README 17.5 KB
Newer Older
Bob Halley's avatar
Bob Halley committed
1
BIND 9
Bob Halley's avatar
update  
Bob Halley committed
2

Bob Halley's avatar
Bob Halley committed
3
	BIND version 9 is a major rewrite of nearly all aspects of the
4 5 6 7 8 9 10 11 12
	underlying BIND architecture.  Some of the important features of
	BIND 9 are:

		- DNS Security
			DNSSEC (signed zones)
			TSIG (signed DNS requests)

		- IP version 6
			Answers DNS queries on IPv6 sockets
13
			IPv6 resource records (AAAA)
14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
			Experimental IPv6 Resolver Library

		- DNS Protocol Enhancements
			IXFR, DDNS, Notify, EDNS0
			Improved standards conformance

		- Views
			One server process can provide multiple "views" of
			the DNS namespace, e.g. an "inside" view to certain
			clients, and an "outside" view to others.

		- Multiprocessor Support

		- Improved Portability Architecture

Bob Halley's avatar
Bob Halley committed
29 30 31 32

	BIND version 9 development has been underwritten by the following
	organizations:

33 34 35 36 37 38 39 40
		Sun Microsystems, Inc.
		Hewlett Packard
		Compaq Computer Corporation
		IBM
		Process Software Corporation
		Silicon Graphics, Inc.
		Network Associates, Inc.
		U.S. Defense Information Systems Agency
Bob Halley's avatar
Bob Halley committed
41 42
		USENIX Association
		Stichting NLnet - NLnet Foundation
43
		Nominum, Inc.
Bob Halley's avatar
update  
Bob Halley committed
44

Mark Andrews's avatar
9.5.0a1  
Mark Andrews committed
45 46 47 48 49 50 51 52 53 54 55
BIND 9.5.0

	BIND 9.5.0 has a number of new features over 9.4,
	including:

	GSS-TSIG support (RFC 3645).

	DHCID support.

	Experimental http server and statistics support for named via xml.

56 57
	More detailed statistics counters including those supported in BIND 8.

Evan Hunt's avatar
Evan Hunt committed
58 59
	Faster ACL processing.

60
	Use Doxygen to generate internal documentation.
Mark Andrews's avatar
9.5.0a1  
Mark Andrews committed
61

Evan Hunt's avatar
Evan Hunt committed
62 63
        Efficient LRU cache-cleaning mechanism.

64 65
        NSID support.

Mark Andrews's avatar
Mark Andrews committed
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
BIND 9.4.0

	BIND 9.4.0 has a number of new features over 9.3,
	including:

	Implemented "additional section caching (or acache)", an
	internal cache framework for additional section content to
	improve response performance.  Several configuration options
	were provided to control the behavior.

	New notify type 'master-only'.  Enable notify for master
	zones only.

	Accept 'notify-source' style syntax for query-source.

	rndc now allows addresses to be set in the server clauses.

	New option "allow-query-cache".  This lets allow-query be
	used to specify the default zone access level rather than
	having to have every zone override the global value.
	allow-query-cache can be set at both the options and view
87 88 89
	levels. If allow-query-cache is not set then allow-recursion
	is used if set, otherwise allow-query is used if set, otherwise
	the default (localhost; localnets;) is used.
Mark Andrews's avatar
Mark Andrews committed
90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230

	rndc: the source address can now be specified.

	ixfr-from-differences now takes master and slave in addition
	to yes and no at the options and view levels.

	Allow the journal's name to be changed via named.conf.

	'rndc notify zone [class [view]]' resend the NOTIFY messages
	for the specified zone.

	'dig +trace' now randomly selects the next servers to try.
	Report if there is a bad delegation.

	Improve check-names error messages.

	Make public the function to read a key file, dst_key_read_public().

	dig now returns the byte count for axfr/ixfr.
			
	allow-update is now settable at the options / view level.

	named-checkconf now checks the logging configuration.

	host now can turn on memory debugging flags with '-m'.

