BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

TSIG (signed DNS requests)

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Sun Microsystems, Inc.
Compaq Computer Corporation
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
Stichting NLnet - NLnet Foundation
BIND 9.4.1-P1 is a security release, containing fixes for
security bugs in BIND 9.4.1.

BIND 9.4.1 is a security release, containing a fix for a
security bug in 9.4.0.
BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching" (or "acache"), an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets allow-query be
used to specify the default zone access level rather than
having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels. If allow-query-cache is not set allow-query applies.

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now checks acls to verify that they only
refer to existing acls.
The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.
Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in an iteration
self-tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

Validate pending NS RRsets, in the authority section, prior
to returning them if it can be done without requiring DNSKEYs

It is now possible to configure named to accept expired
RRSIGs. Default "dnssec-accept-expired no;". Setting
"dnssec-accept-expired yes;" leaves named vulnerable to

Additional memory leakage checks.

The maximum EDNS UDP response named will send can now be
set in named.conf (max-udp-size). This is independent of
the advertised receive buffer (edns-udp-size).

Named now falls back to advertising EDNS with a 512 byte
receive buffer if the initial EDNS queries fail.

Control the zeroing of the negative response TTL to a SOA
query. The defaults are "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;".
Separate out MX and SRV to CNAME checks.

dig/nslookup/host: warn about missing "QR".

TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and

dnssec-signzone: output the SOA record as the first record

Two new update policies. "selfsub" and "selfwild".

dig, nslookup and host now advertise a 4096 byte EDNS UDP
buffer size by default.

Report when a zone is removed.

DS/DLV SHA256 digest algorithm support.

Implement "rrset-order fixed".

Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;".

It is now possible to explicitly enable DNSSEC validation.
The default is "dnssec-validation no;", to be changed to yes in 9.5.0.
It is now possible to enable/disable DNSSEC validation
from rndc. This is useful for the mobile hosts where the
current connection point breaks DNSSEC (firewall/proxy).

rndc validation newstate [view]

dnssec-signzone can now update the SOA record of the signed
zone, either as an increment or as the system time().

Statistics about acache now recorded and sent to log.

libbind: corresponds to that from BIND 8.4.7.
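As an added example (not part of the BIND distribution), the named.conf fragment below combines several of the 9.4 options listed above with the "inside"/"outside" views described in the introduction: the cache is reachable only from internal clients even though the zone data is public, expired RRSIGs are rejected, and the selfsub policy lets a TSIG key update only its own name and names below it. The addresses, zone and key names, file paths and the TSIG secret are placeholders.

```conf
// Added example, not part of the BIND distribution. Addresses, zone
// and key names, paths and the TSIG secret are placeholders.
acl internal { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";
    listen-on-v6 { any; };          // IPv6 listening is not on unless configured
    edns-udp-size 4096;             // advertised receive buffer
    max-udp-size 1400;              // largest EDNS reply named sends, set independently
    clients-per-query 10;           // recursing clients waiting on one <qname,qtype,qclass>
    max-clients-per-query 100;
    dnssec-enable yes;
    dnssec-validation yes;          // 9.4 default is "no"; trust anchors omitted here
    dnssec-accept-expired no;       // "yes" would accept expired RRSIGs
    zero-no-soa-ttl yes;
    zero-no-soa-ttl-cache no;
    empty-zones-enable yes;         // D.F.IP6.ARPA and friends answered locally
};

key "host1.example.net." { algorithm hmac-sha256; secret "<placeholder-base64-secret>"; };

// 9.4 accepts an address range in a server clause: advertise a small EDNS buffer to one network
server 198.51.100.0/24 { edns-udp-size 512; };

view "inside" {
    match-clients { internal; };
    recursion yes;
    allow-query { any; };
    allow-query-cache { internal; };  // if left unset, allow-query would govern cache access
    zone "example.net" {
        type master;
        file "example.net.db";
        ixfr-from-differences yes;
        notify-delay 5;
        check-mx warn;
        update-check-ksk yes;
        update-policy { grant host1.example.net. selfsub host1.example.net. A AAAA TXT; };
    };
};

view "outside" {
    match-clients { any; };
    recursion no;
    allow-query { any; };            // authoritative answers only
    allow-query-cache { none; };     // no cached data for outside clients
    zone "example.net" {
        type master;
        file "example.net.db";
    };
};
```

named-checkconf (which in 9.4 also validates the update-policy entries and acl references) can be run over such a file before it is loaded, and "rndc validation off" would later disable validation at runtime if a network path breaks DNSSEC.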
BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.
* Zones containing MD and MF will now be rejected.
* dig and nslookup now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will impact scripts
that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
"max-cache-size" option.

- The server can now automatically convert RFC1886-style
recursive lookup requests into RFC2874-style lookups,
when enabled using the new option "allow-v6-synthesis".
This allows stub resolvers that support AAAA records
but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
It now supports "include" directives in more
places such as inside "view" statements, and it no
longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
included in lib/bind.

- OpenSSL has been removed from the distribution. This
means that to use DNSSEC, OpenSSL must be installed and
the --with-openssl option must be supplied to configure.
This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows NT/2000.
See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.
There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
--with-libtool does not work on AIX.

--with-libtool does not work on SunOS 4. configure
requires "printf" which is not available.

A bug in the Windows 2000 DNS server can cause zone transfers
from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
Solaris 8, 9, 9 (x86)
Windows NT/2000/XP/2003

Additionally, we have unverified reports of success building
previous versions of BIND 9 from users of the following systems:

Slackware Linux 7.x, 8.0
Debian GNU/Linux 2.2 and 3.0
OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
Mac OS X 10.1, 10.3.8

Do not use a parallel "make".
Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
-DISC_FACILITY=LOG_LOCAL0

Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and

Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To build libbind (the BIND 8 resolver library), specify
"--enable-libbind" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.
If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take effect.
Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 on ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 on powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README
The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in
Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

bind-users-request@isc.org

archives of which can be found via

http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

bind-workers-request@isc.org