HISTORY

Functional enhancements from prior major releases of BIND 9

BIND 9.10.0

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

  • DNS Response-rate limiting (DNS RRL), which blunts the impact of
    reflection and amplification attacks, is always compiled in and no
    longer requires a compile-time option to enable it.
  • An experimental "Source Identity Token" (SIT) EDNS option is now
    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
    these are designed to enable clients to detect off-path spoofed
    responses, and to enable servers to detect spoofed-source queries.
    Servers can be configured to send smaller responses to clients that
    have not identified themselves using a SIT option, reducing the
    effectiveness of amplification attacks. RRL processing has also been
    updated; clients proven to be legitimate via SIT are not subject to
    rate limiting. Use "configure --enable-sit" to enable this feature in
    BIND.
  • A new zone file format, "map", stores zone data in a format that can
    be mapped directly into memory, allowing significantly faster zone
    loading.
  • "delv" (domain entity lookup and validation) is a new tool with
    dig-like semantics for looking up DNS data and performing internal
    DNSSEC validation. This allows easy validation in environments where
    the resolver may not be trustworthy, and assists with troubleshooting
    of DNSSEC problems. (NOTE: In previous development releases of BIND
    9.10, this utility was called "delve". The spelling has been changed
    to avoid confusion with the "delve" utility included with the Xapian
    search engine.)
  • Improved EDNS(0) processing for better resolver performance and
    reliability over slow or lossy connections.
  • A new "configure --with-tuning=large" option tunes certain compiled-in
    constants and default settings to values better suited to large
    servers with abundant memory. This can improve performance on such
    servers, but will consume more memory and may degrade performance on
    smaller systems.
  • Substantial improvement in response-policy zone (RPZ) performance. Up
    to 32 response-policy zones can be configured with minimal performance
    loss.
  • To improve recursive resolver performance, cache records which are
    still being requested by clients can now be automatically refreshed
    from the authoritative server before they expire, reducing or
    eliminating the time window in which no answer is available in the
    cache.
  • New "rpz-client-ip" triggers and drop policies allowing response
    policies based on the IP address of the client.
  • ACLs can now be specified based on geographic location using the
    MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
  • Zone data can now be shared between views, allowing multiple views to
    serve the same zones authoritatively without storing multiple copies
    in memory.
  • New XML schema (version 3) for the statistics channel includes many
    new statistics and uses a flattened XML tree for faster parsing. The
    older schema is now deprecated.
  • A new stylesheet, based on the Google Charts API, displays XML
    statistics in charts and graphs on JavaScript-enabled browsers.
  • The statistics channel can now provide data in JSON format as well as
    XML.
  • New stats counters track TCP and UDP queries received per zone, and
    EDNS options received in total.
  • The internal and export versions of the BIND libraries (libisc,
    libdns, etc) have been unified so that external library clients can
    use the same libraries as BIND itself.
  • A new compile-time option, "configure --enable-native-pkcs11", allows
    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
    BIND can drive a cryptographic hardware security module (HSM) directly
    instead of using a modified OpenSSL as an intermediary. (Note: This
    feature requires an HSM to have a full implementation of the PKCS#11
    API; many current HSMs only have partial implementations. The new
    "pkcs11-tokens" command can be used to check API completeness. Native
    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
    version 2 from the OpenDNSSEC project.)
  • The new "max-zone-ttl" option enforces maximum TTLs for zones. This
    can simplify the process of rolling DNSSEC keys by guaranteeing that
    cached signatures will have expired within the specified amount of
    time.
  • "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
  • "dig +expire" sends an EDNS EXPIRE option when querying. When this
    option is sent with an SOA query to a server that supports it, it will
    report the expiry time of a slave zone.
  • New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
    report if a lapse in signing coverage has been inadvertently
    scheduled.
  • Signing algorithm flexibility and other improvements for the "rndc"
    control channel.
  • "named-checkzone" and "named-compilezone" can now read journal files,
    allowing them to process dynamic zones.
  • Multiple DLZ databases can now be configured. Individual zones can be
    configured to be served from a specific DLZ database. DLZ databases
    now serve zones of type "master" and "redirect".
  • "rndc zonestatus" reports information about a specified zone.
  • "named" now listens on IPv6 as well as IPv4 interfaces by default.
  • "named" now preserves the capitalization of names when responding to
    queries: for instance, a query for "example.com" may be answered with
    "example.COM" if the name was configured that way in the zone file.
    Some clients have a bug causing them to depend on the older behavior,
    in which the case of the answer always matched the case of the query,
    rather than the case of the name configured in the DNS. Such clients
    can now be specified in the new "no-case-compress" ACL; this will
    restore the older behavior of "named" for those clients only.
  • New "dnssec-importkey" command allows the use of offline DNSSEC keys
    with automatic DNSKEY management.
  • New "named-rrchecker" tool to verify the syntactic correctness of
    individual resource records.
  • When re-signing a zone, the new "dnssec-signzone -Q" option drops
    signatures from keys that are still published but are no longer
    active.
  • "named-checkconf -px" will print the contents of configuration files
    with the shared secrets obscured, making it easier to share
    configuration (e.g. when submitting a bug report) without revealing
    private information.
  • "rndc scan" causes named to re-scan network interfaces for changes in
    local addresses.
  • On operating systems with support for routing sockets, network
    interfaces are re-scanned automatically whenever they change.
  • "tsig-keygen" is now available as an alternate command name to use for
    "ddns-confgen".

