Copyright © 2010 Internet Systems Consortium, Inc.
This is the reference guide for BIND 10.
The most up-to-date version of this document, along with other documents for BIND 10, can be found at http://bind10.isc.org/docs.
Table of Contents
Table of Contents
BIND is the popular implementation of a DNS server, developer interfaces, and DNS tools. BIND 10 is a rewrite of BIND 9. BIND 10 is written in C++ and Python and provides a modular environment for serving and maintaining DNS.
This guide covers the experimental prototype version of BIND 10.
BIND 10, at this time, does not provide an recursive DNS server. It does provide a EDNS0- and DNSSEC-capable authoritative DNS server.
BIND 10 builds have been tested on Debian GNU/Linux 5, Ubuntu 9.10, NetBSD 5, Solaris 10, FreeBSD 7, and CentOS Linux 5.3. It has been tested on Sparc, i386, and amd64 hardware platforms. It is planned for BIND 10 to build, install and run on Windows and standard Unix-type platforms.
BIND 10 requires Python 3.1. Later versions may work, but Python 3.1 is the minimum version which will work.
For this development prototype release, the only supported data source backend is SQLite3. The authoritative server requires SQLite 3.3.9 or newer. The b10-xfrin and b10-xfrout modules require the libboost library, Boost Python library, libpython3 library, and the Python _sqlite3.so module.
Some operating systems do not provide these dependencies in their default installation nor standard packages collections. You may need to install them separately.
BIND 10 is modular. Part of this modularity is accomplished using multiple cooperating processes which, together, provide the server functionality. This is a change from the previous generation of BIND software, which used a single process.
At first, running many different processes may seem confusing. However, these processes are started, stopped, and maintained by a single command, bind10. This command starts a master process which will start other processes as needed. The processes started by the bind10 command have names starting with "b10-", including:
These are ran automatically by bind10 and do not need to be run manually.
Once BIND 10 is running, a few commands are used to interact directly with the system:
The tools and modules are covered in full detail in this guide. In addition, manual pages are also provided in the default installation.
BIND 10 also provides libraries and programmer interfaces for C++ and Python for the message bus, configuration backend, and, of course, DNS. These include detailed developer documentation and code examples.
Table of Contents
Some operating systems have split their distribution packages into a run-time and a development package. You will need to install the development package versions, which include header files and libraries, to build BIND 10 from source code.
Building from source code requires the Boost build-time headers. At least Boost version 1.34 is required.
The Boost Library, Boost Python Library, Python Library, and Python _sqlite3 module are required to enable the Xfrout and Xfrin support.
The Python related libraries and modules need to be built for Python 3.1.
Building BIND 10 also requires a C++ compiler and standard development headers. BIND 10 builds have been tested with GCC g++ 3.4.3, 4.1.2, 4.1.3, 4.2.1, 4.3.2, and 4.4.1.
This quickly covers the standard steps for installing and deploying BIND 10 as an authoritative name server using its defaults. For troubleshooting, full customizations and further details, see the respective chapters in the BIND 10 guide.
The development prototype of the b10-auth server listens on 0.0.0.0 (all interfaces) port 5300. (This is not the standard domain service port.)
To quickly get started with BIND 10, follow these steps.
Extract the tar file:
VERSION.tar.gz | tar -xvf -
Go into the source and run configure:
Install it (to default /usr/local):
Start the server:
Test it; for example:
dig @127.0.0.1 -p 5300 -c CH -t TXT authors.bind
Load desired zone file(s), for example:
BIND 10 is open source software written in C++ and Python. It is freely available in source code form from ISC via the Subversion code revision control system or as a downloadable tar file. It may also be available in pre-compiled ready-to-use packages from operating system vendors.
Downloading a release tar file is the recommended method to obtain the source code.
The BIND 10 releases are available as tar file downloads from ftp://ftp.isc.org/isc/bind10/. Periodic development snapshots may also be available.
Downloading this "bleeding edge" code is recommended only for developers or advanced users. Using development code in a production environment is not recommended.
When using source code retrieved via Subversion additional software will be required: automake (v1.11 or newer), libtoolize, and autoconf (2.59 or newer). These may need to be installed.
The latest development code, including temporary experiments and un-reviewed code, is available via the BIND 10 code revision control system. This is powered by Subversion and all the BIND 10 development is public. The leading development is done in the “trunk”.
