BIND 9.17 features
BIND 9.17 is the newest development branch of BIND 9. It includes a number
-of changes from BIND 9.16 and earlier releases.
+of changes from BIND 9.16 and earlier releases. New features include:
+
+ * New option "max-ixfr-ratio" to limit the size of outgoing IXFR
+ responses before falling back to full zone transfers.
+ * "rndc nta -d" and "rndc secroots" now include "validate-except"
+ entries when listing negative trust anchors.
Building BIND
<acronym class="acronym">BIND</acronym> version 9 software package for
system administrators.
</p>
- <p>This version of the manual corresponds to BIND version 9.15.</p>
+ <p>This version of the manual corresponds to BIND version 9.17.</p>
</div>
<div class="section">
<p>
The incremental zone transfer (IXFR) protocol is a way for
- slave servers to transfer only changed data, instead of having to
+ secondary servers to transfer only changed data, instead of having to
transfer the entire zone. The IXFR protocol is specified in RFC
1995. See <a class="xref" href="Bv9ARM.ch10.html#proposed_standards" title="Proposed Standards">Proposed Standards</a>.
</p>
<p>
- When acting as a master, <acronym class="acronym">BIND</acronym> 9
+ When acting as a primary server, <acronym class="acronym">BIND</acronym> 9
supports IXFR for those zones
where the necessary change history information is available. These
- include master zones maintained by dynamic update and slave zones
+ include primary zones maintained by dynamic update and secondary zones
whose data was obtained by IXFR. For manually maintained master
- zones, and for slave zones obtained by performing a full zone
+ zones, and for secondary zones obtained by performing a full zone
transfer (AXFR), IXFR is supported only if the option
<span class="command"><strong>ixfr-from-differences</strong></span> is set
to <strong class="userinput"><code>yes</code></strong>.
</p>
<p>
- When acting as a slave, <acronym class="acronym">BIND</acronym> 9 will
+ When acting as a secondary server, <acronym class="acronym">BIND</acronym> 9 will
attempt to use IXFR unless
it is explicitly disabled. For more information about disabling
IXFR, see the description of the <span class="command"><strong>request-ixfr</strong></span> clause
of the <span class="command"><strong>server</strong></span> statement.
</p>
+
+ <p>
+ When a secondary server receives a zone via AXFR, it creates a
+ new copy of the zone database and then swaps it into place; during
+ the loading process, queries continue to be served from the old
+ database with no interference. When receiving a zone via IXFR,
+ however, changes are applied to the running zone, which may
+ degrade query performance during the transfer. If a server
+ receiving an IXFR request determines that the response size would
+ be similar in size to an AXFR response, it may wish to send AXFR
+ instead. The threshold at which this determination is made can
+ be configured using the <span class="command"><strong>max-ixfr-ratio</strong></span> option.
+ </p>
</div>
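Review bot: the primary/secondary rename is incomplete in this hunk: the unchanged line "whose data was obtained by IXFR. For manually maintained master" still says "master zones" between two lines that were just changed to "primary"/"secondary"; change it too so the paragraph uses one vocabulary. In the new paragraph, "would be similar in size" and "it may wish to send AXFR instead" are softer than what the option actually enforces, which the options description on this page states as a hard threshold with a default of 100%; say that named sends AXFR when the IXFR would exceed the configured ratio of the full zone.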
<div class="section">
<p>
The <span class="command"><strong>include</strong></span> statement inserts the
- specified file at the point where the <span class="command"><strong>include</strong></span>
+ specified file (or files if a valid glob expression is detected)
+ at the point where the <span class="command"><strong>include</strong></span>
statement is encountered. The <span class="command"><strong>include</strong></span>
statement facilitates the administration of configuration
files
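Review bot: the new wording "(or files if a valid glob expression is detected)" introduces glob support without saying which glob syntax is accepted, in what order the matched files are included, or what happens when the pattern matches nothing; an administrator reading this cannot tell whether a non-matching pattern is a configuration error or silently includes nothing. Add a sentence covering at least the no-match case and the include order, since both determine the effective configuration.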
of the new format.)
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>max-ixfr-ratio</strong></span></span></dt>
+<dd>
+ <p>
+ Sets the size threshold (expressed as a percentage
+ of the size of the full zone) beyond which
+ <span class="command"><strong>named</strong></span> will choose to use an AXFR
+ response rather than IXFR when answering zone transfer
+ requests. See <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
+ </p>
+ <p>
+ The minimum value is <code class="literal">1%</code>. The keyword
+ <code class="literal">unlimited</code> disables ratio checking and
+ allows IXFRs of any size. The default is
+ <code class="literal">100%</code>.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>new-zones-directory</strong></span></span></dt>
<dd>
<p>
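Review bot: the max-ixfr-ratio description leaves two things undefined that the grammar "( unlimited | <percentage> )" does not settle: what "size" means (bytes on the wire or record count) and whether values above 100% are accepted, since the text states only the 1% minimum. State the unit and the upper bound, or that any percentage is valid, so operators can reason about the threshold. It would also help to list here which statements accept the option (options, view, zone), because the zone-statement entry added in this commit only cross-references this one.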
roll, which cryptographic algorithms to use, and how often RRSIG
records need to be refreshed.
</p>
+ <p>
+ Keys are not shared among zones, which means that one set of keys
+ per zone will be generated even if they have the same policy.
+ If multiple views are configured with different versions of the
+ same zone, each separate version will use the same set of signing
+ keys.
+ </p>
<p>
Multiple key and signing policies can be configured. To
attach a policy to a zone, add a <span class="command"><strong>dnssec-policy</strong></span>
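Review bot: the two sentences in the new paragraph read as contradictory: "Keys are not shared among zones" is immediately followed by "each separate version will use the same set of signing keys" for multi-view zones, with nothing marking the second as the exception. Suggest: "Keys are not shared between different zones: each zone gets its own set even when zones share a policy. If the same zone is configured in multiple views, however, all versions of that zone use a single set of signing keys."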
This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
</p>
</dd>
+<dt><span class="term"><span class="command"><strong>max-ixfr-ratio</strong></span></span></dt>
+<dd>
+ <p>
+ See the description of
+ <span class="command"><strong>max-ixfr-ratio</strong></span> in
+ <a class="xref" href="Bv9ARM.ch05.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and
+ Usage”</a>.
+ </p>
+ </dd>
<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
<dd>
<p>
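Review bot: the new zone-level entry for max-ixfr-ratio is a bare cross-reference, whereas the neighbouring entries in this list state their applicability (the preceding context line reads "This is applicable to master and slave zones."). Add the same kind of sentence for max-ixfr-ratio, saying which zone types it applies to (it only has an effect on zones that answer transfer requests), and use "primary"/"secondary" there to match the terminology changes elsewhere in this commit.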
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ UDP network ports used for listening can no longer simultaneously be
+ used for sending traffic. An example configuration which triggers
+ this issue would be one which uses the same
+ <em class="replaceable"><code>address:port</code></em> pair for
+ <span class="command"><strong>listen-on(-v6)</strong></span> statements as for
+ <span class="command"><strong>notify-source(-v6)</strong></span> or
+ <span class="command"><strong>transfer-source(-v6)</strong></span>. While this issue affects all
+ operating systems, it only triggers log messages (e.g. "unable to
+ create dispatch for reserved port") on some of them. There are
+ currently no plans to make such a combination of settings work again.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When a secondary server receives a large incremental zone
+ transfer (IXFR), it can have a negative impact on query
+ performance while the incremental changes are applied to
+ the zone. To address this, <span class="command"><strong>named</strong></span> can now
+ limit the size of IXFR responses it sends in response to zone
+ transfer requests. If an IXFR response would be larger than an
+ AXFR of the entire zone, it will send an AXFR resonse instead.
+ </p>
+ <p>
+ This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
+ option - a percentage value representing the ratio of IXFR size
+ to the size of a full zone transfer. The default is
+ <code class="literal">100%</code>. [GL #1515]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The system-provided POSIX Threads read-write lock implementation is
+ now used by default instead of the native BIND 9 implementation.
+ Please be aware that glibc versions 2.26 through 2.29 had a
+ <a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
+ that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
+ and most current Linux distributions have patched or updated glibc,
+ with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+ progress. If you are running on an affected operating system, compile
+ BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
+ version of glibc is available. [GL !3125]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta -dump</strong></span> and
+ <span class="command"><strong>rndc secroots</strong></span> commands now both include
+ <span class="command"><strong>validate-except</strong></span> entries when listing negative
+ trust anchors. These are indicated by the keyword
+ <code class="literal">permanent</code> in place of the expiry
+ date. [GL #1532]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Fixed re-signing issues with inline zones which resulted in
+ records being re-signed late or not at all.
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
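Review bot: typo in the New Features item: "it will send an AXFR resonse instead" should read "response". The same sentence, "If an IXFR response would be larger than an AXFR of the entire zone", describes only the default of 100%; since the next paragraph introduces the configurable ratio, phrase it as "larger than the configured percentage of a full zone transfer". In that next paragraph, "option - a percentage value" should use a colon or a proper dash rather than a hyphen.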
<div class="section">
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes-9.17.0"></a>Notes for BIND 9.17.0</h3></div></div></div>
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-known"></a>Known Issues</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ UDP network ports used for listening can no longer simultaneously be
+ used for sending traffic. An example configuration which triggers
+ this issue would be one which uses the same
+ <em class="replaceable"><code>address:port</code></em> pair for
+ <span class="command"><strong>listen-on(-v6)</strong></span> statements as for
+ <span class="command"><strong>notify-source(-v6)</strong></span> or
+ <span class="command"><strong>transfer-source(-v6)</strong></span>. While this issue affects all
+ operating systems, it only triggers log messages (e.g. "unable to
+ create dispatch for reserved port") on some of them. There are
+ currently no plans to make such a combination of settings work again.
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-new"></a>New Features</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ When a secondary server receives a large incremental zone
+ transfer (IXFR), it can have a negative impact on query
+ performance while the incremental changes are applied to
+ the zone. To address this, <span class="command"><strong>named</strong></span> can now
+ limit the size of IXFR responses it sends in response to zone
+ transfer requests. If an IXFR response would be larger than an
+ AXFR of the entire zone, it will send an AXFR resonse instead.
+ </p>
+ <p>
+ This behavior is controlled by the <span class="command"><strong>max-ixfr-ratio</strong></span>
+ option - a percentage value representing the ratio of IXFR size
+ to the size of a full zone transfer. The default is
+ <code class="literal">100%</code>. [GL #1515]
+ </p>
+ </li></ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-changes"></a>Feature Changes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ The system-provided POSIX Threads read-write lock implementation is
+ now used by default instead of the native BIND 9 implementation.
+ Please be aware that glibc versions 2.26 through 2.29 had a
+ <a class="link" href="https://sourceware.org/bugzilla/show_bug.cgi?id=23844" target="_top">bug</a>
+ that could cause BIND 9 to deadlock. A fix was released in glibc 2.30,
+ and most current Linux distributions have patched or updated glibc,
+ with the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+ progress. If you are running on an affected operating system, compile
+ BIND 9 with <span class="command"><strong>--disable-pthread-rwlock</strong></span> until a fixed
+ version of glibc is available. [GL !3125]
+ </p>
+ </li>
+<li class="listitem">
+ <p>
+ The <span class="command"><strong>rndc nta -dump</strong></span> and
+ <span class="command"><strong>rndc secroots</strong></span> commands now both include
+ <span class="command"><strong>validate-except</strong></span> entries when listing negative
+ trust anchors. These are indicated by the keyword
+ <code class="literal">permanent</code> in place of the expiry
+ date. [GL #1532]
+ </p>
+ </li>
+</ul></div>
+ </div>
+
+ <div class="section">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="relnotes-9.17.0-bugs"></a>Bug Fixes</h4></div></div></div>
+ <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
+ <p>
+ Fixed re-signing issues with inline zones which resulted in
+ records being re-signed late or not at all.
+ </p>
+ </li></ul></div>
+ </div>
+
</div>
<div class="section">
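Review bot: this block is identical to the earlier release-notes HTML block, including the "resonse" typo in "it will send an AXFR resonse instead"; if these two files are produced from one source, fix the typo there once and regenerate both, otherwise the two copies will drift apart over time.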
Notes for BIND 9.17.0
+Known Issues
+
+ * UDP network ports used for listening can no longer simultaneously be
+ used for sending traffic. An example configuration which triggers this
+ issue would be one which uses the same address:port pair for listen-on
+ (-v6) statements as for notify-source(-v6) or transfer-source(-v6).
+ While this issue affects all operating systems, it only triggers log
+ messages (e.g. "unable to create dispatch for reserved port") on some
+ of them. There are currently no plans to make such a combination of
+ settings work again.
+
+New Features
+
+ * When a secondary server receives a large incremental zone transfer
+ (IXFR), it can have a negative impact on query performance while the
+ incremental changes are applied to the zone. To address this, named
+ can now limit the size of IXFR responses it sends in response to zone
+ transfer requests. If an IXFR response would be larger than an AXFR of
+ the entire zone, it will send an AXFR resonse instead.
+
+ This behavior is controlled by the max-ixfr-ratio option - a
+ percentage value representing the ratio of IXFR size to the size of a
+ full zone transfer. The default is 100%. [GL #1515]
+
+Feature Changes
+
+ * The system-provided POSIX Threads read-write lock implementation is
+ now used by default instead of the native BIND 9 implementation.
+ Please be aware that glibc versions 2.26 through 2.29 had a bug that
+ could cause BIND 9 to deadlock. A fix was released in glibc 2.30, and
+ most current Linux distributions have patched or updated glibc, with
+ the notable exception of Ubuntu 18.04 (Bionic) which is a work in
+ progress. If you are running on an affected operating system, compile
+ BIND 9 with --disable-pthread-rwlock until a fixed version of glibc is
+ available. [GL !3125]
+
+ * The rndc nta -dump and rndc secroots commands now both include
+ validate-except entries when listing negative trust anchors. These are
+ indicated by the keyword permanent in place of the expiry date. [GL
+ #1532]
+
+Bug Fixes
+
+ * Fixed re-signing issues with inline zones which resulted in records
+ being re-signed late or not at all.
+
License
BIND 9 is open source software licensed under the terms of the Mozilla
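Review bot: the plain-text notes carry the same typo ("AXFR resonse") and additionally wrap the issue reference as "[GL" at the end of one line and "#1532]" at the start of the next; keep "[GL #1532]" on one line as the other entries do ("[GL #1515]", "[GL !3125]") so that text searches for the reference find it.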
key-directory <quoted_string>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-transfer-idle-out <integer>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
dnssec-policy <string> {
dnskey-ttl <duration>;
- keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
- algorithm <integer> [ <integer> ]; ... };
+ keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+ <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
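Review bot: the keys clause changes "algorithm <integer>" to "algorithm <string>" and makes "( key-directory )" optional, but nothing on this page documents either change; the dnssec-policy prose change in this commit covers only key sharing across zones and views. Add a line there saying whether numeric algorithm identifiers are still accepted alongside names, which matters for existing configurations written against the <integer> form, and what it means for a key to have no key-directory.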
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
- geoip-directory ( <quoted_string> | none );
+ geoip-directory ( <quoted_string> | none ); // not configured
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // ancient
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // ancient
managed-keys-directory <quoted_string>;
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <duration>;
max-records <integer>;
}; // may occur multiple times
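Review bot: "// non-operational" is a new annotation in this grammar listing; the other markers here ("// ancient", "// obsolete", "// not configured") are established, and a reader cannot tell from "non-operational" whether lmdb-mapsize is rejected, accepted and ignored, or merely inactive in this build. Use one of the existing markers if it fits, or define the new one wherever the markers are explained.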
key-directory <quoted_string>;
lame-ttl <duration>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
maintain-ixfr-base <boolean>; // ancient
managed-keys { <string> (
static-key | initial-key
max-cache-ttl <duration>;
max-clients-per-query <integer>;
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <duration>;
max-records <integer>;
port <integer> ] ) [ key <string> ]; ... };
max-ixfr-log-size ( default | unlimited |
<sizeval> ); // ancient
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
dnssec-policy <string> {
dnskey-ttl <duration>;
- keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <duration> | unlimited )
- algorithm <integer> [ <integer> ]; ... };
+ keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+ <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <duration>; // not configured
- geoip-directory ( <quoted_string> | none );
+ geoip-directory ( <quoted_string> | none ); // not configured
glue-cache <boolean>;
heartbeat-interval <integer>;
hostname ( <quoted_string> | none );
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
lock-file ( <quoted_string> | none );
managed-keys-directory <quoted_string>;
masterfile-format ( map | raw | text );
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <duration>;
max-clients-per-query <integer>;
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <duration>;
max-records <integer>;
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <duration>;
- lmdb-mapsize <sizeval>;
+ lmdb-mapsize <sizeval>; // non-operational
managed-keys { <string> (
static-key | initial-key
| static-ds | initial-ds
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <duration>;
max-clients-per-query <integer>;
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-ncache-ttl <duration>;
max-records <integer>;
masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
| <ipv4_address> [ port <integer> ] | <ipv6_address> [
port <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
<ipv4_address> [ port <integer> ] | <ipv6_address> [ port
<integer> ] ) [ key <string> ]; ... };
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-ratio ( unlimited | <percentage> );
max-journal-size ( default | unlimited | <sizeval> );
max-records <integer>;
max-refresh-time <integer>;