BIND 9
- BIND version 9 is a major rewrite of nearly all aspects of the
- underlying BIND architecture. Some of the important features of
- BIND 9 are:
+ BIND version 9 is a major rewrite of nearly all aspects of the
+ underlying BIND architecture. Some of the important features of
+ BIND 9 are:
- - DNS Security
- DNSSEC (signed zones)
- TSIG (signed DNS requests)
+ - DNS Security
+ DNSSEC (signed zones)
+ TSIG (signed DNS requests)
- - IP version 6
- Answers DNS queries on IPv6 sockets
- IPv6 resource records (AAAA)
- Experimental IPv6 Resolver Library
+ - IP version 6
+ Answers DNS queries on IPv6 sockets
+ IPv6 resource records (AAAA)
+ Experimental IPv6 Resolver Library
- - DNS Protocol Enhancements
- IXFR, DDNS, Notify, EDNS0
- Improved standards conformance
+ - DNS Protocol Enhancements
+ IXFR, DDNS, Notify, EDNS0
+ Improved standards conformance
- - Views
- One server process can provide multiple "views" of
- the DNS namespace, e.g. an "inside" view to certain
- clients, and an "outside" view to others.
+ - Views
+ One server process can provide multiple "views" of
+ the DNS namespace, e.g. an "inside" view to certain
+ clients, and an "outside" view to others.
- - Multiprocessor Support
+ - Multiprocessor Support
- - Improved Portability Architecture
+ - Improved Portability Architecture
- BIND version 9 development has been underwritten by the following
- organizations:
+ BIND version 9 development has been underwritten by the following
+ organizations:
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
- For a summary of functional enhancements in previous
- releases, see the HISTORY file.
+ For a summary of functional enhancements in previous
+ releases, see the HISTORY file.
- For a detailed list of user-visible changes from
- previous releases, see the CHANGES file.
+ For a detailed list of user-visible changes from
+ previous releases, see the CHANGES file.
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.10.0
- Named now listens on both IPv4 and IPv6 interfaces by default.
+ BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+ releases. New features include:
+
+ - DNS Response-rate limiting (DNS RRL) blunts the impact of
+ reflection and amplification attacks.
+ - New zone file format "map" is an image of a zone database
+ that can be loaded directly into memory, allowing much faster
+ zone loading.
+ - Up to 32 response-policy zones (RPZ) can now be configured.
+ RPZ performance has been substantially improved.
+ - ACLs can now be specified based on geographic location
+ using the MacMind GeoIP databases.
+ - New XML schema (version 3) for the statistics channel
+ includes many new statistics and uses a flattened XML tree
+ for faster parsing.
+ - A new stylesheet, based on the Google Charts API, displays
+ XML statistics in charts and graphs on javascript-enabled
+ browsers.
+ - The statistics channel can now provide data in JSON
+ format as well as XML.
+ - New 'dnssec-coverage' tool to check DNSSEC key coverage
+ for a zone and report if a lapse in signing coverage has
+ been inadvertently scheduled.
+ - Signing algorithm flexibility and other improvements
+ for the "rndc" control channel.
+ - 'named-checkzone' and 'named-compilezone' can now read
+ journal files, allowing them to process dynamic zones.
+ - Multiple DLZ databases can now be configured. Individual
+ zones can be configured to be served from a specific DLZ
+ database. DLZ databases now serve zones of type "master"
+ and "redirect".
+ - "rndc zonestatus" reports information about a specified zone.
+ - "named" now listens on IPv6 as well as IPv4 interfaces
+ by default.
BIND 9.9.0
- BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
- releases. New features include:
+ BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+ releases. New features include:
- Inline signing, allowing automatic DNSSEC signing of
- master zones without modification of the zonefile, or
+ master zones without modification of the zonefile, or
"bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support
-BIND 9.8.0
-
- BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
- releases. New features include:
-
- - Built-in trust anchor for the root zone, which can be
- switched on via "dnssec-validation auto;"
- - Support for DNS64.
- - Support for response policy zones (RPZ).
- - Support for writable DLZ zones.
- - Improved ease of configuration of GSS/TSIG for
- interoperability with Active Directory
- - Support for GOST signing algorithm for DNSSEC.
