Summary of functional enhancements from prior major releases of BIND 9:

BIND 9.8.0

        BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
        releases.  New features include:

        - Built-in trust anchor for the root zone, which can be
          switched on via "dnssec-validation auto;"
        - Support for DNS64.
        - Support for response policy zones (RPZ).
        - Support for writable DLZ zones.
        - Improved ease of configuration of GSS/TSIG for
          interoperability with Active Directory
        - Support for GOST signing algorithm for DNSSEC.
        - Removed RTT Banding from server selection algorithm.
        - New "static-stub" zone type.
        - Allow configuration of resolver timeouts via
          "resolver-query-timeout" option.
        - The DLZ "dlopen" driver is now built by default.
        - Added a new include file with function typedefs
          for the DLZ "dlopen" driver.
        - Made "--with-gssapi" default.
        - More verbose error reporting from DLZ LDAP.

BIND 9.7.0

        BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
        releases.  Most are intended to simplify DNSSEC configuration.
        New features include:

        - Fully automatic signing of zones by "named".
        - Simplified configuration of DNSSEC Lookaside Validation (DLV).
        - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
          command line tool or the "local" update-policy option.  (As a side
          effect, this also makes it easier to configure automatic zone
          re-signing.)
        - New named option "attach-cache" that allows multiple views to
          share a single cache.
        - DNS rebinding attack prevention.
        - New default values for dnssec-keygen parameters.
        - Support for RFC 5011 automated trust anchor maintenance
        - Smart signing: simplified tools for zone signing and key
          maintenance.
        - The "statistics-channels" option is now available on Windows.
        - A new DNSSEC-aware libdns API for use by non-BIND9 applications
        - On some platforms, named and other binaries can now print out
          a stack backtrace on assertion failure, to aid in debugging.
        - A "tools only" installation mode on Windows, which only installs
          dig, host, nslookup and nsupdate.
        - Improved PKCS#11 support, including Keyper support and explicit
          OpenSSL engine selection.

BIND 9.6.0

        Full NSEC3 support

        Automatic zone re-signing

        New update-policy methods tcp-self and 6to4-self

        The BIND 8 resolver library, libbind, has been removed from the
        BIND 9 distribution and is now available as a separate download.

        Change the default pid file location from /var/run to
        /var/run/{named,lwresd} for improved chroot/setuid support.

BIND 9.5.0

        GSS-TSIG support (RFC 3645).

        DHCID support.

        Experimental http server and statistics support for named via xml.

        More detailed statistics counters including those supported in BIND 8.

        Faster ACL processing.

        Use Doxygen to generate internal documentation.

        Efficient LRU cache-cleaning mechanism.

        NSID support.

BIND 9.4.0

        Implemented "additional section caching (or acache)", an
        internal cache framework for additional section content to
        improve response performance.  Several configuration options
        were provided to control the behavior.

        New notify type 'master-only'.  Enable notify for master
        zones only.

        Accept 'notify-source' style syntax for query-source.

        rndc now allows addresses to be set in the server clauses.

        New option "allow-query-cache".  This lets "allow-query"
        be used to specify the default zone access level rather
        than having to have every zone override the global value.
        "allow-query-cache" can be set at both the options and view
        levels.  If "allow-query-cache" is not set then "allow-recursion"
        is used if set, otherwise "allow-query" is used if set
        unless "recursion no;" is set in which case "none;" is used,
        otherwise the default (localhost; localnets;) is used.

        rndc: the source address can now be specified.

        ixfr-from-differences now takes master and slave in addition
        to yes and no at the options and view levels.

        Allow the journal's name to be changed via named.conf.

        'rndc notify zone [class [view]]' resends the NOTIFY messages
        for the specified zone.

        'dig +trace' now randomly selects the next servers to try.
        Report if there is a bad delegation.

        Improve check-names error messages.

        Make public the function to read a key file, dst_key_read_public().

        dig now returns the byte count for axfr/ixfr.

        allow-update is now settable at the options / view level.

        named-checkconf now checks the logging configuration.

        host now can turn on memory debugging flags with '-m'.

        Don't send notify messages to self.

        Perform sanity checks on NS records which refer to 'in zone' names.

        New zone option "notify-delay".  Specify a minimum delay
        between sets of NOTIFY messages.

        Extend adjusting TTL warning messages.

        Named and named-checkzone can now both check for non-terminal
        wildcard records.

        "rndc freeze/thaw" now freezes/thaws all zones.

        named-checkconf now checks acls to verify that they only
        refer to existing acls.

        The server syntax has been extended to support a range of
        servers.

        Report differences between hints and real NS rrset and
        associated address records.

        Preserve the case of domain names in rdata during zone
        transfers.

        Restructured the data locking framework using architecture
        dependent atomic operations (when available), improving
        response performance on multi-processor machines significantly.
        x86, x86_64, alpha, powerpc, and mips are currently supported.

        UNIX domain controls are now supported.

        Add support for additional zone file formats for improving
        loading performance.  The masterfile-format option in
        named.conf can be used to specify a non-default format.  A
        separate command named-compilezone was provided to generate
        zone files in the new format.  Additionally, the -I and -O
        options for dnssec-signzone specify the input and output
        formats.

        dnssec-signzone can now randomize signature end times
        (dnssec-signzone -j jitter).

        Add support for CH A record.

        Add additional zone data consistency checks.  named-checkzone
        has extended checking of NS, MX and SRV records and the hosts
        they reference.  named has extended post zone load checks.
        New zone options: check-mx and integrity-check.

        edns-udp-size can now be overridden on a per server basis.

        dig can now specify the EDNS version when making a query.

        Added framework for handling multiple EDNS versions.

        Additional memory debugging support to track size and mctx
        arguments.

