BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

BIND 9.6-ESV-R5 (Extended Support Version)

BIND 9.4-ESV-R5 is a maintenance release, fixing bugs in BIND

BIND 9.6.3/BIND 9.6-ESV-R4

BIND 9.6.3/BIND 9.6-ESV-R4 is a maintenance release, fixing bugs

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.

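Added example (not part of the BIND distribution or ISC's code): a small Python audit helper that applies the "allow-query-cache" fallback described above to the body of an options or view block and flags a cache that ends up readable by "any". It assumes view-level statements override options-level ones, that "recursion no;" is checked before "allow-query", and flat address match lists; the function names and sample configuration are constructed for illustration.

```python
import re

# Fallback chain for the cache ACL as read from the paragraph above.
DEFAULT_ACL = ["localhost", "localnets"]
ACL_STMT = re.compile(
    r"\b(allow-query-cache|allow-recursion|allow-query)\s*\{([^}]*)\}\s*;")
RECURSION = re.compile(r"\brecursion\s+(yes|no)\s*;")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

def parse_block(text):
    """Pull the four relevant statements out of one options/view body.
    Handles flat address match lists only (no nested braces)."""
    text = COMMENT.sub("", text)
    found = {}
    for name, body in ACL_STMT.findall(text):
        found[name] = [e.strip() for e in body.split(";") if e.strip()]
    m = RECURSION.search(text)
    if m:
        found["recursion"] = m.group(1)
    return found

def effective_cache_acl(options, view=None):
    """Return (deciding statement, ACL) for access to cached data."""
    cfg = {**options, **(view or {})}  # assumption: view overrides options
    if "allow-query-cache" in cfg:
        return "allow-query-cache", cfg["allow-query-cache"]
    if "allow-recursion" in cfg:
        return "allow-recursion", cfg["allow-recursion"]
    if cfg.get("recursion") == "no":   # assumption: checked before allow-query
        return "recursion no", ["none"]
    if "allow-query" in cfg:
        return "allow-query", cfg["allow-query"]
    return "default", DEFAULT_ACL

def audit(options_text, view_text=""):
    """Resolve the cache ACL and flag it when it admits any client."""
    source, acl = effective_cache_acl(parse_block(options_text),
                                      parse_block(view_text))
    return {"source": source, "acl": acl, "open_cache": "any" in acl}

# Constructed sample: allow-query was opened for the authoritative zones,
# and with no allow-query-cache it also governs the cache.
INHERITED = """
    directory "/var/named";
    recursion yes;
    allow-query { any; };   // meant for the zones we serve
"""
# Same options with the cache ACL set explicitly.
EXPLICIT = INHERITED + "    allow-query-cache { localhost; localnets; };\n"

if __name__ == "__main__":
    for label, text in (("inherited", INHERITED), ("explicit", EXPLICIT)):
        print(label, audit(text))
```
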
rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x and 4.0-beta
    Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    Red Hat Enterprise Linux 4, 5

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Change the default syslog facility of named/lwresd.
      -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
      -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
    Disable dropping queries from particular well known ports.
      -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/ set.
    Enable workaround for Solaris kernel bug about /dev/poll
      -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
      -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
      -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

    bind-users-request@isc.org

archives of which can be found via

    http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

    bind-workers-request@isc.org