BIND 9

    BIND version 9 is a major rewrite of nearly all aspects of the
    underlying BIND architecture. Some of the important features of
    BIND 9 are:

    - DNS Security
        DNSSEC (signed zones)
        TSIG (signed DNS requests)

    - IP version 6
        Answers DNS queries on IPv6 sockets
        IPv6 resource records (AAAA)
        Experimental IPv6 Resolver Library

    - DNS Protocol Enhancements
        IXFR, DDNS, Notify, EDNS0
        Improved standards conformance

    - Views
        One server process can provide multiple "views" of
        the DNS namespace, e.g. an "inside" view to certain
        clients, and an "outside" view to others.

    - Multiprocessor Support

    - Improved Portability Architecture


    BIND version 9 development has been underwritten by the following
    organizations:

        Sun Microsystems, Inc.
        Hewlett Packard
        Compaq Computer Corporation
        IBM
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        USENIX Association
        Stichting NLnet - NLnet Foundation
        Nominum, Inc.

    For a summary of functional enhancements in previous
    releases, see the HISTORY file.

    For a detailed list of user-visible changes from
    previous releases, see the CHANGES file.

    For up-to-date release notes and errata, see
    http://www.isc.org/software/bind9/releasenotes

BIND 9.10.2-P4

    BIND 9.10.2-P4 is a security release addressing the flaws
    described in CVE-2015-5722 and CVE-2015-5986.

BIND 9.10.2-P3

    BIND 9.10.2-P3 is a security release addressing the flaw
    described in CVE-2015-5477.

BIND 9.10.2-P2

    BIND 9.10.2-P2 is a security release addressing the flaw
    described in CVE-2015-4620.

BIND 9.10.2-P1

    BIND 9.10.2-P1 is a patch release addressing several
    bugs recently found in the response-policy zones (RPZ)
    implementation in BIND 9.10. These mostly affect servers
    that have multiple frequently-updated response-policy
    zones.

BIND 9.10.2

    BIND 9.10.2 is a maintenance release and addresses bugs
    found in BIND 9.10.1 and earlier, as well as the security
    flaws described in CVE-2014-8500, CVE-2014-8680 and
    CVE-2015-1349.

BIND 9.10.1

    BIND 9.10.1 is a maintenance release and addresses bugs
    found in BIND 9.10.0 and earlier.

    This release addresses the security flaws described in
    CVE-2014-3214 and CVE-2014-3859.

BIND 9.10.0

    BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
    releases. New features include:

    - DNS Response-rate limiting (DNS RRL), which blunts the
      impact of reflection and amplification attacks, is always
      compiled in and no longer requires a compile-time option
      to enable it.
    - An experimental "Source Identity Token" (SIT) EDNS option
      is now available. Similar to DNS Cookies as invented by
      Donald Eastlake 3rd, these are designed to enable clients
      to detect off-path spoofed responses, and to enable servers
      to detect spoofed-source queries. Servers can be configured
      to send smaller responses to clients that have not identified
      themselves using a SIT option, reducing the effectiveness of
      amplification attacks. RRL processing has also been updated;
      clients proven to be legitimate via SIT are not subject to
      rate limiting. Use "configure --enable-sit" to enable this
      feature in BIND.
    - A new zone file format, "map", stores zone data in a
      format that can be mapped directly into memory, allowing
      significantly faster zone loading.
    - "delv" (domain entity lookup and validation) is a new tool
      with dig-like semantics for looking up DNS data and performing
      internal DNSSEC validation. This allows easy validation in
      environments where the resolver may not be trustworthy, and
      assists with troubleshooting of DNSSEC problems. (NOTE:
      In previous development releases of BIND 9.10, this utility
      was called "delve". The spelling has been changed to avoid
      confusion with the "delve" utility included with the Xapian
      search engine.)
    - Improved EDNS(0) processing for better resolver performance
      and reliability over slow or lossy connections.
    - A new "configure --with-tuning=large" option tunes certain
      compiled-in constants and default settings to values better
      suited to large servers with abundant memory. This can
      improve performance on such servers, but will consume more
      memory and may degrade performance on smaller systems.
    - Substantial improvement in response-policy zone (RPZ)
      performance. Up to 32 response-policy zones can be
      configured with minimal performance loss.
    - To improve recursive resolver performance, cache records
      which are still being requested by clients can now be
      automatically refreshed from the authoritative server
      before they expire, reducing or eliminating the time
      window in which no answer is available in the cache.
    - New "rpz-client-ip" triggers and drop policies allowing
      response policies based on the IP address of the client.
    - ACLs can now be specified based on geographic location
      using the MaxMind GeoIP databases. Use "configure
      --with-geoip" to enable.
    - Zone data can now be shared between views, allowing
      multiple views to serve the same zones authoritatively
      without storing multiple copies in memory.
    - New XML schema (version 3) for the statistics channel
      includes many new statistics and uses a flattened XML tree
      for faster parsing. The older schema is now deprecated.
    - A new stylesheet, based on the Google Charts API, displays
      XML statistics in charts and graphs on JavaScript-enabled
      browsers.
    - The statistics channel can now provide data in JSON
      format as well as XML.
    - New stats counters track TCP and UDP queries received
      per zone, and EDNS options received in total.
    - The internal and export versions of the BIND libraries
      (libisc, libdns, etc) have been unified so that external
      library clients can use the same libraries as BIND itself.
    - A new compile-time option, "configure --enable-native-pkcs11",
      allows BIND 9 cryptography functions to use the PKCS#11 API
      natively, so that BIND can drive a hardware security module
      (HSM) directly instead of using a modified OpenSSL as an
      intermediary. (Note: This feature requires an HSM to have a
      full implementation of the PKCS#11 API; many current HSMs
      only have partial implementations. The new "pkcs11-tokens"
      command can be used to check API completeness. Native
      PKCS#11 is known to work with the Thales nShield HSM and
      with SoftHSM version 2 from the Open DNSSEC project.)
    - The new "max-zone-ttl" option enforces maximum TTLs for
      zones. This can simplify the process of rolling DNSSEC keys
      by guaranteeing that cached signatures will have expired
      within the specified amount of time.
    - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
      querying.
    - "dig +expire" sends an EDNS EXPIRE option when querying.
      When this option is sent with an SOA query to a server
      that supports it, it will report the expiry time of
      a slave zone.
    - New "dnssec-coverage" tool to check DNSSEC key coverage
      for a zone and report if a lapse in signing coverage has
      been inadvertently scheduled.
    - Signing algorithm flexibility and other improvements
      for the "rndc" control channel.
    - "named-checkzone" and "named-compilezone" can now read
      journal files, allowing them to process dynamic zones.
    - Multiple DLZ databases can now be configured. Individual
      zones can be configured to be served from a specific DLZ
      database. DLZ databases now serve zones of type "master"
      and "redirect".
    - "rndc zonestatus" reports information about a specified zone.
    - "named" now listens on IPv6 as well as IPv4 interfaces
      by default.
    - "named" now preserves the capitalization of names
      when responding to queries: for instance, a query for
      "example.com" may be answered with "example.COM" if the
      name was configured that way in the zone file. Some
      clients have a bug causing them to depend on the older
      behavior, in which the case of the answer always matched
      the case of the query, rather than the case of the name
      configured in the DNS. Such clients can now be specified
      in the new "no-case-compress" ACL; this will restore the
      older behavior of "named" for those clients only.
    - New "dnssec-importkey" command allows the use of offline
      DNSSEC keys with automatic DNSKEY management.
    - New "named-rrchecker" tool to verify the syntactic
      correctness of individual resource records.
    - When re-signing a zone, the new "dnssec-signzone -Q" option
      drops signatures from keys that are still published but are
      no longer active.
    - "named-checkconf -px" will print the contents of configuration
      files with the shared secrets obscured, making it easier to
      share configuration (e.g. when submitting a bug report)
      without revealing private information.
    - "rndc scan" causes named to re-scan network interfaces for
      changes in local addresses.
    - On operating systems with support for routing sockets,
      network interfaces are re-scanned automatically whenever
      they change.
    - "tsig-keygen" is now available as an alternate command
      name to use for "ddns-confgen".
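    The EDNS options named in the list above (CLIENT-SUBNET for
    "dig +subnet", EXPIRE for "dig +expire", and the client-cookie idea
    behind SIT) all travel in the same carrier, the OPT pseudo-RR. The
    following Python is an added example written for this page, not
    code from BIND or dig: it builds a query-side OPT RR carrying those
    options and parses it back with every length checked. The option
    codes 8, 9 and 10 come from the IANA EDNS registry (RFC 7871,
    RFC 7314, RFC 7873), not from this page; because the page does not
    give the code BIND 9.10 used for its experimental SIT option, the
    standardized DNS COOKIE option stands in for it. The sample subnet
    is RFC 5737 documentation space.

```python
"""Build and parse an EDNS(0) OPT pseudo-RR carrying the options the 9.10.0
notes mention: CLIENT-SUBNET (dig +subnet), EXPIRE (dig +expire) and a client
cookie.  Added example; this is not BIND or dig code.

Assumptions not stated on the page: option codes are from the IANA EDNS
registry, CLIENT-SUBNET = 8 (RFC 7871), EXPIRE = 9 (RFC 7314), COOKIE = 10
(RFC 7873).  BIND 9.10's experimental SIT option used its own code, which the
page does not give; COOKIE stands in for it since the mechanism is the same.
"""
import ipaddress
import os
import struct

OPT_TYPE = 41
OPT_CLIENT_SUBNET = 8
OPT_EXPIRE = 9
OPT_COOKIE = 10
DO_FLAG = 0x8000  # DNSSEC OK bit: top bit of the 16-bit flags field


def client_subnet_option(network):
    """ECS option data: FAMILY(2) SOURCE-PREFIX(1) SCOPE-PREFIX(1), then only
    as many address octets as the prefix covers; SCOPE is 0 in a query.
    This reveals a client prefix to authoritative servers, so a resolver
    should pick the prefix length deliberately rather than send /32s."""
    net = ipaddress.ip_network(network, strict=True)  # rejects host bits set
    family = 1 if net.version == 4 else 2
    octets = net.network_address.packed[:(net.prefixlen + 7) // 8]
    return struct.pack("!HBB", family, net.prefixlen, 0) + octets


def cookie_option(client_cookie, server_cookie=b""):
    """Client cookie is exactly 8 bytes; an echoed server cookie is 8..32.
    A fresh random client cookie per server lets the client drop responses
    carrying a cookie it never sent, which is how off-path spoofs are caught."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes")
    return client_cookie + server_cookie


def build_opt_rr(options, udp_payload=4096, do_bit=False):
    """Wire-format OPT RR (RFC 6891): root owner name, TYPE 41, CLASS reused
    as the requestor's UDP payload size, TTL reused as ext-RCODE/version/flags,
    RDATA a sequence of OPTION-CODE(2) OPTION-LENGTH(2) OPTION-DATA."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options)
    ttl = DO_FLAG if do_bit else 0  # ext-RCODE 0, version 0
    return (b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl, len(rdata))
            + rdata)


def parse_opt_rr(wire):
    """Inverse of build_opt_rr.  Every length is checked against the bytes
    actually present before slicing; trusting RDLENGTH or OPTION-LENGTH is
    the classic source of over-reads in DNS message parsers."""
    if wire[0:1] != b"\x00" or len(wire) < 11:
        raise ValueError("OPT RR must start with the root name and a 10-byte header")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata = wire[11:]
    if len(rdata) != rdlen:
        raise ValueError("RDLENGTH does not match the data present")
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("OPTION-LENGTH runs past RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return {"udp_payload": payload, "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & DO_FLAG), "options": options}


def decode_client_subnet(data):
    """Return (address, source_prefix, scope_prefix) from ECS option data."""
    family, prefix, scope = struct.unpack("!HBB", data[:4])
    width = 4 if family == 1 else 16
    octets = data[4:]
    if len(octets) != (prefix + 7) // 8 or len(octets) > width:
        raise ValueError("address length inconsistent with prefix length")
    padded = octets + b"\x00" * (width - len(octets))
    addr = ipaddress.IPv4Address(padded) if family == 1 else ipaddress.IPv6Address(padded)
    return str(addr), prefix, scope


def is_malformed(wire):
    """True if parse_opt_rr rejects the bytes."""
    try:
        parse_opt_rr(wire)
    except ValueError:
        return True
    return False


def build_query_opt(subnet="192.0.2.0/24", udp_payload=1232):
    """The OPT RR a dig-like client would attach for +subnet, +expire and a
    cookie.  192.0.2.0/24 is RFC 5737 documentation space (constructed input)."""
    options = [
        (OPT_CLIENT_SUBNET, client_subnet_option(subnet)),
        (OPT_EXPIRE, b""),  # zero-length in a query; the server fills it in
        (OPT_COOKIE, cookie_option(os.urandom(8))),
    ]
    return build_opt_rr(options, udp_payload=udp_payload, do_bit=True)


if __name__ == "__main__":
    wire = build_query_opt()
    print(wire.hex())
    print(parse_opt_rr(wire))
```

    Run directly, it prints the hex of a query-side OPT RR and its
    decoded form. The parse side is the part worth keeping: RDLENGTH and
    each OPTION-LENGTH are compared against the bytes on hand before any
    slice is taken, so a truncated or length-inflated option is rejected
    instead of read past.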
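    The "dnssec-coverage" item above describes a check for lapses in
    signing coverage that were scheduled by accident. The following
    Python is an added example, not ISC's tool: it takes key timing
    metadata in the Publish/Activate/Inactive/Delete form that
    dnssec-keygen and dnssec-settime record, sweeps the active intervals
    to find periods with no active ZSK or KSK, and flags keys that start
    signing less than one maximum TTL after they were published (the
    bound "max-zone-ttl" enforces). The key set is constructed so that
    one gap and one too-short pre-publication show up; the key names,
    dates and the one-day TTL are assumptions made for the example.

```python
"""Find lapses in DNSSEC signing coverage from key timing metadata, the check
the dnssec-coverage tool performs.  Added example, not ISC's implementation.
The Publish/Activate/Inactive/Delete fields are the timing metadata that
dnssec-keygen and dnssec-settime record; the key set below is constructed to
contain one deliberate coverage gap and one too-short pre-publication.
"""
from datetime import datetime, timedelta

T0 = datetime(2015, 9, 1)   # "now" for the constructed scenario
D = timedelta(days=1)

# (key id, role, publish, activate, inactive, delete); None = not scheduled
KEYS = [
    ("ksk-01", "KSK", T0 - 366 * D, T0 - 365 * D, None, None),
    ("zsk-01", "ZSK", T0 - 61 * D, T0 - 60 * D, T0 + 30 * D, T0 + 40 * D),
    # Successor published one hour before it starts signing and activated five
    # days after zsk-01 stops: cached DNSKEY RRsets will not contain it yet,
    # and nothing signs the zone for those five days.
    ("zsk-02", "ZSK", T0 + 35 * D - timedelta(hours=1), T0 + 35 * D,
     T0 + 125 * D, T0 + 135 * D),
]


def active_intervals(keys, role):
    """Sorted [activate, inactive) intervals for keys of one role; a key with
    no Inactive date is treated as active indefinitely."""
    ivals = [(act, inact if inact is not None else datetime.max)
             for _, r, _pub, act, inact, _del in keys
             if r == role and act is not None]
    return sorted(ivals)


def coverage_gaps(keys, role, start, end):
    """Sweep the sorted intervals and return [(gap_start, gap_end)] within
    [start, end) during which no key of `role` is active.  For ZSKs that is
    a period in which the zone cannot be re-signed; for KSKs, one in which
    the DNSKEY RRset cannot be."""
    gaps, cursor = [], start
    for act, inact in active_intervals(keys, role):
        if inact <= cursor:
            continue                      # already covered
        if act > cursor:
            gaps.append((cursor, min(act, end)))
        cursor = max(cursor, inact)
        if cursor >= end:
            break
    if cursor < end:
        gaps.append((cursor, end))
    return [(a, b) for a, b in gaps if a < b]


def prepublish_violations(keys, max_ttl):
    """Keys that start signing less than max_ttl after publication.  A
    validator still holding the previous DNSKEY RRset (cached for up to the
    zone's maximum TTL, which max-zone-ttl bounds) cannot validate that key's
    signatures; RFC 6781 pre-publish rollover requires the wait."""
    return [kid for kid, _r, pub, act, _i, _d in keys
            if pub is not None and act is not None and act - pub < max_ttl]


def day_offsets(gaps, origin=T0):
    """Express gaps as whole-day offsets from origin, for compact reporting."""
    return [((a - origin).days, (b - origin).days) for a, b in gaps]


def report(keys=KEYS, start=T0, horizon_days=180, max_ttl_days=1):
    end = start + horizon_days * D
    max_ttl = max_ttl_days * D
    return {
        "zsk_gaps": day_offsets(coverage_gaps(keys, "ZSK", start, end)),
        "ksk_gaps": day_offsets(coverage_gaps(keys, "KSK", start, end)),
        "prepublish": prepublish_violations(keys, max_ttl),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

    With the constructed key set the report shows a ZSK gap from day 30
    to day 35 (between zsk-01 going inactive and zsk-02 activating), a
    second gap from day 125 to the end of the 180-day horizon because no
    successor to zsk-02 is scheduled, and zsk-02 flagged for being
    published less than a TTL before it signs. Either gap would leave
    validating resolvers with expired or unverifiable signatures.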

BIND 9.9.0

    BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
    releases. New features include:

    - Inline signing, allowing automatic DNSSEC signing of
      master zones without modification of the zonefile, or
      "bump in the wire" signing in slaves.
    - NXDOMAIN redirection.
    - New 'rndc flushtree' command clears all data under a given
      name from the DNS cache.
    - New 'rndc sync' command dumps pending changes in a dynamic
      zone to disk without a freeze/thaw cycle.
    - New 'rndc signing' command displays or clears signing status
      records in 'auto-dnssec' zones.
    - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
      to signing, eliminating the need to initially sign with NSEC.
    - Startup time improvements on large authoritative servers.
    - Slave zones are now saved in raw format by default.
    - Several improvements to response policy zones (RPZ).
    - Improved hardware scalability by using multiple threads
      to listen for queries and using finer-grained client locking.
    - The 'also-notify' option now takes the same syntax as
      'masters', so it can use named masterlists and TSIG keys.
    - 'dnssec-signzone -D' writes an output file containing only DNSSEC
      data, which can be included by the primary zone file.
    - 'dnssec-signzone -R' forces removal of signatures that are
      not expired but were created by a key which no longer exists.
    - 'dnssec-signzone -X' allows a separate expiration date to
      be specified for DNSKEY signatures from other signatures.
    - New '-L' option to dnssec-keygen, dnssec-settime, and
      dnssec-keyfromlabel sets the default TTL for the key.
    - dnssec-dsfromkey now supports reading from standard input,
      to make it easier to convert DNSKEY to DS.
    - RFC 1918 reverse zones have been added to the empty-zones
      table per RFC 6303.
    - Dynamic updates can now optionally set the zone's SOA serial
      number to the current UNIX time.
    - DLZ modules can now retrieve the source IP address of
      the querying client.
    - 'request-ixfr' option can now be set at the per-zone level.
    - 'dig +rrcomments' turns on comments about DNSKEY records,
      indicating their key ID, algorithm and function.
    - Simplified nsupdate syntax and added readline support.

Building

    BIND 9 currently requires a UNIX system with an ANSI C compiler,
    basic POSIX support, and a 64 bit integer type.

    We've had successful builds and tests on the following systems:

        COMPAQ Tru64 UNIX 5.1B
        Fedora Core 6
        FreeBSD 4.10, 5.2.1, 6.2
        HP-UX 11.11
        Mac OS X 10.5
        NetBSD 3.x, 4.0-beta, 5.0-beta
        OpenBSD 3.3 and up
        Solaris 8, 9, 9 (x86), 10
        Ubuntu 7.04, 7.10
        Windows XP/2003/2008

    NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
    Windows, including Windows NT and Windows 2000, are no longer
    supported.

    We have recent reports from the user community that a supported
    version of BIND will build and run on the following systems:

        AIX 4.3, 5L
        CentOS 4, 4.5, 5
        Darwin 9.0.0d1/ARM
        Debian 4, 5, 6
        Fedora Core 5, 7, 8
        FreeBSD 6, 7, 8
        HP-UX 11.23 PA
        MacOS X 10.5, 10.6, 10.7
        Red Hat Enterprise Linux 4, 5, 6
        SCO OpenServer 5.0.6
        Slackware 9, 10
        SuSE 9, 10

    To build, just

        ./configure
        make

    Do not use a parallel "make".

    Several environment variables that can be set before running
    configure will affect compilation:

        CC
            The C compiler to use. configure tries to figure
            out the right one for supported systems.

        CFLAGS
            C compiler flags. Defaults to include -g and/or -O2
            as supported by the compiler. Please include '-g'
            if you need to set CFLAGS.

        STD_CINCLUDES
            System header file directories. Can be used to specify
            where add-on thread or IPv6 support is, for example.
            Defaults to empty string.

        STD_CDEFINES
            Any additional preprocessor symbols you want defined.
            Defaults to empty string.

            Possible settings:
            Change the default syslog facility of named/lwresd.
                -DISC_FACILITY=LOG_LOCAL0
            Enable DNSSEC signature chasing support in dig.
                -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
                -DDIG_SIGCHASE_BU=1)
            Disable dropping queries from particular well known ports.
                -DNS_CLIENT_DROPPORT=0
            (named drops such queries by default so that it cannot be
            used to bounce traffic at services such as echo or chargen;
            disabling the check is not advisable on an Internet-facing
            server.)
            Sibling glue checking in named-checkzone is enabled by default.
            To disable the default check, set -DCHECK_SIBLING=0
            named-checkzone checks out-of-zone addresses by default.
            To disable this default, set -DCHECK_LOCAL=0
            To create the default pid files in ${localstatedir}/run rather
            than ${localstatedir}/run/{named,lwresd}/, set
                -DNS_RUN_PID_DIR=0
            Enable workaround for Solaris kernel bug about /dev/poll
                -DISC_SOCKET_USE_POLLWATCH=1
            The watch timeout is also configurable, e.g.,
                -DISC_SOCKET_POLLWATCH_TIMEOUT=20

        LDFLAGS
            Linker flags. Defaults to empty string.

    The following need to be set when cross-compiling.

        BUILD_CC
            The native C compiler.
        BUILD_CFLAGS (optional)
        BUILD_CPPFLAGS (optional)
            Possible Settings:
            -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
        BUILD_LDFLAGS (optional)
        BUILD_LIBS (optional)

    On most platforms, BIND 9 is built with multithreading
    support, allowing it to take advantage of multiple CPUs.
    You can configure this by specifying "--enable-threads" or
    "--disable-threads" on the configure command line. The default
    is to enable threads, except on some older operating systems
    on which threads are known to have had problems in the past.
    (Note: Prior to BIND 9.10, the default was to disable threads on
    Linux systems; this has been reversed. On Linux systems, the
    threaded build is known to change BIND's behavior with respect
    to file permissions; it may be necessary to specify a user with
    the -u option when running named.)

    To build shared libraries, specify "--with-libtool" on the
    configure command line.

    Certain compiled-in constants and default settings can be
    increased to values better suited to large servers with abundant
    memory resources (e.g., 64-bit servers with 12G or more of memory)
    by specifying "--with-tuning=large" on the configure command
    line. This can improve performance on big servers, but will
    consume more memory and may degrade performance on smaller
    systems.

    For the server to support DNSSEC, you need to build it
    with crypto support. You must have OpenSSL 0.9.5a
    or newer installed and specify "--with-openssl" on the
    configure command line. If OpenSSL is installed under
    a nonstandard prefix, you can tell configure where to
    look for it using "--with-openssl=/prefix".

    To support the HTTP statistics channel, the server must
    be linked with at least one of the following: libxml2
    (http://xmlsoft.org) or json-c (https://github.com/json-c).
    If these are installed at a nonstandard prefix, use
    "--with-libxml2=/prefix" or "--with-libjson=/prefix".

    On some platforms it is necessary to explicitly request large
    file support to handle files bigger than 2GB. This can be
    done by "--enable-largefile" on the configure command line.

    Support for the "fixed" rrset-order option can be enabled
    or disabled by specifying "--enable-fixed-rrset" or
    "--disable-fixed-rrset" on the configure command line.
    The default is "disabled", to reduce memory footprint.

    If your operating system has integrated support for IPv6, it
    will be used automatically. If you have installed KAME IPv6
    separately, use "--with-kame[=PATH]" to specify its location.

    "make install" will install "named" and the various BIND 9 libraries.
    By default, installation is into /usr/local, but this can be changed
    with the "--prefix" option when running "configure".

    You may specify the option "--sysconfdir" to set the directory
    where configuration files like "named.conf" go by default,
    and "--localstatedir" to set the default parent directory
    of "run/named.pid". For backwards compatibility with BIND 8,
    --sysconfdir defaults to "/etc" and --localstatedir defaults to
    "/var" if no --prefix option is given. If there is a --prefix
    option, sysconfdir defaults to "$prefix/etc" and localstatedir
    defaults to "$prefix/var".

    To see additional configure options, run "configure --help".
    Note that the help message does not reflect the BIND 8
    compatibility defaults for sysconfdir and localstatedir.

    If you're planning on making changes to the BIND 9 source, you
    should also "make depend". If you're using Emacs, you might find
    "make tags" helpful.

    If you need to re-run configure please run "make distclean" first.
    This will ensure that all the option changes take effect.

    Building with gcc is not supported, unless gcc is the vendor's usual
    compiler (e.g. the various BSD systems, Linux).

    Known compiler issues:
    * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
    * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
    * gcc-3.3.5 powerpc generates incorrect code at -O2.
    * Irix, MipsPRO 7.4.1m is known to cause problems.

    A limited test suite can be run with "make test". Many of
    the tests require you to configure a set of virtual IP addresses
    on your system, and some require Perl; see bin/tests/system/README
    for details.

    SunOS 4 requires "printf" to be installed to make the shared
    libraries. sh-utils-1.16 provides a "printf" which compiles
    on SunOS 4.

Known limitations

    Linux requires kernel build 2.6.39 or later to get the
    performance benefits from using multiple sockets.

Documentation

    The BIND 9 Administrator Reference Manual is included with the
    source distribution in DocBook XML and HTML format, in the
    doc/arm directory.

    Some of the programs in the BIND 9 distribution have man pages
    in their directories. In particular, the command line
    options of "named" are documented in bin/named/named.8.
    There is now also a set of man pages for the lwres library.

    If you are upgrading from BIND 8, please read the migration
    notes in doc/misc/migration. If you are upgrading from
    BIND 4, read doc/misc/migration-4to9.

    Frequently asked questions and their answers can be found in
    FAQ.

    Additional information on various subjects can be found
    in the other README files.


Change Log

    A detailed list of all changes to BIND 9 is included in the
    file CHANGES, with the most recent changes listed first.
    Change notes include tags indicating the category of the
    change that was made; these categories are:

        [func]          New feature

        [bug]           General bug fix

        [security]      Fix for a significant security flaw

        [experimental]  Used for new features when the syntax
                        or other aspects of the design are still
                        in flux and may change

        [port]          Portability enhancement

        [maint]         Updates to built-in data such as root
                        server addresses and keys

        [tuning]        Changes to built-in configuration defaults
                        and constants to improve performance

        [protocol]      Updates to the DNS protocol such as new
                        RR types

        [test]          Changes to the automatic tests, not
                        affecting server functionality

        [cleanup]       Minor corrections and refactoring

        [doc]           Documentation

        [contrib]       Changes to the contributed tools and
                        libraries in the 'contrib' subdirectory

        [placeholder]   Used in the master development branch to
                        reserve change numbers for use in other
                        branches, e.g. when fixing a bug that only
                        exists in older releases

    In general, [func] and [experimental] tags will only appear
    in new-feature releases (i.e., those with version numbers
    ending in zero). Some new functionality may be backported to
    older releases on a case-by-case basis. All other change
    types may be applied to all currently-supported releases.
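    A practitioner deciding whether a release needs an emergency upgrade
    usually reads CHANGES for the [security] entries and cross-checks the
    CVE identifiers against the release notes. The following Python is an
    added example, not an ISC tool: it parses entries in the layout
    described above (change number, bracketed category tag, description
    continued on indented lines), groups them by tag, and maps each CVE
    to the changes that cite it. The sample entries are constructed for
    this example and are not copied from any CHANGES file; they reuse the
    CVE identifiers from the 9.10.2-P3 and 9.10.2-P4 notes at the top of
    this page, and the change numbers are arbitrary.

```python
"""Parse BIND-style CHANGES entries, group them by category tag and pull the
CVE identifiers out of [security] entries.  Added example; not an ISC tool.

SAMPLE_CHANGES is constructed for this example.  Its layout follows the
README's description (change number, [tag], text continued on indented
lines); the CVE identifiers are those the release notes list for 9.10.2-P3
and 9.10.2-P4, and the change numbers are arbitrary.
"""
import re
from collections import defaultdict

SAMPLE_CHANGES = """\
4012.\t[security]\tConstructed entry standing in for the 9.10.2-P4 fixes.
\t\t\t(CVE-2015-5722, CVE-2015-5986)

4011.\t[bug]\t\tConstructed entry: a bug fix with no security impact.

4010.\t[func]\t\tConstructed entry: a new feature.

4009.\t[security]\tConstructed entry standing in for the 9.10.2-P3 fix.
\t\t\t(CVE-2015-5477)

4008.\t[placeholder]
"""

# "NNNN.<ws>[tag]<ws>text"; tags are single words such as security or func
ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s*(.*)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_changes(text):
    """Return a list of {number, tag, text, cves} in file order (most recent
    first, as CHANGES is written).  Indented lines continue the previous
    entry; anything else is a format error rather than silently skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"number": int(m.group(1)), "tag": m.group(2),
                            "text": m.group(3).strip()})
        elif entries and line[:1] in ("\t", " "):
            entries[-1]["text"] = (entries[-1]["text"] + " " + line.strip()).strip()
        else:
            raise ValueError(f"unrecognized CHANGES line: {line!r}")
    for entry in entries:
        entry["cves"] = sorted(set(CVE_RE.findall(entry["text"])))
    return entries


def by_tag(entries):
    """Change numbers grouped by category tag, preserving file order."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["tag"]].append(entry["number"])
    return dict(groups)


def security_fixes(entries):
    """Map each CVE cited by a [security] entry to the change numbers citing it."""
    fixes = defaultdict(list)
    for entry in entries:
        if entry["tag"] == "security":
            for cve in entry["cves"]:
                fixes[cve].append(entry["number"])
    return dict(fixes)


def missing_cves(entries, expected):
    """CVEs the release notes claim are fixed but no [security] entry cites.
    A non-empty result means the notes and CHANGES disagree; look closer."""
    cited = security_fixes(entries)
    return [cve for cve in expected if cve not in cited]


if __name__ == "__main__":
    parsed = parse_changes(SAMPLE_CHANGES)
    print(by_tag(parsed))
    print(security_fixes(parsed))
    print(missing_cves(parsed, ["CVE-2015-5722", "CVE-2015-5986", "CVE-2015-5477"]))
```

    Pointed at a real CHANGES file, the same functions answer the two
    questions that matter on patch day: which change numbers are tagged
    [security], and whether every CVE the release note names actually
    appears in one of them.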


Bug Reports and Mailing Lists

    Bug reports should be sent to:

        bind9-bugs@isc.org

    Feature requests can be sent to:

        bind-suggest@isc.org

    To join or view the archives of the BIND Users mailing list,
    visit:

        https://lists.isc.org/mailman/listinfo/bind-users

    If you're planning on making changes to the BIND 9 source
    code, you may also want to join the BIND Workers mailing
    list:

        https://lists.isc.org/mailman/listinfo/bind-workers

    Information on read-only Git access, coding style and developer
    guidelines can be found at:

        http://www.isc.org/git/


Acknowledgments

    - This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
    - This product includes cryptographic software written by Eric
      Young (eay@cryptsoft.com).
    - This product includes software written by Tim Hudson
      (tjh@cryptsoft.com).