The code can be checked out from
svn://bind10.isc.org/svn/bind10; for example to check out the trunk:
svn co svn://bind10.isc.org/svn/bind10/trunk
When checking out the code from
the code version control system, it doesn't include the
generated configure script, Makefile.in files, nor the
related configure files.
They can be created by running autoreconf
This will run autoconf,
and related commands.
BIND 10 uses the GNU Build System to discover build environment details. To generate the makefiles using the defaults, simply run:
Run ./configure with the
switch to view the different options. The commonly-used options are:
For example, the following configures it build with Boost Python support (for Python DNS library), find the Boost headers and library, find the Python interpreter, and sets the installation location:
./configure --with-boost-lib=/usr/pkg/lib \ --with-boost-include=/usr/pkg/include \ --with-boost-python \ --with-pythonpath=/usr/pkg/bin/python3.1 \ --prefix=/opt/bind10
If the configure fails, it may be due to missing or old dependencies.
After the configure step is complete, to build the executables from the C++ code and prepare the Python scripts, run:
To install the BIND 10 executables, support files, and documentation, run:
The install step may require superuser privileges.
Depending on your system and the location of your Boost Python and Python shared libraries, you may need to configure your run-time linker to find them (such as setting LD_LIBRARY_PATH).
The following is the layout of the complete BIND 10 installation:
bin/— general tools and diagnostic clients.
etc/bind10-devel/— configuration files.
lib/— libraries and python modules.
libexec/bind10-devel/— executables that a user wouldn't normally run directly and are not run independently. These are the BIND 10 modules which are daemons started by the bind10 tool.
sbin/— commands used by the system administrator.
share/bind10-devel/— configuration specifications.
share/man/— manual pages (online documentation).
var/bind10-devel/— data source and configuration databases.
Table of Contents
BIND 10 provides the bind10 command which starts up the required processes. bind10 will also restart processes that exit unexpectedly. This is the only command needed to start the BIND 10 system.
After starting the b10-msgq communications channel, bind10 connects to it, runs the configuration manager, and reads its own configuration. Then it starts the other modules.
The b10-msgq and b10-cfgmgr services make up the core. The b10-msgq daemon provides the communication channel between every part of the system. The b10-cfgmgr daemon is always needed by every module, if only to send information about themselves somewhere, but more importantly to ask about their own settings, and about other modules. The bind10 master process will also start up b10-cmdctl for admins to communicate with the system, b10-auth for Authoritative DNS service, b10-xfrin for inbound DNS zone transfers. and b10-xfrout for outbound DNS zone transfers.
The BIND 10 components use the b10-msgq message routing daemon to communicate with other BIND 10 components. The b10-msgq implements what is called the “Command Channel”. Processes intercommunicate by sending messages on the command channel. Example messages include shutdown, get configurations, and set configurations. This Command Channel is not used for DNS message passing. It is used only to control and monitor the BIND 10 system.
Administrators do not communicate directly with the b10-msgq daemon. By default, BIND 10 uses port 9912 for the b10-msgq service. It listens on 127.0.0.1.
The configuration manager, b10-cfgmgr, handles all BIND 10 system configuration. It provides persistent storage for configuration, and notifies running modules of configuration changes.
The b10-auth and b10-xfrin daemons and other components receive their configurations from the configuration manager over the b10-msgq command channel.
The administrator doesn't connect to it directly, but uses a user interface to communicate with the configuration manager via b10-cmdctl's REST-ful interface. b10-cmdctl is covered in Chapter 6, Remote control daemon.
The development prototype release only provides the bindctl as a user interface to b10-cmdctl. Upcoming releases will provide another interactive command-line interface and a web-based interface.
The b10-cfgmgr daemon can send all specifications and all current settings to the bindctl client (via b10-cmdctl).
b10-cfgmgr relays configurations received from b10-cmdctl to the appropriate modules.
The stored configuration file is at
(The full path is what was defined at build configure time for
The default is
The format is loosely based on JSON and is directly parseable
python, but this may change in a future version.
This configuration data file is not manually edited by the
The configuration manager does not have any command line arguments. Normally it is not started manually, but is automatically started using the bind10 master process (as covered in Chapter 3, Starting BIND10 with bind10).
