+4609. [cleanup] Rearrange makefiles to enable parallel execution
+ (i.e. "make -j"). [RT #45078]
+
4608. [func] DiG now warns about .local queries which are reserved
for Multicast DNS. [RT #44783]
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+ * Inline signing, allowing automatic DNSSEC signing of master zones
+ without modification of the zonefile, or "bump in the wire" signing in
+ slaves.
+ * NXDOMAIN redirection.
+ * New 'rndc flushtree' command clears all data under a given name from
+ the DNS cache.
+ * New 'rndc sync' command dumps pending changes in a dynamic zone to
+ disk without a freeze/thaw cycle.
+ * New 'rndc signing' command displays or clears signing status records
+ in 'auto-dnssec' zones.
+ * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+ signing, eliminating the need to initially sign with NSEC.
+ * Startup time improvements on large authoritative servers.
+ * Slave zones are now saved in raw format by default.
+ * Several improvements to response policy zones (RPZ).
+ * Improved hardware scalability by using multiple threads to listen for
+ queries and using finer-grained client locking
+ * The 'also-notify' option now takes the same syntax as 'masters', so it
+ can used named masterlists and TSIG keys.
+ * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+ data, which can be included by the primary zone file.
+ * 'dnssec-signzone -R' forces removal of signatures that are not expired
+ but were created by a key which no longer exists.
+ * 'dnssec-signzone -X' allows a separate expiration date to be specified
+ for DNSKEY signatures from other signatures.
+ * New '-L' option to dnssec-keygen, dnssec-settime, and
+ dnssec-keyfromlabel sets the default TTL for the key.
+ * dnssec-dsfromkey now supports reading from standard input, to make it
+ easier to convert DNSKEY to DS.
+ * RFC 1918 reverse zones have been added to the empty-zones table per
+ RFC 6303.
+ * Dynamic updates can now optionally set the zone's SOA serial number to
+ the current UNIX time.
+ * DLZ modules can now retrieve the source IP address of the querying
+ client.
+ * 'request-ixfr' option can now be set at the per-zone level.
+ * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+ their key ID, algorithm and function
+ * Simplified nsupdate syntax and added readline support
+
+BIND 9.8.0
+
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+ * Built-in trust anchor for the root zone, which can be switched on via
+ "dnssec-validation auto;"
+ * Support for DNS64.
+ * Support for response policy zones (RPZ).
+ * Support for writable DLZ zones.
+ * Improved ease of configuration of GSS/TSIG for interoperability with
+ Active Directory
+ * Support for GOST signing algorithm for DNSSEC.
+ * Removed RTT Banding from server selection algorithm.
+ * New "static-stub" zone type.
+ * Allow configuration of resolver timeouts via "resolver-query-timeout"
+ option.
+ * The DLZ "dlopen" driver is now built by default.
+ * Added a new include file with function typedefs for the DLZ "dlopen"
+ driver.
+ * Made "--with-gssapi" default.
+ * More verbose error reporting from DLZ LDAP.
+
+BIND 9.7.0
+
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+ * Fully automatic signing of zones by "named".
+ * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+ * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+ command line tool or the "local" update-policy option. (As a side
+ effect, this also makes it easier to configure automatic zone
+ re-signing.)
+ * New named option "attach-cache" that allows multiple views to share a
+ single cache.
+ * DNS rebinding attack prevention.
+ * New default values for dnssec-keygen parameters.
+ * Support for RFC 5011 automated trust anchor maintenance
+ * Smart signing: simplified tools for zone signing and key maintenance.
+ * The "statistics-channels" option is now available on Windows.
+ * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+ * On some platforms, named and other binaries can now print out a stack
+ backtrace on assertion failure, to aid in debugging.
+ * A "tools only" installation mode on Windows, which only installs dig,
+ host, nslookup and nsupdate.
+ * Improved PKCS#11 support, including Keyper support and explicit
+ OpenSSL engine selection.
+
+BIND 9.6.0
+
+ * Full NSEC3 support
+ * Automatic zone re-signing
+ * New update-policy methods tcp-self and 6to4-self
+ * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+ distribution and is now available as a separate download.
+ * Change the default pid file location from /var/run to /var/run/
+ {named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+ * GSS-TSIG support (RFC 3645).
+ * DHCID support.
+ * Experimental http server and statistics support for named via xml.
+ * More detailed statistics counters including those supported in BIND 8.
+ * Faster ACL processing.
+ * Use Doxygen to generate internal documentation.
+ * Efficient LRU cache-cleaning mechanism.
+ * NSID support.
+
+BIND 9.4.0
+
+ * Implemented "additional section caching (or acache)", an internal
+ cache framework for additional section content to improve response
+ performance. Several configuration options were provided to control
+ the behavior.
+ * New notify type 'master-only'. Enable notify for master zones only.
