3 BIND version 9 is a major rewrite of nearly all aspects of the
4 underlying BIND architecture. Some of the important features of
9 TSIG (signed DNS requests)
12 Answers DNS queries on IPv6 sockets
13 IPv6 resource records (AAAA)
14 Experimental IPv6 Resolver Library
16 - DNS Protocol Enhancements
17 IXFR, DDNS, Notify, EDNS0
18 Improved standards conformance
21 One server process can provide multiple "views" of
22 the DNS namespace, e.g. an "inside" view to certain
23 clients, and an "outside" view to others.
25 - Multiprocessor Support
27 - Improved Portability Architecture
30 BIND version 9 development has been underwritten by the following
33 Sun Microsystems, Inc.
35 Compaq Computer Corporation
37 Process Software Corporation
38 Silicon Graphics, Inc.
39 Network Associates, Inc.
40 U.S. Defense Information Systems Agency
42 Stichting NLnet - NLnet Foundation
47 BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
52 Automatic zone re-signing
54 New update-policy methods tcp-self and 6to4-self
56 The BIND 8 resolver library, libbind, has been removed from the
57 BIND 9 distribution and is now available as a separate download.
59 Change the default pid file location from /var/run to
60 /var/run/{named,lwresd} for improved chroot/setuid support.
64 BIND 9.5.0 has a number of new features over 9.4,
67 GSS-TSIG support (RFC 3645).
71 Experimental http server and statistics support for named via xml.
73 More detailed statistics counters including those supported in BIND 8.
75 Faster ACL processing.
77 Use Doxygen to generate internal documentation.
79 Efficient LRU cache-cleaning mechanism.
85 BIND 9.4.0 has a number of new features over 9.3,
88 Implemented "additional section caching (or acache)", an
89 internal cache framework for additional section content to
90 improve response performance. Several configuration options
91 were provided to control the behavior.
93 New notify type 'master-only'. Enable notify for master
96 Accept 'notify-source' style syntax for query-source.
98 rndc now allows addresses to be set in the server clauses.
100 New option "allow-query-cache". This lets "allow-query"
101 be used to specify the default zone access level rather
102 than having to have every zone override the global value.
103 "allow-query-cache" can be set at both the options and view
104 levels. If "allow-query-cache" is not set then "allow-recursion"
105 is used if set, otherwise "allow-query" is used if set
106 unless "recursion no;" is set in which case "none;" is used,
107 otherwise the default (localhost; localnets;) is used.
109 rndc: the source address can now be specified.
111 ixfr-from-differences now takes master and slave in addition
112 to yes and no at the options and view levels.
114 Allow the journal's name to be changed via named.conf.
116 'rndc notify zone [class [view]]' resend the NOTIFY messages
117 for the specified zone.
119 'dig +trace' now randomly selects the next servers to try.
120 Report if there is a bad delegation.
122 Improve check-names error messages.
124 Make public the function to read a key file, dst_key_read_public().
126 dig now returns the byte count for axfr/ixfr.
128 allow-update is now settable at the options / view level.
130 named-checkconf now checks the logging configuration.
132 host now can turn on memory debugging flags with '-m'.
134 Don't send notify messages to self.
136 Perform sanity checks on NS records which refer to 'in zone' names.
138 New zone option "notify-delay". Specify a minimum delay
139 between sets of NOTIFY messages.
141 Extend adjusting TTL warning messages.
143 Named and named-checkzone can now both check for non-terminal
146 "rndc freeze/thaw" now freezes/thaws all zones.
148 named-checkconf now check acls to verify that they only
149 refer to existing acls.
151 The server syntax has been extended to support a range of
154 Report differences between hints and real NS rrset and
155 associated address records.
157 Preserve the case of domain names in rdata during zone
160 Restructured the data locking framework using architecture
161 dependent atomic operations (when available), improving
162 response performance on multi-processor machines significantly.
163 x86, x86_64, alpha, powerpc, and mips are currently supported.
165 UNIX domain controls are now supported.
167 Add support for additional zone file formats for improving
168 loading performance. The masterfile-format option in
169 named.conf can be used to specify a non-default format. A
170 separate command named-compilezone was provided to generate
171 zone files in the new format. Additionally, the -I and -O
172 options for dnssec-signzone specify the input and output
175 dnssec-signzone can now randomize signature end times
176 (dnssec-signzone -j jitter).