BIND 9.9.0

BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

  • Inline signing, allowing automatic DNSSEC signing of master zones
    without modification of the zonefile, or "bump in the wire" signing in
    slaves.
  • NXDOMAIN redirection.
  • New 'rndc flushtree' command clears all data under a given name from
    the DNS cache.
  • New 'rndc sync' command dumps pending changes in a dynamic zone to
    disk without a freeze/thaw cycle.
  • New 'rndc signing' command displays or clears signing status records
    in 'auto-dnssec' zones.
  • NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
    signing, eliminating the need to initially sign with NSEC.
  • Startup time improvements on large authoritative servers.
  • Slave zones are now saved in raw format by default.
  • Several improvements to response policy zones (RPZ).
  • Improved hardware scalability by using multiple threads to listen for
    queries and using finer-grained client locking
  • The 'also-notify' option now takes the same syntax as 'masters', so it
    can use named masterlists and TSIG keys.
  • 'dnssec-signzone -D' writes an output file containing only DNSSEC
    data, which can be included by the primary zone file.
  • 'dnssec-signzone -R' forces removal of signatures that are not expired
    but were created by a key which no longer exists.
  • 'dnssec-signzone -X' allows a separate expiration date to be specified
    for DNSKEY signatures from other signatures.
  • New '-L' option to dnssec-keygen, dnssec-settime, and
    dnssec-keyfromlabel sets the default TTL for the key.
  • dnssec-dsfromkey now supports reading from standard input, to make it
    easier to convert DNSKEY to DS.
  • RFC 1918 reverse zones have been added to the empty-zones table per
    RFC 6303.
  • Dynamic updates can now optionally set the zone's SOA serial number to
    the current UNIX time.
  • DLZ modules can now retrieve the source IP address of the querying
    client.
  • 'request-ixfr' option can now be set at the per-zone level.
  • 'dig +rrcomments' turns on comments about DNSKEY records, indicating
    their key ID, algorithm and function
  • Simplified nsupdate syntax and added readline support

BIND 9.8.0

BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:

  • Built-in trust anchor for the root zone, which can be switched on via
    "dnssec-validation auto;"
  • Support for DNS64.
  • Support for response policy zones (RPZ).
  • Support for writable DLZ zones.
  • Improved ease of configuration of GSS/TSIG for interoperability with
    Active Directory
  • Support for GOST signing algorithm for DNSSEC.
  • Removed RTT Banding from server selection algorithm.
  • New "static-stub" zone type.
  • Allow configuration of resolver timeouts via "resolver-query-timeout"
    option.
  • The DLZ "dlopen" driver is now built by default.
  • Added a new include file with function typedefs for the DLZ "dlopen"
    driver.
  • Made "--with-gssapi" default.
  • More verbose error reporting from DLZ LDAP.

BIND 9.7.0

BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration. New features
include:

  • Fully automatic signing of zones by "named".
  • Simplified configuration of DNSSEC Lookaside Validation (DLV).
  • Simplified configuration of Dynamic DNS, using the "ddns-confgen"
    command line tool or the "local" update-policy option. (As a side
    effect, this also makes it easier to configure automatic zone
    re-signing.)
  • New named option "attach-cache" that allows multiple views to share a
    single cache.
  • DNS rebinding attack prevention.
  • New default values for dnssec-keygen parameters.
  • Support for RFC 5011 automated trust anchor maintenance
  • Smart signing: simplified tools for zone signing and key maintenance.
  • The "statistics-channels" option is now available on Windows.
  • A new DNSSEC-aware libdns API for use by non-BIND9 applications
  • On some platforms, named and other binaries can now print out a stack
    backtrace on assertion failure, to aid in debugging.
  • A "tools only" installation mode on Windows, which only installs dig,
    host, nslookup and nsupdate.
  • Improved PKCS#11 support, including Keyper support and explicit
    OpenSSL engine selection.