+ * Accept 'notify-source' style syntax for query-source.
+ * rndc now allows addresses to be set in the server clauses.
+ * New option "allow-query-cache". This lets "allow-query" be used to
+ specify the default zone access level rather than having to have every
+ zone override the global value. "allow-query-cache" can be set at both
+ the options and view levels. If "allow-query-cache" is not set then
+ "allow-recursion" is used if set, otherwise "allow-query" is used if
+ set unless "recursion no;" is set in which case "none;" is used,
+ otherwise the default (localhost; localnets;) is used.
+ * rndc: the source address can now be specified.
+ * ixfr-from-differences now takes master and slave in addition to yes
+ and no at the options and view levels.
+ * Allow the journal's name to be changed via named.conf.
+ * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+ specified zone.
+ * 'dig +trace' now randomly selects the next servers to try. Report if
+ there is a bad delegation.
+ * Improve check-names error messages.
+ * Make public the function to read a key file, dst_key_read_public().
+ * dig now returns the byte count for axfr/ixfr.
+ * allow-update is now settable at the options / view level.
+ * named-checkconf now checks the logging configuration.
+ * host now can turn on memory debugging flags with '-m'.
+ * Don't send notify messages to self.
+ * Perform sanity checks on NS records which refer to 'in zone' names.
+ * New zone option "notify-delay". Specify a minimum delay between sets
+ of NOTIFY messages.
+ * Extend adjusting TTL warning messages.
+ * Named and named-checkzone can now both check for non-terminal wildcard
+ records.
+ * "rndc freeze/thaw" now freezes/thaws all zones.
+ * named-checkconf now check acls to verify that they only refer to
+ existing acls.
+ * The server syntax has been extended to support a range of servers.
+ * Report differences between hints and real NS rrset and associated
+ address records.
+ * Preserve the case of domain names in rdata during zone transfers.
+ * Restructured the data locking framework using architecture dependent
+ atomic operations (when available), improving response performance on
+ multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+ and mips are currently supported.
+ * UNIX domain controls are now supported.
+ * Add support for additional zone file formats for improving loading
+ performance. The masterfile-format option in named.conf can be used to
+ specify a non-default format. A separate command named-compilezone was
+ provided to generate zone files in the new format. Additionally, the
+ -I and -O options for dnssec-signzone specify the input and output
+ formats.
+ * dnssec-signzone can now randomize signature end times (dnssec-signzone
+ -j jitter).
+ * Add support for CH A record.
+ * Add additional zone data constancy checks. named-checkzone has
+ extended checking of NS, MX and SRV record and the hosts they
+ reference. named has extended post zone load checks. New zone options:
+ check-mx and integrity-check.
+ * edns-udp-size can now be overridden on a per server basis.
+ * dig can now specify the EDNS version when making a query.
+ * Added framework for handling multiple EDNS versions.
+ * Additional memory debugging support to track size and mctx arguments.
+ * Detect duplicates of UDP queries we are recursing on and drop them.
+ New stats category "duplicates".
+ * "USE INTERNAL MALLOC" is now runtime selectable.
+ * The lame cache is now done on a basis as some servers only appear to
+ be lame for certain query types.
+ * Limit the number of recursive clients that can be waiting for a single
+ query () to resolve. New options clients-per-query and
+ max-clients-per-query.
+ * dig: report the number of extra bytes still left in the packet after
+ processing all the records.
+ * Support for IPSECKEY rdata type.
+ * Raise the UDP recieve buffer size to 32k if it is less than 32k.
+ * x86 and x86_64 now have seperate atomic locking implementations.
+ * named-checkconf now validates update-policy entries.
+ * Attempt to make the amount of work performed in a iteration self
+ tuning. The covers nodes clean from the cache per iteration, nodes
+ written to disk when rewriting a master file and nodes destroyed per
+ iteration when destroying a zone or a cache.
+ * ISC string copy API.
+ * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+ 1918 zones are not yet covered by this but are likely to be in a
+ future release.
+ * New options: empty-server, empty-contact, empty-zones-enable and
+ disable-empty-zone.
+ * dig now has a '-q queryname' and '+showsearch' options.
+ * host/nslookup now continue (default)/fail on SERVFAIL.
+ * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+ the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+ is set unless a server is explicitly set.
+ * Integrate contibuted DLZ code into named.
+ * Integrate contibuted IDN code from JPNIC.
+ * libbind: corresponds to that from BIND 8.4.7.
+
+BIND 9.3.0
+
+ * DNSSEC is now DS based (RFC 3658).
+ * DNSSEC lookaside validation.
+ * check-names is now implemented.
+ * rrset-order is more complete.
+ * IPv4/IPv6 transition support, dual-stack-servers.
+ * IXFR deltas can now be generated when loading master files,
+ ixfr-from-differences.
