BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

BIND 9.6-ESV (Extended Support Version)

BIND 9.6-ESV will be supported until March 31, 2013, at
which time you will need to upgrade to the current release

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
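
An added named.conf sketch (not part of the BIND distribution) that sets "allow-query-cache" explicitly at both the options and view levels rather than relying on the fallback chain above, using an "inside"/"outside" view split as the setting. The ACL name, addresses, zone name and file paths are constructed placeholders.

```conf
// Constructed example: ACL name, addresses, zone name and paths are placeholders.
acl "internal-nets" { 192.0.2.0/24; 2001:db8:1::/48; };

options {
    directory "/var/named";

    // Authoritative zone data may be queried by anyone ...
    allow-query { any; };

    // ... but cached answers are denied unless a view grants them.
    // If this line were absent, the fallback described above would apply:
    // allow-recursion if set, otherwise allow-query if set, "none;" when
    // "recursion no;" is set, otherwise (localhost; localnets;).
    allow-query-cache { none; };
};

// Views are matched in order, so the restricted view comes first.
view "inside" {
    match-clients { "internal-nets"; localhost; };
    recursion yes;
    allow-recursion   { "internal-nets"; localhost; };
    allow-query-cache { "internal-nets"; localhost; };  // view-level override

    zone "example.com" {
        type master;
        file "inside/example.com.db";
    };
};

view "outside" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };  // stated explicitly rather than inferred

    zone "example.com" {
        type master;
        file "outside/example.com.db";
    };
};
```

Running named-checkconf against the file catches syntax errors and ACL references that do not exist before named loads it.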

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x and 4.0-beta
    Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    Red Hat Enterprise Linux 4, 5

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Change the default syslog facility of named/lwresd.
        -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
    Disable dropping queries from particular well known ports.
        -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/ set.
    Enable workaround for Solaris kernel bug about /dev/poll
        -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

    bind-users-request@isc.org

archives of which can be found via

    http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

    bind-workers-request@isc.org