-Functional enhancements from prior major releases of BIND 9
-
-BIND 9.9.0
-
-BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-releases. New features include:
-
- * Inline signing, allowing automatic DNSSEC signing of master zones
- without modification of the zonefile, or "bump in the wire" signing in
- slaves.
- * NXDOMAIN redirection.
- * New 'rndc flushtree' command clears all data under a given name from
- the DNS cache.
- * New 'rndc sync' command dumps pending changes in a dynamic zone to
- disk without a freeze/thaw cycle.
- * New 'rndc signing' command displays or clears signing status records
- in 'auto-dnssec' zones.
- * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
- signing, eliminating the need to initially sign with NSEC.
- * Startup time improvements on large authoritative servers.
- * Slave zones are now saved in raw format by default.
- * Several improvements to response policy zones (RPZ).
- * Improved hardware scalability by using multiple threads to listen for
- queries and using finer-grained client locking
- * The 'also-notify' option now takes the same syntax as 'masters', so it
- can used named masterlists and TSIG keys.
- * 'dnssec-signzone -D' writes an output file containing only DNSSEC
- data, which can be included by the primary zone file.
- * 'dnssec-signzone -R' forces removal of signatures that are not expired
- but were created by a key which no longer exists.
- * 'dnssec-signzone -X' allows a separate expiration date to be specified
- for DNSKEY signatures from other signatures.
- * New '-L' option to dnssec-keygen, dnssec-settime, and
- dnssec-keyfromlabel sets the default TTL for the key.
- * dnssec-dsfromkey now supports reading from standard input, to make it
- easier to convert DNSKEY to DS.
- * RFC 1918 reverse zones have been added to the empty-zones table per
- RFC 6303.
- * Dynamic updates can now optionally set the zone's SOA serial number to
- the current UNIX time.
- * DLZ modules can now retrieve the source IP address of the querying
- client.
- * 'request-ixfr' option can now be set at the per-zone level.
- * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
- their key ID, algorithm and function
- * Simplified nsupdate syntax and added readline support
-
-BIND 9.8.0
-
-BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-releases. New features include:
-
- * Built-in trust anchor for the root zone, which can be switched on via
- "dnssec-validation auto;"
- * Support for DNS64.
- * Support for response policy zones (RPZ).
- * Support for writable DLZ zones.
- * Improved ease of configuration of GSS/TSIG for interoperability with
- Active Directory
- * Support for GOST signing algorithm for DNSSEC.
- * Removed RTT Banding from server selection algorithm.
- * New "static-stub" zone type.
- * Allow configuration of resolver timeouts via "resolver-query-timeout"
- option.
- * The DLZ "dlopen" driver is now built by default.
- * Added a new include file with function typedefs for the DLZ "dlopen"
- driver.
- * Made "--with-gssapi" default.
- * More verbose error reporting from DLZ LDAP.
-
-BIND 9.7.0
-
-BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-releases. Most are intended to simplify DNSSEC configuration. New features
-include:
-
- * Fully automatic signing of zones by "named".
- * Simplified configuration of DNSSEC Lookaside Validation (DLV).
- * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
- command line tool or the "local" update-policy option. (As a side
- effect, this also makes it easier to configure automatic zone
- re-signing.)
- * New named option "attach-cache" that allows multiple views to share a
- single cache.
- * DNS rebinding attack prevention.
- * New default values for dnssec-keygen parameters.
- * Support for RFC 5011 automated trust anchor maintenance
- * Smart signing: simplified tools for zone signing and key maintenance.
- * The "statistics-channels" option is now available on Windows.
- * A new DNSSEC-aware libdns API for use by non-BIND9 applications
- * On some platforms, named and other binaries can now print out a stack
- backtrace on assertion failure, to aid in debugging.
- * A "tools only" installation mode on Windows, which only installs dig,
- host, nslookup and nsupdate.
- * Improved PKCS#11 support, including Keyper support and explicit
- OpenSSL engine selection.
-
-BIND 9.6.0
-
- * Full NSEC3 support
- * Automatic zone re-signing
- * New update-policy methods tcp-self and 6to4-self
- * The BIND 8 resolver library, libbind, has been removed from the BIND 9
- distribution and is now available as a separate download.