+ * It is now possible to specify the size of a journal, max-journal-size.
+ * It is now possible to define a named set of master servers to be used
+ in masters clause, masters.
+ * The advertised EDNS UDP size can now be set, edns-udp-size.
+ * allow-v6-synthesis has been obsoleted.
+ * Zones containing MD and MF will now be rejected.
+ * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+ NOTIMPL. This will have impact on scripts that are looking for
+ NOTIMPL.
+ * libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+ * The size of the cache can now be limited using the "max-cache-size"
+ option.
+ * The server can now automatically convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when enabled using the new
+ option "allow-v6-synthesis". This allows stub resolvers that support
+ AAAA records but not A6 record chains or binary labels to perform
+ lookups in domains that make use of these IPv6 DNS features.
+ * Performance has been improved.
+ * The man pages now use the more portable "man" macros rather than the
+ "mandoc" macros, and are installed by "make install".
+ * The named.conf parser has been completely rewritten. It now supports
+ "include" directives in more places such as inside "view" statements,
+ and it no longer has any reserved words.
+ * The "rndc status" command is now implemented.
+ * rndc can now be configured automatically.
+ * A BIND 8 compatible stub resolver library is now included in lib/bind.
+ * OpenSSL has been removed from the distribution. This means that to use
+ DNSSEC, OpenSSL must be installed and the --with-openssl option must
+ be supplied to configure. This does not apply to the use of TSIG,
+ which does not require OpenSSL.
+ * The source distribution now builds on Windows. See win32utils/
+ readme1.txt and win32utils/win32-build.txt for details.
+ * This distribution also includes a new lightweight stub resolver
+ library and associated resolver daemon that fully support forward and
+ reverse lookups of both IPv4 and IPv6 addresses. This library is
+ considered experimental and is not a complete replacement for the BIND
+ 8 resolver library. Applications that use the BIND 8 res_* functions
+ to perform DNS lookups or dynamic updates still need to be linked
+ against the BIND 8 libraries. For DNS lookups, they can also use the
+ new "getrrsetbyname()" API.
+ * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+ secured zones. This functionality is believed to be stable and
+ complete except for lacking support for verifications involving
+ wildcard records in secure zones.
+ * When acting as a caching server, BIND 9.2 can be configured to perform
+ DNSSEC secure resolution on behalf of its clients. This part of the
+ DNSSEC implementation is still considered experimental. For detailed
+ information about the state of the DNSSEC implementation, see the file
+ doc/misc/dnssec.
+
--->
### Functional enhancements from prior major releases of BIND 9
-#### BIND 9.11
-
-BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
-releases. New features include:
-
-- Added support for Catalog Zones, a new method for provisioning servers: a
- list of zones to be served is stored in a DNS zone, along with their
- configuration parameters. Changes to the catalog zone are propagated to
- slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
- are automatically added, deleted or reconfigured.
-- Added support for "dnstap", a fast and flexible method of capturing and
- logging DNS traffic.
-- Added support for "dyndb", a new API for loading zone data from an
- external database, developed by Red Hat for the FreeIPA project.
-- "fetchlimit" quotas are now compiled in by default. These are for the
- use of recursive resolvers that are are under high query load for domains
- whose authoritative servers are nonresponsive or are experiencing a
- denial of service attack:
- - "fetches-per-server" limits the number of simultaneous queries that
- can be sent to any single authoritative server. The configured value
- is a starting point; it is automatically adjusted downward if the
- server is partially or completely non-responsive. The algorithm used
- to adjust the quota can be configured via the "fetch-quota-params"
- option.
- - "fetches-per-zone" limits the number of simultaneous queries that can
- be sent for names within a single domain. (Note: Unlike
- "fetches-per-server", this value is not self-tuning.)
- - New stats counters have been added to count queries spilled due to
- these quotas.
-- Added a new "dnssec-keymgr" key mainenance utility, which can generate or
- update keys as needed to ensure that a zone's keys match a defined DNSSEC
- policy.
-- The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
- is no longer optional. EDNS COOKIE is a mechanism enabling clients to
- detect off-path spoofed responses, and servers to detect spoofed-source
- queries. Clients that identify themselves using COOKIE options are not
- subject to response rate limiting (RRL) and can receive larger UDP
- responses.
-- SERVFAIL responses can now be cached for a limited time (defaulting to 1
- second, with an upper limit of 30). This can reduce the frequency of
- retries when a query is persistently failing.
-- Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to be
- skipped if a name server IP address isn't in the cache yet; the address
- will be looked up and the rule will be applied on future queries.
-- Added a Python RNDC module. This allows multiple commands to sent over a
- persistent RNDC channel, which saves time.
-- The "controls" block in named.conf can now grant read-only "rndc" access
- to specified clients or keys. Read-only clients could, for example, check
- "rndc status" but could not reconfigure or shut down the server.