BIND 9.6.0

  • Full NSEC3 support
  • Automatic zone re-signing
  • New update-policy methods tcp-self and 6to4-self
  • The BIND 8 resolver library, libbind, has been removed from the BIND 9
    distribution and is now available as a separate download.
  • Change the default pid file location from /var/run to /var/run/
    {named,lwresd} for improved chroot/setuid support.

BIND 9.5.0

  • GSS-TSIG support (RFC 3645).
  • DHCID support.
  • Experimental http server and statistics support for named via xml.
  • More detailed statistics counters including those supported in BIND 8.
  • Faster ACL processing.
  • Use Doxygen to generate internal documentation.
  • Efficient LRU cache-cleaning mechanism.
  • NSID support.

BIND 9.4.0

  • Implemented "additional section caching (or acache)", an internal
    cache framework for additional section content to improve response
    performance. Several configuration options were provided to control
    the behavior.
  • New notify type 'master-only'. Enable notify for master zones only.
  • Accept 'notify-source' style syntax for query-source.
  • rndc now allows addresses to be set in the server clauses.
  • New option "allow-query-cache". This lets "allow-query" be used to
    specify the default zone access level rather than having to have every
    zone override the global value. "allow-query-cache" can be set at both
    the options and view levels. If "allow-query-cache" is not set then
    "allow-recursion" is used if set, otherwise "allow-query" is used if
    set unless "recursion no;" is set in which case "none;" is used,
    otherwise the default (localhost; localnets;) is used.
  • rndc: the source address can now be specified.
  • ixfr-from-differences now takes master and slave in addition to yes
    and no at the options and view levels.
  • Allow the journal's name to be changed via named.conf.
  • 'rndc notify zone [class [view]]' resends the NOTIFY messages for the
    specified zone.
  • 'dig +trace' now randomly selects the next servers to try. Report if
    there is a bad delegation.
  • Improve check-names error messages.
  • Make public the function to read a key file, dst_key_read_public().
  • dig now returns the byte count for axfr/ixfr.
  • allow-update is now settable at the options / view level.
  • named-checkconf now checks the logging configuration.
  • host now can turn on memory debugging flags with '-m'.
  • Don't send notify messages to self.
  • Perform sanity checks on NS records which refer to 'in zone' names.
  • New zone option "notify-delay". Specify a minimum delay between sets
    of NOTIFY messages.
  • Extend adjusting TTL warning messages.
  • Named and named-checkzone can now both check for non-terminal wildcard
    records.
  • "rndc freeze/thaw" now freezes/thaws all zones.
  • named-checkconf now checks acls to verify that they only refer to
    existing acls.
  • The server syntax has been extended to support a range of servers.
  • Report differences between hints and real NS rrset and associated
    address records.
  • Preserve the case of domain names in rdata during zone transfers.
  • Restructured the data locking framework using architecture dependent
    atomic operations (when available), improving response performance on
    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
    and mips are currently supported.
  • UNIX domain controls are now supported.
  • Add support for additional zone file formats for improving loading
    performance. The masterfile-format option in named.conf can be used to
    specify a non-default format. A separate command named-compilezone was
    provided to generate zone files in the new format. Additionally, the
    -I and -O options for dnssec-signzone specify the input and output
    formats.
  • dnssec-signzone can now randomize signature end times (dnssec-signzone
    -j jitter).
  • Add support for CH A record.
  • Add additional zone data consistency checks. named-checkzone has
    extended checking of NS, MX and SRV records and the hosts they
    reference. named has extended post zone load checks. New zone options:
    check-mx and integrity-check.
  • edns-udp-size can now be overridden on a per server basis.
  • dig can now specify the EDNS version when making a query.
  • Added framework for handling multiple EDNS versions.
  • Additional memory debugging support to track size and mctx arguments.
  • Detect duplicates of UDP queries we are recursing on and drop them.
    New stats category "duplicates".
  • "USE INTERNAL MALLOC" is now runtime selectable.
  • The lame cache is now done on a <qname,qclass,qtype> basis as some
    servers only appear to be lame for certain query types.
  • Limit the number of recursive clients that can be waiting for a single
    query (<qname,qtype,qclass>) to resolve. New options clients-per-query
    and max-clients-per-query.
  • dig: report the number of extra bytes still left in the packet after
    processing all the records.
  • Support for IPSECKEY rdata type.
  • Raise the UDP receive buffer size to 32k if it is less than 32k.
  • x86 and x86_64 now have separate atomic locking implementations.
  • named-checkconf now validates update-policy entries.
  • Attempt to make the amount of work performed in an iteration
    self-tuning. This covers nodes cleaned from the cache per iteration,
    nodes written to disk when rewriting a master file and nodes destroyed
    per iteration when destroying a zone or a cache.
  • ISC string copy API.
  • Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
    1918 zones are not yet covered by this but are likely to be in a
    future release.
  • New options: empty-server, empty-contact, empty-zones-enable and
    disable-empty-zone.
  • dig now has a '-q queryname' and '+showsearch' options.
  • host/nslookup now continue (default)/fail on SERVFAIL.
  • dig now warns if 'RA' is not set in the answer when 'RD' was set in
    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
    is set unless a server is explicitly set.
  • Integrate contributed DLZ code into named.
  • Integrate contributed IDN code from JPNIC.
  • libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0

