responding to queries.
- New 'named-rrchecker' tool to verify the syntactic
correctness of individual resource records.
+ - When re-signing a zone, the new "dnssec-signzone -Q" option
+ drops signatures from keys that are still published but are
+ no longer active.
BIND 9.9.0
- BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
- releases. New features include:
-
- - Inline signing, allowing automatic DNSSEC signing of
- master zones without modification of the zonefile, or
- "bump in the wire" signing in slaves.
- - NXDOMAIN redirection.
- - New 'rndc flushtree' command clears all data under a given
- name from the DNS cache.
- - New 'rndc sync' command dumps pending changes in a dynamic
- zone to disk without a freeze/thaw cycle.
- - New 'rndc signing' command displays or clears signing status
- records in 'auto-dnssec' zones.
- - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
- to signing, eliminating the need to initially sign with NSEC.
- - Startup time improvements on large authoritative servers.
- - Slave zones are now saved in raw format by default.
- - Several improvements to response policy zones (RPZ).
- - Improved hardware scalability by using multiple threads
- to listen for queries and using finer-grained client locking
- - The 'also-notify' option now takes the same syntax as
- 'masters', so it can used named masterlists and TSIG keys.
- - 'dnssec-signzone -D' writes an output file containing only DNSSEC
- data, which can be included by the primary zone file.
- - 'dnssec-signzone -R' forces removal of signatures that are
- not expired but were created by a key which no longer exists.
- - 'dnssec-signzone -X' allows a separate expiration date to
- be specified for DNSKEY signatures from other signatures.
- - New '-L' option to dnssec-keygen, dnssec-settime, and
- dnssec-keyfromlabel sets the default TTL for the key.
- - dnssec-dsfromkey now supports reading from standard input,
- to make it easier to convert DNSKEY to DS.
- - RFC 1918 reverse zones have been added to the empty-zones
- table per RFC 6303.
- - Dynamic updates can now optionally set the zone's SOA serial
- number to the current UNIX time.
- - DLZ modules can now retrieve the source IP address of
- the querying client.
- - 'request-ixfr' option can now be set at the per-zone level.
- - 'dig +rrcomments' turns on comments about DNSKEY records,
- indicating their key ID, algorithm and function
- - Simplified nsupdate syntax and added readline support
+ BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+ releases. New features include:
+
+ - Inline signing, allowing automatic DNSSEC signing of
+ master zones without modification of the zonefile, or
+ "bump in the wire" signing in slaves.
+ - NXDOMAIN redirection.
+ - New 'rndc flushtree' command clears all data under a given
+ name from the DNS cache.
+ - New 'rndc sync' command dumps pending changes in a dynamic
+ zone to disk without a freeze/thaw cycle.
+ - New 'rndc signing' command displays or clears signing status
+ records in 'auto-dnssec' zones.
+ - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
+ to signing, eliminating the need to initially sign with NSEC.
+ - Startup time improvements on large authoritative servers.
+ - Slave zones are now saved in raw format by default.
+ - Several improvements to response policy zones (RPZ).
+ - Improved hardware scalability by using multiple threads
+ to listen for queries and using finer-grained client locking
+ - The 'also-notify' option now takes the same syntax as
+ 'masters', so it can used named masterlists and TSIG keys.
+ - 'dnssec-signzone -D' writes an output file containing only DNSSEC
+ data, which can be included by the primary zone file.
+ - 'dnssec-signzone -R' forces removal of signatures that are
+ not expired but were created by a key which no longer exists.
+ - 'dnssec-signzone -X' allows a separate expiration date to
+ be specified for DNSKEY signatures from other signatures.
+ - New '-L' option to dnssec-keygen, dnssec-settime, and
+ dnssec-keyfromlabel sets the default TTL for the key.
+ - dnssec-dsfromkey now supports reading from standard input,
+ to make it easier to convert DNSKEY to DS.
+ - RFC 1918 reverse zones have been added to the empty-zones
+ table per RFC 6303.
+ - Dynamic updates can now optionally set the zone's SOA serial
+ number to the current UNIX time.
+ - DLZ modules can now retrieve the source IP address of
+ the querying client.
+ - 'request-ixfr' option can now be set at the per-zone level.
+ - 'dig +rrcomments' turns on comments about DNSKEY records,
+ indicating their key ID, algorithm and function
+ - Simplified nsupdate syntax and added readline support
Building
- BIND 9 currently requires a UNIX system with an ANSI C compiler,
- basic POSIX support, and a 64 bit integer type.
