Feature requests can be sent to bind-suggest@isc.org.
-Please note that, while ISC's ticketing system is not currently publicly
-readable, this may change in the future. Please do not include information
-in bug reports that you consider to be confidential. For example, when
-sending the contents of your configuration file, it is advisable to
-obscure key secrets; this can be done automatically by using
-named-checkconf -px.
+Please note that, while tickets submitted to ISC's ticketing system are
+not initially publicly readable by default, they can be made publicly
+acessible afterward. Please do not include information in bug reports that
+you consider to be confidential. In particular, when sending the contents
+of your configuration file, it is advisable to obscure key secrets: this
+can be done automatically by using named-checkconf -px.
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
Contributing to BIND
-A public git repository for BIND is maintained at http://www.isc.org/git/,
-and also on Github at https://github.com/isc-projects.
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/, and also on Github at https://github.com/
+isc-projects.
Information for BIND contributors can be found in the following files: -
General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
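Review bot: "acessible" in the added ticketing paragraph should be "accessible". Further down, the added repository sentence is wrapped so that the GitHub URL is split across two lines ("https://github.com/" then "isc-projects"), which makes it impossible to copy or click in a plain-text README; keep each URL on one line.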
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
- * Setting max-journal-size default now limits the size of journal files
- to twice the size of the zone.
- * The query handling code has been substantially refactored for improved
- readability, maintainability and testability .
+ * Setting 'max-journal-size default' now limits the size of journal
+ files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
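Review bot: Quoting is now inconsistent inside this list: the added line puts 'max-journal-size default' in single quotes, while the unchanged dnstap-read -x bullet just below stays unquoted. Either quote every option and command in the list or none of them. The hunk also drops the bullet about the query handling code refactoring, which is unrelated to the quoting change; the commit message should say why it goes.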
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
- * named-checkconf -l lists zones found in named.conf.
+ * 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
-specify the prefix using "--with-openssl=/prefix" on the configure command
-line. To use a PKCS#11 hardware service module for cryptographic
+specify the prefix using "--with-openssl=<PREFIX>" on the configure
+command line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
-"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
+"--with-pkcs11=<PREFIX>", and configure BIND with
+"--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c https://
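Review bot: <PREFIX> is the wrong placeholder for --with-pkcs11. The sentence itself says the argument is "the path to the PKCS#11 provider library", that is, a file and not an installation prefix. Suggest "--with-pkcs11=<PATH>" or similar so nobody passes a directory; <PREFIX> is fine for --with-openssl.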
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
-For DNSTAP packet logging, you must have libfstrm https://github.com/
-farsightsec/fstrm and libprotobuf-c https://developers.google.com/
-protocol-buffers, and BIND must be configured with "--enable-dnstap".
+For DNSTAP packet logging, you must have installed libfstrm https://
+github.com/farsightsec/fstrm and libprotobuf-c https://
+developers.google.com/protocol-buffers, and BIND must be configured with
+"--enable-dnstap".
-Python requires the 'argparse' and 'ply' modules to be available.
-'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is
-available from https://pypi.python.org/pypi/ply.
+Portions of BIND that are written in Python, including dnssec-keymgr,
+dnssec-coverage, dnssec-checkds, and some of the system tests, require the
+'argparse' and 'ply' modules to be available. 'argparse' is a standard
+module as of Python 2.7 and Python 3.2. 'ply' is available from https://
+pypi.python.org/pypi/ply.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
-IP addresses can be configured by by running the script bin/tests/system/
+IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
Feature requests can be sent to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org).
-Please note that, while ISC's ticketing system is not currently publicly
-readable, this may change in the future. Please do not include information
-in bug reports that you consider to be confidential. For example, when
-sending the contents of your configuration file, it is advisable to obscure
-key secrets; this can be done automatically by using `named-checkconf
--px`.
+Please note that, while tickets submitted to ISC's ticketing system
+are not initially publicly readable by default, they can be made publicly
+acessible afterward. Please do not include information in bug reports that
+you consider to be confidential. In particular, when sending the contents of
+your configuration file, it is advisable to obscure key secrets: this can
+be done automatically by using `named-checkconf -px`.
Professional support and training for BIND are available from
ISC at [https://www.isc.org/support](https://www.isc.org/support).
### <a name="contrib"/> Contributing to BIND
-A public git repository for BIND is maintained at
-[http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
+ISC maintains a public git repository for BIND; details can be found
+at [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
at [https://github.com/isc-projects](https://github.com/isc-projects).
Information for BIND contributors can be found in the following files:
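Review bot: "not initially publicly readable by default" says the same thing twice; drop either "initially" or "by default". The following added line also has "acessible" for "accessible". It would help reporters if the sentence said who can make a ticket public and when, since that decides what they need to redact before submitting.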
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
-* Setting `max-journal-size default` now limits the size of journal files
+* Setting `'max-journal-size default'` now limits the size of journal files
to twice the size of the zone.
-* The query handling code has been substantially refactored for improved
- readability, maintainability and testability .
* `dnstap-read -x` prints a hex dump of the wire format of each logged
DNS message.
* `dnstap` output files can now be configured to roll automatically when
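Review bot: The added bullet wraps the option in both a code span and single quotes (`'max-journal-size default'`), so the rendered page shows literal quote marks inside the monospace text. The backticks already mark it as literal; drop the quotes, which also matches the `dnstap-read -x` bullet below.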
8601 (UTC) formats.
* Logging channels and `dnstap` output files can now be configured to use a
timestamp as the suffix when rolling to a new file.
-* `named-checkconf -l` lists zones found in `named.conf`.
+* `'named-checkconf -l'` lists zones found in `named.conf`.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored
For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
-using "--with-openssl=/prefix" on the configure command line. To use a
+using "--with-openssl=<PREFIX>" on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
-path to the PKCS#11 provider library using "--with-pkcs11=/prefix", and
+path to the PKCS#11 provider library using "--with-pkcs11=<PREFIX>", and
configure BIND with "--enable-native-pkcs11".
To support the HTTP statistics channel, the server must be linked with at
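Review bot: In Markdown the bare <PREFIX> in "--with-openssl=<PREFIX>" and "--with-pkcs11=<PREFIX>" sits outside a code span, so renderers that pass inline HTML through will treat it as a tag and the placeholder will not be displayed. Put each whole option in backticks, or escape the angle brackets.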
"--with-geoip". If the library is installed in a nonstandard location, use
specify the prefix using "--with-geoip=/prefix".
-For DNSTAP packet logging, you must have libfstrm
+For DNSTAP packet logging, you must have installed libfstrm
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with "--enable-dnstap".
-Python requires the 'argparse' and 'ply' modules to be available.
+Portions of BIND that are written in Python, including
+`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
+system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
A system test suite can be run with `make test`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
-IP addresses can be configured by by running the script
+IP addresses can be configured by running the command
`bin/tests/system/ifconfig.sh up` as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If key's sync publication date is set and in the past,
+ synchronization records (type CDS and/or CDNSKEY) are
+ created.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <listitem>
+ <para>
+ If key's sync deletion date is set and in the past,
+ synchronization records (type CDS and/or CDNSKEY) are
+ removed.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
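Review bot: Both added <varlistentry> elements go straight to <listitem> with no <term>, which DocBook expects as the first child of a varlistentry, so this may fail validation (the existing entries are not fully visible here; if they have the same shape, an <itemizedlist> would be the better fit for the whole list). Wording: "If key's sync publication date" should read "If the key's sync publication date", and the same for the deletion entry.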
<command>print-time</command> can be set to
<userinput>yes</userinput>, <userinput>no</userinput>,
or a time format specifier, which may be one of
- <option>local</option>, <option>iso8601</option> or
- <option>iso8601-utc</option>. If set to
+ <userinput>local</userinput>, <userinput>iso8601</userinput> or
+ <userinput>iso8601-utc</userinput>. If set to
<userinput>no</userinput>, then the date and time will
not be logged. If set to <userinput>yes</userinput>
- or <option>local</option>, the date and time are logged
+ or <userinput>local</userinput>, the date and time are logged
in a human readable format, using the local time zone.
- If set to <option>iso8601</option> the local time is
+ If set to <userinput>iso8601</userinput> the local time is
logged in ISO8601 format. If set to
- <option>iso8601-utc</option>, then the date and time
+ <userinput>iso8601-utc</userinput>, then the date and time
are logged in ISO8601 format, with time zone set to
- UTC. The default is <option>local</option>.
+ UTC. The default is <userinput>local</userinput>.
</para>
<para>
<command>print-time</command> may
<para>
Specifies the directory in which to store the configuration
parameters for zones added via <command>rndc addzone</command>.
- By default, this is the working directory.
+ By default, this is the working directory. If set to a relative
+ path, it will be relative to the working directory.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
Specifies the TTL to be returned on stale answers.
- The default is 1 second. The minimal allowed is
+ The default is 1 second. The minimum allowed is
also 1 second; a value of 0 will be updated silently
- to 1 second. For stale answers to be returned
+ to 1 second. For stale answers to be returned,
+ they must be enabled (either in the configuration file
+ using <command>stale-answer-enable</command> or via
+ <command>rndc</command>), and
<option>max-stale-ttl</option> must be set to a
- non zero value and they must not have been disabled
- by <command>rndc</command>.
+ nonzero value.
</para>
</listitem>
</varlistentry>
</varlistentry>
<varlistentry>
- <term><command>serve-stale-enable</command></term>
+ <term><command>stale-answer-enable</command></term>
<listitem>
<para>
Enable the returning of stale answers when the
nameservers for the zone are not answering. This
- is off by default but can be enabled/disabled via
- <command>rndc server-stale on</command> and
- <command>rndc server-stale off</command> which
- override the named.conf setting. <command>rndc
- server-stale reset</command> will restore control
- via named.conf.
+ is off by default, but can be enabled/disabled via
+ <command>rndc serve-stale on</command> and
+ <command>rndc serve-stale off</command>, which
+ override the <filename>named.conf</filename>
+ setting. <command>rndc serve-stale reset</command>
+ restores the setting to the one specified in
+ <filename>named.conf</filename>. Note that
+ reloading or reconfiguring <command>named</command>
+ will not re-enable serving of stale records if they
+ have been disabled via <command>rndc</command>.
</para>
</listitem>
</varlistentry>
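Review bot: The closing note covers only one direction: it says a reload or reconfig will not re-enable stale answers that were disabled via rndc, but not whether an "rndc serve-stale on" override likewise survives a reload when named.conf has the option off. Since the paragraph says both on and off override named.conf, state the behaviour for both so operators know which setting is in force after a reload. Also, the <term> is renamed from serve-stale-enable to stale-answer-enable with no mention of the old spelling; if the old name was accepted in any release, say so here.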
anything other than the changes you made to our software.
</para>
<para>
- This requirement will not affect anyone who is using BIND
- without redistributing it, nor anyone redistributing it without
- changes, therefore this change will be without consequence
- for most individuals and organizations who are using BIND.
+ This requirement will not affect anyone who is using BIND, with
+ or without modifications, without redistributing it, nor anyone
+ redistributing it without changes. Therefore, this change will be
+ without consequence for most individuals and organizations who are
+ using BIND.
</para>
<para>
Those unsure whether or not the license change affects their
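Review bot: "anyone who is using BIND, with or without modifications, without redistributing it" stacks "with or without" and "without" in one clause and is hard to parse, in a paragraph that describes licence obligations. Suggest something like "anyone who uses BIND, modified or not, and does not redistribute it, nor anyone who redistributes it unchanged".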
</para>
</section>
- <section xml:id="win_support"><info><title>Windows XP No Longer Supported</title></info>
+ <section xml:id="win_support"><info><title>Legacy Windows No Longer Supported</title></info>
<para>
- As of BIND 9.11.2, Windows XP is no longer a supported platform for
- BIND, and Windows XP binaries are no longer available for download
+ As of BIND 9.11.2, Windows XP and Windows 2003 are no longer supported
+ platforms for BIND; "XP" binaries are no longer available for download
from ISC.
</para>
</section>
zone's validated CDS or CDNSKEY records. It can produce a
<filename>dsset</filename> file suitable for input to
<command>dnssec-signzone</command>, or a series of
- <command>nsupdate</command> to update the parent zone via dynamic
- DNS. Thanks to Tony Finch for the contribution. [RT #46090]
+ <command>nsupdate</command> commands to update the parent zone
+ via dynamic DNS. Thanks to Tony Finch for the contribution.
+ [RT #46090]
</para>
</listitem>
<listitem>
<para>
- <command>nsupdate</command> and <command>rndc</command> now accepts
+ <command>nsupdate</command> and <command>rndc</command> now accept
command line options <command>-4</command> and <command>-6</command>
which force using only IPv4 or only IPv6, respectively. [RT #45632]
</para>
these algorithms must be supported in OpenSSL;
currently they are only available in the development branch
of OpenSSL at
- <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</link>.
+ <link xmlns:xlink="http://www.w3.org/1999/xlink"
+ xlink:href="https://github.com/openssl/openssl">
+ https://github.com/openssl/openssl</link>.
[RT #44696]
</para>
</listitem>
<listitem>
<para>
- EDNS KEY TAG options are verified and printed.
+ When parsing DNS messages, EDNS KEY TAG options are checked
+ for correctness. When printing messages (for example, in
+ <command>dig</command>), EDNS KEY TAG options are printed
+ in readable format.
</para>
</listitem>
</itemizedlist>
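Review bot: Splitting the <link> over three lines puts a newline and indentation inside the element, ahead of the URL text, so the link content now starts with whitespace and some output formats will show or underline it. Break between the attributes only and keep the URL text directly after the closing ">" of the start tag. In the EDNS KEY TAG item, "checked for correctness" does not say what happens to a message whose option fails the check; add that.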
are now fully rolled back in the event of failure. [RT #45841]
</para>
</listitem>
- <listitem>
- <para>
- Fixed a bug that was introduced in an earlier development
- release which caused multi-packet AXFR and IXFR messages to fail
- validation if not all packets contained TSIG records; this
- caused interoperability problems with some other DNS
- implementations. [RT #45509]
- </para>
- </listitem>
<listitem>
<para>
Multiple <command>cookie-secret</command> clauses are now
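Review bot: This hunk deletes the release note for the multi-packet AXFR/IXFR TSIG validation fix [RT #45509] with no replacement. The removed text says the bug came from "an earlier development release"; if the note is dropped because no released version was affected, say so in the commit message, otherwise keep the entry, since it concerns TSIG validation of zone transfers.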