BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

TSIG (signed DNS requests)

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Sun Microsystems, Inc.

Compaq Computer Corporation

Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency

Stichting NLnet - NLnet Foundation

BIND 9.4.3 is a maintenance release, fixing bugs in 9.4.2.

BIND 9.4.2 is a maintenance release, containing fixes for
a number of bugs in 9.4.1.

Warning: If you installed BIND 9.4.2rc1 then any applications
linked against this release candidate will need to be rebuilt.

BIND 9.4.1 is a security release, containing a fix for
a security bug in 9.4.0.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching" (or "acache"), an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets allow-query be
used to specify the default zone access level rather than
having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels. If allow-query-cache is not set then allow-recursion
is used if set, otherwise allow-query is used if set, otherwise
the default (localhost; localnets;) is used.
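
The precedence just described, together with the per-view access split
mentioned under "views" above, modelled as an added Python example. This is
illustration written for this README, not BIND's own code: the interface
addresses, the three views and the client addresses are constructed samples,
and the address-match-list evaluator covers only "any", "none", "localhost",
"localnets", prefixes and the "!" negation. The "legacy" view shows why the
fallback matters: with only allow-query set to "any", cache access follows
it and the view answers recursive queries from anywhere.

```python
"""Effective cache-access ACL per view, following the precedence the README
gives for allow-query-cache (allow-query-cache, then allow-recursion, then
allow-query, then the built-in default), plus a small evaluator for
BIND-style address match lists.  Added illustration, not BIND's own code."""
import ipaddress

# Built-in default applied when none of the three options is set.
DEFAULT_CACHE_ACL = ["localhost", "localnets"]

# Constructed sample: the server's own interface addresses, which is what
# the "localhost" and "localnets" keywords expand to.
SERVER_INTERFACES = ["127.0.0.1/8", "192.0.2.10/24"]


def matches(acl, client_ip, interfaces=SERVER_INTERFACES):
    """Evaluate an address match list: the first element that matches
    decides, a leading '!' negates it, and a list with no match denies."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        term = elem.strip()
        negate = term.startswith("!")
        term = term.lstrip("!").strip()
        if term == "any":
            hit = True
        elif term == "none":
            hit = False
        elif term == "localhost":
            hit = any(ip == ipaddress.ip_interface(i).ip for i in interfaces)
        elif term == "localnets":
            hit = any(ip in ipaddress.ip_interface(i).network for i in interfaces)
        else:
            # A bare address is treated as a /32 or /128 prefix; an address
            # family mismatch simply does not match.
            hit = ip in ipaddress.ip_network(term, strict=False)
        if hit:
            return not negate
    return False


def effective_cache_acl(view):
    """Return (option name, ACL) governing cache access for a view, using
    the precedence order from the README."""
    for opt in ("allow-query-cache", "allow-recursion", "allow-query"):
        if opt in view:
            return opt, view[opt]
    return "default", DEFAULT_CACHE_ACL


# Constructed views.  "inside" serves the corporate network, "outside" is
# the public authoritative face and explicitly refuses cache access,
# "legacy" shows what happens when only allow-query is set.
VIEWS = {
    "inside": {"allow-query": ["192.0.2.0/24", "10.0.0.0/8"]},
    "outside": {"allow-query": ["any"], "allow-query-cache": ["none"]},
    "legacy": {"allow-query": ["any"]},
}


def cache_access(view_name, client_ip):
    """Which option decided, and whether this client may query the cache."""
    opt, acl = effective_cache_acl(VIEWS[view_name])
    return opt, matches(acl, client_ip)


if __name__ == "__main__":
    for name in VIEWS:
        for client in ("192.0.2.55", "198.51.100.7"):
            print(name, client, cache_access(name, client))
```

Running the block prints, for each view, which option decided and whether a
local and a remote client get cache access; the "legacy" view is the one to
watch for in a real named.conf.
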
rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data consistency checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

Memory management. "USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.
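
The two resolver protections above, dropping duplicate UDP queries that are
already being recursed on and capping the clients that may wait on one
<qname,qclass,qtype>, as an added Python example. It is an illustration of
the mechanism written for this README, not named's implementation: the
client tuples, the question names and the limit value are constructed, and
the exact accounting named performs (for example how the soft
clients-per-query limit is raised towards max-clients-per-query) is not
reproduced, only a single fixed cap.

```python
"""Tracks clients waiting on one in-progress recursive query, keyed by
<qname, qclass, qtype> as the README describes: duplicate UDP queries are
dropped and counted under "duplicates", and the number of clients that may
wait on a single question is capped (clients-per-query).  Added
illustration of the mechanism, not named's implementation."""
from collections import defaultdict


def question_key(qname, qclass, qtype):
    """Normalise the question: DNS names compare case-insensitively and
    a trailing dot is not significant here."""
    return (qname.lower().rstrip(".") or ".", qclass.upper(), qtype.upper())


class RecursionTracker:
    def __init__(self, clients_per_query=10):
        self.limit = clients_per_query
        self.pending = defaultdict(list)   # question -> waiting clients
        self.stats = {"recursions": 0, "duplicates": 0, "dropped": 0}

    def query(self, client, qname, qclass, qtype):
        """client is (address, port, message id).  Returns what the server
        does with this packet: 'recurse', 'wait', 'duplicate' or 'dropped'."""
        waiting = self.pending[question_key(qname, qclass, qtype)]
        if client in waiting:
            # Same source, same id, same question: a retransmit of work
            # already in progress, so the original gets the answer later.
            self.stats["duplicates"] += 1
            return "duplicate"
        if not waiting:
            # First client for this question starts the recursion.
            waiting.append(client)
            self.stats["recursions"] += 1
            return "recurse"
        if len(waiting) >= self.limit:
            # Too many clients already chained to this question; drop rather
            # than let one slow name consume more recursive-client slots.
            self.stats["dropped"] += 1
            return "dropped"
        waiting.append(client)
        return "wait"

    def answer(self, qname, qclass, qtype):
        """Resolution finished: hand back every client owed a reply and
        forget the question so a fresh query recurses again."""
        return self.pending.pop(question_key(qname, qclass, qtype), [])


if __name__ == "__main__":
    t = RecursionTracker(clients_per_query=2)
    for client in [("203.0.113.5", 5353, 1), ("203.0.113.5", 5353, 1),
                   ("203.0.113.6", 40000, 7), ("203.0.113.7", 40001, 8)]:
        print(client, t.query(client, "www.example.com.", "IN", "A"))
    print("reply to:", t.answer("www.example.com", "IN", "A"), t.stats)
```

Run stand-alone it shows one recursion, one retransmit counted as a
duplicate, one client queued behind the first, and one dropped once the cap
of two is reached; the "duplicates" counter is the same statistic the
README's new stats category reports.
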
dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

Validate pending NS RRsets, in the authority section, prior
to returning them if it can be done without requiring DNSKEYs

It is now possible to configure named to accept expired
RRSIGs. Default "dnssec-accept-expired no;". Setting
"dnssec-accept-expired yes;" leaves named vulnerable to
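
The signature time window behind dnssec-accept-expired, and the end-time
jitter that dnssec-signzone -j adds (listed earlier in this release's
features), as one added Python example. It is illustration written for this
README, not BIND's code: the RRSIG times are constructed samples in the
presentation format (YYYYMMDDHHMMSS, UTC), the check works on those strings
rather than on the 32-bit serial values in the wire format, and spreading
end times over the jitter seconds before the nominal end is an assumed
reading of what -j does, not a transcription of dnssec-signzone.

```python
"""RRSIG validity-window checks and signature end-time jitter.  Added
illustration for the dnssec-accept-expired option and dnssec-signzone -j
described in this README; it is not BIND's code.  RRSIG times are handled
in their presentation form, YYYYMMDDHHMMSS in UTC."""
import random
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig_time(text):
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def format_rrsig_time(when):
    return when.astimezone(timezone.utc).strftime(RRSIG_TIME_FMT)


def rrsig_time_status(inception, expiration, now, accept_expired=False):
    """Decide whether a signature's time window allows it to be used at
    'now'.  accept_expired mirrors "dnssec-accept-expired yes;": an expired
    signature is then tolerated, which is exactly the guarantee the option
    gives up.  Returns (usable, reason)."""
    inc, exp, t = (parse_rrsig_time(x) for x in (inception, expiration, now))
    if t < inc:
        return False, "inception is in the future"
    if t > exp:
        if accept_expired:
            return True, "expired, accepted because dnssec-accept-expired is yes"
        return False, "expired"
    return True, "within validity window"


def jittered_end_times(end, jitter_seconds, count, seed=None):
    """Spread signature end times over the 'jitter' seconds before 'end'
    (assumed semantics of dnssec-signzone -j) so that a zone's signatures
    do not all expire at the same instant."""
    rng = random.Random(seed)
    base = parse_rrsig_time(end)
    return [format_rrsig_time(base - timedelta(seconds=rng.randint(0, jitter_seconds)))
            for _ in range(count)]


if __name__ == "__main__":
    # Constructed sample: a January 2024 signature checked in mid-February.
    print(rrsig_time_status("20240101000000", "20240131000000", "20240215120000"))
    print(rrsig_time_status("20240101000000", "20240131000000", "20240215120000",
                            accept_expired=True))
    print(jittered_end_times("20240131000000", 3600, 3, seed=1))
```

The first print shows the default refusal of an expired RRSIG, the second
what "dnssec-accept-expired yes;" changes, and the third a set of end times
that fall within the hour before the nominal expiration.
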
Additional memory leakage checks.

The maximum EDNS UDP response named will send can now be
set in named.conf (max-udp-size). This is independent of
the advertised receive buffer (edns-udp-size).

Named now falls back to advertising EDNS with a 512 byte
receive buffer if the initial EDNS queries fail.

Control the zeroing of the negative response TTL to a soa
query. Defaults "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;".

Separate out MX and SRV to CNAME checks.

dig/nslookup/host: warn about missing "QR".

TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and

dnssec-signzone: output the SOA record as the first record

Two new update policies. "selfsub" and "selfwild".

dig, nslookup and host now advertise a 4096 byte EDNS UDP
buffer size by default.

Report when a zone is removed.

DS/DLV SHA256 digest algorithm support.

Implement "rrset-order fixed".

Check the KSK flag when updating a secure dynamic zone.
New zone option "update-check-ksk yes;".

It is now possible to explicitly enable DNSSEC validation.
default dnssec-validation no; to be changed to yes in 9.5.0.

It is now possible to enable/disable DNSSEC validation
from rndc. This is useful for the mobile hosts where the
current connection point breaks DNSSEC (firewall/proxy).

rndc validation newstate [view]

dnssec-signzone can now update the SOA record of the signed
zone, either as an increment or as the system time().

Statistics about acache now recorded and sent to log.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will have impact on scripts
that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
"max-cache-size" option.

- The server can now automatically convert RFC1886-style
recursive lookup requests into RFC2874-style lookups,
when enabled using the new option "allow-v6-synthesis".
This allows stub resolvers that support AAAA records
but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
It now supports "include" directives in more
places such as inside "view" statements, and it no
longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
included in lib/bind.

- OpenSSL has been removed from the distribution. This
means that to use DNSSEC, OpenSSL must be installed and
the --with-openssl option must be supplied to configure.
This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
FreeBSD 4.10, 5.2.1, 6.2

Solaris 8, 9, 9 (x86)

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

Additionally, we have unverified reports of success building
previous versions of BIND 9 from users of the following systems:

Slackware Linux 7.x, 8.0

Debian GNU/Linux 2.2 and 3.0

OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8

Mac OS X 10.1, 10.3.8

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
-DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and

Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
Disable support for "rrset-order fixed".
-DDNS_RDATASET_FIXED=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check, set -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default, set -DCHECK_LOCAL=0
Enable workaround for Solaris kernel bug about /dev/poll
-DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
-DISC_SOCKET_POLLWATCH_TIMEOUT=20

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)

-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To build libbind (the BIND 8 resolver library), specify
"--enable-libbind" on the configure command line.

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

bind-users-request@isc.org

archives of which can be found via

http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Forum as a Worker.
This gives you access to the bind-workers@isc.org mailing
list and pre-release access to the code.

http://www.isc.org/sw/guild/bf/