- * Change the default pid file location from /var/run to /var/run/
- {named,lwresd} for improved chroot/setuid support.
-
-BIND 9.5.0
-
- * GSS-TSIG support (RFC 3645).
- * DHCID support.
- * Experimental http server and statistics support for named via xml.
- * More detailed statistics counters including those supported in BIND 8.
- * Faster ACL processing.
- * Use Doxygen to generate internal documentation.
- * Efficient LRU cache-cleaning mechanism.
- * NSID support.
-
-BIND 9.4.0
-
- * Implemented "additional section caching (or acache)", an internal
- cache framework for additional section content to improve response
- performance. Several configuration options were provided to control
- the behavior.
- * New notify type 'master-only'. Enable notify for master zones only.
- * Accept 'notify-source' style syntax for query-source.
- * rndc now allows addresses to be set in the server clauses.
- * New option "allow-query-cache". This lets "allow-query" be used to
- specify the default zone access level rather than having to have every
- zone override the global value. "allow-query-cache" can be set at both
- the options and view levels. If "allow-query-cache" is not set then
- "allow-recursion" is used if set, otherwise "allow-query" is used if
- set unless "recursion no;" is set in which case "none;" is used,
- otherwise the default (localhost; localnets;) is used.
- * rndc: the source address can now be specified.
- * ixfr-from-differences now takes master and slave in addition to yes
- and no at the options and view levels.
- * Allow the journal's name to be changed via named.conf.
- * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
- specified zone.
- * 'dig +trace' now randomly selects the next servers to try. Report if
- there is a bad delegation.
- * Improve check-names error messages.
- * Make public the function to read a key file, dst_key_read_public().
- * dig now returns the byte count for axfr/ixfr.
- * allow-update is now settable at the options / view level.
- * named-checkconf now checks the logging configuration.
- * host now can turn on memory debugging flags with '-m'.
- * Don't send notify messages to self.
- * Perform sanity checks on NS records which refer to 'in zone' names.
- * New zone option "notify-delay". Specify a minimum delay between sets
- of NOTIFY messages.
- * Extend adjusting TTL warning messages.
- * Named and named-checkzone can now both check for non-terminal wildcard
- records.
- * "rndc freeze/thaw" now freezes/thaws all zones.
- * named-checkconf now check acls to verify that they only refer to
- existing acls.
- * The server syntax has been extended to support a range of servers.
- * Report differences between hints and real NS rrset and associated
- address records.
- * Preserve the case of domain names in rdata during zone transfers.
- * Restructured the data locking framework using architecture dependent
- atomic operations (when available), improving response performance on
- multi-processor machines significantly. x86, x86_64, alpha, powerpc,
- and mips are currently supported.
- * UNIX domain controls are now supported.
- * Add support for additional zone file formats for improving loading
- performance. The masterfile-format option in named.conf can be used to
- specify a non-default format. A separate command named-compilezone was
- provided to generate zone files in the new format. Additionally, the
- -I and -O options for dnssec-signzone specify the input and output
- formats.
- * dnssec-signzone can now randomize signature end times (dnssec-signzone
- -j jitter).
- * Add support for CH A record.
- * Add additional zone data constancy checks. named-checkzone has
- extended checking of NS, MX and SRV record and the hosts they
- reference. named has extended post zone load checks. New zone options:
- check-mx and integrity-check.
- * edns-udp-size can now be overridden on a per server basis.
- * dig can now specify the EDNS version when making a query.
- * Added framework for handling multiple EDNS versions.
- * Additional memory debugging support to track size and mctx arguments.
- * Detect duplicates of UDP queries we are recursing on and drop them.
- New stats category "duplicates".
- * "USE INTERNAL MALLOC" is now runtime selectable.
- * The lame cache is now done on a basis as some servers only appear to
- be lame for certain query types.
- * Limit the number of recursive clients that can be waiting for a single
- query () to resolve. New options clients-per-query and
- max-clients-per-query.
- * dig: report the number of extra bytes still left in the packet after
- processing all the records.
- * Support for IPSECKEY rdata type.
- * Raise the UDP recieve buffer size to 32k if it is less than 32k.
- * x86 and x86_64 now have seperate atomic locking implementations.
- * named-checkconf now validates update-policy entries.