	Don't send notify messages to self.

	Perform sanity checks on NS records which refer to 'in zone' names.

	New zone option "notify-delay".  Specify a minimum delay
	between sets of NOTIFY messages.

	Extend adjusting TTL warning messages.

	Named and named-checkzone can now both check for non-terminal
	wildcard records.

	"rndc freeze/thaw" now freezes/thaws all zones.

	named-checkconf now check acls to verify that they only
	refer to existing acls.

	The server syntax has been extended to support a range of
	servers.

	Report differences between hints and real NS rrset and
	associated address records.

	Preserve the case of domain names in rdata during zone
	transfers.

	Restructured the data locking framework using architecture
	dependent atomic operations (when available), improving
	response performance on multi-processor machines significantly.
	x86, x86_64, alpha, powerpc, and mips are currently supported.

	UNIX domain controls are now supported.

	Add support for additional zone file formats for improving
	loading performance.  The masterfile-format option in
	named.conf can be used to specify a non-default format.  A
	separate command named-compilezone was provided to generate
	zone files in the new format.  Additionally, the -I and -O
	options for dnssec-signzone specify the input and output
	formats.

	dnssec-signzone can now randomize signature end times
	(dnssec-signzone -j jitter).

	Add support for CH A record.

	Add additional zone data constancy checks.  named-checkzone
	has extended checking of NS, MX and SRV record and the hosts
	they reference.  named has extended post zone load checks.
	New zone options: check-mx and integrity-check.


	edns-udp-size can now be overridden on a per server basis.

	dig can now specify the EDNS version when making a query.

	Added framework for handling multiple EDNS versions.

	Additional memory debugging support to track size and mctx
	arguments.

	Detect duplicates of UDP queries we are recursing on and
	drop them.  New stats category "duplicates".

	"USE INTERNAL MALLOC" is now runtime selectable.

	The lame cache is now done on a <qname,qclass,qtype> basis
	as some servers only appear to be lame for certain query
	types.

	Limit the number of recursive clients that can be waiting
	for a single query (<qname,qtype,qclass>) to resolve.  New
	options clients-per-query and max-clients-per-query.

	dig: report the number of extra bytes still left in the
	packet after processing all the records.

	Support for IPSECKEY rdata type.

	Raise the UDP recieve buffer size to 32k if it is less than 32k.

	x86 and x86_64 now have seperate atomic locking implementations.

	named-checkconf now validates update-policy entries.

	Attempt to make the amount of work performed in a iteration
	self tuning.  The covers nodes clean from the cache per
	iteration, nodes written to disk when rewriting a master
	file and nodes destroyed per iteration when destroying a
	zone or a cache.

	ISC string copy API.

	Automatic empty zone creation for D.F.IP6.ARPA and friends.
	Note: RFC 1918 zones are not yet covered by this but are
	likely to be in a future release.

	New options: empty-server, empty-contact, empty-zones-enable
	and disable-empty-zone.

	dig now has a '-q queryname' and '+showsearch' options.

	host/nslookup now continue (default)/fail on SERVFAIL.

	dig now warns if 'RA' is not set in the answer when 'RD'
	was set in the query.  host/nslookup skip servers that fail
	to set 'RA' when 'RD' is set unless a server is explicitly
	set.

	Integrate contibuted DLZ code into named.

	Integrate contibuted IDN code from JPNIC.

	libbind: corresponds to that from BIND 8.4.7.

231 232 233 234 235
BIND 9.3.0

	BIND 9.3.0 has a number of new features over 9.2,
	including:

236 237
	DNSSEC is now DS based (RFC 3658).
	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
Mark Andrews's avatar
Mark Andrews committed
238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257

	DNSSEC lookaside validation.

	check-names is now implemented.
	rrset-order in more complete.

	IPv4/IPv6 transition support, dual-stack-servers.

	IXFR deltas can now be generated when loading master files,
	ixfr-from-differences.

