README.md revision e609b6b32bc8455692e1497a4568c68d7bfb9f36
Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.11 features](#features)
1. [Building BIND](#build)
1. [Compile-time options](#opts)
1. [Automated testing](#testing)
1. [Documentation](#doc)
1. [Change log](#changes)
1. [Acknowledgments](#ack)

BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.

The BIND name server, `named`, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the `dig` and `delv` DNS lookup tools,
`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
administration, and more.

BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium
([https://www.isc.org](https://www.isc.org)), a 501(c)(3) public benefit
corporation dedicated to providing software and services in support of the
Internet infrastructure, developed BIND 9 and is responsible for its
ongoing maintenance and improvement. BIND is open source software
licensed under the terms of ISC License for all versions up to and
including BIND 9.10, and the Mozilla Public License version 2.0 for all
subsequent versions.

For a summary of features introduced in past major releases of BIND,
see the file [HISTORY](HISTORY.md).

For a detailed list of changes made throughout the history of BIND 9, see
the file [CHANGES](CHANGES). See [below](#changes) for details on the
CHANGES file format.

For up-to-date release notes and errata, see
[http://www.isc.org/software/bind9/releasenotes](http://www.isc.org/software/bind9/releasenotes)

### <a name="help"/> Reporting bugs and getting help

Please report assertion failure errors and suspected security issues to
[security-officer@isc.org](mailto:security-officer@isc.org).

General bug reports can be sent to
[bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).

Feature requests can be sent to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org).

Please note that, while tickets submitted to ISC's ticketing system
are not initially publicly readable by default, they can be made publicly
accessible afterward. Please do not include information in bug reports that
you consider to be confidential. In particular, when sending the contents of
your configuration file, it is advisable to obscure key secrets: this can
be done automatically by using `named-checkconf -px`.
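
A pre-submission check in the spirit of the advice above, as an added example: it is not ISC code and does not reproduce how `named-checkconf -px` works internally. It finds `secret` statements in configuration text (including commented-out key blocks, which disclose a secret just as well) and masks them; the sample configuration, key names, secret values and the mask string are all constructed for illustration.

```python
import re

# Mask written in place of each secret; an assumption of this example,
# chosen to be obviously not a key.
MASK = '"????????"'

# `secret <value>;` where the value is a quoted string or a bare token.
SECRET_RE = re.compile(r'\b(secret\s+)("(?:[^"\\]|\\.)*"|[^\s;"]+)(\s*;)')
# `key <name> {` opens a key block; the name may be quoted.
# `keys { ... }` lists (as in a controls block) do not match.
KEY_RE = re.compile(r'\bkey\s+"?([^\s"{};]+)"?\s*\{')

# Constructed sample configuration; the secrets are placeholders, not real keys.
SAMPLE_CONF = '''\
key "rndc-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtc2FtcGxlLW9ubHk=";
};
// key "old-xfer" { algorithm hmac-md5; secret "b2xkLXNhbXBsZQ=="; };
key transfer-key { algorithm hmac-sha256; secret c2Vjb25kLXNhbXBsZQ==; };
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
'''


def find_secrets(conf_text):
    """Return [(key_name, value, line_no)] for every unmasked secret.

    Comments are scanned on purpose: a commented-out key block still
    discloses its secret to whoever reads the bug report.
    """
    key_starts = [(m.start(), m.group(1)) for m in KEY_RE.finditer(conf_text)]
    found = []
    for m in SECRET_RE.finditer(conf_text):
        if m.group(2) == MASK:
            continue  # already obscured
        # Attribute the secret to the nearest key block opened before it.
        owner = "<unknown>"
        for pos, name in key_starts:
            if pos < m.start():
                owner = name
        line_no = conf_text.count("\n", 0, m.start()) + 1
        found.append((owner, m.group(2).strip('"'), line_no))
    return found


def redact(conf_text):
    """Mask every secret value; return (redacted_text, names_of_keys_masked)."""
    names = [name for name, _, _ in find_secrets(conf_text)]
    redacted = SECRET_RE.sub(
        lambda m: m.group(1) + MASK + m.group(3), conf_text
    )
    return redacted, names


def safe_to_share(conf_text):
    """True only if no unmasked secret statement remains in the text."""
    return not find_secrets(conf_text)


if __name__ == "__main__":
    for name, _, line_no in find_secrets(SAMPLE_CONF):
        print("line %d: key %s carries a secret" % (line_no, name))
    cleaned, masked = redact(SAMPLE_CONF)
    print("masked keys:", ", ".join(masked))
    print("safe to share:", safe_to_share(cleaned))
```

Running `safe_to_share` on the exact text about to be attached catches the case where the unredacted file is sent by mistake.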

Professional support and training for BIND are available from
ISC at [https://www.isc.org/support](https://www.isc.org/support).

To join the __BIND Users__ mailing list, or view the archives, visit
[https://lists.isc.org/mailman/listinfo/bind-users](https://lists.isc.org/mailman/listinfo/bind-users).

If you're planning on making changes to the BIND 9 source code, you
may also want to join the __BIND Workers__ mailing list, at
[https://lists.isc.org/mailman/listinfo/bind-workers](https://lists.isc.org/mailman/listinfo/bind-workers).

ISC maintains a public git repository for BIND; details can be found
at [http://www.isc.org/git/](http://www.isc.org/git/), and also on Github
at [https://github.com/isc-projects](https://github.com/isc-projects).

Information for BIND contributors can be found in the following files:

- General information: [doc/dev/contrib.md](doc/dev/contrib.md)
- BIND 9 code style: [doc/dev/style.md](doc/dev/style.md)
- BIND architecture and developer guide: [doc/dev/dev.md](doc/dev/dev.md)

Patches for BIND may be submitted either as Github pull requests
or via email. When submitting a patch via email, please prepend the
subject header with "`[PATCH]`" so it will be easier for us to find.
If your patch introduces a new feature in BIND, please submit it to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org); if it fixes a bug,
please submit it to [bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

* Added support for Catalog Zones, a new method for provisioning servers: a
  list of zones to be served is stored in a DNS zone, along with their
  configuration parameters. Changes to the catalog zone are propagated to
  slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
  are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing and
  logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
  external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
  use of recursive resolvers that are under high query load for domains
  whose authoritative servers are nonresponsive or are experiencing a
  denial of service attack:
    * `fetches-per-server` limits the number of simultaneous queries that
      can be sent to any single authoritative server. The configured value
      is a starting point; it is automatically adjusted downward if the
      server is partially or completely non-responsive. The algorithm used
      to adjust the quota can be configured via the "fetch-quota-params"
    * `fetches-per-zone` limits the number of simultaneous queries that can
      be sent for names within a single domain. (Note: Unlike
      `fetches-per-server`, this value is not self-tuning.)
    * New stats counters have been added to count queries spilled due to
      these quotas.
* Added a new `dnssec-keymgr` key maintenance utility, which can generate or
  update keys as needed to ensure that a zone's keys match a defined DNSSEC
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
  is no longer optional. EDNS COOKIE is a mechanism enabling clients to
  detect off-path spoofed responses, and servers to detect spoofed-source
  queries. Clients that identify themselves using COOKIE options are not
  subject to response rate limiting (RRL) and can receive larger UDP
* SERVFAIL responses can now be cached for a limited time (defaulting to 1
  second, with an upper limit of 30). This can reduce the frequency of
  retries when a query is persistently failing.
* Added an `nsip-wait-recurse` switch to RPZ. This causes NSIP rules to be
  skipped if a name server IP address isn't in the cache yet; the address
  will be looked up and the rule will be applied on future queries.
* Added a Python RNDC module. This allows multiple commands to be sent over a
  persistent RNDC channel, which saves time.
* The `controls` block in named.conf can now grant read-only `rndc` access
  to specified clients or keys. Read-only clients could, for example, check
  `rndc status` but could not reconfigure or shut down the server.
* `rndc` commands can now return arbitrarily large amounts of text to the
* The zone serial number of a dynamically updatable zone can now be set via
  `rndc signing -serial <number> <zonename>`. This allows inline-signing
  zones to be set to a specific serial number.
* The new `rndc nta` command can be used to set a Negative Trust Anchor
  (NTA), disabling DNSSEC validation for a specific domain; this can be
  used when responses from a domain are known to be failing validation due
  to administrative error rather than because of a spoofing attack.
  Negative trust anchors are strictly temporary; by default they expire
  after one hour, but can be configured to last up to one week.
* `rndc delzone` can now be used on zones that were not originally created
  by "rndc addzone".
* `rndc modzone` reconfigures a single zone, without requiring the entire
  server to be reconfigured.
* `rndc showzone` displays the current configuration of a zone.
* `rndc managed-keys` can be used to check the status of RFC 5001 managed
  trust anchors, or to force trust anchors to be refreshed.
* `max-cache-size` can now be set to a percentage of available memory. The
  default is 90%.
* Update forwarding performance has been improved by allowing a single TCP
  connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
  servers; if a query contains an ECS option then ACLs containing `geoip`
  or `ecs` elements can match against the address encoded in the
  option. This can be used to select a view for a query, so that different
  answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side, allowing
  a slave server to set the expiration timer correctly when transferring
  zone data from another slave server.
* The key generation and manipulation tools (`dnssec-keygen`,
  `dnssec-settime`, `dnssec-importkey`, `dnssec-keyfromlabel`) now take
  `-Psync` and `-Dsync` options to set the publication and deletion times
  of CDS and CDNSKEY parent-synchronization records. Both `named` and
  `dnssec-signzone` can now publish and remove these records at the
  scheduled times.
* A new `minimal-any` option reduces the size of UDP responses for query
  type ANY by returning a single arbitrarily selected RRset instead of all
* A new `masterfile-style` zone option controls the formatting of text zone
  files: When set to `full`, a zone file is dumped in
  single-line-per-record format.
* `serial-update-method` can now be set to `date`. On update, the serial
  number will be set to the current date in YYYYMMDDNN format.
* `dnssec-signzone -N date` sets the serial number to YYYYMMDDNN.
* `named -L <filename>` causes named to send log messages to the specified
  file by default instead of to the system log.
* `dig +ttlunits` prints TTL values with time-unit suffixes: w, d, h, m, s
  for weeks, days, hours, minutes, and seconds.
* `dig +unknownformat` prints dig output in RFC 3597 "unknown record"
  presentation format.
* `dig +ednsopt` allows dig to set arbitrary EDNS options on requests.
* `dig +ednsflags` allows dig to set yet-to-be-defined EDNS flags on
* `mdig` is an alternate version of dig which sends multiple pipelined TCP
  queries to a server. Instead of waiting for a response after sending a
  query, it sends all queries immediately and displays responses in the
  order received.
* `serial-query-rate` no longer controls NOTIFY messages. These are
  separately controlled by `notify-rate` and `startup-notify-rate`.
* `nsupdate` now performs `check-names` processing by default on records to
  be added. This can be disabled with `check-names no`.
* The statistics channel now supports DEFLATE compression, reducing the
  size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the sizes
  of incoming queries and outgoing responses in histogram buckets, as
  specified in RSSAC002.
* A new NXDOMAIN redirect method (option `nxdomain-redirect`) has been
  added, allowing redirection to a specified DNS namespace instead of a
  single redirect zone.
* When starting up, named now ensures that no other named process is
  already running.
* Files created by named to store information, including `mkeys` and `nzf`
  files, are now named after their corresponding views unless the view name
  contains characters incompatible with use as a filename. Old style
  filenames (based on the hash of the view name) will still work.

#### BIND 9.11.1

BIND 9.11.1 is a maintenance release, and addresses the security
flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.

#### BIND 9.11.2

BIND 9.11.2 is a maintenance release, and addresses the security flaws
disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143.
It also addresses several bugs related to the use of an LMDB database to
store data related to zones added via `rndc addzone` or catalog zones.

BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed on
many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
SCO OpenServer, and OpenWRT.

BIND is also available for Windows XP, 2003, 2008, and higher. See
`win32utils/readme1st.txt` for details on building for Windows systems.

To build on a UNIX or Linux system, use:

If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.

Several environment variables that can be set before running `configure` will
affect compilation:

|Variable|Description|
|--------------------|-----------------------------------------------|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`.|
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|
|`BUILD_CPPFLAGS`||
|`BUILD_LDFLAGS`||
|`BUILD_LIBS`||

To see a full list of configuration options, run `configure --help`.

On most platforms, BIND 9 is built with multithreading support, allowing it
to take advantage of multiple CPUs. You can configure this by specifying
`--enable-threads` or `--disable-threads` on the `configure` command line.
The default is to enable threads, except on some older operating systems on
which threads are known to have had problems in the past. (Note: Prior to
BIND 9.10, the default was to disable threads on Linux systems; this has
now been reversed. On Linux systems, the threaded build is known to change
BIND's behavior with respect to file permissions; it may be necessary to
specify a user with the -u option when running `named`.)

To build shared libraries, specify `--with-libtool` on the `configure`
command line.

Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g.,
64-bit servers with 12G or more of memory) by specifying
`--with-tuning=large` on the `configure` command line. This can improve
performance on big servers, but will consume more memory and may degrade
performance on smaller systems.

For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using "--with-openssl=<PREFIX>" on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using "--with-pkcs11=<PREFIX>", and
configure BIND with "--enable-native-pkcs11".

To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
[https://github.com/json-c](https://github.com/json-c). If these are
installed at a nonstandard location, specify the prefix using
`--with-libxml2=/prefix` or `--with-libjson=/prefix`.

To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.

To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using "--with-lmdb=/prefix".

To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location,
specify the prefix using "--with-geoip=/prefix".

For DNSTAP packet logging, you must have installed libfstrm
[https://github.com/farsightsec/fstrm](https://github.com/farsightsec/fstrm)
and libprotobuf-c
[https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
and BIND must be configured with "--enable-dnstap".

Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.
'ply' is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).

On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
`--enable-largefile` on the `configure` command line.

Support for the "fixed" rrset-order option can be enabled or disabled by
specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
configure command line. By default, fixed rrset-order is disabled to
reduce memory footprint.

If your operating system has integrated support for IPv6, it will be used
automatically. If you have installed KAME IPv6 separately, use
`--with-kame[=PATH]` to specify its location.

`make install` will install `named` and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
`--prefix` option when running `configure`.

You may specify the option `--sysconfdir` to set the directory where
configuration files like `named.conf` go by default, and `--localstatedir`
to set the default parent directory of `run/named.pid`. For backwards
compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
`--localstatedir` defaults to `/var` if no `--prefix` option is given. If
there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
A system test suite can be run with `make test`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command

Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.

Unit tests are implemented using Automated Testing Framework (ATF).
To run them, use `configure --with-atf`, then run `make test` or

The *BIND 9 Administrator Reference Manual* is included with the source
distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`

Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of `named` are

Frequently (and not-so-frequently) asked questions and their answers
can be found in the ISC Knowledge Base at

Additional information on various subjects can be found in other
`README` files throughout the source tree.

A detailed list of all changes that have been made throughout the
development of BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:

|Category        |Description                                    |
|--------------- |-----------------------------------------------|
| [func]         | New feature |
| [bug]          | General bug fix |
| [security]     | Fix for a significant security flaw |
| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
| [port]         | Portability enhancement |
| [maint]        | Updates to built-in data such as root server addresses and keys |
| [tuning]       | Changes to built-in configuration defaults and constants to improve performance |
| [performance]  | Other changes to improve server performance |
| [protocol]     | Updates to the DNS protocol such as new RR types |
| [test]         | Changes to the automatic tests, not affecting server functionality |
| [cleanup]      | Minor corrections and refactoring |
| [doc]          | Documentation |
| [contrib]      | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder]  | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |

In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.

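When reviewing an upgrade, the category tags make it possible to pull the `[security]` entries out of CHANGES and to flag tags that are not in the table above. The following is an added example, not part of BIND; the entry layout (change number, tag, text, indented continuation lines) is an assumption, and the sample entries are constructed.

```python
import re
from collections import Counter

# Tags taken from the category table above.
KNOWN_TAGS = {"func", "bug", "security", "experimental", "port", "maint",
              "tuning", "performance", "protocol", "test", "cleanup", "doc",
              "contrib", "placeholder"}

# Assumed entry layout: "<number>.<whitespace>[tag]<whitespace>text", with
# indented continuation lines. The README does not specify this layout.
ENTRY_RE = re.compile(r"^(\d+)\.\s+\[([a-z]+)\]\s*(.*)$")

# Constructed sample, not taken from the real CHANGES file.
SAMPLE = """\
1003.\t[security]\tConstructed entry: reject an oversized field
\t\t\tinstead of asserting.
1002.\t[bug]\t\tConstructed entry: fix a counter that wrapped.
1001.\t[placeholder]
1000.\t[fnuc]\t\tConstructed entry with a mistyped tag.
"""

def parse_changes(text):
    """Return a list of (number, tag, description) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([int(m.group(1)), m.group(2), m.group(3).strip()])
        elif entries and line[:1] in (" ", "\t") and line.strip():
            # Continuation line: fold it into the previous entry.
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def triage(text):
    """Split entries into security fixes, per-tag counts and unknown tags."""
    entries = parse_changes(text)
    security = [e for e in entries if e[1] == "security"]
    counts = Counter(tag for _, tag, _ in entries)
    unknown = [e for e in entries if e[1] not in KNOWN_TAGS]
    return security, counts, unknown

if __name__ == "__main__":
    security, counts, unknown = triage(SAMPLE)
    for number, _, text in security:
        print(f"{number}: {text}")
    print(dict(counts), [n for n, _, _ in unknown])
```
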
* The original development of BIND 9 was underwritten by the
  following organizations:

        Sun Microsystems, Inc.
        Hewlett Packard
        Compaq Computer Corporation
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        USENIX Association
        Stichting NLnet - NLnet Foundation
        Nominum, Inc.

* This product includes software developed by the OpenSSL Project for use
  in the OpenSSL Toolkit.
  [http://www.OpenSSL.org/](http://www.OpenSSL.org/)
* This product includes cryptographic software written by Eric Young
  (eay@cryptsoft.com)
* This product includes software written by Tim Hudson (tjh@cryptsoft.com)