BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

BIND 9.6.3 is a maintenance release, fixing bugs in 9.6.2.

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
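
The fallback order described for "allow-query-cache", as an added example that is not part of the BIND distribution: a Python audit that computes which ACL ends up governing cache access and flags a cache that is open to "any" only because it inherited a permissive setting. The function names, the simplified regex parsing, the sample configurations, and the reading that "recursion no;" takes precedence over an inherited "allow-query" are assumptions of this example.

```python
import re

DEFAULT_ACL = ["localhost", "localnets"]
ACL_OPTIONS = ("allow-query-cache", "allow-recursion", "allow-query")

def parse_options(conf_text):
    """Pull the three ACL options and 'recursion' out of named.conf text.

    Simplified on purpose: only flat address-match lists (no nested braces)
    and a single options/view scope are handled.
    """
    text = re.sub(r"(//|#).*", "", conf_text)   # drop line comments
    opts = {"recursion": True}                   # named recurses by default
    for name in ACL_OPTIONS:
        pattern = r"(?<![\w-])" + re.escape(name) + r"\s*\{([^{}]*)\}\s*;"
        m = re.search(pattern, text)
        if m:
            opts[name] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    if m:
        opts["recursion"] = m.group(1) == "yes"
    return opts

def effective_cache_acl(opts):
    """Return (acl, source) using the fallback order from the release note."""
    if "allow-query-cache" in opts:
        return opts["allow-query-cache"], "allow-query-cache"
    if "allow-recursion" in opts:
        return opts["allow-recursion"], "allow-recursion"
    if not opts["recursion"]:
        # Assumed reading: "recursion no;" wins over an inherited allow-query.
        return ["none"], "recursion no"
    if "allow-query" in opts:
        return opts["allow-query"], "allow-query"
    return list(DEFAULT_ACL), "default"

def audit(conf_text):
    """Report the effective cache ACL and whether it is inherited and open."""
    acl, source = effective_cache_acl(parse_options(conf_text))
    inherited_open = "any" in acl and source != "allow-query-cache"
    return {"acl": acl, "source": source, "inherited_open": inherited_open}

# Constructed sample configurations (not taken from any real deployment).
SAMPLES = {
    "inherits any": 'options { allow-query { any; }; };',
    "explicit cache acl": 'options { allow-query { any; }; '
                          'allow-query-cache { localhost; 10.0.0.0/8; }; };',
    "authoritative only": 'options { recursion no; allow-query { any; }; };',
    "nothing set": 'options { directory "/var/named"; };',
}

if __name__ == "__main__":
    for label, conf in SAMPLES.items():
        print(f"{label}: {audit(conf)}")
```

The first sample is the case to look for in review: a global "allow-query { any; };" meant for authoritative zones also opens the cache unless "allow-query-cache" or "allow-recursion" is set explicitly.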

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self-tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

    On some systems, IPv6 and IPv4 sockets interact in
    unexpected ways. For details, see doc/misc/ipv6.
    To reduce the impact of these problems, the server
    no longer listens for requests on IPv6 addresses
    by default. If you need to accept DNS queries over
    IPv6, you must specify "listen-on-v6 { any; };"
    in the named.conf options statement.

    FreeBSD prior to 4.2 (and 4.2 if running as non-root)
    and OpenBSD prior to 2.8 log messages like
    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
    This is due to a bug in "/dev/random" and impacts the
    server's DNSSEC support.

    OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
    OS X 10.2 (Darwin 6.0) report errors like
    "fcntl(3, F_SETFL, 4): Operation not supported by device".
    This is due to a bug in "/dev/random" and impacts the
    server's DNSSEC support.

    --with-libtool does not work on AIX.

    A bug in some versions of the Microsoft DNS server can cause zone
    transfers from a BIND 9 server to a W2K server to fail. For details,
    see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x and 4.0-beta
    Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    Red Hat Enterprise Linux 4, 5

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Change the default syslog facility of named/lwresd.
        -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
    Disable dropping queries from particular well known ports.
        -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check set -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default set -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/ set.
    Enable workaround for Solaris kernel bug about /dev/poll
        -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

    bind-users-request@isc.org

archives of which can be found via

    http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

    bind-workers-request@isc.org