	It is now possible to specify the size of a journal, max-journal-size.

	It is now possible to define a named set of master servers to be
	used in masters clause, masters.

	The advertised EDNS UDP size can now be set, edns-udp-size.

	allow-v6-synthesis has been obsoleted.

Mark Andrews's avatar
Mark Andrews committed
258 259 260 261 262 263
	NOTE:
	* Zones containing MD and MF will now be rejected.
	* dig, nslookup name. now report "Not Implemented" as
	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
	  that are looking for NOTIMPL.

Mark Andrews's avatar
Mark Andrews committed
264
	libbind: corresponds to that from BIND 8.4.5.
265 266

BIND 9.2.0
Andreas Gustafsson's avatar
Andreas Gustafsson committed
267

Andreas Gustafsson's avatar
Andreas Gustafsson committed
268 269
	BIND 9.2.0 has a number of new features over 9.1,
	including:
Andreas Gustafsson's avatar
Andreas Gustafsson committed
270

271 272 273 274
	  - The size of the cache can now be limited using the
            "max-cache-size" option.

	  - The server can now automatically convert RFC1886-style
Andreas Gustafsson's avatar
Andreas Gustafsson committed
275
	    recursive lookup requests into RFC2874-style lookups, 
276
	    when enabled using the new option "allow-v6-synthesis".
Andreas Gustafsson's avatar
Andreas Gustafsson committed
277 278 279 280 281
            This allows stub resolvers that support AAAA records
            but not A6 record chains or binary labels to perform
            lookups in domains that make use of these IPv6 DNS
            features.

282 283 284 285 286
	  - Performance has been improved.

	  - The man pages now use the more portable "man" macros
	    rather than the "mandoc" macros, and are installed
            by "make install".
287

Andreas Gustafsson's avatar
Andreas Gustafsson committed
288 289
          - The named.conf parser has been completely rewritten.
            It now supports "include" directives in more
Mark Andrews's avatar
Mark Andrews committed
290
            places such as inside "view" statements, and it no
Andreas Gustafsson's avatar
Andreas Gustafsson committed
291 292
            longer has any reserved words.

Andreas Gustafsson's avatar
Andreas Gustafsson committed
293 294
          - The "rndc status" command is now implemented.

Brian Wellington's avatar
updates  
Brian Wellington committed
295 296
	  - rndc can now be configured automatically.

297 298
	  - A BIND 8 compatible stub resolver library is now
	    included in lib/bind.
Andreas Gustafsson's avatar
Andreas Gustafsson committed
299

Andreas Gustafsson's avatar
Andreas Gustafsson committed
300 301 302 303 304
	  - OpenSSL has been removed from the distribution.  This
	    means that to use DNSSEC, OpenSSL must be installed and
	    the --with-openssl option must be supplied to configure.
	    This does not apply to the use of TSIG, which does not
	    require OpenSSL.
305

306
	  - The source distribution now builds on Windows.
307 308
	    See win32utils/readme1.txt and win32utils/win32-build.txt
	    for details.
Andreas Gustafsson's avatar
Andreas Gustafsson committed
309

Andreas Gustafsson's avatar
Andreas Gustafsson committed
310
	This distribution also includes a new lightweight stub
Andreas Gustafsson's avatar
Andreas Gustafsson committed
311 312
	resolver library and associated resolver daemon that fully
	support forward and reverse lookups of both IPv4 and IPv6
Andreas Gustafsson's avatar
Andreas Gustafsson committed
313
	addresses.  This library is considered experimental and
Andreas Gustafsson's avatar
Andreas Gustafsson committed
314 315 316 317 318 319 320
	is not a complete replacement for the BIND 8 resolver library.
	Applications that use the BIND 8 res_* functions to perform
	DNS lookups or dynamic updates still need to be linked against
	the BIND 8 libraries.  For DNS lookups, they can also use the
	new "getrrsetbyname()" API.

