BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

TSIG (signed DNS requests)

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Sun Microsystems, Inc.
Compaq Computer Corporation
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
Stichting NLnet - NLnet Foundation

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.6-ESV-R8 (Extended Support Version)

BIND 9.6-ESV-R8 includes several bug fixes and patches security
flaws described in CVE-2012-1667, CVE-2012-3817 and CVE-2012-4244.

BIND 9.6-ESV-R7 (Extended Support Version)

BIND 9.6-ESV-R7 is a maintenance release, fixing bugs in BIND

BIND 9.6-ESV-R6 (Extended Support Version)

BIND 9.6-ESV-R6 includes a number of bug fixes and prevents a
security problem described in CVE-2011-4313.

BIND 9.6-ESV-R5 (Extended Support Version)

BIND 9.6-ESV-R5 is a maintenance release, fixing bugs in BIND

BIND 9.6.3/BIND 9.6-ESV-R4

BIND 9.6.3/BIND 9.6-ESV-R4 is a maintenance release, fixing bugs

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.
BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
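
The fallback chain for "allow-query-cache" described above, as an added example (not code from the BIND distribution): a Python audit that works out which ACL ends up governing cache access for one options block and flags the case where it admits any client. The function names and sample configurations are constructed for illustration; the parser covers only flat statements, and the code assumes "recursion no;" takes precedence over "allow-query" but not over "allow-recursion".

```python
import re

# Settings named in the text above, in the order the fallback consults them.
ACL_KEYS = ("allow-query-cache", "allow-recursion", "allow-query")
DEFAULT_ACL = ["localhost", "localnets"]


def parse_options(text):
    """Collect the relevant statements from one options (or view) body.

    Handles only flat 'name { a; b; };' ACLs and 'recursion yes|no;'.
    """
    # Drop /* */, // and # comments so commented-out settings are ignored.
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", text, flags=re.S)
    found = {}
    for key in ACL_KEYS:
        # The lookbehind rejects a match that starts inside a longer name.
        m = re.search(r"(?<![\w-])%s\s*\{([^{}]*)\}\s*;" % re.escape(key), text)
        if m:
            found[key] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    if m:
        found["recursion"] = m.group(1)
    return found


def effective_cache_acl(opts):
    """Return (acl, source) for cache access, following the chain above."""
    if "allow-query-cache" in opts:
        return opts["allow-query-cache"], "allow-query-cache"
    if "allow-recursion" in opts:
        return opts["allow-recursion"], "allow-recursion"
    if opts.get("recursion") == "no":  # assumed to outrank allow-query
        return ["none"], "recursion no"
    if "allow-query" in opts:
        return opts["allow-query"], "allow-query"
    return list(DEFAULT_ACL), "default"


def audit(text):
    """Report the effective ACL and whether it admits every client."""
    acl, source = effective_cache_acl(parse_options(text))
    return {"acl": acl, "source": source, "open": "any" in acl}


# Constructed samples, not taken from any real server.
SAMPLE_INHERITED = "options { allow-query { any; }; };"
SAMPLE_EXPLICIT = """
options {
    allow-query { any; };
    // allow-query-cache { any; };   commented out, must be ignored
    allow-query-cache { localhost; 192.0.2.0/24; };
};
"""
SAMPLE_NO_RECURSION = "options { recursion no; allow-query { any; }; };"

if __name__ == "__main__":
    for cfg in (SAMPLE_INHERITED, SAMPLE_EXPLICIT, SAMPLE_NO_RECURSION):
        print(audit(cfg))
```

The first sample shows the case worth checking on a server meant to be authoritative only: a world-open "allow-query" with nothing else set also becomes the cache ACL.
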
rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
FreeBSD 4.10, 5.2.1, 6.2
NetBSD 3.x and 4.0-beta
Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

Red Hat Enterprise Linux 4, 5
Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
    -DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and

Disable dropping queries from particular well known ports.
    -DNS_CLIENT_DROPPORT=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check, set -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default, set -DCHECK_LOCAL=0
To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.

Enable workaround for Solaris kernel bug about /dev/poll
    -DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
    -DISC_SOCKET_POLLWATCH_TIMEOUT=20

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)

-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles
The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

bind-users-request@isc.org

archives of which can be found via

http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

bind-workers-request@isc.org