BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes

BIND 9.6-ESV-R7 (Extended Support Version)

BIND 9.4-ESV-R7 is a maintenance release, fixing bugs in BIND

BIND 9.6-ESV-R6 (Extended Support Version)

BIND 9.6-ESV-R6 includes a number of bug fixes and prevents a
security problem described in CVE-2011-4313.

BIND 9.6-ESV-R5 (Extended Support Version)

BIND 9.4-ESV-R5 is a maintenance release, fixing bugs in BIND

BIND 9.6.3/BIND 9.6-ESV-R4

BIND 9.6.3/BIND 9.6-ESV-R4 is a maintenance release, fixing bugs

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys
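
A check for the trust-anchor caution above, as an added example (not part of the BIND distribution): it parses "trusted-keys" entries and computes each key's RFC 4034 key tag so the configured anchors can be compared with the tags the zone operator currently publishes. The sample configuration, its short key data, the "published" input and the function names are constructed for illustration.

```python
import base64
import re

# One entry inside trusted-keys: "zone." flags protocol algorithm "base64";
ENTRY_RE = re.compile(r'"?([\w.-]+)"?\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')
BLOCK_RE = re.compile(r'trusted-keys\s*\{(.*?)\}\s*;', re.S)

# Constructed sample; the key data is far too short to be a real key.
SAMPLE_CONF = '''
trusted-keys {
    "example." 257 3 5 "AQID";
    "stale.example." 257 3 5 "AQID BAUG";
};
'''


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_trusted_keys(conf_text):
    """Return {zone: [key tag, ...]} for every trusted-keys entry.

    Simplification: comments inside the statement are not stripped.
    """
    tags = {}
    for block in BLOCK_RE.findall(conf_text):
        for zone, flags, proto, alg, b64 in ENTRY_RE.findall(block):
            # Key data may be split by whitespace; reject non-base64 input.
            key = base64.b64decode("".join(b64.split()), validate=True)
            tag = key_tag(int(flags), int(proto), int(alg), key)
            tags.setdefault(zone.lower(), []).append(tag)
    return tags


def audit(conf_text, published):
    """List configured anchors that do not match the published key tags.

    `published` maps zone -> set of current key tags, obtained out of band
    from the zone operator (assumed input, not something BIND provides).
    """
    problems = []
    for zone, tags in sorted(parse_trusted_keys(conf_text).items()):
        current = published.get(zone, set())
        for tag in tags:
            if tag not in current:
                problems.append((zone, tag, "not a current key tag"))
    return problems


if __name__ == "__main__":
    for zone, tag, why in audit(SAMPLE_CONF, {"example.": {2056}}):
        print(f"{zone} key tag {tag}: {why}")
```

A key tag is a 16-bit checksum, not a cryptographic digest, so a match catches typos and stale keys but the full key data should still be compared against an authenticated source.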

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x and 4.0-beta
    Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    Red Hat Enterprise Linux 4, 5

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
    -DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
Disable dropping queries from particular well known ports.
    -DNS_CLIENT_DROPPORT=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check, set -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default, set -DCHECK_LOCAL=0
To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.
Enable workaround for Solaris kernel bug about /dev/poll
    -DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
    -DISC_SOCKET_POLLWATCH_TIMEOUT=20

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
    -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

    bind-users-request@isc.org

archives of which can be found via

    http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

    bind-workers-request@isc.org