178 Add support for CH A record.
180 Add additional zone data constancy checks. named-checkzone
181 has extended checking of NS, MX and SRV record and the hosts
182 they reference. named has extended post zone load checks.
183 New zone options: check-mx and integrity-check.
186 edns-udp-size can now be overridden on a per server basis.
188 dig can now specify the EDNS version when making a query.
190 Added framework for handling multiple EDNS versions.
192 Additional memory debugging support to track size and mctx
195 Detect duplicates of UDP queries we are recursing on and
196 drop them. New stats category "duplicates".
198 "USE INTERNAL MALLOC" is now runtime selectable.
200 The lame cache is now done on a <qname,qclass,qtype> basis
201 as some servers only appear to be lame for certain query
204 Limit the number of recursive clients that can be waiting
205 for a single query (<qname,qtype,qclass>) to resolve. New
206 options clients-per-query and max-clients-per-query.
208 dig: report the number of extra bytes still left in the
209 packet after processing all the records.
211 Support for IPSECKEY rdata type.
213 Raise the UDP recieve buffer size to 32k if it is less than 32k.
215 x86 and x86_64 now have seperate atomic locking implementations.
217 named-checkconf now validates update-policy entries.
219 Attempt to make the amount of work performed in a iteration
220 self tuning. The covers nodes clean from the cache per
221 iteration, nodes written to disk when rewriting a master
222 file and nodes destroyed per iteration when destroying a
227 Automatic empty zone creation for D.F.IP6.ARPA and friends.
228 Note: RFC 1918 zones are not yet covered by this but are
229 likely to be in a future release.
231 New options: empty-server, empty-contact, empty-zones-enable
232 and disable-empty-zone.
234 dig now has a '-q queryname' and '+showsearch' options.
236 host/nslookup now continue (default)/fail on SERVFAIL.
238 dig now warns if 'RA' is not set in the answer when 'RD'
239 was set in the query. host/nslookup skip servers that fail
240 to set 'RA' when 'RD' is set unless a server is explicitly
243 Integrate contibuted DLZ code into named.
245 Integrate contibuted IDN code from JPNIC.
247 libbind: corresponds to that from BIND 8.4.7.
251 BIND 9.3.0 has a number of new features over 9.2,
254 DNSSEC is now DS based (RFC 3658).
255 See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
257 DNSSEC lookaside validation.
259 check-names is now implemented.
260 rrset-order in more complete.
262 IPv4/IPv6 transition support, dual-stack-servers.
264 IXFR deltas can now be generated when loading master files,
265 ixfr-from-differences.
267 It is now possible to specify the size of a journal, max-journal-size.
269 It is now possible to define a named set of master servers to be
270 used in masters clause, masters.
272 The advertised EDNS UDP size can now be set, edns-udp-size.
274 allow-v6-synthesis has been obsoleted.
277 * Zones containing MD and MF will now be rejected.
278 * dig, nslookup name. now report "Not Implemented" as
279 NOTIMP rather than NOTIMPL. This will have impact on scripts
280 that are looking for NOTIMPL.
282 libbind: corresponds to that from BIND 8.4.5.
286 BIND 9.2.0 has a number of new features over 9.1,
289 - The size of the cache can now be limited using the
290 "max-cache-size" option.
292 - The server can now automatically convert RFC1886-style
293 recursive lookup requests into RFC2874-style lookups,
294 when enabled using the new option "allow-v6-synthesis".
295 This allows stub resolvers that support AAAA records
296 but not A6 record chains or binary labels to perform
297 lookups in domains that make use of these IPv6 DNS
300 - Performance has been improved.
302 - The man pages now use the more portable "man" macros
303 rather than the "mandoc" macros, and are installed
306 - The named.conf parser has been completely rewritten.
307 It now supports "include" directives in more
308 places such as inside "view" statements, and it no
309 longer has any reserved words.
311 - The "rndc status" command is now implemented.
313 - rndc can now be configured automatically.
315 - A BIND 8 compatible stub resolver library is now
316 included in lib/bind.
318 - OpenSSL has been removed from the distribution. This
319 means that to use DNSSEC, OpenSSL must be installed and
320 the --with-openssl option must be supplied to configure.