-- "rndc" commands can now return arbitrarily large amounts of text to the
- caller.
-- The zone serial number of a dynamically updatable zone can now be set via
- "rndc signing -serial <number> <zonename>". This allows inline-signing
- zones to be set to a specific serial number.
-- The new "rndc nta" command can be used to set a Negative Trust Anchor
- (NTA), disabling DNSSEC validation for a specific domain; this can be
- used when responses from a domain are known to be failing validation due
- to administrative error rather than because of a spoofing attack.
- Negative trust anchors are strictly temporary; by default they expire
- after one hour, but can be configured to last up to one week.
-- "rndc delzone" can now be used on zones that were not originally created
- by "rndc addzone".
-- "rndc modzone" reconfigures a single zone, without requiring the entire
- server to be reconfigured.
-- "rndc showzone" displays the current configuration of a zone.
-- "rndc managed-keys" can be used to check the status of RFC 5001 managed
- trust anchors, or to force trust anchors to be refreshed.
-- "max-cache-size" can now be set to a percentage of available memory. The
- default is 90%.
-- Update forwarding performance has been improved by allowing a single TCP
- connection to be shared by multiple updates.
-- The EDNS Client Subnet (ECS) option is now supported for authoritative
- servers; if a query contains an ECS option then ACLs containing "geoip"
- or "ecs" elements can match against the the address encoded in the
- option. This can be used to select a view for a query, so that different
- answers can be provided depending on the client network.
-- The EDNS EXPIRE option has been implemented on the client side, allowing
- a slave server to set the expiration timer correctly when transferring
- zone data from another slave server.
-- The key generation and manipulation tools (dnssec-keygen, dnssec-settime,
- dnssec-importkey, dnssec-keyfromlabel) now take "-Psync" and "-Dsync"
- options to set the publication and deletion times of CDS and CDNSKEY
- parent-synchronization records. Both named and dnssec-signzone can now
- publish and remove these records at the scheduled times.
-- A new "minimal-any" option reduces the size of UDP responses for query
- type ANY by returning a single arbitrarily selected RRset instead of all
- RRsets.
-- A new "masterfile-style" zone option controls the formatting of text zone
- files: When set to "full", a zone file is dumped in
- single-line-per-record format.
-- "serial-update-method" can now be set to "date". On update, the serial
- number will be set to the current date in YYYYMMDDNN format.
-- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
-- "named -L <filename>" causes named to send log messages to the specified
- file by default instead of to the system log.
-- "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m, s
- for weeks, days, hours, minutes, and seconds.
-- "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
- presentation format.
-- "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
-- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
- requests.
-- "mdig" is an alternate version of dig which sends multiple pipelined TCP
- queries to a server. Instead of waiting for a response after sending a
- query, it sends all queries immediately and displays responses in the
- order received.
-- "serial-query-rate" no longer controls NOTIFY messages. These are
- separately controlled by "notify-rate" and "startup-notify-rate".
-- "nsupdate" now performs "check-names" processing by default on records to
- be added. This can be disabled with "check-names no".
-- The statistics channel now supports DEFLATE compression, reducing the
- size of the data sent over the network when querying statistics.
-- New counters have been added to the statistics channel to track the sizes
- of incoming queries and outgoing responses in histogram buckets, as
- specified in RSSAC002.
-- A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
- added, allowing redirection to a specified DNS namespace instead of a
- single redirect zone.
-- When starting up, named now ensures that no other named process is
- already running.
-- Files created by named to store information, including "mkeys" and "nzf"
- files, are now named after their corresponding views unless the view name
- contains characters incompatible with use as a filename. Old style
- filenames (based on the hash of the view name) will still work.
-
-#### BIND 9.10.0
-
-BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
-releases. New features include:
-
- - DNS Response-rate limiting (DNS RRL), which blunts the
- impact of reflection and amplification attacks, is always
- compiled in and no longer requires a compile-time option
- to enable it.
- - An experimental "Source Identity Token" (SIT) EDNS option
- is now available. Similar to DNS Cookies as invented by
- Donald Eastlake 3rd, these are designed to enable clients
- to detect off-path spoofed responses, and to enable servers
- to detect spoofed-source queries. Servers can be configured
- to send smaller responses to clients that have not identified
- themselves using a SIT option, reducing the effectiveness of
- amplification attacks. RRL processing has also been updated;
- clients proven to be legitimate via SIT are not subject to
- rate limiting. Use "configure --enable-sit" to enable this
- feature in BIND.
- - A new zone file format, "map", stores zone data in a
- format that can be mapped directly into memory, allowing
- significantly faster zone loading.