-
- We've had successful builds and tests on the following systems:
-
- COMPAQ Tru64 UNIX 5.1B
- Fedora Core 6
- FreeBSD 4.10, 5.2.1, 6.2
- HP-UX 11.11
- Mac OS X 10.5
- NetBSD 3.x, 4.0-beta, 5.0-beta
- OpenBSD 3.3 and up
- Solaris 8, 9, 9 (x86), 10
- Ubuntu 7.04, 7.10
- Windows XP/2003/2008
-
- NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
- Windows, including Windows NT and Windows 2000, are no longer
- supported.
-
- We have recent reports from the user community that a supported
- version of BIND will build and run on the following systems:
-
- AIX 4.3, 5L
- CentOS 4, 4.5, 5
- Darwin 9.0.0d1/ARM
- Debian 4, 5, 6
- Fedora Core 5, 7, 8
- FreeBSD 6, 7, 8
- HP-UX 11.23 PA
- MacOS X 10.5, 10.6, 10.7
- Red Hat Enterprise Linux 4, 5, 6
- SCO OpenServer 5.0.6
- Slackware 9, 10
- SuSE 9, 10
-
- To build, just
-
- ./configure
- make
-
- Do not use a parallel "make".
-
- Several environment variables that can be set before running
- configure will affect compilation:
-
- CC
- The C compiler to use. configure tries to figure
- out the right one for supported systems.
-
- CFLAGS
- C compiler flags. Defaults to include -g and/or -O2
- as supported by the compiler. Please include '-g'
- if you need to set CFLAGS.
-
- STD_CINCLUDES
- System header file directories. Can be used to specify
- where add-on thread or IPv6 support is, for example.
- Defaults to empty string.
-
- STD_CDEFINES
- Any additional preprocessor symbols you want defined.
- Defaults to empty string.
-
- Possible settings:
- Change the default syslog facility of named/lwresd.
- -DISC_FACILITY=LOG_LOCAL0
- Enable DNSSEC signature chasing support in dig.
- -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
- -DDIG_SIGCHASE_BU=1)
- Disable dropping queries from particular well known ports.
- -DNS_CLIENT_DROPPORT=0
- Sibling glue checking in named-checkzone is enabled by default.
- To disable the default check set. -DCHECK_SIBLING=0
- named-checkzone checks out-of-zone addresses by default.
- To disable this default set. -DCHECK_LOCAL=0
- To create the default pid files in ${localstatedir}/run rather
- than ${localstatedir}/run/{named,lwresd}/ set.
- -DNS_RUN_PID_DIR=0
- Enable workaround for Solaris kernel bug about /dev/poll
- -DISC_SOCKET_USE_POLLWATCH=1
- The watch timeout is also configurable, e.g.,
- -DISC_SOCKET_POLLWATCH_TIMEOUT=20
-
- LDFLAGS
- Linker flags. Defaults to empty string.
-
- The following need to be set when cross compiling.
-
- BUILD_CC
- The native C compiler.
- BUILD_CFLAGS (optional)
- BUILD_CPPFLAGS (optional)
- Possible Settings:
- -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
- BUILD_LDFLAGS (optional)
- BUILD_LIBS (optional)
-
- On most platforms, BIND 9 is built with multithreading
- support, allowing it to take advantage of multiple CPUs.
- You can configure this by specifying "--enable-threads" or
- "--disable-threads" on the configure command line. The default
- is to enable threads, except on some older operating systems
- on which threads are known to have had problems in the past.
- (Note: Prior to BIND 9.10, the default was to disable threads on
- Linux systems; this has been reversed. On Linux systems, the
- threaded build is known to change BIND's behavior with respect
- to file permissions; it may be necessary to specify a user with
- the -u option when running named.)
-
- To build shared libraries, specify "--with-libtool" on the
- configure command line.
-
- For the server to support DNSSEC, you need to build it
- with crypto support. You must have OpenSSL 0.9.5a
- or newer installed and specify "--with-openssl" on the
- configure command line. If OpenSSL is installed under
- a nonstandard prefix, you can tell configure where to
- look for it using "--with-openssl=/prefix".
-
- To support the HTTP statistics channel, the server must
- be linked with at least one of the following: libxml2
- (http://xmlsoft.org) or json-c (https://github.com/json-c).
- If these are installed at a nonstandard prefix, use
- "--with-libxml2=/prefix" or "--with-libjson=/prefix".
-
- On some platforms it is necessary to explictly request large
- file support to handle files bigger than 2GB. This can be
- done by "--enable-largefile" on the configure command line.