321 This does not apply to the use of TSIG, which does not
324 - The source distribution now builds on Windows.
325 See win32utils/readme1.txt and win32utils/win32-build.txt
328 This distribution also includes a new lightweight stub
329 resolver library and associated resolver daemon that fully
330 support forward and reverse lookups of both IPv4 and IPv6
331 addresses. This library is considered experimental and
332 is not a complete replacement for the BIND 8 resolver library.
333 Applications that use the BIND 8 res_* functions to perform
334 DNS lookups or dynamic updates still need to be linked against
335 the BIND 8 libraries. For DNS lookups, they can also use the
336 new "getrrsetbyname()" API.
338 BIND 9.2 is capable of acting as an authoritative server
339 for DNSSEC secured zones. This functionality is believed to
340 be stable and complete except for lacking support for
341 verifications involving wildcard records in secure zones.
343 When acting as a caching server, BIND 9.2 can be configured
344 to perform DNSSEC secure resolution on behalf of its clients.
345 This part of the DNSSEC implementation is still considered
346 experimental. For detailed information about the state of the
347 DNSSEC implementation, see the file doc/misc/dnssec.
349 There are a few known bugs:
351 On some systems, IPv6 and IPv4 sockets interact in
352 unexpected ways. For details, see doc/misc/ipv6.
353 To reduce the impact of these problems, the server
354 no longer listens for requests on IPv6 addresses
355 by default. If you need to accept DNS queries over
356 IPv6, you must specify "listen-on-v6 { any; };"
357 in the named.conf options statement.
359 FreeBSD prior to 4.2 (and 4.2 if running as non-root)
360 and OpenBSD prior to 2.8 log messages like
361 "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
362 This is due to a bug in "/dev/random" and impacts the
363 server's DNSSEC support.
365 OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
366 OS X 10.2 (Darwin 6.0) reports errors like
367 "fcntl(3, F_SETFL, 4): Operation not supported by device".
368 This is due to a bug in "/dev/random" and impacts the
369 server's DNSSEC support.
371 --with-libtool does not work on AIX.
373 A bug in some versions of the Microsoft DNS server can cause zone
374 transfers from a BIND 9 server to a W2K server to fail. For details,
375 see the "Zone Transfers" section in doc/misc/migration.
377 For a detailed list of user-visible changes from
378 previous releases, see the CHANGES file.
383 BIND 9 currently requires a UNIX system with an ANSI C compiler,
384 basic POSIX support, and a 64 bit integer type.
386 We've had successful builds and tests on the following systems:
388 COMPAQ Tru64 UNIX 5.1B
390 FreeBSD 4.10, 5.2.1, 6.2
393 NetBSD 3.x and 4.0-beta
395 Solaris 8, 9, 9 (x86), 10
399 NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
400 Windows, including Windows NT and Windows 2000, are no longer
403 We have recent reports from the user community that a supported
404 version of BIND will build and run on the following systems:
414 Red Hat Enterprise Linux 4, 5
424 Do not use a parallel "make".
426 Several environment variables that can be set before running
427 configure will affect compilation:
430 The C compiler to use. configure tries to figure
431 out the right one for supported systems.
434 C compiler flags. Defaults to include -g and/or -O2
435 as supported by the compiler.
438 System header file directories. Can be used to specify
439 where add-on thread or IPv6 support is, for example.
440 Defaults to empty string.
443 Any additional preprocessor symbols you want defined.
444 Defaults to empty string.
447 Change the default syslog facility of named/lwresd.
448 -DISC_FACILITY=LOG_LOCAL0
449 Enable DNSSEC signature chasing support in dig.
450 -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
452 Disable dropping queries from particular well known ports.
453 -DNS_CLIENT_DROPPORT=0
454 Sibling glue checking in named-checkzone is enabled by default.
455 To disable the default check set. -DCHECK_SIBLING=0
456 named-checkzone checks out-of-zone addresses by default.
457 To disable this default set. -DCHECK_LOCAL=0
458 To create the default pid files in ${localstatedir}/run rather
459 than ${localstatedir}/run/{named,lwresd}/ set.