- - Removed RTT Banding from server selection algorithm.
- - New "static-stub" zone type.
- - Allow configuration of resolver timeouts via
- "resolver-query-timeout" option.
- - The DLZ "dlopen" driver is now built by default.
- - Added a new include file with function typedefs
- for the DLZ "dlopen" driver.
- - Made "--with-gssapi" default.
- - More verbose error reporting from DLZ LDAP.
-
-
Building
- BIND 9 currently requires a UNIX system with an ANSI C compiler,
- basic POSIX support, and a 64 bit integer type.
+ BIND 9 currently requires a UNIX system with an ANSI C compiler,
+ basic POSIX support, and a 64 bit integer type.
- We've had successful builds and tests on the following systems:
+ We've had successful builds and tests on the following systems:
- COMPAQ Tru64 UNIX 5.1B
- Fedora Core 6
- FreeBSD 4.10, 5.2.1, 6.2
- HP-UX 11.11
- Mac OS X 10.5
- NetBSD 3.x, 4.0-beta, 5.0-beta
- OpenBSD 3.3 and up
- Solaris 8, 9, 9 (x86), 10
- Ubuntu 7.04, 7.10
- Windows XP/2003/2008
+ COMPAQ Tru64 UNIX 5.1B
+ Fedora Core 6
+ FreeBSD 4.10, 5.2.1, 6.2
+ HP-UX 11.11
+ Mac OS X 10.5
+ NetBSD 3.x, 4.0-beta, 5.0-beta
+ OpenBSD 3.3 and up
+ Solaris 8, 9, 9 (x86), 10
+ Ubuntu 7.04, 7.10
+ Windows XP/2003/2008
NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.
- We have recent reports from the user community that a supported
- version of BIND will build and run on the following systems:
-
- AIX 4.3, 5L
- CentOS 4, 4.5, 5
- Darwin 9.0.0d1/ARM
- Debian 4, 5, 6
- Fedora Core 5, 7, 8
- FreeBSD 6, 7, 8
- HP-UX 11.23 PA
- MacOS X 10.5, 10.6, 10.7
- Red Hat Enterprise Linux 4, 5, 6
- SCO OpenServer 5.0.6
- Slackware 9, 10
- SuSE 9, 10
-
- To build, just
-
- ./configure
- make
-
- Do not use a parallel "make".
-
- Several environment variables that can be set before running
- configure will affect compilation:
-
- CC
- The C compiler to use. configure tries to figure
- out the right one for supported systems.
-
- CFLAGS
- C compiler flags. Defaults to include -g and/or -O2
- as supported by the compiler. Please include '-g'
- if you need to set CFLAGS.
-
- STD_CINCLUDES
- System header file directories. Can be used to specify
- where add-on thread or IPv6 support is, for example.
- Defaults to empty string.
-
- STD_CDEFINES
- Any additional preprocessor symbols you want defined.
- Defaults to empty string.
-
- Possible settings:
- Change the default syslog facility of named/lwresd.
- -DISC_FACILITY=LOG_LOCAL0
- Enable DNSSEC signature chasing support in dig.
- -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
- -DDIG_SIGCHASE_BU=1)
- Disable dropping queries from particular well known ports.
- -DNS_CLIENT_DROPPORT=0
- Sibling glue checking in named-checkzone is enabled by default.
- To disable the default check set. -DCHECK_SIBLING=0
- named-checkzone checks out-of-zone addresses by default.
- To disable this default set. -DCHECK_LOCAL=0
- To create the default pid files in ${localstatedir}/run rather
- than ${localstatedir}/run/{named,lwresd}/ set.
- -DNS_RUN_PID_DIR=0
- Enable workaround for Solaris kernel bug about /dev/poll
- -DISC_SOCKET_USE_POLLWATCH=1
- The watch timeout is also configurable, e.g.,
- -DISC_SOCKET_POLLWATCH_TIMEOUT=20
-
- LDFLAGS
- Linker flags. Defaults to empty string.
-
- The following need to be set when cross compiling.
-
- BUILD_CC
- The native C compiler.