  • DNSSEC is now DS based (RFC 3658).
  • DNSSEC lookaside validation.
  • check-names is now implemented.
  • rrset-order is more complete.
  • IPv4/IPv6 transition support, dual-stack-servers.
  • IXFR deltas can now be generated when loading master files,
    ixfr-from-differences.
  • It is now possible to specify the size of a journal, max-journal-size.
  • It is now possible to define a named set of master servers to be used
Tinderbox User's avatar
Tinderbox User committed
349
    in masters clause, masters.
  • The advertised EDNS UDP size can now be set, edns-udp-size.
  • allow-v6-synthesis has been obsoleted.
  • Zones containing MD and MF will now be rejected.
  • dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
    NOTIMPL. This will have impact on scripts that are looking for
    NOTIMPL.
  • libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0

  • The size of the cache can now be limited using the "max-cache-size"
    option.
  • The server can now automatically convert RFC1886-style recursive
    lookup requests into RFC2874-style lookups, when enabled using the new
    option "allow-v6-synthesis". This allows stub resolvers that support
    AAAA records but not A6 record chains or binary labels to perform
    lookups in domains that make use of these IPv6 DNS features.
  • Performance has been improved.
  • The man pages now use the more portable "man" macros rather than the
    "mandoc" macros, and are installed by "make install".
  • The named.conf parser has been completely rewritten. It now supports
    "include" directives in more places such as inside "view" statements,
    and it no longer has any reserved words.
  • The "rndc status" command is now implemented.
  • rndc can now be configured automatically.
  • A BIND 8 compatible stub resolver library is now included in lib/bind.
  • OpenSSL has been removed from the distribution. This means that to use
Tinderbox User's avatar
Tinderbox User committed
377 378 379
    DNSSEC, OpenSSL must be installed and the --with-openssl option must
    be supplied to configure. This does not apply to the use of TSIG,
    which does not require OpenSSL.
  • The source distribution now builds on Windows. See win32utils/
    readme1.txt and win32utils/win32-build.txt for details.
  • This distribution also includes a new lightweight stub resolver
    library and associated resolver daemon that fully support forward and
    reverse lookups of both IPv4 and IPv6 addresses. This library is
    considered experimental and is not a complete replacement for the BIND
    8 resolver library. Applications that use the BIND 8 res_* functions
    to perform DNS lookups or dynamic updates still need to be linked
    against the BIND 8 libraries. For DNS lookups, they can also use the
    new "getrrsetbyname()" API.
  • BIND 9.2 is capable of acting as an authoritative server for DNSSEC
    secured zones. This functionality is believed to be stable and
    complete except for lacking support for verifications involving
    wildcard records in secure zones.
  • When acting as a caching server, BIND 9.2 can be configured to perform
    DNSSEC secure resolution on behalf of its clients. This part of the
    DNSSEC implementation is still considered experimental. For detailed
    information about the state of the DNSSEC implementation, see the file
    doc/misc/dnssec.