303 It is now possible to define a named set of master servers to be
304 used in masters clause, masters.
306 The advertised EDNS UDP size can now be set, edns-udp-size.
308 allow-v6-synthesis has been obsoleted.
311 * Zones containing MD and MF will now be rejected.
312 * dig, nslookup name. now report "Not Implemented" as
313 NOTIMP rather than NOTIMPL. This will have impact on scripts
314 that are looking for NOTIMPL.
316 libbind: corresponds to that from BIND 8.4.5.
320 BIND 9.2.0 has a number of new features over 9.1,
323 - The size of the cache can now be limited using the
324 "max-cache-size" option.
326 - The server can now automatically convert RFC1886-style
327 recursive lookup requests into RFC2874-style lookups,
328 when enabled using the new option "allow-v6-synthesis".
329 This allows stub resolvers that support AAAA records
330 but not A6 record chains or binary labels to perform
331 lookups in domains that make use of these IPv6 DNS
334 - Performance has been improved.
336 - The man pages now use the more portable "man" macros
337 rather than the "mandoc" macros, and are installed
340 - The named.conf parser has been completely rewritten.
341 It now supports "include" directives in more
342 places such as inside "view" statements, and it no
343 longer has any reserved words.
345 - The "rndc status" command is now implemented.
347 - rndc can now be configured automatically.
349 - A BIND 8 compatible stub resolver library is now
350 included in lib/bind.
352 - OpenSSL has been removed from the distribution. This
353 means that to use DNSSEC, OpenSSL must be installed and
354 the --with-openssl option must be supplied to configure.
355 This does not apply to the use of TSIG, which does not
358 - The source distribution now builds on Windows NT/2000.
359 See win32utils/readme1.txt and win32utils/win32-build.txt
362 This distribution also includes a new lightweight stub
363 resolver library and associated resolver daemon that fully
364 support forward and reverse lookups of both IPv4 and IPv6
365 addresses. This library is considered experimental and
366 is not a complete replacement for the BIND 8 resolver library.
367 Applications that use the BIND 8 res_* functions to perform
368 DNS lookups or dynamic updates still need to be linked against
369 the BIND 8 libraries. For DNS lookups, they can also use the
370 new "getrrsetbyname()" API.
372 BIND 9.2 is capable of acting as an authoritative server
373 for DNSSEC secured zones. This functionality is believed to
374 be stable and complete except for lacking support for
375 verifications involving wildcard records in secure zones.
377 When acting as a caching server, BIND 9.2 can be configured
378 to perform DNSSEC secure resolution on behalf of its clients.
379 This part of the DNSSEC implementation is still considered
380 experimental. For detailed information about the state of the
381 DNSSEC implementation, see the file doc/misc/dnssec.
383 There are a few known bugs:
385 On some systems, IPv6 and IPv4 sockets interact in
386 unexpected ways. For details, see doc/misc/ipv6.
387 To reduce the impact of these problems, the server
388 no longer listens for requests on IPv6 addresses
389 by default. If you need to accept DNS queries over
390 IPv6, you must specify "listen-on-v6 { any; };"
391 in the named.conf options statement.
393 FreeBSD prior to 4.2 (and 4.2 if running as non-root)
394 and OpenBSD prior to 2.8 log messages like
395 "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
396 This is due to a bug in "/dev/random" and impacts the
397 server's DNSSEC support.
399 OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
400 OS X 10.2 (Darwin 6.0) reports errors like
401 "fcntl(3, F_SETFL, 4): Operation not supported by device".
402 This is due to a bug in "/dev/random" and impacts the
403 server's DNSSEC support.
405 --with-libtool does not work on AIX.
407 --with-libtool does not work on SunOS 4. configure
408 requires "printf" which is not available.
410 A bug in the Windows 2000 DNS server can cause zone transfers
411 from a BIND 9 server to a W2K server to fail. For details,
412 see the "Zone Transfers" section in doc/misc/migration.
414 For a detailed list of user-visible changes from
415 previous releases, see the CHANGES file.
420 BIND 9 currently requires a UNIX system with an ANSI C compiler,
421 basic POSIX support, and a 64 bit integer type.
423 We've had successful builds and tests on the following systems:
425 COMPAQ Tru64 UNIX 5.1B
426 FreeBSD 4.10, 5.2.1, 6.2
430 Solaris 8, 9, 9 (x86)
431 Windows NT/2000/XP/2003
433 Additionally, we have unverified reports of success building
434 previous versions of BIND 9 from users of the following systems:
438 Slackware Linux 7.x, 8.0
440 Debian GNU/Linux 2.2 and 3.0
442 OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
446 Mac OS X 10.1, 10.3.8
453 Do not use a parallel "make".
455 Several environment variables that can be set before running
456 configure will affect compilation:
459 The C compiler to use. configure tries to figure
460 out the right one for supported systems.