- BUILD_CFLAGS (optional)
- BUILD_CPPFLAGS (optional)
- Possible Settings:
- -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
- BUILD_LDFLAGS (optional)
- BUILD_LIBS (optional)
-
- To build shared libraries, specify "--with-libtool" on the
- configure command line.
-
- For the server to support DNSSEC, you need to build it
- with crypto support. You must have OpenSSL 0.9.5a
- or newer installed and specify "--with-openssl" on the
- configure command line. If OpenSSL is installed under
- a nonstandard prefix, you can tell configure where to
- look for it using "--with-openssl=/prefix".
+ We have recent reports from the user community that a supported
+ version of BIND will build and run on the following systems:
+
+ AIX 4.3, 5L
+ CentOS 4, 4.5, 5
+ Darwin 9.0.0d1/ARM
+ Debian 4, 5, 6
+ Fedora Core 5, 7, 8
+ FreeBSD 6, 7, 8
+ HP-UX 11.23 PA
+ MacOS X 10.5, 10.6, 10.7
+ Red Hat Enterprise Linux 4, 5, 6
+ SCO OpenServer 5.0.6
+ Slackware 9, 10
+ SuSE 9, 10
+
+ To build, just
+
+ ./configure
+ make
+
+ Do not use a parallel "make".
+
+ Several environment variables that can be set before running
+ configure will affect compilation:
+
+ CC
+ The C compiler to use. configure tries to figure
+ out the right one for supported systems.
+
+ CFLAGS
+ C compiler flags. Defaults to include -g and/or -O2
+ as supported by the compiler. Please include '-g'
+ if you need to set CFLAGS.
+
+ STD_CINCLUDES
+ System header file directories. Can be used to specify
+ where add-on thread or IPv6 support is, for example.
+ Defaults to empty string.
+
+ STD_CDEFINES
+ Any additional preprocessor symbols you want defined.
+ Defaults to empty string.
+
+ Possible settings:
+ Change the default syslog facility of named/lwresd.
+ -DISC_FACILITY=LOG_LOCAL0
+ Enable DNSSEC signature chasing support in dig.
+ -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
+ -DDIG_SIGCHASE_BU=1)
+ Disable dropping queries from particular well known ports.
+ -DNS_CLIENT_DROPPORT=0
+ Sibling glue checking in named-checkzone is enabled by default.
+ To disable the default check set. -DCHECK_SIBLING=0
+ named-checkzone checks out-of-zone addresses by default.
+ To disable this default set. -DCHECK_LOCAL=0
+ To create the default pid files in ${localstatedir}/run rather
+ than ${localstatedir}/run/{named,lwresd}/ set.
+ -DNS_RUN_PID_DIR=0
+ Enable workaround for Solaris kernel bug about /dev/poll
+ -DISC_SOCKET_USE_POLLWATCH=1
+ The watch timeout is also configurable, e.g.,
+ -DISC_SOCKET_POLLWATCH_TIMEOUT=20
+
+ LDFLAGS
+ Linker flags. Defaults to empty string.
+
+ The following need to be set when cross compiling.
+
+ BUILD_CC
+ The native C compiler.
+ BUILD_CFLAGS (optional)
+ BUILD_CPPFLAGS (optional)
+ Possible Settings:
+ -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
+ BUILD_LDFLAGS (optional)
+ BUILD_LIBS (optional)
+
+ To build shared libraries, specify "--with-libtool" on the
+ configure command line.
+
+ For the server to support DNSSEC, you need to build it
+ with crypto support. You must have OpenSSL 0.9.5a
+ or newer installed and specify "--with-openssl" on the
+ configure command line. If OpenSSL is installed under
+ a nonstandard prefix, you can tell configure where to
+ look for it using "--with-openssl=/prefix".
To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".
- On some platforms it is necessary to explictly request large
- file support to handle files bigger than 2GB. This can be
- done by "--enable-largefile" on the configure command line.
+ On some platforms it is necessary to explictly request large
+ file support to handle files bigger than 2GB. This can be
+ done by "--enable-largefile" on the configure command line.
- On some platforms, BIND 9 can be built with multithreading
- support, allowing it to take advantage of multiple CPUs.