	BIND 9.2 is capable of acting as an authoritative server
Andreas Gustafsson's avatar
Andreas Gustafsson committed
321
	for DNSSEC secured zones.  This functionality is believed to
322 323
	be stable and complete except for lacking support for
	verifications involving wildcard records in secure zones.
Andreas Gustafsson's avatar
Andreas Gustafsson committed
324

Andreas Gustafsson's avatar
Andreas Gustafsson committed
325
	When acting as a caching server, BIND 9.2 can be configured
Andreas Gustafsson's avatar
Andreas Gustafsson committed
326 327 328 329 330 331 332 333 334 335 336 337 338 339 340
	to perform DNSSEC secure resolution on behalf of its clients.
	This part of the DNSSEC implementation is still considered
	experimental.  For detailed information about the state of the
	DNSSEC implementation, see the file doc/misc/dnssec.

	There are a few known bugs:

		On some systems, IPv6 and IPv4 sockets interact in
		unexpected ways.  For details, see doc/misc/ipv6.
		To reduce the impact of these problems, the server
		no longer listens for requests on IPv6 addresses
		by default.  If you need to accept DNS queries over
		IPv6, you must specify "listen-on-v6 { any; };"
		in the named.conf options statement.

341 342 343 344 345
		FreeBSD prior to 4.2 (and 4.2 if running as non-root)
		and OpenBSD prior to 2.8 log messages like
		"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
		This is due to a bug in "/dev/random" and impacts the
		server's DNSSEC support.
Andreas Gustafsson's avatar
grammar  
Andreas Gustafsson committed
346

Mark Andrews's avatar
Mark Andrews committed
347 348
		OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
		OS X 10.2 (Darwin 6.0) reports errors like
349 350 351 352
		"fcntl(3, F_SETFL, 4): Operation not supported by device".
		This is due to a bug in "/dev/random" and impacts the
		server's DNSSEC support.

Andreas Gustafsson's avatar
Andreas Gustafsson committed
353
		--with-libtool does not work on AIX.
Bob Halley's avatar
update  
Bob Halley committed
354

355 356
	A bug in some versions of the Microsoft DNS server can cause zone
        transfers from a BIND 9 server to a W2K server to fail.  For details,
357 358
	see the "Zone Transfers" section in doc/misc/migration.

359
	For a detailed list of user-visible changes from
360
	previous releases, see the CHANGES file.
Bob Halley's avatar
Bob Halley committed
361

362

Bob Halley's avatar
update  
Bob Halley committed
363 364
Building

Bob Halley's avatar
Bob Halley committed
365
	BIND 9 currently requires a UNIX system with an ANSI C compiler,
366
	basic POSIX support, and a 64 bit integer type.
Bob Halley's avatar
Bob Halley committed
367

368
	We've had successful builds and tests on the following systems:
Bob Halley's avatar
Bob Halley committed
369

370
		COMPAQ Tru64 UNIX 5.1B
371
		Fedora Core 6
372
		FreeBSD 4.10, 5.2.1, 6.2
373
		HP-UX 11.11
374 375 376 377 378
		Mac OS X 10.5
		NetBSD 3.x and 4.0-beta
		OpenBSD 3.3 and up
		Solaris 8, 9, 9 (x86), 10
		Ubuntu 7.04, 7.10
379 380 381 382 383
		Windows XP/2003/2008

        NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
        Windows, including Windows NT and Windows 2000, are no longer
        supported.
384

385 386 387 388 389 390 391 392 393 394 395 396 397 398 399
	We have recent reports from the user community that a supported
	version of BIND will build and run on the following systems:

		AIX 4.3, 5L
		CentOS 4, 4.5, 5
		Darwin 9.0.0d1/ARM
		Debian 4
		Fedora Core 5, 7
		FreeBSD 6.1
		HP-UX 11.23 PA
		MacOS X 10.4, 10.5
		Red Hat Enterprise Linux 4, 5
		SCO OpenServer 5.0.6
		Slackware 9, 10
		SuSE 9, 10
400

Bob Halley's avatar
Bob Halley committed
401 402 403 404 405
	To build, just

		./configure
		make

406 407
	Do not use a parallel "make".