- * Attempt to make the amount of work performed in a iteration self
- tuning. The covers nodes clean from the cache per iteration, nodes
- written to disk when rewriting a master file and nodes destroyed per
- iteration when destroying a zone or a cache.
- * ISC string copy API.
- * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
- 1918 zones are not yet covered by this but are likely to be in a
- future release.
- * New options: empty-server, empty-contact, empty-zones-enable and
- disable-empty-zone.
- * dig now has a '-q queryname' and '+showsearch' options.
- * host/nslookup now continue (default)/fail on SERVFAIL.
- * dig now warns if 'RA' is not set in the answer when 'RD' was set in
- the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
- is set unless a server is explicitly set.
- * Integrate contibuted DLZ code into named.
- * Integrate contibuted IDN code from JPNIC.
- * libbind: corresponds to that from BIND 8.4.7.
-
-BIND 9.3.0
-
- * DNSSEC is now DS based (RFC 3658).
- * DNSSEC lookaside validation.
- * check-names is now implemented.
- * rrset-order is more complete.
- * IPv4/IPv6 transition support, dual-stack-servers.
- * IXFR deltas can now be generated when loading master files,
- ixfr-from-differences.
- * It is now possible to specify the size of a journal, max-journal-size.
- * It is now possible to define a named set of master servers to be used
- in masters clause, masters.
- * The advertised EDNS UDP size can now be set, edns-udp-size.
- * allow-v6-synthesis has been obsoleted.
- * Zones containing MD and MF will now be rejected.
- * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
- NOTIMPL. This will have impact on scripts that are looking for
- NOTIMPL.
- * libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
- * The size of the cache can now be limited using the "max-cache-size"
- option.
- * The server can now automatically convert RFC1886-style recursive
- lookup requests into RFC2874-style lookups, when enabled using the new
- option "allow-v6-synthesis". This allows stub resolvers that support
- AAAA records but not A6 record chains or binary labels to perform
- lookups in domains that make use of these IPv6 DNS features.
- * Performance has been improved.
- * The man pages now use the more portable "man" macros rather than the
- "mandoc" macros, and are installed by "make install".
- * The named.conf parser has been completely rewritten. It now supports
- "include" directives in more places such as inside "view" statements,
- and it no longer has any reserved words.
- * The "rndc status" command is now implemented.
- * rndc can now be configured automatically.
- * A BIND 8 compatible stub resolver library is now included in lib/bind.
- * OpenSSL has been removed from the distribution. This means that to use
- DNSSEC, OpenSSL must be installed and the --with-openssl option must
- be supplied to configure. This does not apply to the use of TSIG,
- which does not require OpenSSL.
- * The source distribution now builds on Windows. See win32utils/
- readme1.txt and win32utils/win32-build.txt for details.
- * This distribution also includes a new lightweight stub resolver
- library and associated resolver daemon that fully support forward and
- reverse lookups of both IPv4 and IPv6 addresses. This library is
- considered experimental and is not a complete replacement for the BIND
- 8 resolver library. Applications that use the BIND 8 res_* functions
- to perform DNS lookups or dynamic updates still need to be linked
- against the BIND 8 libraries. For DNS lookups, they can also use the
- new "getrrsetbyname()" API.
- * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
- secured zones. This functionality is believed to be stable and
- complete except for lacking support for verifications involving
- wildcard records in secure zones.
- * When acting as a caching server, BIND 9.2 can be configured to perform
- DNSSEC secure resolution on behalf of its clients. This part of the
- DNSSEC implementation is still considered experimental. For detailed
- information about the state of the DNSSEC implementation, see the file
- doc/misc/dnssec.
-
-BIND 9
-
-Contents
-
- 1. Introduction
- 2. Reporting bugs and getting help
- 3. Contributing to BIND
- 4. BIND 9.10 features
- 5. Building BIND
- 6. Compile-time options
- 7. Automated testing
- 8. Documentation
- 9. Change log
-10. Acknowledgments
-
-Introduction
-
-BIND (Berkeley Internet Name Domain) is a complete, highly portable
-implementation of the DNS (Domain Name System) protocol.