463 C compiler flags. Defaults to include -g and/or -O2
464 as supported by the compiler.
467 System header file directories. Can be used to specify
468 where add-on thread or IPv6 support is, for example.
469 Defaults to empty string.
472 Any additional preprocessor symbols you want defined.
473 Defaults to empty string.
476 Change the default syslog facility of named/lwresd.
477 -DISC_FACILITY=LOG_LOCAL0
478 Enable DNSSEC signature chasing support in dig.
479 -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
481 Disable dropping queries from particular well known ports.
482 -DNS_CLIENT_DROPPORT=0
483 Disable support for "rrset-order fixed".
484 -DDNS_RDATASET_FIXED=0
487 Linker flags. Defaults to empty string.
489 The following need to be set when cross compiling.
492 The native C compiler.
493 BUILD_CFLAGS (optional)
494 BUILD_CPPFLAGS (optional)
496 -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
497 BUILD_LDFLAGS (optional)
498 BUILD_LIBS (optional)
500 To build shared libraries, specify "--with-libtool" on the
501 configure command line.
503 For the server to support DNSSEC, you need to build it
504 with crypto support. You must have OpenSSL 0.9.5a
505 or newer installed and specify "--with-openssl" on the
506 configure command line. If OpenSSL is installed under
507 a nonstandard prefix, you can tell configure where to
508 look for it using "--with-openssl=/prefix".
510 To build libbind (the BIND 8 resolver library), specify
511 "--enable-libbind" on the configure command line.
513 On some platforms, BIND 9 can be built with multithreading
514 support, allowing it to take advantage of multiple CPUs.
515 You can specify whether to build a multithreaded BIND 9
516 by specifying "--enable-threads" or "--disable-threads"
517 on the configure command line. The default is operating
520 If your operating system has integrated support for IPv6, it
521 will be used automatically. If you have installed KAME IPv6
522 separately, use "--with-kame[=PATH]" to specify its location.
524 "make install" will install "named" and the various BIND 9 libraries.
525 By default, installation is into /usr/local, but this can be changed
526 with the "--prefix" option when running "configure".
528 You may specify the option "--sysconfdir" to set the directory
529 where configuration files like "named.conf" go by default,
530 and "--localstatedir" to set the default parent directory
531 of "run/named.pid". For backwards compatibility with BIND 8,
532 --sysconfdir defaults to "/etc" and --localstatedir defaults to
533 "/var" if no --prefix option is given. If there is a --prefix
534 option, sysconfdir defaults to "$prefix/etc" and localstatedir
535 defaults to "$prefix/var".
537 To see additional configure options, run "configure --help".
538 Note that the help message does not reflect the BIND 8
539 compatibility defaults for sysconfdir and localstatedir.
541 If you're planning on making changes to the BIND 9 source, you
542 should also "make depend". If you're using Emacs, you might find
545 If you need to re-run configure please run "make distclean" first.
546 This will ensure that all the option changes take.
548 Building with gcc is not supported, unless gcc is the vendor's usual
549 compiler (e.g. the various BSD systems, Linux).
551 Known compiler issues:
552 * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
553 * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
554 * gcc-3.3.5 powerpc generates incorrect code at -02.
555 * Irix, MipsPRO 7.4.1m is known to cause problems.
557 A limited test suite can be run with "make test". Many of
558 the tests require you to configure a set of virtual IP addresses
559 on your system, and some require Perl; see bin/tests/system/README
565 The BIND 9 Administrator Reference Manual is included with the
566 source distribution in DocBook XML and HTML format, in the
569 Some of the programs in the BIND 9 distribution have man pages
570 in their directories. In particular, the command line
571 options of "named" are documented in /bin/named/named.8.
572 There is now also a set of man pages for the lwres library.
574 If you are upgrading from BIND 8, please read the migration
575 notes in doc/misc/migration. If you are upgrading from
576 BIND 4, read doc/misc/migration-4to9.
578 Frequently asked questions and their answers can be found in
582 Bug Reports and Mailing Lists
584 Bugs reports should be sent to
588 To join the BIND Users mailing list, send mail to
590 bind-users-request@isc.org
592 archives of which can be found via
594 http://www.isc.org/ops/lists/
596 If you're planning on making changes to the BIND 9 source
597 code, you might want to join the BIND Forum as a Worker.
598 This gives you access to the bind-workers@isc.org mailing
599 list and pre-release access to the code.
601 http://www.isc.org/sw/guild/bf/
projects / FreeBSD / FreeBSD.git / blob