Commit 6993d913 authored by Evan Hunt

update new features list; also fix the "mirror" release note

parent 5bc0e410
Pipeline #2777 passed with stages in 8 minutes and 36 seconds
...@@ -109,6 +109,11 @@ of changes from BIND 9.12 and earlier releases. New features include: ...@@ -109,6 +109,11 @@ of changes from BIND 9.12 and earlier releases. New features include:
* "Root key sentinel" support, enabling validating resolvers to indicate * "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root via a special query which trust anchors are configured for the root
zone. zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
In addition, cryptographic support has been modernized. BIND now uses the In addition, cryptographic support has been modernized. BIND now uses the
best available pseudo-random number generator for the platform on which best available pseudo-random number generator for the platform on which
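Review bot: the new bullet mixes terminology: it opens with "Secondary zones" but then compares them to "traditional slave zones", while the release note in this same commit deliberately switches from "slave zone option" to "secondary zone option". Use "traditional secondary zones" here so the README and the release note agree. The bullet also only says the contents are "subject to DNSSEC validation"; if the behaviour when validation fails is defined, one clause stating whether the zone is still served would answer the question an operator will ask first.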
...@@ -118,11 +123,18 @@ supported. ...@@ -118,11 +123,18 @@ supported.
Building BIND Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
support, and a 64-bit integer type. Successful builds have been observed basic POSIX support, and a 64-bit integer type. Successful builds have
on many versions of Linux and UNIX, including RedHat, Fedora, Debian, been observed on many versions of Linux and UNIX, including RedHat,
Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, Fedora, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS
HP-UX, AIX, SCO OpenServer, and OpenWRT. X, Solaris, HP-UX, AIX, SCO OpenServer, and OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires the
libcap library to set process privileges, though this requirement can be
overridden by disabling capability support at compile time. See
Compile-time options below for details on other libraries that may be
required to support optional features.
BIND is also available for Windows 2008 and higher. See win32utils/ BIND is also available for Windows 2008 and higher. See win32utils/
readme1st.txt for details on building for Windows systems. readme1st.txt for details on building for Windows systems.
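Review bot: the new paragraph says the libcap requirement "can be overridden by disabling capability support at compile time" without naming the option, even though the same commit adds `--disable-linux-caps` to this README further down. Name the option here, or point to the later paragraph explicitly, so the reader does not have to search for it; the same applies to the sentence on the PKCS#11 alternative, which could refer forward to `--enable-native-pkcs11` in the DNSSEC section.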
...@@ -193,11 +205,10 @@ smaller systems. ...@@ -193,11 +205,10 @@ smaller systems.
For the server to support DNSSEC, you need to build it with crypto For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location, installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using "--with-openssl=<PREFIX>" on the configure specify the prefix using --with-openssl=<PREFIX> on the configure command
command line. To use a PKCS#11 hardware service module for cryptographic line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using operations, specify the path to the PKCS#11 provider library using
"--with-pkcs11=<PREFIX>", and configure BIND with --with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
"--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https:// least one of the following: libxml2 http://xmlsoft.org or json-c https://
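Review bot: "For the server to support DNSSEC, you need to build it with crypto support" now conflicts with the new "Building BIND" text in this commit, which makes a cryptography provider library an unconditional requirement. Reword the opening sentence so that crypto is always required and `--with-openssl=<PREFIX>` / `--with-pkcs11=<PREFIX>` merely select the provider, e.g. "BIND requires a cryptography provider. To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed." Dropping the quotes around the options is consistent with the rest of the plain-text README.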
...@@ -210,17 +221,22 @@ specify the prefix using --with-zlib=/prefix. ...@@ -210,17 +221,22 @@ specify the prefix using --with-zlib=/prefix.
To support storing configuration data for runtime-added zones in an LMDB To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using "with-lmdb=/prefix". a nonstandard location, specify the prefix using with-lmdb=/prefix.
To support GeoIP location-based ACLs, the server must be linked with To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use --with-geoip. If the library is installed in a nonstandard location,
specify the prefix using "--with-geoip=/prefix". specify the prefix using --with-geoip=/prefix.
For DNSTAP packet logging, you must have installed libfstrm https:// For DNSTAP packet logging, you must have installed libfstrm https://
github.com/farsightsec/fstrm and libprotobuf-c https:// github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with developers.google.com/protocol-buffers, and BIND must be configured with
"--enable-dnstap". --enable-dnstap.
On Linux, process capabilities are managed in user space using the libcap
library, which can be installed on most Linux systems via the libcap-dev
or libcap-devel module. Process capability support can also be disabled by
configuring with --disable-linux-caps.
Portions of BIND that are written in Python, including dnssec-keymgr, Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the dnssec-coverage, dnssec-checkds, and some of the system tests, require the
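Review bot: `with-lmdb=/prefix` is missing its leading `--`; since this line is already being edited to remove the quotes, fix it to `--with-lmdb=/prefix` to match `--with-geoip=/prefix` and `--with-zlib=/prefix` in the surrounding text. The new libcap paragraph also repeats the libcap requirement already added to "Building BIND" earlier in this commit; keep the package names (`libcap-dev`, `libcap-devel`) and `--disable-linux-caps` in one place and have the other mention refer to it.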
......
...@@ -126,6 +126,11 @@ include: ...@@ -126,6 +126,11 @@ include:
* Support for IDNA2008 when linking with `libidn2`. * Support for IDNA2008 when linking with `libidn2`.
* "Root key sentinel" support, enabling validating resolvers to indicate * "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root zone. via a special query which trust anchors are configured for the root zone.
* Secondary zones can now be configured as "mirror" zones; their contents
are transferred in as with traditional slave zones, but are subject to
DNSSEC validation and are not treated as authoritative data when
answering. This makes it easier to configure a local copy of the root
zone as described in RFC 7706.
In addition, cryptographic support has been modernized. BIND now uses the In addition, cryptographic support has been modernized. BIND now uses the
best available pseudo-random number generator for the platform on which best available pseudo-random number generator for the platform on which
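Review bot: same terminology mix as in the plain-text README: the bullet starts with "Secondary zones" and then says "traditional slave zones"; keep both files on "secondary". This file puts identifiers in backticks (`libidn2` on the line above), so the option name should probably be written as `mirror` rather than in quotes.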
...@@ -135,11 +140,18 @@ longer supported. ...@@ -135,11 +140,18 @@ longer supported.
### <a name="build"/> Building BIND ### <a name="build"/> Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
support, and a 64-bit integer type. Successful builds have been observed on basic POSIX support, and a 64-bit integer type. Successful builds have been
many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu, observed on many versions of Linux and UNIX, including RedHat, Fedora,
SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX, Debian, Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X,
SCO OpenServer, and OpenWRT. Solaris, HP-UX, AIX, SCO OpenServer, and OpenWRT.
BIND requires a cryptography provider library such as OpenSSL or a
hardware service module supporting PKCS#11. On Linux, BIND requires
the `libcap` library to set process privileges, though this requirement
can be overridden by disabling capability support at compile time.
See [Compile-time options](#opts) below for details on other libraries
that may be required to support optional features.
BIND is also available for Windows 2008 and higher. See BIND is also available for Windows 2008 and higher. See
`win32utils/readme1st.txt` for details on building for Windows `win32utils/readme1st.txt` for details on building for Windows
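Review bot: the new link `[Compile-time options](#opts)` only works if the target section carries an `<a name="opts"/>` anchor in the same style as `<a name="build"/>` on this heading; that anchor is not visible in this diff, so confirm it exists, otherwise the link silently goes nowhere in the rendered README. As in the plain-text README, name `--disable-linux-caps` here instead of only saying the requirement "can be overridden".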
...@@ -205,10 +217,10 @@ performance on smaller systems. ...@@ -205,10 +217,10 @@ performance on smaller systems.
For the server to support DNSSEC, you need to build it with crypto support. For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix OpenSSL library is installed in a nonstandard location, specify the prefix
using "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a using `--with-openssl=<PREFIX>` on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
configure BIND with "--enable-native-pkcs11". configure BIND with `--enable-native-pkcs11`.
To support the HTTP statistics channel, the server must be linked with at To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 least one of the following: libxml2
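Review bot: replacing the `&lt;PREFIX&gt;` entities with the backticked `--with-openssl=<PREFIX>` form is the right fix for the rendering, but "For the server to support DNSSEC, you need to build it with crypto support" now contradicts the new "Building BIND" paragraph that makes a cryptography provider mandatory. Reword so that crypto is always required and the `--with-openssl`, `--with-pkcs11` and `--enable-native-pkcs11` options choose the provider.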
...@@ -223,18 +235,23 @@ specify the prefix using `--with-zlib=/prefix`. ...@@ -223,18 +235,23 @@ specify the prefix using `--with-zlib=/prefix`.
To support storing configuration data for runtime-added zones in an LMDB To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using "with-lmdb=/prefix". nonstandard location, specify the prefix using `with-lmdb=/prefix`.
To support GeoIP location-based ACLs, the server must be linked with To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location, use `--with-geoip`. If the library is installed in a nonstandard location,
specify the prefix using "--with-geoip=/prefix". specify the prefix using `--with-geoip=/prefix`.
For DNSTAP packet logging, you must have installed libfstrm For DNSTAP packet logging, you must have installed libfstrm
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm) [https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c and libprotobuf-c
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers), [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with "--enable-dnstap". and BIND must be configured with `--enable-dnstap`.
On Linux, process capabilities are managed in user space using
the `libcap` library, which can be installed on most Linux systems via
the `libcap-dev` or `libcap-devel` module. Process capability support can
also be disabled by configuring with `--disable-linux-caps`.
Portions of BIND that are written in Python, including Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the `dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
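Review bot: `with-lmdb=/prefix` lacks its leading `--` (compare `--with-geoip=/prefix` and `--with-zlib=/prefix` in this hunk); fix it to `--with-lmdb=/prefix` while the line is being touched for the backticks.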
......
...@@ -79,12 +79,17 @@ ...@@ -79,12 +79,17 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
A new slave zone option, <command>mirror<command>, enables A new secondary zone option, <command>mirror</command>,
serving a non-authoritative copy of a zone that is subject to enables <command>named</command> to serve a transferred copy
DNSSEC validation before being used. For now, this option is of a zone's contents without acting as an authority for the
only meant to facilitate deployment of an RFC 7706-style local zone. DNS responses from mirror zones do not set the AA
copy of the root zone. ("authoritative answer") bit, and are subject to DNSSEC
validation. This is meant to facilitate deployment
of a local copy of the root zone as described in RFC 7706.
[GL #33]
</para> </para>
</listitem>
<listitem>
<para> <para>
BIND now can be compiled against the <command>libidn2</command> BIND now can be compiled against the <command>libidn2</command>
library to add IDNA2008 support. Previously, BIND supported library to add IDNA2008 support. Previously, BIND supported
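Review bot: in the rewritten note, "DNS responses from mirror zones do not set the AA ("authoritative answer") bit, and are subject to DNSSEC validation" reads as though the responses are what gets validated; it is the transferred zone contents that are validated before being served, as the README bullets in this commit put it. Suggest: "DNS responses from mirror zones do not set the AA bit. The zone contents are subject to DNSSEC validation before being served." Closing the previously unclosed `<command>mirror<command>` tag and splitting the two paragraphs into separate `<listitem>` elements are both correct fixes of the earlier markup; the `[GL #33]` reference is a welcome addition.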
......