-
-The BIND name server, named, is able to serve as an authoritative name
-server, recursive resolver, DNS forwarder, or all three simultaneously. It
-implements views for split-horizon DNS, automatic DNSSEC zone signing and
-key management, catalog zones to facilitate provisioning of zone data
-throughout a name server constellation, response policy zones (RPZ) to
-protect clients from malicious data, response rate limiting (RRL) and
-recursive query limits to reduce distributed denial of service attacks,
-and many other advanced DNS features. BIND also includes a suite of
-administrative tools, including the dig and delv DNS lookup tools,
-nsupdate for dynamic DNS zone updates, rndc for remote name server
-administration, and more.
-
-BIND 9 is a complete re-write of the BIND architecture that was used in
-versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
-(c)(3) public benefit corporation dedicated to providing software and
-services in support of the Internet infrastructure, developed BIND 9 and
-is responsible for its ongoing maintenance and improvement. BIND is open
-source software licenced under the terms of the Mozilla Public License,
-version 2.0.
-
-For a summary of features introduced in past major releases of BIND, see
-the file HISTORY.
-
-For a detailed list of changes made throughout the history of BIND 9, see
-the file CHANGES. See below for details on the CHANGES file format.
-
-For up-to-date release notes and errata, see http://www.isc.org/software/
-bind9/releasenotes
-
-Reporting bugs and getting help
-
-Please report assertion failure errors and suspected security issues to
-security-officer@isc.org.
-
-General bug reports can be sent to bind9-bugs@isc.org.
-
-Feature requests can be sent to bind-suggest@isc.org.
-
-Please note that, while ISC's ticketing system is not currently publicly
-readable, this may change in the future. Please do not include information
-in bug reports that you consider to be confidential. For example, when
-sending the contents of your configuration file, it is advisable to
-obscure key secrets; this can be done automatically by using
-named-checkconf -px.
-
-Professional support and training for BIND are available from ISC at
-https://www.isc.org/support.
-
-To join the BIND Users mailing list, or view the archives, visit https://
-lists.isc.org/mailman/listinfo/bind-users.
-
-If you're planning on making changes to the BIND 9 source code, you may
-also want to join the BIND Workers mailing list, at https://lists.isc.org/
-mailman/listinfo/bind-workers.
-
-Contributing to BIND
-
-A public git repository for BIND is maintained at http://www.isc.org/git/,
-and also on Github at https://github.com/isc-projects.
-
-Information for BIND contributors can be found in the following files: -
-General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
-style.md - BIND architecture and developer guide: doc/dev/dev.md
-
-Patches for BIND may be submitted either as Github pull requests or via
-email. When submitting a patch via email, please prepend the subject
-header with "[PATCH]" so it will be easier for us to find. If your patch
-introduces a new feature in BIND, please submit it to bind-suggest@isc.org
-; if it fixes a bug, please submit it to bind9-bugs@isc.org.
-
-BIND 9.10 features
-
-BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
-releases. New features include:
-
- * DNS Response-rate limiting (DNS RRL), which blunts the impact of
- reflection and amplification attacks, is always compiled in and no
- longer requires a compile-time option to enable it.
- * An experimental "Source Identity Token" (SIT) EDNS option is now
- available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
- these are designed to enable clients to detect off-path spoofed
- responses, and to enable servers to detect spoofed-source queries.
- Servers can be configured to send smaller responses to clients that
- have not identified themselves using a SIT option, reducing the
- effectiveness of amplification attacks. RRL processing has also been
- updated; clients proven to be legitimate via SIT are not subject to
- rate limiting. Use configure --enable-sit to enable this feature in
- BIND.
- * A new zone file format, map, stores zone data in a format that can be
- mapped directly into memory, allowing significantly faster zone
- loading.
- * delv (domain entity lookup and validation) is a new tool with dig-like
- semantics for looking up DNS data and performing internal DNSSEC
- validation. This allows easy validation in environments where the
- resolver may not be trustworthy, and assists with troubleshooting of
- DNSSEC problems. (NOTE: In previous development releases of BIND 9.10,
- this utility was called delve. The spelling has been changed to avoid
- confusion with the delve utility included with the Xapian search
- engine.)
- * Improved EDNS(0) processing for better resolver performance and
- reliability over slow or lossy connections.
- * A new configure --with-tuning=large option tunes certain compiled-in
- constants and default settings to values better suited to large
- servers with abundant memory. This can improve performance on such
- servers, but will consume more memory and may degrade performance on
- smaller systems.