Table of Contents
b10-cmdctl is the gateway between administrators and the BIND 10 system. It is a HTTPS server that uses standard HTTP Digest Authentication for username and password validation. It provides a REST-ful interface for accessing and controlling BIND 10.
When b10-cmdctl starts, it firsts asks b10-cfgmgr about what modules are running and what their configuration is (over the b10-msgq channel). Then it will start listening on HTTPS for clients — the user interface — such as bindctl.
b10-cmdctl directly sends commands (received from the user interface) to the specified component. Configuration changes are actually commands to b10-cfgmgr so are sent there.
The HTTPS server requires a private key,
such as a RSA PRIVATE KEY.
The default location is at
(A sample key is at
It also uses a certificate located at
(A sample certificate is at
This may be a self-signed certificate or purchased from a
The HTTPS server doesn't support a certificate request from a client (at this time). The b10-cmdctl daemon does not provide a public service. If any client wants to control BIND 10, then a certificate needs to be first received from the BIND 10 administrator. The BIND 10 installation provides a sample PEM bundle that matches the sample key and certificate.
The b10-cmdctl daemon also requires
the user account file located at
This comma-delimited file lists the accounts with a user name,
hashed password, and salt.
(A sample file is at
It contains the user named “root” with the password
The administrator may create a user account with the b10-cmdctl-usermgr tool.
By default the HTTPS server listens on the localhost port 8080.
The port can be set by using the
--port command line option.
The address to listen on can be set using the
Each HTTPS connection is stateless and timesout in 1200 seconds
by default. This can be
redefined by using the
--idle-timeout command line argument.
For this development prototype release, bindctl is the only user interface. It is expected that upcoming releases will provide another interactive command-line interface and a web-based interface for controlling and configuring BIND 10.
The bindctl tool provides an interactive prompt for configuring, controlling, and querying the BIND 10 components. It communicates directly with a REST-ful interface over HTTPS provided by b10-cmdctl. It doesn't communicate to any other components directly.
Configuration changes are actually commands to b10-cfgmgr. So when bindctl sends a configuration, it is sent to b10-cmdctl (over a HTTPS connection); then b10-cmdctl sends the command (over a b10-msgq command channel) to b10-cfgmgr which then stores the details and relays (over a b10-msgq command channel) the configuration on to the specified module.
The b10-auth is the authoritative DNS server. It supports EDNS0 and DNSSEC. It supports IPv6. Normally it is started by the bind10 master process.
This development prototype release listens on all interfaces and the non-standard port 5300.
b10-auth is configured via the b10-cfgmgr configuration manager. The module name is “Auth”. The configuration data item is:
The configuration command is:
For the development prototype release, b10-auth only supports the SQLite3 data source backend. Upcoming versions will be able to use multiple different data sources, such as MySQL, Berkeley DB, or in-memory DB.
By default, the SQLite3 backend uses the data file located at
(The full path is what was defined at build configure time for
The default is
This data file location may be changed by defining the
RFC 1035 style DNS master zone files may imported into a BIND 10 data source by using the b10-loadzone utility.
b10-loadzone supports the following special directives (control entries):
-o argument may be used to define the
default origin for loaded zone file records.
In the development prototype release, only the SQLite3 back
end is used.
By default, it stores the zone data in
-d switch is used to set the
Multiple zones are stored in a single SQLite3 zone database.
If you reload a zone already existing in the database, all records from that prior zone disappear and a whole new set appears.
The b10-xfrin process is started by bind10. It can be manually triggered to request an AXFR zone transfer. When received, it is stored in the BIND 10 data store, and its records can be served by b10-auth. This allows the BIND 10 server to provide “secondary” service.
The current development release of BIND 10 only supports AXFR. (IXFR is not supported.) It also does not yet support automated SOA checks.
To manually trigger a zone transfer to retrieve a remote zone, you may use the bindctl utility. For example, at the bindctl prompt run:
Xfrin retransfer zone_name="
The b10-xfrout process is started by bind10. When the b10-auth authoritative DNS server receives an AXFR request, b10-xfrout sends the zone. This is used to provide master DNS service to share zones to secondary name servers.
The current development release of BIND 10 only supports AXFR. (IXFR is not supported.) It also does not yet support NOTIFY. Access control is not yet provided.