        Detect duplicates of UDP queries we are recursing on and
        drop them.  New stats category "duplicates".

        "USE INTERNAL MALLOC" is now runtime selectable.

        The lame cache is now done on a <qname,qclass,qtype> basis
        as some servers only appear to be lame for certain query
        types.

        Limit the number of recursive clients that can be waiting
        for a single query (<qname,qtype,qclass>) to resolve.  New
        options clients-per-query and max-clients-per-query.

        dig: report the number of extra bytes still left in the
        packet after processing all the records.

        Support for IPSECKEY rdata type.

        Raise the UDP receive buffer size to 32k if it is less than 32k.

        x86 and x86_64 now have separate atomic locking implementations.

        named-checkconf now validates update-policy entries.

        Attempt to make the amount of work performed in an iteration
        self tuning.  This covers nodes cleaned from the cache per
        iteration, nodes written to disk when rewriting a master
        file and nodes destroyed per iteration when destroying a
        zone or a cache.

        ISC string copy API.

        Automatic empty zone creation for D.F.IP6.ARPA and friends.
        Note: RFC 1918 zones are not yet covered by this but are
        likely to be in a future release.

        New options: empty-server, empty-contact, empty-zones-enable
        and disable-empty-zone.

        dig now has '-q queryname' and '+showsearch' options.

        host/nslookup now continue (default)/fail on SERVFAIL.

        dig now warns if 'RA' is not set in the answer when 'RD'
        was set in the query.  host/nslookup skip servers that fail
        to set 'RA' when 'RD' is set unless a server is explicitly
        set.

        Integrate contributed DLZ code into named.

        Integrate contributed IDN code from JPNIC.

        libbind: corresponds to that from BIND 8.4.7.

BIND 9.3.0

        DNSSEC is now DS based (RFC 3658).
        See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.

        DNSSEC lookaside validation.

        check-names is now implemented.
        rrset-order is more complete.

        IPv4/IPv6 transition support, dual-stack-servers.

        IXFR deltas can now be generated when loading master files,
        ixfr-from-differences.

        It is now possible to specify the size of a journal, max-journal-size.

        It is now possible to define a named set of master servers to be
        used in masters clause, masters.

        The advertised EDNS UDP size can now be set, edns-udp-size.

        allow-v6-synthesis has been obsoleted.

        NOTE:
                * Zones containing MD and MF will now be rejected.
                * dig, nslookup name. now report "Not Implemented" as
                  NOTIMP rather than NOTIMPL.  This will have impact on scripts
                  that are looking for NOTIMPL.

        libbind: corresponds to that from BIND 8.4.5.

BIND 9.2.0

        The size of the cache can now be limited using the
        "max-cache-size" option.

        The server can now automatically convert RFC1886-style recursive
        lookup requests into RFC2874-style lookups, when enabled using the
        new option "allow-v6-synthesis".  This allows stub resolvers that
        support AAAA records but not A6 record chains or binary labels to
        perform lookups in domains that make use of these IPv6 DNS
        features.

        Performance has been improved.

        The man pages now use the more portable "man" macros rather than
        the "mandoc" macros, and are installed by "make install".

        The named.conf parser has been completely rewritten.  It now
        supports "include" directives in more places such as inside "view"
        statements, and it no longer has any reserved words.

        The "rndc status" command is now implemented.

        rndc can now be configured automatically.

        A BIND 8 compatible stub resolver library is now included in
        lib/bind.

        OpenSSL has been removed from the distribution.  This means that to
        use DNSSEC, OpenSSL must be installed and the --with-openssl option
        must be supplied to configure.  This does not apply to the use of
        TSIG, which does not require OpenSSL.

        The source distribution now builds on Windows.  See
        win32utils/readme1.txt and win32utils/win32-build.txt for details.

        This distribution also includes a new lightweight stub
        resolver library and associated resolver daemon that fully
        support forward and reverse lookups of both IPv4 and IPv6
        addresses.  This library is considered experimental and
        is not a complete replacement for the BIND 8 resolver library.
        Applications that use the BIND 8 res_* functions to perform
        DNS lookups or dynamic updates still need to be linked against
        the BIND 8 libraries.  For DNS lookups, they can also use the
        new "getrrsetbyname()" API.

        BIND 9.2 is capable of acting as an authoritative server
        for DNSSEC secured zones.  This functionality is believed to
        be stable and complete except for lacking support for
        verifications involving wildcard records in secure zones.

        When acting as a caching server, BIND 9.2 can be configured
        to perform DNSSEC secure resolution on behalf of its clients.
        This part of the DNSSEC implementation is still considered
        experimental.  For detailed information about the state of the
        DNSSEC implementation, see the file doc/misc/dnssec.

        There are a few known bugs:

                On some systems, IPv6 and IPv4 sockets interact in
                unexpected ways.  For details, see doc/misc/ipv6.
                To reduce the impact of these problems, the server
                no longer listens for requests on IPv6 addresses
                by default.  If you need to accept DNS queries over
                IPv6, you must specify "listen-on-v6 { any; };"
                in the named.conf options statement.

                FreeBSD prior to 4.2 (and 4.2 if running as non-root)
                and OpenBSD prior to 2.8 log messages like
                "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
                This is due to a bug in "/dev/random" and impacts the
                server's DNSSEC support.

                OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
                OS X 10.2 (Darwin 6.0) report errors like
                "fcntl(3, F_SETFL, 4): Operation not supported by device".
                This is due to a bug in "/dev/random" and impacts the
                server's DNSSEC support.

                --with-libtool does not work on AIX.

        A bug in some versions of the Microsoft DNS server can cause zone
        transfers from a BIND 9 server to a W2K server to fail.  For details,
        see the "Zone Transfers" section in doc/misc/migration.