-
- Support for the "fixed" rrset-order option can be enabled
- or disabled by specifying "--enable-fixed-rrset" or
- "--disable-fixed-rrset" on the configure command line.
- The default is "disabled", to reduce memory footprint.
-
- If your operating system has integrated support for IPv6, it
- will be used automatically. If you have installed KAME IPv6
- separately, use "--with-kame[=PATH]" to specify its location.
-
- "make install" will install "named" and the various BIND 9 libraries.
- By default, installation is into /usr/local, but this can be changed
- with the "--prefix" option when running "configure".
-
- You may specify the option "--sysconfdir" to set the directory
- where configuration files like "named.conf" go by default,
- and "--localstatedir" to set the default parent directory
- of "run/named.pid". For backwards compatibility with BIND 8,
- --sysconfdir defaults to "/etc" and --localstatedir defaults to
- "/var" if no --prefix option is given. If there is a --prefix
- option, sysconfdir defaults to "$prefix/etc" and localstatedir
- defaults to "$prefix/var".
-
- To see additional configure options, run "configure --help".
- Note that the help message does not reflect the BIND 8
- compatibility defaults for sysconfdir and localstatedir.
-
- If you're planning on making changes to the BIND 9 source, you
- should also "make depend". If you're using Emacs, you might find
- "make tags" helpful.
-
- If you need to re-run configure please run "make distclean" first.
- This will ensure that all the option changes take.
-
- Building with gcc is not supported, unless gcc is the vendor's usual
- compiler (e.g. the various BSD systems, Linux).
-
- Known compiler issues:
- * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
- * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
- * gcc-3.3.5 powerpc generates incorrect code at -02.
- * Irix, MipsPRO 7.4.1m is known to cause problems.
-
- A limited test suite can be run with "make test". Many of
- the tests require you to configure a set of virtual IP addresses
- on your system, and some require Perl; see bin/tests/system/README
- for details.
-
- SunOS 4 requires "printf" to be installed to make the shared
- libraries. sh-utils-1.16 provides a "printf" which compiles
- on SunOS 4.
+ BIND 9 currently requires a UNIX system with an ANSI C compiler,
+ basic POSIX support, and a 64 bit integer type.
+
+ We've had successful builds and tests on the following systems:
+
+ COMPAQ Tru64 UNIX 5.1B
+ Fedora Core 6
+ FreeBSD 4.10, 5.2.1, 6.2
+ HP-UX 11.11
+ Mac OS X 10.5
+ NetBSD 3.x, 4.0-beta, 5.0-beta
+ OpenBSD 3.3 and up
+ Solaris 8, 9, 9 (x86), 10
+ Ubuntu 7.04, 7.10
+ Windows XP/2003/2008
+
+ NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
+ Windows, including Windows NT and Windows 2000, are no longer
+ supported.
+
+ We have recent reports from the user community that a supported
+ version of BIND will build and run on the following systems:
+
+ AIX 4.3, 5L
+ CentOS 4, 4.5, 5
+ Darwin 9.0.0d1/ARM
+ Debian 4, 5, 6
+ Fedora Core 5, 7, 8
+ FreeBSD 6, 7, 8
+ HP-UX 11.23 PA
+ MacOS X 10.5, 10.6, 10.7
+ Red Hat Enterprise Linux 4, 5, 6
+ SCO OpenServer 5.0.6
+ Slackware 9, 10
+ SuSE 9, 10
+
+ To build, just
+
+ ./configure
+ make
+
+ Do not use a parallel "make".
+
+ Several environment variables that can be set before running
+ configure will affect compilation:
+
+ CC
+ The C compiler to use. configure tries to figure
+ out the right one for supported systems.
+
+ CFLAGS
+ C compiler flags. Defaults to include -g and/or -O2
+ as supported by the compiler. Please include '-g'
+ if you need to set CFLAGS.
+
+ STD_CINCLUDES
+ System header file directories. Can be used to specify
+ where add-on thread or IPv6 support is, for example.
+ Defaults to empty string.
+
+ STD_CDEFINES
+ Any additional preprocessor symbols you want defined.
+ Defaults to empty string.
+
+ Possible settings:
+ Change the default syslog facility of named/lwresd.
+ -DISC_FACILITY=LOG_LOCAL0
+ Enable DNSSEC signature chasing support in dig.
+ -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
+ -DDIG_SIGCHASE_BU=1)
+ Disable dropping queries from particular well known ports.
+ -DNS_CLIENT_DROPPORT=0
+ Sibling glue checking in named-checkzone is enabled by default.