461 Enable workaround for Solaris kernel bug about /dev/poll
462 -DISC_SOCKET_USE_POLLWATCH=1
463 The watch timeout is also configurable, e.g.,
464 -DISC_SOCKET_POLLWATCH_TIMEOUT=20
467 Linker flags. Defaults to empty string.
469 The following need to be set when cross compiling.
472 The native C compiler.
473 BUILD_CFLAGS (optional)
474 BUILD_CPPFLAGS (optional)
476 -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
477 BUILD_LDFLAGS (optional)
478 BUILD_LIBS (optional)
480 To build shared libraries, specify "--with-libtool" on the
481 configure command line.
483 For the server to support DNSSEC, you need to build it
484 with crypto support. You must have OpenSSL 0.9.5a
485 or newer installed and specify "--with-openssl" on the
486 configure command line. If OpenSSL is installed under
487 a nonstandard prefix, you can tell configure where to
488 look for it using "--with-openssl=/prefix".
490 On some platforms it is necessary to explictly request large
491 file support to handle files bigger than 2GB. This can be
492 done by "--enable-largefile" on the configure command line.
494 On some platforms, BIND 9 can be built with multithreading
495 support, allowing it to take advantage of multiple CPUs.
496 You can specify whether to build a multithreaded BIND 9
497 by specifying "--enable-threads" or "--disable-threads"
498 on the configure command line. The default is operating
501 Support for the "fixed" rrset-order option can be enabled
502 or disabled by specifying "--enable-fixed-rrset" or
503 "--disable-fixed-rrset" on the configure command line.
504 The default is "disabled", to reduce memory footprint.
506 If your operating system has integrated support for IPv6, it
507 will be used automatically. If you have installed KAME IPv6
508 separately, use "--with-kame[=PATH]" to specify its location.
510 "make install" will install "named" and the various BIND 9 libraries.
511 By default, installation is into /usr/local, but this can be changed
512 with the "--prefix" option when running "configure".
514 You may specify the option "--sysconfdir" to set the directory
515 where configuration files like "named.conf" go by default,
516 and "--localstatedir" to set the default parent directory
517 of "run/named.pid". For backwards compatibility with BIND 8,
518 --sysconfdir defaults to "/etc" and --localstatedir defaults to
519 "/var" if no --prefix option is given. If there is a --prefix
520 option, sysconfdir defaults to "$prefix/etc" and localstatedir
521 defaults to "$prefix/var".
523 To see additional configure options, run "configure --help".
524 Note that the help message does not reflect the BIND 8
525 compatibility defaults for sysconfdir and localstatedir.
527 If you're planning on making changes to the BIND 9 source, you
528 should also "make depend". If you're using Emacs, you might find
531 If you need to re-run configure please run "make distclean" first.
532 This will ensure that all the option changes take.
534 Building with gcc is not supported, unless gcc is the vendor's usual
535 compiler (e.g. the various BSD systems, Linux).
537 Known compiler issues:
538 * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
539 * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
540 * gcc-3.3.5 powerpc generates incorrect code at -02.
541 * Irix, MipsPRO 7.4.1m is known to cause problems.
543 A limited test suite can be run with "make test". Many of
544 the tests require you to configure a set of virtual IP addresses
545 on your system, and some require Perl; see bin/tests/system/README
548 SunOS 4 requires "printf" to be installed to make the shared
549 libraries. sh-utils-1.16 provides a "printf" which compiles
554 The BIND 9 Administrator Reference Manual is included with the
555 source distribution in DocBook XML and HTML format, in the
558 Some of the programs in the BIND 9 distribution have man pages
559 in their directories. In particular, the command line
560 options of "named" are documented in /bin/named/named.8.
561 There is now also a set of man pages for the lwres library.
563 If you are upgrading from BIND 8, please read the migration
564 notes in doc/misc/migration. If you are upgrading from
565 BIND 4, read doc/misc/migration-4to9.
567 Frequently asked questions and their answers can be found in
571 Bug Reports and Mailing Lists
573 Bugs reports should be sent to
577 To join the BIND Users mailing list, send mail to
579 bind-users-request@isc.org
581 archives of which can be found via
583 http://www.isc.org/ops/lists/
585 If you're planning on making changes to the BIND 9 source
586 code, you might want to join the BIND Workers mailing list.
589 bind-workers-request@isc.org