- - "delv" (domain entity lookup and validation) is a new tool
- with dig-like semantics for looking up DNS data and performing
- internal DNSSEC validation. This allows easy validation in
- environments where the resolver may not be trustworthy, and
- assists with troubleshooting of DNSSEC problems. (NOTE:
- In previous development releases of BIND 9.10, this utility
- was called "delve". The spelling has been changed to avoid
- confusion with the "delve" utility included with the Xapian
- search engine.)
- - Improved EDNS(0) processing for better resolver performance
- and reliability over slow or lossy connections.
- - A new "configure --with-tuning=large" option tunes certain
- compiled-in constants and default settings to values better
- suited to large servers with abundant memory. This can
- improve performance on such servers, but will consume more
- memory and may degrade performance on smaller systems.
- - Substantial improvement in response-policy zone (RPZ)
- performance. Up to 32 response-policy zones can be
- configured with minimal performance loss.
- - To improve recursive resolver performance, cache records
- which are still being requested by clients can now be
- automatically refreshed from the authoritative server
- before they expire, reducing or eliminating the time
- window in which no answer is available in the cache.
- - New "rpz-client-ip" triggers and drop policies allowing
- response policies based on the IP address of the client.
- - ACLs can now be specified based on geographic location
- using the MaxMind GeoIP databases. Use "configure
- --with-geoip" to enable.
- - Zone data can now be shared between views, allowing
- multiple views to serve the same zones authoritatively
- without storing multiple copies in memory.
- - New XML schema (version 3) for the statistics channel
- includes many new statistics and uses a flattened XML tree
- for faster parsing. The older schema is now deprecated.
- - A new stylesheet, based on the Google Charts API, displays
- XML statistics in charts and graphs on javascript-enabled
- browsers.
- - The statistics channel can now provide data in JSON
- format as well as XML.
- - New stats counters track TCP and UDP queries received
- per zone, and EDNS options received in total.
- - The internal and export versions of the BIND libraries
- (libisc, libdns, etc) have been unified so that external
- library clients can use the same libraries as BIND itself.
- - A new compile-time option, "configure --enable-native-pkcs11",
- allows BIND 9 cryptography functions to use the PKCS#11 API
- natively, so that BIND can drive a cryptographic hardware
- service module (HSM) directly instead of using a modified
- OpenSSL as an intermediary. (Note: This feature requires an
- HSM to have a full implementation of the PKCS#11 API; many
- current HSMs only have partial implementations. The new
- "pkcs11-tokens" command can be used to check API completeness.
- Native PKCS#11 is known to work with the Thales nShield HSM
- and with SoftHSM version 2 from the Open DNSSEC project.)
- - The new "max-zone-ttl" option enforces maximum TTLs for
- zones. This can simplify the process of rolling DNSSEC keys
- by guaranteeing that cached signatures will have expired
- within the specified amount of time.
- - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
- querying.
- - "dig +expire" sends an EDNS EXPIRE option when querying.
- When this option is sent with an SOA query to a server
- that supports it, it will report the expiry time of
- a slave zone.
- - New "dnssec-coverage" tool to check DNSSEC key coverage
- for a zone and report if a lapse in signing coverage has
- been inadvertently scheduled.
- - Signing algorithm flexibility and other improvements
- for the "rndc" control channel.
- - "named-checkzone" and "named-compilezone" can now read
- journal files, allowing them to process dynamic zones.
- - Multiple DLZ databases can now be configured. Individual
- zones can be configured to be served from a specific DLZ
- database. DLZ databases now serve zones of type "master"
- and "redirect".
- - "rndc zonestatus" reports information about a specified zone.
- - "named" now listens on IPv6 as well as IPv4 interfaces
- by default.
- - "named" now preserves the capitalization of names
- when responding to queries: for instance, a query for
- "example.com" may be answered with "example.COM" if the
- name was configured that way in the zone file. Some
- clients have a bug causing them to depend on the older
- behavior, in which the case of the answer always matched
- the case of the query, rather than the case of the name
- configured in the DNS. Such clients can now be specified
- in the new "no-case-compress" ACL; this will restore the
- older behavior of "named" for those clients only.
- - new "dnssec-importkey" command allows the use of offline
- DNSSEC keys with automatic DNSKEY management.
- - New "named-rrchecker" tool to verify the syntactic
- correctness of individual resource records.
- - When re-signing a zone, the new "dnssec-signzone -Q" option
- drops signatures from keys that are still published but are
- no longer active.
- - "named-checkconf -px" will print the contents of configuration
- files with the shared secrets obscured, making it easier to
- share configuration (e.g. when submitting a bug report)
- without revealing private information.
- - "rndc scan" causes named to re-scan network interfaces for
- changes in local addresses.
- - On operating systems with support for routing sockets,
- network interfaces are re-scanned automatically whenever
- they change.
- - "tsig-keygen" is now available as an alternate command
- name to use for "ddns-confgen".
