59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt<!--
574176a88d7fc412312e11a274d74cd2f122a0f4Tinderbox User - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt -
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - This Source Code Form is subject to the terms of the Mozilla Public
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - License, v. 2.0. If a copy of the MPL was not distributed with this
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - file, You can obtain one at http://mozilla.org/MPL/2.0/.
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt-->
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt# BIND 9
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### Contents
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Introduction](#intro)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Reporting bugs and getting help](#help)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Contributing to BIND](#contrib)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [BIND 9.11 features](#features)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Building BIND](#build)
070d7e5b0c858224798afdbe0f73164b42174856Mark Andrews1. [macOS](#macos)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Compile-time options](#opts)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Automated testing](#testing)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Documentation](#doc)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Change log](#changes)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt1. [Acknowledgments](#ack)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="intro"/> Introduction
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND (Berkeley Internet Name Domain) is a complete, highly portable
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntimplementation of the DNS (Domain Name System) protocol.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntThe BIND name server, `named`, is able to serve as an authoritative name
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntserver, recursive resolver, DNS forwarder, or all three simultaneously. It
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntimplements views for split-horizon DNS, automatic DNSSEC zone signing and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntkey management, catalog zones to facilitate provisioning of zone data
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntthroughout a name server constellation, response policy zones (RPZ) to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntprotect clients from malicious data, response rate limiting (RRL) and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntrecursive query limits to reduce distributed denial of service attacks,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntand many other advanced DNS features. BIND also includes a suite of
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntadministrative tools, including the `dig` and `delv` DNS lookup tools,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntadministration, and more.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND 9 is a complete re-write of the BIND architecture that was used in
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntversions 4 and 8. Internet Systems Consortium
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntcorporation dedicated to providing software and services in support of the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntInternet infrastructure, developed BIND 9 and is responsible for its
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntongoing maintenance and improvement. BIND is open source software
4100890e5aacfb7e5e80f651b26fa057d542560bEvan Huntlicenced under the terms of ISC License for all versions up to and
4100890e5aacfb7e5e80f651b26fa057d542560bEvan Huntincluding BIND 9.10, and the Mozilla Public License version 2.0 for all
4100890e5aacfb7e5e80f651b26fa057d542560bEvan Huntsubsequent verisons.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntFor a summary of features introduced in past major releases of BIND,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntsee the file [HISTORY](HISTORY.md).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntFor a detailed list of changes made throughout the history of BIND 9, see
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntthe file [CHANGES](CHANGES). See [below](#changes) for details on the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntCHANGES file format.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntFor up-to-date release notes and errata, see
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="help"/> Reporting bugs and getting help
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýTo report non-security-sensitive bugs or request new features, you may
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýopen an Issue in the BIND 9 project on the
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý[ISC GitLab server](https://gitlab.isc.org) at
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9).
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýPlease note that, unless you explicitly mark the newly created Issue as
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý"confidential", it will be publicly readable. Please do not include any
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýinformation in bug reports that you consider to be confidential unless
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýthe issue has been marked as such. In particular, if submitting the
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýcontents of your configuration file in a non-confidential Issue, it is
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýadvisable to obscure key secrets: this can be done automatically by
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýusing `named-checkconf -px`.
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýIf the bug you are reporting is a potential security issue, such as an
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýassertion failure or other crash in `named`, please do *NOT* use GitLab to
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýreport it. Instead, please send mail to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[security-officer@isc.org](mailto:security-officer@isc.org).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntProfessional support and training for BIND are available from
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntISC at [https://www.isc.org/support](https://www.isc.org/support).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo join the __BIND Users__ mailing list, or view the archives, visit
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntIf you're planning on making changes to the BIND 9 source code, you
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntmay also want to join the __BIND Workers__ mailing list, at
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="contrib"/> Contributing to BIND
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan HuntISC maintains a public git repository for BIND; details can be found
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan Huntat [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntat [https://github.com/isc-projects](https://github.com/isc-projects).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntInformation for BIND contributors can be found in the following files:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- General information: [doc/dev/contrib.md](doc/dev/contrib.md)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýPatches for BIND may be submitted as
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý[Merge Requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests)
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýin the [ISC GitLab server](https://gitlab.isc.org) at
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýat [https://gitlab.isc.org/isc-projects/bind9/merge_requests](https://gitlab.isc.org/isc-projects/bind9/merge_requests).