- * Substantial improvement in response-policy zone (RPZ) performance. Up
- to 32 response-policy zones can be configured with minimal performance
- loss.
- * To improve recursive resolver performance, cache records which are
- still being requested by clients can now be automatically refreshed
- from the authoritative server before they expire, reducing or
- eliminating the time window in which no answer is available in the
- cache.
- * New rpz-client-ip triggers and drop policies allowing response
- policies based on the IP address of the client.
- * ACLs can now be specified based on geographic location using the
- MaxMind GeoIP databases. Use configure --with-geoip to enable.
- * Zone data can now be shared between views, allowing multiple views to
- serve the same zones authoritatively without storing multiple copies
- in memory.
- * New XML schema (version 3) for the statistics channel includes many
- new statistics and uses a flattened XML tree for faster parsing. The
- older schema is now deprecated.
- * A new stylesheet, based on the Google Charts API, displays XML
- statistics in charts and graphs on javascript-enabled browsers.
- * The statistics channel can now provide data in JSON format as well as
- XML.
- * New stats counters track TCP and UDP queries received per zone, and
- EDNS options received in total.
- * The internal and export versions of the BIND libraries (libisc,
- libdns, etc) have been unified so that external library clients can
- use the same libraries as BIND itself.
- * A new compile-time option, configure --enable-native-pkcs11, allows
- BIND 9 cryptography functions to use the PKCS#11 API natively, so that
- BIND can drive a cryptographic hardware service module (HSM) directly
- instead of using a modified OpenSSL as an intermediary. (Note: This
- feature requires an HSM to have a full implementation of the PKCS#11
- API; many current HSMs only have partial implementations. The new
- pkcs11-tokens command can be used to check API completeness. Native
- PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
- version 2 from the Open DNSSEC project.)
- * The new max-zone-ttl option enforces maximum TTLs for zones. This can
- simplify the process of rolling DNSSEC keys by guaranteeing that
- cached signatures will have expired within the specified amount of
- time.
- * dig +subnet sends an EDNS CLIENT-SUBNET option when querying.
- * dig +expire sends an EDNS EXPIRE option when querying. When this
- option is sent with an SOA query to a server that supports it, it will
- report the expiry time of a slave zone.
- * New dnssec-coverage tool to check DNSSEC key coverage for a zone and
- report if a lapse in signing coverage has been inadvertently
- scheduled.
- * Signing algorithm flexibility and other improvements for the rndc
- control channel.
- * named-checkzone and named-compilezone can now read journal files,
- allowing them to process dynamic zones.
- * Multiple DLZ databases can now be configured. Individual zones can be
- configured to be served from a specific DLZ database. DLZ databases
- now serve zones of type master and redirect.
- * rndc zonestatus reports information about a specified zone.
- * named now listens on IPv6 as well as IPv4 interfaces by default.
- * named now preserves the capitalization of names when responding to
- queries: for instance, a query for "example.com" may be answered with
- "example.COM" if the name was configured that way in the zone file.
- Some clients have a bug causing them to depend on the older behavior,
- in which the case of the answer always matched the case of the query,
- rather than the case of the name configured in the DNS. Such clients
- can now be specified in the new no-case-compress ACL; this will
- restore the older behavior of named for those clients only.
- * new dnssec-importkey command allows the use of offline DNSSEC keys
- with automatic DNSKEY management.
- * New named-rrchecker tool to verify the syntactic correctness of
- individual resource records.
- * When re-signing a zone, the new dnssec-signzone -Q option drops
- signatures from keys that are still published but are no longer
- active.
- * named-checkconf -px will print the contents of configuration files
- with the shared secrets obscured, making it easier to share
- configuration (e.g. when submitting a bug report) without revealing
- private information.
- * rndc scan causes named to re-scan network interfaces for changes in
- local addresses.
- * On operating systems with support for routing sockets, network
- interfaces are re-scanned automatically whenever they change.
- * tsig-keygen is now available as an alternate command name to use for
- ddns-confgen.
-
-BIND 9.10.1
-
-BIND 9.10.1 is a maintenance release, and addresses the security flaws
-described in CVE-2014-3214 and CVE-2014-3859.