+ To disable the default check set. -DCHECK_SIBLING=0
+ named-checkzone checks out-of-zone addresses by default.
+ To disable this default set. -DCHECK_LOCAL=0
+ To create the default pid files in ${localstatedir}/run rather
+ than ${localstatedir}/run/{named,lwresd}/ set.
+ -DNS_RUN_PID_DIR=0
+ Enable workaround for Solaris kernel bug about /dev/poll
+ -DISC_SOCKET_USE_POLLWATCH=1
+ The watch timeout is also configurable, e.g.,
+ -DISC_SOCKET_POLLWATCH_TIMEOUT=20
+
+ LDFLAGS
+ Linker flags. Defaults to empty string.
+
+ The following need to be set when cross compiling.
+
+ BUILD_CC
+ The native C compiler.
+ BUILD_CFLAGS (optional)
+ BUILD_CPPFLAGS (optional)
+ Possible Settings:
+ -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
+ BUILD_LDFLAGS (optional)
+ BUILD_LIBS (optional)
+
+ On most platforms, BIND 9 is built with multithreading
+ support, allowing it to take advantage of multiple CPUs.
+ You can configure this by specifying "--enable-threads" or
+ "--disable-threads" on the configure command line. The default
+ is to enable threads, except on some older operating systems
+ on which threads are known to have had problems in the past.
+ (Note: Prior to BIND 9.10, the default was to disable threads on
+ Linux systems; this has been reversed. On Linux systems, the
+ threaded build is known to change BIND's behavior with respect
+ to file permissions; it may be necessary to specify a user with
+ the -u option when running named.)
+
+ To build shared libraries, specify "--with-libtool" on the
+ configure command line.
+
+ For the server to support DNSSEC, you need to build it
+ with crypto support. You must have OpenSSL 0.9.5a
+ or newer installed and specify "--with-openssl" on the
+ configure command line. If OpenSSL is installed under
+ a nonstandard prefix, you can tell configure where to
+ look for it using "--with-openssl=/prefix".
+
+ To support the HTTP statistics channel, the server must
+ be linked with at least one of the following: libxml2
+ (http://xmlsoft.org) or json-c (https://github.com/json-c).
+ If these are installed at a nonstandard prefix, use
+ "--with-libxml2=/prefix" or "--with-libjson=/prefix".
+
+ On some platforms it is necessary to explictly request large
+ file support to handle files bigger than 2GB. This can be
+ done by "--enable-largefile" on the configure command line.
+
+ Support for the "fixed" rrset-order option can be enabled
+ or disabled by specifying "--enable-fixed-rrset" or
+ "--disable-fixed-rrset" on the configure command line.
+ The default is "disabled", to reduce memory footprint.
+
+ If your operating system has integrated support for IPv6, it
+ will be used automatically. If you have installed KAME IPv6
+ separately, use "--with-kame[=PATH]" to specify its location.
+
+ "make install" will install "named" and the various BIND 9 libraries.
+ By default, installation is into /usr/local, but this can be changed
+ with the "--prefix" option when running "configure".
+
+ You may specify the option "--sysconfdir" to set the directory
+ where configuration files like "named.conf" go by default,
+ and "--localstatedir" to set the default parent directory
+ of "run/named.pid". For backwards compatibility with BIND 8,
+ --sysconfdir defaults to "/etc" and --localstatedir defaults to
+ "/var" if no --prefix option is given. If there is a --prefix
+ option, sysconfdir defaults to "$prefix/etc" and localstatedir
+ defaults to "$prefix/var".
+
+ To see additional configure options, run "configure --help".
+ Note that the help message does not reflect the BIND 8
+ compatibility defaults for sysconfdir and localstatedir.
+
+ If you're planning on making changes to the BIND 9 source, you
+ should also "make depend". If you're using Emacs, you might find
+ "make tags" helpful.
+
+ If you need to re-run configure please run "make distclean" first.
+ This will ensure that all the option changes take.
+
+ Building with gcc is not supported, unless gcc is the vendor's usual
+ compiler (e.g. the various BSD systems, Linux).
+
+ Known compiler issues:
+ * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
+ * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
+ * gcc-3.3.5 powerpc generates incorrect code at -02.
+ * Irix, MipsPRO 7.4.1m is known to cause problems.
+
+ A limited test suite can be run with "make test". Many of
+ the tests require you to configure a set of virtual IP addresses
+ on your system, and some require Perl; see bin/tests/system/README
+ for details.