- You can specify whether to build a multithreaded BIND 9
- by specifying "--enable-threads" or "--disable-threads"
- on the configure command line. The default is operating
- system dependent.
+ On some platforms, BIND 9 can be built with multithreading
+ support, allowing it to take advantage of multiple CPUs.
+ You can specify whether to build a multithreaded BIND 9
+ by specifying "--enable-threads" or "--disable-threads"
+ on the configure command line. The default is operating
+ system dependent.
Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.
- If your operating system has integrated support for IPv6, it
- will be used automatically. If you have installed KAME IPv6
- separately, use "--with-kame[=PATH]" to specify its location.
-
- "make install" will install "named" and the various BIND 9 libraries.
- By default, installation is into /usr/local, but this can be changed
- with the "--prefix" option when running "configure".
-
- You may specify the option "--sysconfdir" to set the directory
- where configuration files like "named.conf" go by default,
- and "--localstatedir" to set the default parent directory
- of "run/named.pid". For backwards compatibility with BIND 8,
- --sysconfdir defaults to "/etc" and --localstatedir defaults to
- "/var" if no --prefix option is given. If there is a --prefix
- option, sysconfdir defaults to "$prefix/etc" and localstatedir
- defaults to "$prefix/var".
-
- To see additional configure options, run "configure --help".
- Note that the help message does not reflect the BIND 8
- compatibility defaults for sysconfdir and localstatedir.
-
- If you're planning on making changes to the BIND 9 source, you
- should also "make depend". If you're using Emacs, you might find
- "make tags" helpful.
-
- If you need to re-run configure please run "make distclean" first.
- This will ensure that all the option changes take.
-
- Building with gcc is not supported, unless gcc is the vendor's usual
- compiler (e.g. the various BSD systems, Linux).
-
- Known compiler issues:
- * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
- * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
- * gcc-3.3.5 powerpc generates incorrect code at -02.
- * Irix, MipsPRO 7.4.1m is known to cause problems.
-
- A limited test suite can be run with "make test". Many of
- the tests require you to configure a set of virtual IP addresses
- on your system, and some require Perl; see bin/tests/system/README
- for details.
-
- SunOS 4 requires "printf" to be installed to make the shared
- libraries. sh-utils-1.16 provides a "printf" which compiles
- on SunOS 4.
+ If your operating system has integrated support for IPv6, it
+ will be used automatically. If you have installed KAME IPv6
+ separately, use "--with-kame[=PATH]" to specify its location.
+
+ "make install" will install "named" and the various BIND 9 libraries.
+ By default, installation is into /usr/local, but this can be changed
+ with the "--prefix" option when running "configure".
+
+ You may specify the option "--sysconfdir" to set the directory
+ where configuration files like "named.conf" go by default,
+ and "--localstatedir" to set the default parent directory
+ of "run/named.pid". For backwards compatibility with BIND 8,
+ --sysconfdir defaults to "/etc" and --localstatedir defaults to
+ "/var" if no --prefix option is given. If there is a --prefix
+ option, sysconfdir defaults to "$prefix/etc" and localstatedir
+ defaults to "$prefix/var".
+
+ To see additional configure options, run "configure --help".
+ Note that the help message does not reflect the BIND 8
+ compatibility defaults for sysconfdir and localstatedir.
+
+ If you're planning on making changes to the BIND 9 source, you
+ should also "make depend". If you're using Emacs, you might find
+ "make tags" helpful.
+
+ If you need to re-run configure please run "make distclean" first.
+ This will ensure that all the option changes take.
+
+ Building with gcc is not supported, unless gcc is the vendor's usual
+ compiler (e.g. the various BSD systems, Linux).
+
+ Known compiler issues:
+ * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
+ * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
+ * gcc-3.3.5 powerpc generates incorrect code at -02.
+ * Irix, MipsPRO 7.4.1m is known to cause problems.
+
+ A limited test suite can be run with "make test". Many of
+ the tests require you to configure a set of virtual IP addresses
+ on your system, and some require Perl; see bin/tests/system/README
+ for details.
+
+ SunOS 4 requires "printf" to be installed to make the shared
+ libraries. sh-utils-1.16 provides a "printf" which compiles
+ on SunOS 4.