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýBy default, external contributors don't have ability to fork BIND in the
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýGitLab server, but if you wish to contribute code to BIND, you may request
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýpermission to do so. Thereafter, you can create git branches and directly
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýsubmit requests that they be reviewed and merged.
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej SurýIf you prefer, you may also submit code by opening a
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý[GitLab Issue](https://gitlab.isc.org/isc-projects/bind9/issues) and
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surýincluding your patch as an attachment, preferably generated by
2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý`git format-patch`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="features"/> BIND 9.11 features
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntreleases. New features include:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added support for Catalog Zones, a new method for provisioning servers: a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt list of zones to be served is stored in a DNS zone, along with their
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt configuration parameters. Changes to the catalog zone are propagated to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt are automatically added, deleted or reconfigured.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added support for "dnstap", a fast and flexible method of capturing and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt logging DNS traffic.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added support for "dyndb", a new API for loading zone data from an
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt external database, developed by Red Hat for the FreeIPA project.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* "fetchlimit" quotas are now compiled in by default. These are for the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt use of recursive resolvers that are are under high query load for domains
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt whose authoritative servers are nonresponsive or are experiencing a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt denial of service attack:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt * `fetches-per-server` limits the number of simultaneous queries that
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt can be sent to any single authoritative server. The configured value
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt is a starting point; it is automatically adjusted downward if the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt server is partially or completely non-responsive. The algorithm used
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt to adjust the quota can be configured via the "fetch-quota-params"
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt option.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt * `fetches-per-zone` limits the number of simultaneous queries that can
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt be sent for names within a single domain. (Note: Unlike
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `fetches-per-server`, this value is not self-tuning.)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt * New stats counters have been added to count queries spilled due to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt these quotas.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added a new `dnssec-keymgr` key mainenance utility, which can generate or
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt update keys as needed to ensure that a zone's keys match a defined DNSSEC
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt policy.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt is no longer optional. EDNS COOKIE is a mechanism enabling clients to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt detect off-path spoofed responses, and servers to detect spoofed-source
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt queries. Clients that identify themselves using COOKIE options are not
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt subject to response rate limiting (RRL) and can receive larger UDP
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt responses.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* SERVFAIL responses can now be cached for a limited time (defaulting to 1
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt second, with an upper limit of 30). This can reduce the frequency of
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt retries when a query is persistently failing.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added an `nsip-wait-recurse` switch to RPZ. This causes NSIP rules to be
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt skipped if a name server IP address isn't in the cache yet; the address
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt will be looked up and the rule will be applied on future queries.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Added a Python RNDC module. This allows multiple commands to sent over a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt persistent RNDC channel, which saves time.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The `controls` block in named.conf can now grant read-only `rndc` access
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt to specified clients or keys. Read-only clients could, for example, check
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `rndc status` but could not reconfigure or shut down the server.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `rndc` commands can now return arbitrarily large amounts of text to the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt caller.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The zone serial number of a dynamically updatable zone can now be set via
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `rndc signing -serial <number> <zonename>`. This allows inline-signing
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt zones to be set to a specific serial number.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The new `rndc nta` command can be used to set a Negative Trust Anchor
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt (NTA), disabling DNSSEC validation for a specific domain; this can be
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt used when responses from a domain are known to be failing validation due
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt to administrative error rather than because of a spoofing attack.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Negative trust anchors are strictly temporary; by default they expire
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt after one hour, but can be configured to last up to one week.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `rndc delzone` can now be used on zones that were not originally created
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt by "rndc addzone".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `rndc modzone` reconfigures a single zone, without requiring the entire
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt server to be reconfigured.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `rndc showzone` displays the current configuration of a zone.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `rndc managed-keys` can be used to check the status of RFC 5001 managed