+
+ SunOS 4 requires "printf" to be installed to make the shared
+ libraries. sh-utils-1.16 provides a "printf" which compiles
+ on SunOS 4.
Known limitations
- Linux requires kernel build 2.6.39 or later to get the
- performance benefits from using multiple sockets.
+ Linux requires kernel build 2.6.39 or later to get the
+ performance benefits from using multiple sockets.
Documentation
- The BIND 9 Administrator Reference Manual is included with the
- source distribution in DocBook XML and HTML format, in the
- doc/arm directory.
+ The BIND 9 Administrator Reference Manual is included with the
+ source distribution in DocBook XML and HTML format, in the
+ doc/arm directory.
- Some of the programs in the BIND 9 distribution have man pages
- in their directories. In particular, the command line
- options of "named" are documented in /bin/named/named.8.
- There is now also a set of man pages for the lwres library.
+ Some of the programs in the BIND 9 distribution have man pages
+ in their directories. In particular, the command line
+ options of "named" are documented in /bin/named/named.8.
+ There is now also a set of man pages for the lwres library.
- If you are upgrading from BIND 8, please read the migration
- notes in doc/misc/migration. If you are upgrading from
- BIND 4, read doc/misc/migration-4to9.
+ If you are upgrading from BIND 8, please read the migration
+ notes in doc/misc/migration. If you are upgrading from
+ BIND 4, read doc/misc/migration-4to9.
- Frequently asked questions and their answers can be found in
- FAQ.
+ Frequently asked questions and their answers can be found in
+ FAQ.
- Additional information on various subjects can be found
- in the other README files.
+ Additional information on various subjects can be found
+ in the other README files.
Change Log
- A detailed list of all changes to BIND 9 is included in the
- file CHANGES, with the most recent changes listed first.
- Change notes include tags indicating the category of the
- change that was made; these categories are:
+ A detailed list of all changes to BIND 9 is included in the
+ file CHANGES, with the most recent changes listed first.
+ Change notes include tags indicating the category of the
+ change that was made; these categories are:
- [func] New feature
+ [func] New feature
- [bug] General bug fix
+ [bug] General bug fix
- [security] Fix for a significant security flaw
+ [security] Fix for a significant security flaw
- [experimental] Used for new features when the syntax
- or other aspects of the design are still
- in flux and may change
+ [experimental] Used for new features when the syntax
+ or other aspects of the design are still
+ in flux and may change
- [port] Portability enhancement
+ [port] Portability enhancement
- [maint] Updates to built-in data such as root
- server addresses and keys
+ [maint] Updates to built-in data such as root
+ server addresses and keys
- [tuning] Changes to built-in configuration defaults
- and constants to improve performanceo
+ [tuning] Changes to built-in configuration defaults
+ and constants to improve performanceo
- [protocol] Updates to the DNS protocol such as new
- RR types
+ [protocol] Updates to the DNS protocol such as new
+ RR types
- [test] Changes to the automatic tests, not
- affecting server functionality
+ [test] Changes to the automatic tests, not
+ affecting server functionality
- [cleanup] Minor corrections and refactoring
+ [cleanup] Minor corrections and refactoring
- [doc] Documentation
+ [doc] Documentation
- In general, [func] and [experimental] tags will only appear
- in new-feature releases (i.e., those with version numbers
- ending in zero). Some new functionality may be backported to
- older releases on a case-by-case basis. All other change
- types may be applied to all currently-supported releases.
+ In general, [func] and [experimental] tags will only appear
+ in new-feature releases (i.e., those with version numbers
+ ending in zero). Some new functionality may be backported to
+ older releases on a case-by-case basis. All other change
+ types may be applied to all currently-supported releases.
Bug Reports and Mailing Lists
- Bugs reports should be sent to
-
- bind9-bugs@isc.org
+ Bugs reports should be sent to
- To join the BIND Users mailing list, send mail to
+ bind9-bugs@isc.org
- bind-users-request@isc.org
+ To join the BIND Users mailing list, send mail to
- archives of which can be found via
+ bind-users-request@isc.org
- http://www.isc.org/ops/lists/
+ archives of which can be found via
- If you're planning on making changes to the BIND 9 source
- code, you might want to join the BIND Workers mailing list.
- Send mail to
+ http://www.isc.org/ops/lists/
- bind-workers-request@isc.org
+ If you're planning on making changes to the BIND 9 source
+ code, you might want to join the BIND Workers mailing list.
+ Send mail to
+ bind-workers-request@isc.org
projects / thirdparty / bind9.git / commitdiff