-
-BIND 9.10.2
-
-BIND 9.10.2 is a maintenance release, and addresses the security flaws
-described in CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349.
-
-BIND 9.10.3
-
-BIND 9.10.3 is a maintenance release, and addresses the security flaws
-described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and
-CVE-2015-5986.
-
-It also makes the following new features available:
-
- * New "fetchlimit" quotas are now available for the use of recursive
- resolvers that are are under high query load for domains whose
- authoritative servers are nonresponsive or are experiencing a denial
- of service attack.
-
- + fetches-per-server limits the number of simultaneous queries that
- can be sent to any single authoritative server. The configured
- value is a starting point; it is automatically adjusted downward
- if the server is partially or completely non-responsive. The
- algorithm used to adjust the quota can be configured via the
- fetch-quota-params option.
- + fetches-per-zone limits the number of simultaneous queries that
- can be sent for names within a single domain. (Note: Unlike
- fetches-per-server, this value is not self-tuning.)
- + New stats counters have been added to count queries spilled due to
- these quotas.
-
-NOTE: These features are NOT built in by default; use configure
---enable-fetchlimit to enable them.
-
- * dig now supports sending of arbitrary EDNS options by specifying them
- on the command line.
-
-BIND 9.10.4
-
-BIND 9.10.4 is a maintenance release, and addresses the security flaws
-described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704, CVE-2015-8705,
-CVE-2016-1285, CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and
-CVE-2016-2776.
-
-BIND 9.10.5
-
-BIND 9.10.5 is a maintenance release, and addresses the security flaws
-disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
-CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
-CVE-2017-3137, and CVE-2017-3138.
-
-Building BIND
-
-BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
-support, and a 64-bit integer type. Successful builds have been observed
-on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
-Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
-HP-UX, AIX, SCO OpenServer, and OpenWRT.
-
-BIND is also available for Windows XP, 2003, 2008, and higher. See
-win32utils/readme1st.txt for details on building for Windows systems.
-
-To build on a UNIX or Linux system, use:
-
- $ ./configure
- $ make
-
-If you're planning on making changes to the BIND 9 source, you should run
-make depend. If you're using Emacs, you might find make tags helpful.
-
-Several environment variables that can be set before running configure
-will affect compilation:
-
-Variable Description
-CC The C compiler to use. configure tries to figure out the
- right one for supported systems.
- C compiler flags. Defaults to include -g and/or -O2 as
-CFLAGS supported by the compiler. Please include '-g' if you need
- to set CFLAGS.
- System header file directories. Can be used to specify
-STD_CINCLUDES where add-on thread or IPv6 support is, for example.
- Defaults to empty string.
- Any additional preprocessor symbols you want defined.
-STD_CDEFINES Defaults to empty string. For a list of possible settings,
- see the file OPTIONS.
-LDFLAGS Linker flags. Defaults to empty string.
-BUILD_CC Needed when cross-compiling: the native C compiler to use
- when building for the target system.
-BUILD_CFLAGS Optional, used for cross-compiling
-BUILD_CPPFLAGS
-BUILD_LDFLAGS
-BUILD_LIBS
-
-Compile-time options
-
-To see a full list of configuration options, run configure --help.
-
-On most platforms, BIND 9 is built with multithreading support, allowing
-it to take advantage of multiple CPUs. You can configure this by
-specifying --enable-threads or --disable-threads on the configure command
-line. The default is to enable threads, except on some older operating
-systems on which threads are known to have had problems in the past.
-(Note: Prior to BIND 9.10, the default was to disable threads on Linux
-systems; this has now been reversed. On Linux systems, the threaded build
-is known to change BIND's behavior with respect to file permissions; it
-may be necessary to specify a user with the -u option when running named.)
-
-To build shared libraries, specify --with-libtool on the configure command
-line.
-
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
-
-For the server to support DNSSEC, you need to build it with crypto
-support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
-installed. If the OpenSSL library is installed in a nonstandard location,
-specify the prefix using "--with-openssl=/prefix" on the configure command
-line. To use a PKCS#11 hardware service module for cryptographic
-operations, specify the path to the PKCS#11 provider library using
-"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
-
-To support the HTTP statistics channel, the server must be linked with at
-least one of the following: libxml2 http://xmlsoft.org or json-c https://
-github.com/json-c. If these are installed at a nonstandard location,
-specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
-
-To support GeoIP location-based ACLs, the server must be linked with
-libGeoIP. This is not turned on by default; BIND must be configured with
-"--with-geoip". If the library is installed in a nonstandard location, use
-specify the prefix using "--with-geoip=/prefix".