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt trust anchors, or to force trust anchors to be refreshed.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `max-cache-size` can now be set to a percentage of available memory. The
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt default is 90%.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Update forwarding performance has been improved by allowing a single TCP
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt connection to be shared by multiple updates.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The EDNS Client Subnet (ECS) option is now supported for authoritative
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt servers; if a query contains an ECS option then ACLs containing `geoip`
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt or `ecs` elements can match against the the address encoded in the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt option. This can be used to select a view for a query, so that different
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt answers can be provided depending on the client network.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The EDNS EXPIRE option has been implemented on the client side, allowing
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt a slave server to set the expiration timer correctly when transferring
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt zone data from another slave server.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The key generation and manipulation tools (`dnssec-keygen`,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `dnssec-settime`, `dnssec-importkey`, `dnssec-keyfromlabel`) now take
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `-Psync` and `-Dsync` options to set the publication and deletion times
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt of CDS and CDNSKEY parent-synchronization records. Both `named` and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt `dnssec-signzone` can now publish and remove these records at the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt scheduled times.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* A new `minimal-any` option reduces the size of UDP responses for query
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt type ANY by returning a single arbitrarily selected RRset instead of all
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt RRsets.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* A new `masterfile-style` zone option controls the formatting of text zone
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt files: When set to `full`, a zone file is dumped in
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt single-line-per-record format.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `serial-update-method` can now be set to `date`. On update, the serial
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt number will be set to the current date in YYYYMMDDNN format.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `dnssec-signzone -N date` sets the serial number to YYYYMMDDNN.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `named -L <filename>` causes named to send log messages to the specified
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt file by default instead of to the system log.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `dig +ttlunits` prints TTL values with time-unit suffixes: w, d, h, m, s
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt for weeks, days, hours, minutes, and seconds.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `dig +unknownformat` prints dig output in RFC 3597 "unknown record"
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt presentation format.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `dig +ednsopt` allows dig to set arbitrary EDNS options on requests.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `dig +ednsflags` allows dig to set yet-to-be-defined EDNS flags on
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt requests.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `mdig` is an alternate version of dig which sends multiple pipelined TCP
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt queries to a server. Instead of waiting for a response after sending a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt query, it sends all queries immediately and displays responses in the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt order received.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `serial-query-rate` no longer controls NOTIFY messages. These are
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt separately controlled by `notify-rate` and `startup-notify-rate`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* `nsupdate` now performs `check-names` processing by default on records to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt be added. This can be disabled with `check-names no`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The statistics channel now supports DEFLATE compression, reducing the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt size of the data sent over the network when querying statistics.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* New counters have been added to the statistics channel to track the sizes
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt of incoming queries and outgoing responses in histogram buckets, as
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt specified in RSSAC002.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* A new NXDOMAIN redirect method (option `nxdomain-redirect`) has been
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt added, allowing redirection to a specified DNS namespace instead of a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt single redirect zone.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* When starting up, named now ensures that no other named process is
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt already running.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* Files created by named to store information, including `mkeys` and `nzf`
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt files, are now named after their corresponding views unless the view name
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt contains characters incompatible with use as a filename. Old style
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt filenames (based on the hash of the view name) will still work.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt#### BIND 9.11.1
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND 9.11.1 is a maintenance release, and addresses the security
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntflaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntCVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntCVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
3440cf9c60cd5d35634e7f274fd3eccbba2173a5Evan Hunt#### BIND 9.11.2
3440cf9c60cd5d35634e7f274fd3eccbba2173a5Evan Hunt
a03f4b1ea4f1a4a70963fbeb606841c217f9e5f3Evan HuntBIND 9.11.2 is a maintenance release, and addresses the security flaws
a03f4b1ea4f1a4a70963fbeb606841c217f9e5f3Evan Huntdisclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143.
a03f4b1ea4f1a4a70963fbeb606841c217f9e5f3Evan HuntIt also addresses several bugs related to the use of an LMDB database to
a03f4b1ea4f1a4a70963fbeb606841c217f9e5f3Evan Huntstore data related to zones added via `rndc addzone` or catalog zones.
3440cf9c60cd5d35634e7f274fd3eccbba2173a5Evan Hunt
ad309e8dfa0601d6053aaa12770a98a6940f89deEvan Hunt#### BIND 9.11.3
ad309e8dfa0601d6053aaa12770a98a6940f89deEvan Hunt
ad309e8dfa0601d6053aaa12770a98a6940f89deEvan HuntBIND 9.11.3 is a maintenance release, and addresses the security flaw
ad309e8dfa0601d6053aaa12770a98a6940f89deEvan Huntdisclosed in CVE-2017-3145.