Known limitations
- Linux requires kernel build 2.6.39 or later to get the
- performance benefits from using multiple sockets.
+ Linux requires kernel build 2.6.39 or later to get the
+ performance benefits from using multiple sockets.
Documentation
- The BIND 9 Administrator Reference Manual is included with the
- source distribution in DocBook XML and HTML format, in the
- doc/arm directory.
+ The BIND 9 Administrator Reference Manual is included with the
+ source distribution in DocBook XML and HTML format, in the
+ doc/arm directory.
- Some of the programs in the BIND 9 distribution have man pages
- in their directories. In particular, the command line
- options of "named" are documented in /bin/named/named.8.
- There is now also a set of man pages for the lwres library.
+ Some of the programs in the BIND 9 distribution have man pages
+ in their directories. In particular, the command line
+ options of "named" are documented in /bin/named/named.8.
+ There is now also a set of man pages for the lwres library.
- If you are upgrading from BIND 8, please read the migration
- notes in doc/misc/migration. If you are upgrading from
- BIND 4, read doc/misc/migration-4to9.
+ If you are upgrading from BIND 8, please read the migration
+ notes in doc/misc/migration. If you are upgrading from
+ BIND 4, read doc/misc/migration-4to9.
- Frequently asked questions and their answers can be found in
- FAQ.
+ Frequently asked questions and their answers can be found in
+ FAQ.
Additional information on various subjects can be found
in the other README files.
Change Log
- A detailed list of all changes to BIND 9 is included in the
- file CHANGES, with the most recent changes listed first.
- Change notes include tags indicating the category of the
- change that was made; these categories are:
+ A detailed list of all changes to BIND 9 is included in the
+ file CHANGES, with the most recent changes listed first.
+ Change notes include tags indicating the category of the
+ change that was made; these categories are:
- [func] New feature
+ [func] New feature
- [bug] General bug fix
+ [bug] General bug fix
- [security] Fix for a significant security flaw
+ [security] Fix for a significant security flaw
- [experimental] Used for new features when the syntax
- or other aspects of the design are still
- in flux and may change
+ [experimental] Used for new features when the syntax
+ or other aspects of the design are still
+ in flux and may change
- [port] Portability enhancement
+ [port] Portability enhancement
- [maint] Updates to built-in data such as root
- server addresses and keys
+ [maint] Updates to built-in data such as root
+ server addresses and keys
- [tuning] Changes to built-in configuration defaults
- and constants to improve performanceo
+ [tuning] Changes to built-in configuration defaults
+ and constants to improve performanceo
- [protocol] Updates to the DNS protocol such as new
- RR types
+ [protocol] Updates to the DNS protocol such as new
+ RR types
[test] Changes to the automatic tests, not
affecting server functionality
[cleanup] Minor corrections and refactoring
- [doc] Documentation
+ [doc] Documentation
- In general, [func] and [experimental] tags will only appear
- in new-feature releases (i.e., those with version numbers
- ending in zero). Some new functionality may be backported to
- older releases on a case-by-case basis. All other change
- types may be applied to all currently-supported releases.
+ In general, [func] and [experimental] tags will only appear
+ in new-feature releases (i.e., those with version numbers
+ ending in zero). Some new functionality may be backported to
+ older releases on a case-by-case basis. All other change
+ types may be applied to all currently-supported releases.
Bug Reports and Mailing Lists
- Bugs reports should be sent to
+ Bugs reports should be sent to
- bind9-bugs@isc.org
+ bind9-bugs@isc.org
- To join the BIND Users mailing list, send mail to
+ To join the BIND Users mailing list, send mail to
- bind-users-request@isc.org
+ bind-users-request@isc.org
- archives of which can be found via
+ archives of which can be found via
- http://www.isc.org/ops/lists/
+ http://www.isc.org/ops/lists/
- If you're planning on making changes to the BIND 9 source
- code, you might want to join the BIND Workers mailing list.
- Send mail to
+ If you're planning on making changes to the BIND 9 source
+ code, you might want to join the BIND Workers mailing list.
+ Send mail to
- bind-workers-request@isc.org
+ bind-workers-request@isc.org
projects / thirdparty / bind9.git / commitdiff
