BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

TSIG (signed DNS requests)

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Sun Microsystems, Inc.
Compaq Computer Corporation
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
Stichting NLnet - NLnet Foundation

BIND 9.6.2 is a maintenance release, fixing bugs in 9.6.1.
It also introduces support for the SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512.

Known issues in this release:

- A validating resolver that has been incorrectly configured with
  an invalid trust anchor will be unable to resolve names covered
  by that trust anchor. In all current versions of BIND 9, such a
  resolver will also generate significant unnecessary DNS traffic
  while trying to validate. The latter problem will be addressed
  in future BIND 9 releases. In the meantime, to avoid these
  problems, exercise caution when configuring "trusted-keys":
  make sure all keys are correct and current when you add them,
  and update your configuration in a timely manner when keys

BIND 9.6.1 is a maintenance release, fixing bugs in 9.6.0.

BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier

Automatic zone re-signing

New update-policy methods tcp-self and 6to4-self

The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.

Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0 has a number of new features over 9.4,

GSS-TSIG support (RFC 3645).

Experimental http server and statistics support for named via xml.

More detailed statistics counters including those supported in BIND 8.

Faster ACL processing.

Use Doxygen to generate internal documentation.

Efficient LRU cache-cleaning mechanism.

BIND 9.4.0 has a number of new features over 9.3,

Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.

New notify type 'master-only'. Enable notify for master

Accept 'notify-source' style syntax for query-source.

rndc now allows addresses to be set in the server clauses.

New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
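
The fallback rule above has a practical consequence: with recursion
left enabled, a global "allow-query { any; };" written for
authoritative zones also becomes the cache ACL when neither
"allow-query-cache" nor "allow-recursion" is set. The named.conf
fragment below is an added example, not part of the BIND distribution;
the acl name "trusted" and the 192.0.2.0/24 prefix are assumed
placeholders.

```conf
// Constructed example. The acl name "trusted" and the 192.0.2.0/24
// documentation prefix are placeholders, not values from this README.

acl "trusted" { localhost; localnets; 192.0.2.0/24; };

// Weak: only allow-query is set. With allow-query-cache and
// allow-recursion both unset and recursion enabled, the fallback
// rule uses allow-query for the cache as well, so any client may
// query cached data.
//
// options {
//     allow-query { any; };
// };

// Corrected: allow-query stays the default zone access level, and
// the cache and recursion ACLs are set explicitly so that no
// fallback applies.
options {
    allow-query       { any; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};

// Authoritative-only alternative: with "recursion no;" and the cache
// ACL unset, the rule above yields "none;" for the cache.
//
// options {
//     recursion no;
//     allow-query { any; };
// };
```

Both options can also be set per view, so an "outside" view can carry
a stricter cache ACL than an "inside" one.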

rndc: the source address can now be specified.

ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.

Allow the journal's name to be changed via named.conf.

'rndc notify zone [class [view]]' resends the NOTIFY messages
for the specified zone.

'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.

Improve check-names error messages.

Make public the function to read a key file, dst_key_read_public().

dig now returns the byte count for axfr/ixfr.

allow-update is now settable at the options / view level.

named-checkconf now checks the logging configuration.

host now can turn on memory debugging flags with '-m'.

Don't send notify messages to self.

Perform sanity checks on NS records which refer to 'in zone' names.

New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.

Extend adjusting TTL warning messages.

Named and named-checkzone can now both check for non-terminal

"rndc freeze/thaw" now freezes/thaws all zones.

named-checkconf now checks acls to verify that they only
refer to existing acls.

The server syntax has been extended to support a range of

Report differences between hints and real NS rrset and
associated address records.

Preserve the case of domain names in rdata during zone

Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.

UNIX domain controls are now supported.

Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output

dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).

Add support for CH A record.

Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV records and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.

edns-udp-size can now be overridden on a per server basis.

dig can now specify the EDNS version when making a query.

Added framework for handling multiple EDNS versions.

Additional memory debugging support to track size and mctx

Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".

"USE INTERNAL MALLOC" is now runtime selectable.

The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query

Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.

dig: report the number of extra bytes still left in the
packet after processing all the records.

Support for IPSECKEY rdata type.

Raise the UDP receive buffer size to 32k if it is less than 32k.

x86 and x86_64 now have separate atomic locking implementations.

named-checkconf now validates update-policy entries.

Attempt to make the amount of work performed in an iteration
self tuning. This covers nodes cleaned from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a

Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.

New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.

dig now has '-q queryname' and '+showsearch' options.

host/nslookup now continue (default)/fail on SERVFAIL.

dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly

Integrate contributed DLZ code into named.

Integrate contributed IDN code from JPNIC.

libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0 has a number of new features over 9.2,

DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

DNSSEC lookaside validation.

check-names is now implemented.
rrset-order is more complete.

IPv4/IPv6 transition support, dual-stack-servers.

IXFR deltas can now be generated when loading master files,
ixfr-from-differences.

It is now possible to specify the size of a journal, max-journal-size.

It is now possible to define a named set of master servers to be
used in masters clause, masters.

The advertised EDNS UDP size can now be set, edns-udp-size.

allow-v6-synthesis has been obsoleted.

* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
  NOTIMP rather than NOTIMPL. This will have impact on scripts
  that are looking for NOTIMPL.

libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0 has a number of new features over 9.1,

- The size of the cache can now be limited using the
  "max-cache-size" option.

- The server can now automatically convert RFC1886-style
  recursive lookup requests into RFC2874-style lookups,
  when enabled using the new option "allow-v6-synthesis".
  This allows stub resolvers that support AAAA records
  but not A6 record chains or binary labels to perform
  lookups in domains that make use of these IPv6 DNS

- Performance has been improved.

- The man pages now use the more portable "man" macros
  rather than the "mandoc" macros, and are installed

- The named.conf parser has been completely rewritten.
  It now supports "include" directives in more
  places such as inside "view" statements, and it no
  longer has any reserved words.

- The "rndc status" command is now implemented.

- rndc can now be configured automatically.

- A BIND 8 compatible stub resolver library is now
  included in lib/bind.

- OpenSSL has been removed from the distribution. This
  means that to use DNSSEC, OpenSSL must be installed and
  the --with-openssl option must be supplied to configure.
  This does not apply to the use of TSIG, which does not

- The source distribution now builds on Windows.
  See win32utils/readme1.txt and win32utils/win32-build.txt

This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.

BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.

When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.

There are a few known bugs:

On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.

FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) report errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.

--with-libtool does not work on AIX.

A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

COMPAQ Tru64 UNIX 5.1B
FreeBSD 4.10, 5.2.1, 6.2
NetBSD 3.x and 4.0-beta
Solaris 8, 9, 9 (x86), 10

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

Red Hat Enterprise Linux 4, 5

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler.

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.

Any additional preprocessor symbols you want defined.
Defaults to empty string.

Change the default syslog facility of named/lwresd.
    -DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
Disable dropping queries from particular well known ports.
    -DNS_CLIENT_DROPPORT=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check, set -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default, set -DCHECK_LOCAL=0
To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.
Enable workaround for Solaris kernel bug about /dev/poll
    -DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
    -DISC_SOCKET_POLLWATCH_TIMEOUT=20

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
    -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

To build shared libraries, specify "--with-libtool" on the
configure command line.

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.

Frequently asked questions and their answers can be found in

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

bind-users-request@isc.org

archives of which can be found via

http://www.isc.org/ops/lists/

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

bind-workers-request@isc.org