ad309e8dfa0601d6053aaa12770a98a6940f89deEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="build"/> Building BIND
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntsupport, and a 64-bit integer type. Successful builds have been observed on
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntmany versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSCO OpenServer, and OpenWRT.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND is also available for Windows XP, 2003, 2008, and higher. See
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`win32utils/readme1st.txt` for details on building for Windows systems.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo build on a UNIX or Linux system, use:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt $ /configure
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt $ make
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntIf you're planning on making changes to the BIND 9 source, you should run
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`make depend`. If you're using Emacs, you might find `make tags` helpful.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSeveral environment variables that can be set before running `configure` will
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntaffect compilation:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|Variable|Description |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|--------------------|-----------------------------------------------|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`LDFLAGS`|Linker flags. Defaults to empty string.|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`BUILD_CFLAGS`|Optional, used for cross-compiling|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`BUILD_CPPFLAGS`||
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`BUILD_LDFLAGS`||
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|`BUILD_LIBS`||
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
070d7e5b0c858224798afdbe0f73164b42174856Mark Andrews#### <a name="macos"> macOS
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark Andrews
070d7e5b0c858224798afdbe0f73164b42174856Mark AndrewsBuilding on macOS assumes that the "Command Tools for Xcode" is installed.
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark AndrewsThis can be downloaded from https://developer.apple.com/download/more/
1e55e5021504da2d7a4d26de05ad2d3efcf9a3cfMark Andrewsor if you have Xcode already installed you can run "xcode-select --install".
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark AndrewsThis will add /usr/include to the system and install the compiler and other
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark Andrewstools so that they can be easily found.
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark Andrews
5a8e8bacd99efe33c85a666ec4586c9d769ec61cMark Andrews
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt#### <a name="opts"/> Compile-time options
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo see a full list of configuration options, run `configure --help`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntOn most platforms, BIND 9 is built with multithreading support, allowing it
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntto take advantage of multiple CPUs. You can configure this by specifying
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--enable-threads` or `--disable-threads` on the `configure` command line.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntThe default is to enable threads, except on some older operating systems on
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntwhich threads are known to have had problems in the past. (Note: Prior to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND 9.10, the default was to disable threads on Linux systems; this has
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntnow been reversed. On Linux systems, the threaded build is known to change
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntBIND's behavior with respect to file permissions; it may be necessary to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntspecify a user with the -u option when running `named`.)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo build shared libraries, specify `--with-libtool` on the `configure`
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntcommand line.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntCertain compiled-in constants and default settings can be increased to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntvalues better suited to large servers with abundant memory resources (e.g,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt64-bit servers with 12G or more of memory) by specifying
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--with-tuning=large` on the `configure` command line. This can improve
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntperformance on big servers, but will consume more memory and may degrade
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntperformance on smaller systems.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntFor the server to support DNSSEC, you need to build it with crypto support.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntOpenSSL library is installed in a nonstandard location, specify the prefix
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan Huntusing "--with-openssl=&lt;PREFIX&gt;" on the configure command line. To use a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntPKCS#11 hardware service module for cryptographic operations, specify the
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan Huntpath to the PKCS#11 provider library using "--with-pkcs11=&lt;PREFIX&gt;", and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntconfigure BIND with "--enable-native-pkcs11".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo support the HTTP statistics channel, the server must be linked with at
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntleast one of the following: libxml2
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[http://xmlsoft.org](http://xmlsoft.org) or json-c
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://github.com/json-c](https://github.com/json-c). If these are
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntinstalled at a nonstandard location, specify the prefix using
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--with-libxml2=/prefix` or `--with-libjson=/prefix`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo support compression on the HTTP statistics channel, the server must be
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntlinked against libzlib. If this is installed in a nonstandard location,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntspecify the prefix using `--with-zlib=/prefix`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo support storing configuration data for runtime-added zones in an LMDB
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdatabase, the server must be linked with liblmdb. If this is installed in a
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntnonstandard location, specify the prefix using "with-lmdb=/prefix".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo support GeoIP location-based ACLs, the server must be linked with
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntlibGeoIP. This is not turned on by default; BIND must be configured with
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt"--with-geoip". If the library is installed in a nonstandard location, use
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntspecify the prefix using "--with-geoip=/prefix".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan HuntFor DNSTAP packet logging, you must have installed libfstrm
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntand libprotobuf-c
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntand BIND must be configured with "--enable-dnstap".