-
#### BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+Setting the STD_CDEFINES environment variable before running configure can
+be used to enable certain compile-time options that are not explicitly
+defined in configure.
+
+Some of these settings are:
+
+Setting Description
+ Don't ovewrite memory when allocating or freeing
+-DISC_MEM_FILL=0 it; this improves performance but makes
+ debugging more difficult.
+ Don't track memory allocations by file and line
+-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
+ debugging more difficult.
+-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
+-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
+ well-known ports:
+-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
+-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
+ named-checkzone
+-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
+ rather than ${localstatedir}/run/{named,lwresd}/
+ Enable DNSSEC signature chasing support in dig.
+-DDIG_SIGCHASE=1 (Note: This feature is deprecated. Use delv
+ instead.)
+
+BIND 9
+
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.10 features
+ 5. Building BIND
+ 6. Compile-time options
+ 7. Automated testing
+ 8. Documentation
+ 9. Change log
+10. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licenced under the terms of the Mozilla Public License,
+version 2.0.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
+
+Reporting bugs and getting help
+
+Please report assertion failure errors and suspected security issues to
+security-officer@isc.org.
+
+General bug reports can be sent to bind9-bugs@isc.org.
+
+Feature requests can be sent to bind-suggest@isc.org.
+
+Please note that, while ISC's ticketing system is not currently publicly
+readable, this may change in the future. Please do not include information
+in bug reports that you consider to be confidential. For example, when
+sending the contents of your configuration file, it is advisable to
+obscure key secrets; this can be done automatically by using
+named-checkconf -px.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+A public git repository for BIND is maintained at http://www.isc.org/git/,
+and also on Github at https://github.com/isc-projects.
+
+Information for BIND contributors can be found in the following files: -
+General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
+style.md - BIND architecture and developer guide: doc/dev/dev.md
+
+Patches for BIND may be submitted either as Github pull requests or via
+email. When submitting a patch via email, please prepend the subject
+header with "[PATCH]" so it will be easier for us to find. If your patch
+introduces a new feature in BIND, please submit it to bind-suggest@isc.org
+; if it fixes a bug, please submit it to bind9-bugs@isc.org.
+
+BIND 9.10 features
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+ * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+ reflection and amplification attacks, is always compiled in and no
+ longer requires a compile-time option to enable it.
+ * An experimental "Source Identity Token" (SIT) EDNS option is now
+ available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+ these are designed to enable clients to detect off-path spoofed
+ responses, and to enable servers to detect spoofed-source queries.
+ Servers can be configured to send smaller responses to clients that
+ have not identified themselves using a SIT option, reducing the
+ effectiveness of amplification attacks. RRL processing has also been
+ updated; clients proven to be legitimate via SIT are not subject to
+ rate limiting. Use configure --enable-sit to enable this feature in
+ BIND.
+ * A new zone file format, map, stores zone data in a format that can be
+ mapped directly into memory, allowing significantly faster zone
+ loading.
+ * delv (domain entity lookup and validation) is a new tool with dig-like
+ semantics for looking up DNS data and performing internal DNSSEC
+ validation. This allows easy validation in environments where the
+ resolver may not be trustworthy, and assists with troubleshooting of
+ DNSSEC problems. (NOTE: In previous development releases of BIND 9.10,
+ this utility was called delve. The spelling has been changed to avoid
+ confusion with the delve utility included with the Xapian search
+ engine.)
+ * Improved EDNS(0) processing for better resolver performance and
+ reliability over slow or lossy connections.
+ * A new configure --with-tuning=large option tunes certain compiled-in
+ constants and default settings to values better suited to large
+ servers with abundant memory. This can improve performance on such
+ servers, but will consume more memory and may degrade performance on
+ smaller systems.
+ * Substantial improvement in response-policy zone (RPZ) performance. Up
+ to 32 response-policy zones can be configured with minimal performance
+ loss.
+ * To improve recursive resolver performance, cache records which are
+ still being requested by clients can now be automatically refreshed
+ from the authoritative server before they expire, reducing or
+ eliminating the time window in which no answer is available in the
+ cache.
+ * New rpz-client-ip triggers and drop policies allowing response
+ policies based on the IP address of the client.
+ * ACLs can now be specified based on geographic location using the
+ MaxMind GeoIP databases. Use configure --with-geoip to enable.
+ * Zone data can now be shared between views, allowing multiple views to
+ serve the same zones authoritatively without storing multiple copies
+ in memory.
+ * New XML schema (version 3) for the statistics channel includes many
+ new statistics and uses a flattened XML tree for faster parsing. The
+ older schema is now deprecated.
+ * A new stylesheet, based on the Google Charts API, displays XML
+ statistics in charts and graphs on javascript-enabled browsers.
+ * The statistics channel can now provide data in JSON format as well as
+ XML.
