To build BIND 9, the following packages must be installed:
+- a C11-compliant compiler
- ``libcrypto``, ``libssl``
- ``liburcu``
- ``libuv``
- ``perl``
- ``pkg-config`` / ``pkgconfig`` / ``pkgconf``
-BIND 9.19 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0
+BIND 9.20 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0
is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is
not supported, as this could lead to an assertion failure in the UDP
receive code. On older systems, an updated ``libuv`` package needs to be
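Review bot: the added line `+- a C11-compliant compiler` sits under the intro "the following packages must be installed", but a compiler is a tool rather than a package; suggest rewording the intro to "the following tools and libraries must be available". Separately, the `BIND 9.19` to `BIND 9.20` edit is a version-specific content change unrelated to the link and :rfc: role cleanup that makes up the rest of this patch; consider splitting it into its own commit so it can be cherry-picked per release branch.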
To see a full list of configuration options, run ``configure --help``.
To improve performance, use of the ``jemalloc`` library
-(http://jemalloc.net/) is strongly recommended.
+(https://jemalloc.net/) is strongly recommended. Version 4.0.0 or newer is
+required when in use.
To support :rfc:`DNS over HTTPS (DoH) <8484>`, the server must be linked
with ``libnghttp2`` (https://nghttp2.org/). If the library is
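Review bot: the new sentence "Version 4.0.0 or newer is required when in use." leaves "in use" dangling; suggest "If ``jemalloc`` is used, version 4.0.0 or newer is required." This is also a new build requirement rather than a link fix, so it deserves an explicit line in the commit message and a matching note in the release notes.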
#
# This file only contains a selection of the most common options. For a full
# list see the documentation:
-# http://www.sphinx-doc.org/en/master/config
+# https://www.sphinx-doc.org/en/master/config
# -- Path setup --------------------------------------------------------------
.. [#rfc4294] Section 5.1 - DNAME records are fully supported.
-.. [#rfc7050] RFC 7050 is updated by RFC 8880.
+.. [#rfc7050] :rfc:`7050` is updated by :rfc:`8880`.
.. [#noencryptedfwd] Forwarding DNS queries over encrypted transports is not
supported yet.
the algorithm (``RSASHA256``). The key is referenced with the PKCS#11 URI scheme and it
can contain the PKCS#11 token label (we asume that it has been initialized as bind9),
and the PKCS#11 object label (called label when generating the keys using ``pkcs11-tool``)
-and the HSM PIN. Refer to `RFC7512`_ for the full PKCS#11 URI specification.
-
-.. _`RFC7512`: https://www.rfc-editor.org/rfc/rfc7512.html
+and the HSM PIN. Refer to :rfc:`7512` for the full PKCS#11 URI specification.
Convert the KSK:
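Review bot: removing the explicit ``.. _`RFC7512`:`` target is only safe if no other ``RFC7512`_`` reference remains in this file (or in another file that resolved against it); otherwise Sphinx will fail with an unknown target name, so please grep for the old reference before merging. While these lines are being touched, the context "we asume that it has been initialized" has a typo: "assume".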
- Platforms without at least OpenSSL 1.0.2
- Windows
- Solaris 10 and older
-- Platforms that do not support IPv6 Advanced Socket API (RFC 3542)
+- Platforms that do not support IPv6 Advanced Socket API (:rfc:`3542`)
- Platforms that do not support atomic operations (via compiler or
library)
- Linux without NPTL (Native POSIX Thread Library)
Logged :any:`dnstap` messages can be parsed using the :iscman:`dnstap-read`
utility (see :ref:`man_dnstap-read` for details).
- For more information on :any:`dnstap`, see http://dnstap.info.
+ For more information on :any:`dnstap`, see https://dnstap.info.
The fstrm library has a number of tunables that are exposed in
:iscman:`named.conf`, and can be modified if necessary to improve
:short: Enables or disables session resumption through TLS session tickets.
Enables or disables session resumption through TLS session tickets,
- as defined in RFC5077. Disabling the stateless session tickets
+ as defined in :rfc:`5077`. Disabling the stateless session tickets
might be required in the cases when forward secrecy is needed,
or the TLS certificate and key pair is planned to be used across
multiple BIND instances.
certificates are updated on the disk.
BIND supports the following TLS authentication mechanisms described in
-the RFC 9103, Section 9.3: Opportunistic TLS, Strict TLS, and Mutual
+the :rfc:`9103`, Section 9.3: Opportunistic TLS, Strict TLS, and Mutual
TLS.
.. _opportunistic-tls:
Opportunistic TLS provides encryption for data but does not provide
any authentication for the channel. This mode is the default one and
it is used whenever :any:`remote-hostname` and :any:`ca-file` options are not set
-in :any:`tls` statements in use. RFC 9103 allows optional fallback to
+in :any:`tls` statements in use. :rfc:`9103` allows optional fallback to
clear-text DNS in the cases when TLS is not available. Still, BIND
intentionally does not support that in order to protect from
unexpected data leaks due to misconfiguration. Both BIND and its
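Review bot: the :rfc: role renders as "RFC 9103", so the first changed line now reads "the RFC 9103, Section 9.3"; drop the leading "the" so it reads "described in :rfc:`9103`, Section 9.3". The second change, "in :any:`tls` statements in use. :rfc:`9103` allows optional fallback", reads correctly as is.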
The ``*`` at the beginning of these CNAME target names is special, and it
causes the original query name to be prepended to the CNAME target. So if a
user tries to visit the Conficker command and control domain
-http://racaldftn.com.ai/ (which was a valid Conficker command and control
+`racaldftn.com.ai` (which was a valid Conficker command and control
domain name on 19-October-2011), the RPZ-configured recursive name server
will send back this answer:
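Review bot: the replacement `racaldftn.com.ai` uses single backticks, which in reStructuredText is interpreted text in the default role (rendered as emphasis unless ``default_role`` is configured), not a literal; use double backticks (``racaldftn.com.ai``) to match the literal convention used for ``libuv`` and the other identifiers in this patch. Dropping the clickable link to a former command-and-control domain is the right call; the name stays readable as the worked example without being a live hyperlink.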
}
See "Hacker's Delight" by Hank Warren, section 5-1 "Counting 1
-bits", subsection "applications". http://www.hackersdelight.org
+bits", subsection "applications". https://www.hackersdelight.org
See under _"bitmap popcount shenanigans"_ in `lib/dns/qp.c` for how
this is implemented in BIND.
Phil Bagwell's hashed array-mapped tries (HAMT) use popcount for
compact trie nodes. In a HAMT, string keys are hashed, and the hash is
used as the index to the trie, with radix 2^32 or 2^64.
-http://infoscience.epfl.ch/record/64394/files/triesearches.pdf
-http://infoscience.epfl.ch/record/64398/files/idealhashtrees.pdf
+https://infoscience.epfl.ch/record/64394/files/triesearches.pdf
+https://infoscience.epfl.ch/record/64398/files/idealhashtrees.pdf
As discussed above, increasing the radix makes the tree shallower, so
it should be faster. The downside is usually much greater memory
Type values range from 0 to 65536. These have been further divided into
reserved values, values that have global definition and values that have
-local definition as defined in [RFC 6895](http://tools.ietf.org/html/rfc6895).
+local definition as defined in [RFC 6895](https://tools.ietf.org/html/rfc6895).
Please use an appropriate value. You can use a private value
(65280 - 65534) while waiting for a type assignment to be made, then
rename the file and update the type values when the assignment has been
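Review bot: the context line "Type values range from 0 to 65536" is off by one; the RR TYPE field is 16 bits, so the range is 0 to 65535, and 65535 itself is reserved, which is why the private range quoted in the next sentence stops at 65534. Since this paragraph is being edited anyway, fix the upper bound in the same change.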
### Queueing Events onto the ``uv_loop_t``
The upstream documentation on [the I/O
-loop](http://docs.libuv.org/en/v1.x/design.html#the-i-o-loop) describes the
+loop](https://docs.libuv.org/en/v1.x/design.html#the-i-o-loop) describes the
order in which are the various handles processed. However, it does not describe
the order in which the loop processes the events in the same buckets, and
because it is counterintuitive, it is described here.
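Review bot: while changing the link on this line, the surrounding sentence has a word-order slip: "the order in which are the various handles processed" should read "the order in which the various handles are processed".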
#
# This file only contains a selection of the most common options. For a full
# list see the documentation:
-# http://www.sphinx-doc.org/en/master/config
+# https://www.sphinx-doc.org/en/master/config
# -- Path setup --------------------------------------------------------------