Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

### Functional enhancements from prior major releases of BIND 9

#### BIND 9.10.0

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

- DNS Response-rate limiting (DNS RRL), which blunts the
  impact of reflection and amplification attacks, is always
  compiled in and no longer requires a compile-time option
  to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
  is now available. Similar to DNS Cookies as invented by
  Donald Eastlake 3rd, these are designed to enable clients
  to detect off-path spoofed responses, and to enable servers
  to detect spoofed-source queries. Servers can be configured
  to send smaller responses to clients that have not identified
  themselves using a SIT option, reducing the effectiveness of
  amplification attacks. RRL processing has also been updated;
  clients proven to be legitimate via SIT are not subject to
  rate limiting. Use "configure --enable-sit" to enable this
  feature in BIND.
- A new zone file format, "map", stores zone data in a
  format that can be mapped directly into memory, allowing
  significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool
  with dig-like semantics for looking up DNS data and performing
  internal DNSSEC validation. This allows easy validation in
  environments where the resolver may not be trustworthy, and
  assists with troubleshooting of DNSSEC problems. (NOTE:
  In previous development releases of BIND 9.10, this utility
  was called "delve". The spelling has been changed to avoid
  confusion with the "delve" utility included with the Xapian
  search engine.)
- Improved EDNS(0) processing for better resolver performance
  and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
  compiled-in constants and default settings to values better
  suited to large servers with abundant memory. This can
  improve performance on such servers, but will consume more
  memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
  performance. Up to 32 response-policy zones can be
  configured with minimal performance loss.
- To improve recursive resolver performance, cache records
  which are still being requested by clients can now be
  automatically refreshed from the authoritative server
  before they expire, reducing or eliminating the time
  window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
  response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
  using the MaxMind GeoIP databases. Use "configure
  --with-geoip" to enable.
- Zone data can now be shared between views, allowing
  multiple views to serve the same zones authoritatively
  without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
  includes many new statistics and uses a flattened XML tree
  for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
  XML statistics in charts and graphs on JavaScript-enabled
- The statistics channel can now provide data in JSON
  format as well as XML.
- New stats counters track TCP and UDP queries received
  per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries
  (libisc, libdns, etc.) have been unified so that external
  library clients can use the same libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11",
  allows BIND 9 cryptography functions to use the PKCS#11 API
  natively, so that BIND can drive a cryptographic hardware
  security module (HSM) directly instead of using a modified
  OpenSSL as an intermediary. (Note: This feature requires an
  HSM to have a full implementation of the PKCS#11 API; many
  current HSMs only have partial implementations. The new
  "pkcs11-tokens" command can be used to check API completeness.
  Native PKCS#11 is known to work with the Thales nShield HSM
  and with SoftHSM version 2 from the OpenDNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for
  zones. This can simplify the process of rolling DNSSEC keys
  by guaranteeing that cached signatures will have expired
  within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
- "dig +expire" sends an EDNS EXPIRE option when querying.
  When this option is sent with an SOA query to a server
  that supports it, it will report the expiry time of
  a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
  for a zone and report if a lapse in signing coverage has
  been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
  for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
  journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
  zones can be configured to be served from a specific DLZ
  database. DLZ databases now serve zones of type "master"
  and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces
- "named" now preserves the capitalization of names
  when responding to queries: for instance, a query for
  "example.com" may be answered with "example.COM" if the
  name was configured that way in the zone file. Some
  clients have a bug causing them to depend on the older
  behavior, in which the case of the answer always matched
  the case of the query, rather than the case of the name
  configured in the DNS. Such clients can now be specified
  in the new "no-case-compress" ACL; this will restore the
  older behavior of "named" for those clients only.
- New "dnssec-importkey" command allows the use of offline
  DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
  correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
  drops signatures from keys that are still published but are
  no longer active.
- "named-checkconf -px" will print the contents of configuration
  files with the shared secrets obscured, making it easier to
  share configuration (e.g. when submitting a bug report)
  without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
  changes in local addresses.
- On operating systems with support for routing sockets,
  network interfaces are re-scanned automatically whenever
  they change.
- "tsig-keygen" is now available as an alternate command
  name to use for "ddns-confgen".

#### BIND 9.9.0

BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

- Inline signing, allowing automatic DNSSEC signing of
  master zones without modification of the zonefile, or
  "bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
  name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
- New 'rndc signing' command displays or clears signing status
  records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
  to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
  to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
  'masters', so it can use named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
  data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
  not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows an expiration date to be specified
  for DNSKEY signatures separately from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
  dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
  to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
  table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
  number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
  the querying client.
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
  indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support

#### BIND 9.8.0

BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:

- Built-in trust anchor for the root zone, which can be
  switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
  interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
  "resolver-query-timeout" option.
- The DLZ "dlopen" driver is now built by default.
- Added a new include file with function typedefs
  for the DLZ "dlopen" driver.
- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.

#### BIND 9.7.0

BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:

- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
  command line tool or the "local" update-policy option. (As a side
  effect, this also makes it easier to configure automatic zone
  re-signing.)
- New named option "attach-cache" that allows multiple views to
  share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
  maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
  a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
  dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
  OpenSSL engine selection.

#### BIND 9.6.0

- Full NSEC3 support
- Automatic zone re-signing
- New update-policy methods tcp-self and 6to4-self
- The BIND 8 resolver library, libbind, has been removed from the BIND 9
  distribution and is now available as a separate download.
- Change the default pid file location from /var/run to
  /var/run/{named,lwresd} for improved chroot/setuid support.

#### BIND 9.5.0

- GSS-TSIG support (RFC 3645).
- DHCID support.
- Experimental HTTP server and statistics support for named via XML.
- More detailed statistics counters including those supported in BIND 8.
- Faster ACL processing.
- Use Doxygen to generate internal documentation.
- Efficient LRU cache-cleaning mechanism.
- NSID support.
- Implemented "additional section caching (or acache)", an internal cache
  framework for additional section content to improve response performance.
  Several configuration options were provided to control the behavior.
- New notify type 'master-only'. Enable notify for master zones only.
- Accept 'notify-source' style syntax for query-source.
- rndc now allows addresses to be set in the server clauses.
- New option "allow-query-cache". This lets "allow-query" be used to
  specify the default zone access level rather than having to have every
  zone override the global value. "allow-query-cache" can be set at both
  the options and view levels. If "allow-query-cache" is not set then
  "allow-recursion" is used if set, otherwise "allow-query" is used if set
  unless "recursion no;" is set in which case "none;" is used, otherwise
  the default (localhost; localnets;) is used.
- rndc: the source address can now be specified.
- ixfr-from-differences now takes master and slave in addition to yes and
  no at the options and view levels.
- Allow the journal's name to be changed via named.conf.
- 'rndc notify zone [class [view]]' resends the NOTIFY messages for the
  specified zone.
- 'dig +trace' now randomly selects the next servers to try. Report if
  there is a bad delegation.
- Improve check-names error messages.
- Make public the function to read a key file, dst_key_read_public().
- allow-update is now settable at the options / view level.
- named-checkconf now checks the logging configuration.
- host now can turn on memory debugging flags with '-m'.
- Don't send notify messages to self.
- Perform sanity checks on NS records which refer to 'in zone' names.
- New zone option "notify-delay". Specify a minimum delay between sets of
  NOTIFY messages.
- Extend adjusting TTL warning messages.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Named and named-checkzone can now both check for non-terminal wildcard
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- named-checkconf now check acls to verify that they only refer to existing
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- The server syntax has been extended to support a range of servers.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Report differences between hints and real NS rrset and associated address
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Preserve the case of domain names in rdata during zone transfers.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Restructured the data locking framework using architecture dependent
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt atomic operations (when available), improving response performance on
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt multi-processor machines significantly. x86, x86_64, alpha, powerpc, and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt mips are currently supported.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- UNIX domain controls are now supported.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Add support for additional zone file formats for improving loading
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt performance. The masterfile-format option in named.conf can be used to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt specify a non-default format. A separate command named-compilezone was
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt provided to generate zone files in the new format. Additionally, the -I
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt and -O options for dnssec-signzone specify the input and output formats.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- dnssec-signzone can now randomize signature end times (dnssec-signzone -j
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Add support for CH A record.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Add additional zone data constancy checks. named-checkzone has extended
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt checking of NS, MX and SRV record and the hosts they reference. named
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt has extended post zone load checks. New zone options: check-mx and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt integrity-check.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- edns-udp-size can now be overridden on a per server basis.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- dig can now specify the EDNS version when making a query.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Added framework for handling multiple EDNS versions.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Additional memory debugging support to track size and mctx arguments.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Detect duplicates of UDP queries we are recursing on and drop them. New
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt stats category "duplicates".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- "USE INTERNAL MALLOC" is now runtime selectable.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- The lame cache is now done on a <qname,qclass,qtype> basis as some
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt servers only appear to be lame for certain query types.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- Limit the number of recursive clients that can be waiting for a single
  query (<qname,qtype,qclass>) to resolve. New options clients-per-query
  and max-clients-per-query.
- dig: report the number of extra bytes still left in the packet after
  processing all the records.
- Support for IPSECKEY rdata type.
- Raise the UDP receive buffer size to 32k if it is less than 32k.
- x86 and x86_64 now have separate atomic locking implementations.
- named-checkconf now validates update-policy entries.
- Attempt to make the amount of work performed in an iteration self tuning.
  This covers nodes cleaned from the cache per iteration, nodes written to
  disk when rewriting a master file and nodes destroyed per iteration when
  destroying a zone or a cache.
- ISC string copy API.
- Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
  1918 zones are not yet covered by this but are likely to be in a future
- New options: empty-server, empty-contact, empty-zones-enable and
  disable-empty-zone.
- dig now has '-q queryname' and '+showsearch' options.
- host/nslookup now continue (default)/fail on SERVFAIL.
- dig now warns if 'RA' is not set in the answer when 'RD' was set in the
  query. host/nslookup skip servers that fail to set 'RA' when 'RD' is set
  unless a server is explicitly set.
- Integrate contributed DLZ code into named.
- Integrate contributed IDN code from JPNIC.
- libbind: corresponds to that from BIND 8.4.7.
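
The RD/RA check described in the dig item above reduces to two flag bits in the 12-byte DNS header. The following is an added example, not code from BIND: it decodes constructed query and reply headers and reports a reply that did not offer recursion although the query asked for it. The function names and the sample packets are assumptions made for illustration.

```python
import struct

# RCODE mnemonics (RFC 1035); code 4 is "Not Implemented".
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Flag bits in the second 16-bit word of the DNS header.
QR, RD, RA = 0x8000, 0x0100, 0x0080


def parse_header(packet: bytes) -> dict:
    """Decode ID and flags from the fixed 12-byte DNS header (hypothetical helper)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags = struct.unpack("!2H", packet[:4])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),   # set on responses
        "rd": bool(flags & RD),   # recursion desired (copied from the query)
        "ra": bool(flags & RA),   # recursion available (set by the server)
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
    }


def recursion_warnings(query: bytes, response: bytes) -> list:
    """Return warnings for a query/reply pair, mirroring the RD/RA check."""
    q, r = parse_header(query), parse_header(response)
    warnings = []
    if not r["qr"]:
        warnings.append("reply does not have QR set")
    if q["id"] != r["id"]:
        warnings.append("ID mismatch between query and reply")
    if q["rd"] and not r["ra"]:
        warnings.append("recursion requested but not available")
    return warnings


def make_header(msg_id: int, flags: int, qd: int = 1, an: int = 0) -> bytes:
    """Build a header-only packet for the constructed samples below."""
    return struct.pack("!6H", msg_id, flags, qd, an, 0, 0)


# Constructed samples: one query with RD set, and two replies to it.
QUERY = make_header(0x1A2B, RD)
REPLY_RECURSIVE = make_header(0x1A2B, QR | RD | RA, an=1)
REPLY_AUTH_ONLY = make_header(0x1A2B, QR | RD | 0x0005)   # REFUSED, RA clear

if __name__ == "__main__":
    for name, reply in (("recursive", REPLY_RECURSIVE), ("auth-only", REPLY_AUTH_ONLY)):
        print(name, parse_header(reply)["rcode"], recursion_warnings(QUERY, reply))
```
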

#### BIND 9.3.0

- DNSSEC is now DS based (RFC 3658).
- DNSSEC lookaside validation.
- check-names is now implemented.
- rrset-order is more complete.
- IPv4/IPv6 transition support, dual-stack-servers.
- IXFR deltas can now be generated when loading master files,
  ixfr-from-differences.
- It is now possible to specify the size of a journal, max-journal-size.
- It is now possible to define a named set of master servers to be used in
  a masters clause, masters.
- The advertised EDNS UDP size can now be set, edns-udp-size.
- allow-v6-synthesis has been obsoleted.
- Zones containing MD and MF will now be rejected.
- dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
  NOTIMPL. This will have impact on scripts that are looking for NOTIMPL.
- libbind: corresponds to that from BIND 8.4.5.

#### BIND 9.2.0

- The size of the cache can now be limited using the "max-cache-size"
- The server can now automatically convert RFC1886-style recursive lookup
  requests into RFC2874-style lookups, when enabled using the new option
  "allow-v6-synthesis". This allows stub resolvers that support AAAA
  records but not A6 record chains or binary labels to perform lookups in
  domains that make use of these IPv6 DNS features.
- Performance has been improved.
- The man pages now use the more portable "man" macros rather than the
  "mandoc" macros, and are installed by "make install".
- The named.conf parser has been completely rewritten. It now supports
  "include" directives in more places such as inside "view" statements, and
  it no longer has any reserved words.
- The "rndc status" command is now implemented.
- rndc can now be configured automatically.
- A BIND 8 compatible stub resolver library is now included in lib/bind.
- OpenSSL has been removed from the distribution. This means that to use
  DNSSEC, OpenSSL must be installed and the --with-openssl option must be
  supplied to configure. This does not apply to the use of TSIG, which
  does not require OpenSSL.
- The source distribution now builds on Windows. See
  win32utils/readme1.txt and win32utils/win32-build.txt for details.
- This distribution also includes a new lightweight stub resolver library
  and associated resolver daemon that fully support forward and reverse
  lookups of both IPv4 and IPv6 addresses. This library is considered
  experimental and is not a complete replacement for the BIND 8 resolver
  library. Applications that use the BIND 8 `res_*` functions to perform
  DNS lookups or dynamic updates still need to be linked against the BIND 8
  libraries. For DNS lookups, they can also use the new "getrrsetbyname()"
- BIND 9.2 is capable of acting as an authoritative server for DNSSEC
  secured zones. This functionality is believed to be stable and complete
  except for lacking support for verifications involving wildcard records
  in secure zones.
- When acting as a caching server, BIND 9.2 can be configured to perform
  DNSSEC secure resolution on behalf of its clients. This part of the
  DNSSEC implementation is still considered experimental. For detailed
  information about the state of the DNSSEC implementation, see the file