-
-Python requires the 'argparse' module to be available. 'argparse' is a
-standard module as of Python 2.7 and Python 3.2.
-
-On some platforms it is necessary to explicitly request large file support
-to handle files bigger than 2GB. This can be done by using
---enable-largefile on the configure command line.
-
-Support for the "fixed" rrset-order option can be enabled or disabled by
-specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
-command line. By default, fixed rrset-order is disabled to reduce memory
-footprint.
-
-If your operating system has integrated support for IPv6, it will be used
-automatically. If you have installed KAME IPv6 separately, use --with-kame
-[=PATH] to specify its location.
-
-make install will install named and the various BIND 9 libraries. By
-default, installation is into /usr/local, but this can be changed with the
---prefix option when running configure.
-
-You may specify the option --sysconfdir to set the directory where
-configuration files like named.conf go by default, and --localstatedir to
-set the default parent directory of run/named.pid. For backwards
-compatibility with BIND 8, --sysconfdir defaults to /etc and
---localstatedir defaults to /var if no --prefix option is given. If there
-is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
-defaults to $prefix/var.
-
-Automated testing
-
-A system test suite can be run with make test. The system tests require
-you to configure a set of virtual IP addresses on your system (this allows
-multiple servers to run locally and communicate with one another). These
-IP addresses can be configured by by running the script bin/tests/system/
-ifconfig.sh up as root.
-
-Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
-and will be skipped if these are not available. Some tests require Python
-and the 'dnspython' module and will be skipped if these are not available.
-See bin/tests/system/README for further details.
-
-Unit tests are implemented using Automated Testing Framework (ATF). To run
-them, use configure --with-atf, then run make test or make unit.
-
-Documentation
-
-The BIND 9 Administrator Reference Manual is included with the source
-distribution, in DocBook XML, HTML and PDF format, in the doc/arm
-directory.
-
-Some of the programs in the BIND 9 distribution have man pages in their
-directories. In particular, the command line options of named are
-documented in bin/named/named.8.
-
-Frequently (and not-so-frequently) asked questions and their answers can
-be found in the ISC Knowledge Base at https://kb.isc.org.
-
-Additional information on various subjects can be found in other README
-files throughout the source tree.
-
-Change log
-
-A detailed list of all changes that have been made throughout the
-development BIND 9 is included in the file CHANGES, with the most recent
-changes listed first. Change notes include tags indicating the category of
-the change that was made; these categories are:
-
-Category Description
-[func] New feature
-[bug] General bug fix
-[security] Fix for a significant security flaw
-[experimental] Used for new features when the syntax or other aspects of
- the design are still in flux and may change
-[port] Portability enhancement
-[maint] Updates to built-in data such as root server addresses and
- keys
-[tuning] Changes to built-in configuration defaults and constants to
- improve performance
-[performance] Other changes to improve server performance
-[protocol] Updates to the DNS protocol such as new RR types
-[test] Changes to the automatic tests, not affecting server
- functionality
-[cleanup] Minor corrections and refactoring
-[doc] Documentation
-[contrib] Changes to the contributed tools and libraries in the
- 'contrib' subdirectory
- Used in the master development branch to reserve change
-[placeholder] numbers for use in other branches, e.g. when fixing a bug
- that only exists in older releases
-
-In general, [func] and [experimental] tags will only appear in new-feature
-releases (i.e., those with version numbers ending in zero). Some new
-functionality may be backported to older releases on a case-by-case basis.
-All other change types may be applied to all currently-supported releases.
-
-Acknowledgments
-
- * The original development of BIND 9 was underwritten by the following
- organizations:
-
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
-
- * This product includes software developed by the OpenSSL Project for
- use in the OpenSSL Toolkit. http://www.OpenSSL.org/
- * This product includes cryptographic software written by Eric Young
- (eay@cryptsoft.com)
- * This product includes software written by Tim Hudson
- (tjh@cryptsoft.com)
-
projects / thirdparty / bind9.git / commitdiff