+ * New stats counters track TCP and UDP queries received per zone, and
+ EDNS options received in total.
+ * The internal and export versions of the BIND libraries (libisc,
+ libdns, etc) have been unified so that external library clients can
+ use the same libraries as BIND itself.
+ * A new compile-time option, configure --enable-native-pkcs11, allows
+ BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+ BIND can drive a cryptographic hardware service module (HSM) directly
+ instead of using a modified OpenSSL as an intermediary. (Note: This
+ feature requires an HSM to have a full implementation of the PKCS#11
+ API; many current HSMs only have partial implementations. The new
+ pkcs11-tokens command can be used to check API completeness. Native
+ PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+ version 2 from the Open DNSSEC project.)
+ * The new max-zone-ttl option enforces maximum TTLs for zones. This can
+ simplify the process of rolling DNSSEC keys by guaranteeing that
+ cached signatures will have expired within the specified amount of
+ time.
+ * dig +subnet sends an EDNS CLIENT-SUBNET option when querying.
+ * dig +expire sends an EDNS EXPIRE option when querying. When this
+ option is sent with an SOA query to a server that supports it, it will
+ report the expiry time of a slave zone.
+ * New dnssec-coverage tool to check DNSSEC key coverage for a zone and
+ report if a lapse in signing coverage has been inadvertently
+ scheduled.
+ * Signing algorithm flexibility and other improvements for the rndc
+ control channel.
+ * named-checkzone and named-compilezone can now read journal files,
+ allowing them to process dynamic zones.
+ * Multiple DLZ databases can now be configured. Individual zones can be
+ configured to be served from a specific DLZ database. DLZ databases
+ now serve zones of type master and redirect.
+ * rndc zonestatus reports information about a specified zone.
+ * named now listens on IPv6 as well as IPv4 interfaces by default.
+ * named now preserves the capitalization of names when responding to
+ queries: for instance, a query for "example.com" may be answered with
+ "example.COM" if the name was configured that way in the zone file.
+ Some clients have a bug causing them to depend on the older behavior,
+ in which the case of the answer always matched the case of the query,
+ rather than the case of the name configured in the DNS. Such clients
+ can now be specified in the new no-case-compress ACL; this will
+ restore the older behavior of named for those clients only.
+ * new dnssec-importkey command allows the use of offline DNSSEC keys
+ with automatic DNSKEY management.
+ * New named-rrchecker tool to verify the syntactic correctness of
+ individual resource records.
+ * When re-signing a zone, the new dnssec-signzone -Q option drops
+ signatures from keys that are still published but are no longer
+ active.
+ * named-checkconf -px will print the contents of configuration files
+ with the shared secrets obscured, making it easier to share
+ configuration (e.g. when submitting a bug report) without revealing
+ private information.
+ * rndc scan causes named to re-scan network interfaces for changes in
+ local addresses.
+ * On operating systems with support for routing sockets, network
+ interfaces are re-scanned automatically whenever they change.
+ * tsig-keygen is now available as an alternate command name to use for
+ ddns-confgen.
+
+BIND 9.10.1
+
+BIND 9.10.1 is a maintenance release, and addresses the security flaws
+described in CVE-2014-3214 and CVE-2014-3859.
+
+BIND 9.10.2
+
+BIND 9.10.2 is a maintenance release, and addresses the security flaws
+described in CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349.
+
+BIND 9.10.3
+
+BIND 9.10.3 is a maintenance release, and addresses the security flaws
+described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and
+CVE-2015-5986.
+
+It also makes the following new features available:
+
+ * New "fetchlimit" quotas are now available for the use of recursive
+ resolvers that are are under high query load for domains whose
+ authoritative servers are nonresponsive or are experiencing a denial
+ of service attack.
+
+ + fetches-per-server limits the number of simultaneous queries that
+ can be sent to any single authoritative server. The configured
+ value is a starting point; it is automatically adjusted downward
+ if the server is partially or completely non-responsive. The
+ algorithm used to adjust the quota can be configured via the
+ fetch-quota-params option.
+ + fetches-per-zone limits the number of simultaneous queries that
+ can be sent for names within a single domain. (Note: Unlike
+ fetches-per-server, this value is not self-tuning.)
+ + New stats counters have been added to count queries spilled due to
+ these quotas.
+
+NOTE: These features are NOT built in by default; use configure
+--enable-fetchlimit to enable them.
+
+ * dig now supports sending of arbitrary EDNS options by specifying them
+ on the command line.
+
+BIND 9.10.4
+
+BIND 9.10.4 is a maintenance release, and addresses the security flaws
+described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704, CVE-2015-8705,
+CVE-2016-1285, CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and
+CVE-2016-2776.
+
+BIND 9.10.5
+
+BIND 9.10.5 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
+CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
+CVE-2017-3137, and CVE-2017-3138.