Andreas Gustafsson's avatar
Andreas Gustafsson committed
408 409
	Several environment variables that can be set before running
	configure will affect compilation:
410

Andreas Gustafsson's avatar
Andreas Gustafsson committed
411 412 413
	    CC
		The C compiler to use.	configure tries to figure
		out the right one for supported systems.
414

Andreas Gustafsson's avatar
Andreas Gustafsson committed
415 416
	    CFLAGS
		C compiler flags.  Defaults to include -g and/or -O2
Mark Andrews's avatar
Mark Andrews committed
417
		as supported by the compiler.  
418

Andreas Gustafsson's avatar
Andreas Gustafsson committed
419 420 421 422
	    STD_CINCLUDES
		System header file directories.	 Can be used to specify
		where add-on thread or IPv6 support is, for example.
		Defaults to empty string.
423

Andreas Gustafsson's avatar
Andreas Gustafsson committed
424 425 426
	    STD_CDEFINES
		Any additional preprocessor symbols you want defined.
		Defaults to empty string.
427

428 429
		Possible settings:
		Change the default syslog facility of named/lwresd.
430 431 432 433
		  -DISC_FACILITY=LOG_LOCAL0	
		Enable DNSSEC signature chasing support in dig.
		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
				    -DDIG_SIGCHASE_BU=1)
434 435
		Disable dropping queries from particular well known ports.
		  -DNS_CLIENT_DROPPORT=0
436

437 438 439
	    LDFLAGS
		Linker flags. Defaults to empty string.

440 441 442 443 444 445 446 447 448 449 450
	The following need to be set when cross compiling.

	    BUILD_CC
		The native C compiler.
	    BUILD_CFLAGS (optional)
	    BUILD_CPPFLAGS (optional)
		Possible Settings:
		-DNEED_OPTARG=1		(optarg is not declared in <unistd.h>)
	    BUILD_LDFLAGS (optional)
	    BUILD_LIBS (optional)

Andreas Gustafsson's avatar
Andreas Gustafsson committed
451
	To build shared libraries, specify "--with-libtool" on the
452 453
	configure command line.

454 455
	For the server to support DNSSEC, you need to build it
	with crypto support.  You must have OpenSSL 0.9.5a
456 457 458 459 460 461
	or newer installed and specify "--with-openssl" on the
	configure command line.  If OpenSSL is installed under
	a nonstandard prefix, you can tell configure where to
	look for it using "--with-openssl=/prefix".

	To build libbind (the BIND 8 resolver library), specify
Mark Andrews's avatar
Mark Andrews committed
462 463
	"--enable-libbind" on the configure command line.

464 465 466 467 468 469
	On some platforms, BIND 9 can be built with multithreading
	support, allowing it to take advantage of multiple CPUs.
	You can specify whether to build a multithreaded BIND 9 
	by specifying "--enable-threads" or "--disable-threads"
	on the configure command line.  The default is operating
	system dependent.
Andreas Gustafsson's avatar
Andreas Gustafsson committed
470

471 472 473 474 475
        Support for the "fixed" rrset-order option can be enabled
        or disabled by specifying "--enable-fixed-rrset" or
        "--disable-fixed-rrset" on the configure command line.
        The default is "disabled", to reduce memory footprint.

476 477 478
	If your operating system has integrated support for IPv6, it
	will be used automatically.  If you have installed KAME IPv6
	separately, use "--with-kame[=PATH]" to specify its location.
479

Bob Halley's avatar
Bob Halley committed
480 481 482 483
	"make install" will install "named" and the various BIND 9 libraries.
	By default, installation is into /usr/local, but this can be changed
	with the "--prefix" option when running "configure".