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan HuntPortions of BIND that are written in Python, including
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan Hunt`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan Huntsystem tests, require the 'argparse' and 'ply' modules to be available.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt'argparse' is a standard module as of Python 2.7 and Python 3.2.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntOn some platforms it is necessary to explicitly request large file support
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntto handle files bigger than 2GB. This can be done by using
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--enable-largefile` on the `configure` command line.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSupport for the "fixed" rrset-order option can be enabled or disabled by
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntspecifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntconfigure command line. By default, fixed rrset-order is disabled to
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntreduce memory footprint.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntIf your operating system has integrated support for IPv6, it will be used
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntautomatically. If you have installed KAME IPv6 separately, use
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--with-kame[=PATH]` to specify its location.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`make install` will install `named` and the various BIND 9 libraries. By
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdefault, installation is into /usr/local, but this can be changed with the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--prefix` option when running `configure`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntYou may specify the option `--sysconfdir` to set the directory where
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntconfiguration files like `named.conf` go by default, and `--localstatedir`
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntto set the default parent directory of `run/named.pid`. For backwards
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntcompatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`--localstatedir` defaults to `/var` if no `--prefix` option is given. If
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntthere is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntlocalstatedir defaults to `$prefix/var`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="testing"/> Automated testing
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntA system test suite can be run with `make test`. The system tests require
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntyou to configure a set of virtual IP addresses on your system (this allows
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntmultiple servers to run locally and communicate with one another). These
e609b6b32bc8455692e1497a4568c68d7bfb9f36Evan HuntIP addresses can be configured by running the command
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`bin/tests/system/ifconfig.sh up` as root.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSome tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntand will be skipped if these are not available. Some tests require Python
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntand the 'dnspython' module and will be skipped if these are not available.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSee bin/tests/system/README for further details.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntUnit tests are implemented using Automated Testing Framework (ATF).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntTo run them, use `configure --with-atf`, then run `make test` or
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`make unit`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="doc"/> Documentation
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntThe *BIND 9 Administrator Reference Manual* is included with the source
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdistribution, in DocBook XML, HTML and PDF format, in the `doc/arm`
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdirectory.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntSome of the programs in the BIND 9 distribution have man pages in their
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdirectories. In particular, the command line options of `named` are
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdocumented in `bin/named/named.8`.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntFrequently (and not-so-frequently) asked questions and their answers
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntcan be found in the ISC Knowledge Base at
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt[https://kb.isc.org](https://kb.isc.org).
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntAdditional information on various subjects can be found in other
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt`README` files throughout the source tree.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="changes"/> Change log
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntA detailed list of all changes that have been made throughout the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntdevelopment BIND 9 is included in the file CHANGES, with the most recent
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntchanges listed first. Change notes include tags indicating the category of
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntthe change that was made; these categories are:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|Category |Description |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt|-------------- |-----------------------------------------------|
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [func] | New feature |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [bug] | General bug fix |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [security] | Fix for a significant security flaw |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [port] | Portability enhancement |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [maint] | Updates to built-in data such as root server addresses and keys |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [tuning] | Changes to built-in configuration defaults and constants to improve performance |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [performance] | Other changes to improve server performance |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [protocol] | Updates to the DNS protocol such as new RR types |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [test] | Changes to the automatic tests, not affecting server functionality |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [cleanup] | Minor corrections and refactoring |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [doc] | Documentation |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntIn general, [func] and [experimental] tags will only appear in new-feature
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntreleases (i.e., those with version numbers ending in zero). Some new
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Huntfunctionality may be backported to older releases on a case-by-case basis.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan HuntAll other change types may be applied to all currently-supported releases.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt### <a name="ack"/> Acknowledgments
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* The original development of BIND 9 was underwritten by the
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt following organizations:
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Sun Microsystems, Inc.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Hewlett Packard
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Compaq Computer Corporation
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt IBM
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Process Software Corporation
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Silicon Graphics, Inc.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Network Associates, Inc.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt U.S. Defense Information Systems Agency
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt USENIX Association
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Stichting NLnet - NLnet Foundation
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt Nominum, Inc.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* This product includes software developed by the OpenSSL Project for use
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt in the OpenSSL Toolkit.
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* This product includes cryptographic software written by Eric Young
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt (eay@cryptsoft.com)
0d7548ee341c83c540624a423e2c701b6e9ddc4eEvan Hunt* This product includes software written by Tim Hudson (tjh@cryptsoft.com)