+
+Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
+
+BIND is also available for Windows XP, 2003, 2008, and higher. See
+win32utils/readme1st.txt for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+ $ ./configure
+ $ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+make depend. If you're using Emacs, you might find make tags helpful.
+
+Several environment variables that can be set before running configure
+will affect compilation:
+
+Variable Description
+CC The C compiler to use. configure tries to figure out the
+ right one for supported systems.
+ C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS supported by the compiler. Please include '-g' if you need
+ to set CFLAGS.
+ System header file directories. Can be used to specify
+STD_CINCLUDES where add-on thread or IPv6 support is, for example.
+ Defaults to empty string.
+ Any additional preprocessor symbols you want defined.
+STD_CDEFINES Defaults to empty string. For a list of possible settings,
+ see the file OPTIONS.
+LDFLAGS Linker flags. Defaults to empty string.
+BUILD_CC Needed when cross-compiling: the native C compiler to use
+ when building for the target system.
+BUILD_CFLAGS Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
+
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using "--with-openssl=/prefix" on the configure command
+line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
+
+Python requires the 'argparse' module to be available. 'argparse' is a
+standard module as of Python 2.7 and Python 3.2.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by by running the script bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
+
+Documentation
+
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+Category Description
+[func] New feature
+[bug] General bug fix
+[security] Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+ the design are still in flux and may change
+[port] Portability enhancement
+[maint] Updates to built-in data such as root server addresses and
+ keys
+[tuning] Changes to built-in configuration defaults and constants to
+ improve performance
+[performance] Other changes to improve server performance
+[protocol] Updates to the DNS protocol such as new RR types
+[test] Changes to the automatic tests, not affecting server
+ functionality
+[cleanup] Minor corrections and refactoring
+[doc] Documentation
+[contrib] Changes to the contributed tools and libraries in the
+ 'contrib' subdirectory
+ Used in the master development branch to reserve change
+[placeholder] numbers for use in other branches, e.g. when fixing a bug
+ that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
+
+Acknowledgments
+
+ * The original development of BIND 9 was underwritten by the following
+ organizations:
+
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
+
+ * This product includes software developed by the OpenSSL Project for
+ use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+ * This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com)
+ * This product includes software written by Tim Hudson
+ (tjh@cryptsoft.com)
+
$ ./configure
$ make
-(NOTE: Using multiple processors in `make` is not reliable and is not
-advised.)
-
If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.
SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @GEOIPLINKSRCS@
SUBDIRS = include
-TARGETS = include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h timestamp
+TARGETS = timestamp
TESTDIRS = @UNITTESTS@
DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-timestamp: libdns.@A@
+include: gen
+ ${MAKE} include/dns/enumtype.h
+ ${MAKE} include/dns/enumclass.h
+ ${MAKE} include/dns/rdatastruct.h
+ ${MAKE} code.h
+
+include/dns/enumtype.h: gen
+ ./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/enumclass.h: gen
+ ./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/rdatastruct.h: gen \
+ ${srcdir}/rdata/rdatastructpre.h \
+ ${srcdir}/rdata/rdatastructsuf.h
+ ./gen -s ${srcdir} -i \
+ -P ${srcdir}/rdata/rdatastructpre.h \
+ -S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
+ { rm -f $@ ; exit 1; }
+
+code.h: gen
+ ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+
+gen: gen.c
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+timestamp: include libdns.@A@
touch timestamp
+testdirs: libdns.@A@
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
include: include/dns/enumtype.h include/dns/enumclass.h \
include/dns/rdatastruct.h
-rdata.@O@: code.h
-
-include/dns/enumtype.h: gen
- ./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
-
-include/dns/enumclass.h: gen
- ./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
-
-include/dns/rdatastruct.h: gen \
- ${srcdir}/rdata/rdatastructpre.h \
- ${srcdir}/rdata/rdatastructsuf.h
- ./gen -s ${srcdir} -i \
- -P ${srcdir}/rdata/rdatastructpre.h \
- -S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
- { rm -f $@ ; exit 1; }
-
-code.h: gen
- ./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
-
-gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
- ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+rdata.@O@: include
rbtdb64.@O@: rbtdb64.c rbtdb.c
-depend: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h code.h
-subdirs: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h
+depend: include
+subdirs: include
+${OBJS}: include
spnego.@O@: spnego_asn1.c spnego.h
timestamp: libirs.@A@
touch timestamp
+testdirs: libirs.@A@
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
timestamp: libisc.@A@ libisc-nosymtbl.@A@
touch timestamp
+testdirs: libisc.@A@ libisc-nosymtbl.@A@
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
timestamp: liblwres.@A@
touch timestamp
+testdirs: liblwres.@A@
+
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
projects / thirdparty / bind9.git / commitdiff