484 485 486 487 488 489 490 491 492 493 494 495 496
	You may specify the option "--sysconfdir" to set the directory 
	where configuration files like "named.conf" go by default,
	and "--localstatedir" to set the default parent directory
	of "run/named.pid".   For backwards compatibility with BIND 8,
	--sysconfdir defaults to "/etc" and --localstatedir defaults to
	"/var" if no --prefix option is given.  If there is a --prefix
	option, sysconfdir defaults to "$prefix/etc" and localstatedir
	defaults to "$prefix/var".

	To see additional configure options, run "configure --help".
	Note that the help message does not reflect the BIND 8 
	compatibility defaults for sysconfdir and localstatedir.

497 498 499 500
	If you're planning on making changes to the BIND 9 source, you
	should also "make depend".  If you're using Emacs, you might find
	"make tags" helpful.

501 502 503
	If you need to re-run configure please run "make distclean" first.
	This will ensure that all the option changes take.

Bob Halley's avatar
Bob Halley committed
504 505
	Building with gcc is not supported, unless gcc is the vendor's usual
	compiler (e.g. the various BSD systems, Linux).
Mark Andrews's avatar
Mark Andrews committed
506
	
507
	Known compiler issues:
Mark Andrews's avatar
Mark Andrews committed
508
	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
Mark Andrews's avatar
Mark Andrews committed
509
	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
510
	* gcc-3.3.5 powerpc generates incorrect code at -02.
Mark Andrews's avatar
Mark Andrews committed
511
	* Irix, MipsPRO 7.4.1m is known to cause problems.
Bob Halley's avatar
Bob Halley committed
512

513 514 515 516
	A limited test suite can be run with "make test".  Many of
	the tests require you to configure a set of virtual IP addresses
	on your system, and some require Perl; see bin/tests/system/README
	for details.
517

518 519 520
	SunOS 4 requires "printf" to be installed to make the shared
	libraries.  sh-utils-1.16 provides a "printf" which compiles
	on SunOS 4.
521

522 523 524
Documentation

	The BIND 9 Administrator Reference Manual is included with the
525 526
	source distribution in DocBook XML and HTML format, in the
	doc/arm directory.
527 528

	Some of the programs in the BIND 9 distribution have man pages
529 530
	in their directories.  In particular, the command line
	options of "named" are documented in /bin/named/named.8.
531
	There is now also a set of man pages for the lwres library.
532 533

	If you are upgrading from BIND 8, please read the migration
534 535
	notes in doc/misc/migration.  If you are upgrading from
	BIND 4, read doc/misc/migration-4to9.
Bob Halley's avatar
Bob Halley committed
536

Andreas Gustafsson's avatar
English  
Andreas Gustafsson committed
537
	Frequently asked questions and their answers can be found in
Mark Andrews's avatar
Mark Andrews committed
538 539
	FAQ.

540 541

Bug Reports and Mailing Lists
542

Bob Halley's avatar
Bob Halley committed
543 544 545 546
	Bugs reports should be sent to

		bind9-bugs@isc.org

Mark Andrews's avatar
Mark Andrews committed
547
	To join the BIND Users mailing list, send mail to
Bob Halley's avatar
Bob Halley committed
548

Mark Andrews's avatar
Mark Andrews committed
549
		bind-users-request@isc.org
Bob Halley's avatar
Bob Halley committed
550

551 552
	archives of which can be found via

Mark Andrews's avatar
Mark Andrews committed
553
		http://www.isc.org/ops/lists/
554

Bob Halley's avatar
Bob Halley committed
555
	If you're planning on making changes to the BIND 9 source
Mark Andrews's avatar
Mark Andrews committed
556
	code, you might want to join the BIND Workers mailing list.
Bob Halley's avatar
Bob Halley committed
557 558
	Send mail to

Mark Andrews's avatar
Mark Andrews committed
559
		bind-workers-request@isc.org
Bob Halley's avatar
Bob Halley committed
560

Bob Halley's avatar
add  
Bob Halley committed
561