Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this

1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.11 features](#features)
1. [Building BIND](#build)
1. [Compile-time options](#opts)
1. [Automated testing](#testing)
1. [Documentation](#doc)
1. [Change log](#changes)
1. [Acknowledgments](#ack)
### <a name="intro"/> Introduction

BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.

The BIND name server, `named`, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the `dig` and `delv` DNS lookup tools,
`nsupdate` for dynamic DNS zone updates, `rndc` for remote name server
administration, and more.

BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium, a corporation dedicated to
providing software and services in support of the Internet infrastructure,
developed BIND 9 and is responsible for its ongoing maintenance and
improvement. BIND is open source software licensed under the terms of the
ISC License for all versions up to and including BIND 9.10, and the
Mozilla Public License version 2.0 for all

For a summary of features introduced in past major releases of BIND,

For a detailed list of changes made throughout the history of BIND 9, see
the file [CHANGES](CHANGES). See [below](#changes) for details on the

For up-to-date release notes and errata, see
### <a name="help"/> Reporting bugs and getting help

Please report assertion failure errors and suspected security issues to
[security-officer@isc.org](mailto:security-officer@isc.org).

General bug reports can be sent to
[bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).

Feature requests can be sent to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org).

Please note that, while tickets submitted to ISC's ticketing system
are not initially publicly readable by default, they can be made publicly
accessible afterward. Please do not include information in bug reports that
you consider to be confidential. In particular, when sending the contents of
your configuration file, it is advisable to obscure key secrets: this can
be done automatically by using `named-checkconf -px`.

Professional support and training for BIND are available from

To join the __BIND Users__ mailing list, or view the archives, visit

If you're planning on making changes to the BIND 9 source code, you
may also want to join the __BIND Workers__ mailing list, at
### <a name="contrib"/> Contributing to BIND

ISC maintains a public git repository for BIND; details can be found

Information for BIND contributors can be found in the following files:

Patches for BIND may be submitted either as GitHub pull requests
or via email. When submitting a patch via email, please prepend the
subject header with "`[PATCH]`" so it will be easier for us to find.
If your patch introduces a new feature in BIND, please submit it to
[bind-suggest@isc.org](mailto:bind-suggest@isc.org); if it fixes a bug,
please submit it to [bind9-bugs@isc.org](mailto:bind9-bugs@isc.org).
### <a name="features"/> BIND 9.11 features

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

* Added support for Catalog Zones, a new method for provisioning servers: a
  list of zones to be served is stored in a DNS zone, along with their
  configuration parameters. Changes to the catalog zone are propagated to
  slaves via normal AXFR/IXFR, whereupon the zones that are listed in it
  are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing and
  logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
  external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
  use of recursive resolvers that are under high query load for domains
  whose authoritative servers are nonresponsive or are experiencing a
  denial of service attack:
    * `fetches-per-server` limits the number of simultaneous queries that
      can be sent to any single authoritative server. The configured value
      is a starting point; it is automatically adjusted downward if the
      server is partially or completely non-responsive. The algorithm used
      to adjust the quota can be configured via the "fetch-quota-params"
    * `fetches-per-zone` limits the number of simultaneous queries that can
      be sent for names within a single domain. (Note: Unlike
      `fetches-per-server`, this value is not self-tuning.)
    * New stats counters have been added to count queries spilled due to
* Added a new `dnssec-keymgr` key maintenance utility, which can generate or
  update keys as needed to ensure that a zone's keys match a defined DNSSEC
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" and
  is no longer optional. EDNS COOKIE is a mechanism enabling clients to
  detect off-path spoofed responses, and servers to detect spoofed-source
  queries. Clients that identify themselves using COOKIE options are not
  subject to response rate limiting (RRL) and can receive larger UDP
* SERVFAIL responses can now be cached for a limited time (defaulting to 1
  second, with an upper limit of 30). This can reduce the frequency of
  retries when a query is persistently failing.
* Added an `nsip-wait-recurse` switch to RPZ. This causes NSIP rules to be
  skipped if a name server IP address isn't in the cache yet; the address
  will be looked up and the rule will be applied on future queries.
* Added a Python RNDC module. This allows multiple commands to be sent over a
  persistent RNDC channel, which saves time.
* The `controls` block in named.conf can now grant read-only `rndc` access
  to specified clients or keys. Read-only clients could, for example, check
  `rndc status` but could not reconfigure or shut down the server.
* `rndc` commands can now return arbitrarily large amounts of text to the
* The zone serial number of a dynamically updatable zone can now be set via
  `rndc signing -serial <number> <zonename>`. This allows inline-signing
  zones to be set to a specific serial number.
* The new `rndc nta` command can be used to set a Negative Trust Anchor
  (NTA), disabling DNSSEC validation for a specific domain; this can be
  used when responses from a domain are known to be failing validation due
  to administrative error rather than because of a spoofing attack.
  Negative trust anchors are strictly temporary; by default they expire
  after one hour, but can be configured to last up to one week.
* `rndc delzone` can now be used on zones that were not originally created
* `rndc modzone` reconfigures a single zone, without requiring the entire
  server to be reconfigured.
* `rndc showzone` displays the current configuration of a zone.
* `rndc managed-keys` can be used to check the status of RFC 5011 managed
  trust anchors, or to force trust anchors to be refreshed.
* `max-cache-size` can now be set to a percentage of available memory. The
* Update forwarding performance has been improved by allowing a single TCP
  connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
  servers; if a query contains an ECS option then ACLs containing `geoip`
  or `ecs` elements can match against the address encoded in the
  option. This can be used to select a view for a query, so that different
  answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side, allowing
  a slave server to set the expiration timer correctly when transferring
  zone data from another slave server.
* The key generation and manipulation tools (`dnssec-keygen`,
  `dnssec-settime`, `dnssec-importkey`, `dnssec-keyfromlabel`) now take
  `-Psync` and `-Dsync` options to set the publication and deletion times
  of CDS and CDNSKEY parent-synchronization records. Both `named` and
  `dnssec-signzone` can now publish and remove these records at the
* A new `minimal-any` option reduces the size of UDP responses for query
  type ANY by returning a single arbitrarily selected RRset instead of all
* A new `masterfile-style` zone option controls the formatting of text zone
  files: When set to `full`, a zone file is dumped in
  single-line-per-record format.
* `serial-update-method` can now be set to `date`. On update, the serial
  number will be set to the current date in YYYYMMDDNN format.
* `dnssec-signzone -N date` sets the serial number to YYYYMMDDNN.
* `named -L <filename>` causes named to send log messages to the specified
  file by default instead of to the system log.
* `dig +ttlunits` prints TTL values with time-unit suffixes: w, d, h, m, s
  for weeks, days, hours, minutes, and seconds.
* `dig +unknownformat` prints dig output in RFC 3597 "unknown record"
  presentation format.
* `dig +ednsopt` allows dig to set arbitrary EDNS options on requests.
* `dig +ednsflags` allows dig to set yet-to-be-defined EDNS flags on
* `mdig` is an alternate version of dig which sends multiple pipelined TCP
  queries to a server. Instead of waiting for a response after sending a
  query, it sends all queries immediately and displays responses in the
* `serial-query-rate` no longer controls NOTIFY messages. These are
  separately controlled by `notify-rate` and `startup-notify-rate`.
* `nsupdate` now performs `check-names` processing by default on records to
  be added. This can be disabled with `check-names no`.
* The statistics channel now supports DEFLATE compression, reducing the
  size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the sizes
  of incoming queries and outgoing responses in histogram buckets, as
  specified in RSSAC002.
* A new NXDOMAIN redirect method (option `nxdomain-redirect`) has been
  added, allowing redirection to a specified DNS namespace instead of a
  single redirect zone.
* When starting up, named now ensures that no other named process is
* Files created by named to store information, including `mkeys` and `nzf`
  files, are now named after their corresponding views unless the view name
  contains characters incompatible with use as a filename. Old style
  filenames (based on the hash of the view name) will still work.
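The `named.conf` fragment below is an added example, not part of the BIND distribution or of this README, showing how several of the 9.11 options listed above fit together on a recursive server: the compiled-in fetch limits with their tuning parameters, the short SERVFAIL cache, `minimal-any`, a percentage `max-cache-size`, the NOTIFY rate options that replaced `serial-query-rate` for this purpose, and a `controls` block that grants full `rndc` access with one key and read-only access with another. The quota values, port numbers and key names are illustrative choices, and the key secrets are dummy placeholders to be replaced with output from `rndc-confgen`.

```conf
options {
    // Fetch limits (compiled in by default since 9.11). The per-server
    // value is only a starting quota; named tunes it downward for
    // authoritative servers that stop answering, following the
    // fetch-quota-params algorithm (recalculation interval, low and high
    // thresholds, discount factor).
    fetches-per-server 200;
    fetch-quota-params 100 0.1 0.3 0.7;
    // The per-zone limit is static (not self-tuning); "drop" silently
    // discards excess queries instead of answering them with SERVFAIL.
    fetches-per-zone 100 drop;

    // Cache SERVFAIL for one second (upper limit 30) to damp retry storms.
    servfail-ttl 1;

    // Answer ANY over UDP with a single RRset.
    minimal-any yes;

    // Size the cache relative to available memory.
    max-cache-size 50%;

    // NOTIFY pacing is no longer tied to serial-query-rate.
    notify-rate 20;
    startup-notify-rate 20;
};

// Dummy secrets (placeholders): generate real ones with "rndc-confgen -a"
// or "rndc-confgen -k <name>" and never reuse the full-access key for
// monitoring.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};
key "rndc-ro-key" {
    algorithm hmac-sha256;
    secret "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAA=";
};

controls {
    // Full administrative access: reconfig, reload, stop, nta, ...
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    // Read-only channel for monitoring: "rndc status" works, while
    // "rndc reconfig" or "rndc stop" is refused.
    inet 127.0.0.1 port 9953 allow { 127.0.0.1; } keys { "rndc-ro-key"; }
        read-only yes;
};
```

Validate the file with `named-checkconf`; when sending it to ISC, `named-checkconf -px` prints it with the key secrets obscured, as the help section above recommends. Keeping the two channels on different ports lets an `rndc.conf` for the monitoring host reference only `rndc-ro-key` and port 9953, so a compromise of that host yields `rndc status` output but not control of the server.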
BIND 9.11.1 is a maintenance release, and addresses the security
flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.

BIND 9.11.2 is a maintenance release, and addresses the security flaws
disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and CVE-2017-3143.
It also addresses several bugs related to the use of an LMDB database to
store data related to zones added via `rndc addzone` or catalog zones.

BIND 9.11.3 is a maintenance release, and addresses the security flaw
disclosed in CVE-2017-3145.
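The `serial-update-method date` and `dnssec-signzone -N date` items in the feature list above share one rule with the older `unixtime` method: the new serial is the method's value unless the zone's current serial is already at or beyond it, in which case the serial is simply incremented. The comparison that matters is RFC 1982 serial arithmetic, because that is what a slave uses to decide whether a master's SOA is newer; a serial that does not compare "greater" is ignored and no transfer happens. The Python below is an added example, not BIND code, that models those rules. The function names are my own, and `now` is injected as a parameter so the behaviour is deterministic.

```python
"""Model of how BIND picks a zone's next SOA serial (added example, not BIND code).

Rules modelled from the BIND documentation:
  increment  - current serial + 1
  unixtime   - seconds since the Unix epoch
  date       - YYYYMMDD00
For unixtime and date, if the computed value is not "greater" than the
current serial in RFC 1982 serial arithmetic, the serial is instead
incremented by one. Results wrap modulo 2^32 and never land on 0.
"""
from datetime import datetime, timezone
from typing import Optional

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31

# Constructed scenario date used by the demo below: 2018-03-01 00:00 UTC.
EXAMPLE_DAY = datetime(2018, 3, 1, tzinfo=timezone.utc)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: True if serial a is 'greater than' serial b (mod 2^32).

    This is the test a slave applies to the master's SOA serial before
    deciding to transfer, so it is the only notion of 'newer' that counts.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def next_serial(current: int, method: str = "increment",
                now: Optional[datetime] = None) -> int:
    """Return the serial named would write after a dynamic update."""
    now = now or datetime.now(timezone.utc)
    if method == "increment":
        candidate = current + 1
    elif method == "unixtime":
        candidate = int(now.timestamp())
    elif method == "date":
        candidate = int(now.strftime("%Y%m%d")) * 100
    else:
        raise ValueError(f"unknown serial-update-method {method!r}")

    # A date- or time-based value that would not advance the serial (same
    # day, or a zone whose serial already exceeds today's date) falls back
    # to a plain increment so the serial still moves forward.
    if method != "increment" and not serial_gt(candidate, current):
        candidate = current + 1

    candidate %= SERIAL_MOD
    return candidate if candidate != 0 else 1


def slave_will_transfer(master_serial: int, slave_serial: int) -> bool:
    """Whether a slave holding slave_serial will pull a zone at master_serial."""
    return serial_gt(master_serial, slave_serial)


if __name__ == "__main__":
    # A zone last updated in 2017 receives three updates on 2018-03-01.
    serial = 2017123199
    for _ in range(3):
        serial = next_serial(serial, "date", now=EXAMPLE_DAY)
        print(serial)  # 2018030100, 2018030101, 2018030102
    # A zone whose serial is already "in the future" keeps incrementing
    # rather than going backwards, which would stop slaves transferring.
    print(next_serial(2019010100, "date", now=EXAMPLE_DAY))  # 2019010101
    print(slave_will_transfer(2019010101, 2019010100))       # True
```

The fallback branch is the part worth remembering operationally: switching a zone from a large `unixtime`-style serial to `date` does not roll the serial backwards, and a serial bumped past today's date by hand will keep incrementing from there until the calendar catches up.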
### <a name="build"/> Building BIND

BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed on
many versions of Linux and UNIX, including RedHat, Fedora, Debian, Ubuntu,
SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, HP-UX, AIX,
SCO OpenServer, and OpenWRT.

BIND is also available for Windows XP, 2003, 2008, and higher. See

To build on a UNIX or Linux system, use:

If you're planning on making changes to the BIND 9 source, you should run
`make depend`. If you're using Emacs, you might find `make tags` helpful.

Several environment variables that can be set before running `configure` will

|Variable|Description |
|--------------------|-----------------------------------------------|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|Optional, used for cross-compiling|

#### <a name="macos"/> macOS

Building on macOS assumes that the "Command Tools for Xcode" is installed.
or if you have Xcode already installed you can run "xcode-select --install".
This will add /usr/include to the system and install the compiler and other
tools so that they can be easily found.
#### <a name="opts"/> Compile-time options

To see a full list of configuration options, run `configure --help`.

On most platforms, BIND 9 is built with multithreading support, allowing it
to take advantage of multiple CPUs. You can configure this by specifying
`--enable-threads` or `--disable-threads` on the `configure` command line.
The default is to enable threads, except on some older operating systems on
which threads are known to have had problems in the past. (Note: Prior to
BIND 9.10, the default was to disable threads on Linux systems; this has
now been reversed. On Linux systems, the threaded build is known to change
BIND's behavior with respect to file permissions; it may be necessary to
specify a user with the -u option when running `named`.)

To build shared libraries, specify `--with-libtool` on the `configure`

Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g.,
64-bit servers with 12G or more of memory) by specifying
`--with-tuning=large` on the `configure` command line. This can improve
performance on big servers, but will consume more memory and may degrade
performance on smaller systems.

For the server to support DNSSEC, you need to build it with crypto support.
To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
OpenSSL library is installed in a nonstandard location, specify the prefix
using `--with-openssl=<PREFIX>` on the configure command line. To use a
PKCS#11 hardware service module for cryptographic operations, specify the
path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
configure BIND with `--enable-native-pkcs11`.

To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2
installed at a nonstandard location, specify the prefix using
`--with-libxml2=/prefix` or `--with-libjson=/prefix`.

To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using `--with-zlib=/prefix`.

To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in a
nonstandard location, specify the prefix using `--with-lmdb=/prefix`.

To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
`--with-geoip`. If the library is installed in a nonstandard location,
specify the prefix using `--with-geoip=/prefix`.

For DNSTAP packet logging, you must have installed libfstrm
and BIND must be configured with `--enable-dnstap`.

Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2.

On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
`--enable-largefile` on the `configure` command line.

Support for the "fixed" rrset-order option can be enabled or disabled by
specifying `--enable-fixed-rrset` or `--disable-fixed-rrset` on the
configure command line. By default, fixed rrset-order is disabled to
reduce memory footprint.

If your operating system has integrated support for IPv6, it will be used
automatically. If you have installed KAME IPv6 separately, use
`--with-kame[=PATH]` to specify its location.

`make install` will install `named` and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
`--prefix` option when running `configure`.

You may specify the option `--sysconfdir` to set the directory where
configuration files like `named.conf` go by default, and `--localstatedir`
compatibility with BIND 8, `--sysconfdir` defaults to `/etc` and
`--localstatedir` defaults to `/var` if no `--prefix` option is given. If
there is a `--prefix` option, sysconfdir defaults to `$prefix/etc` and
### <a name="testing"/> Automated testing

A system test suite can be run with `make test`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command

Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the 'dnspython' module and will be skipped if these are not available.

Unit tests are implemented using Automated Testing Framework (ATF).
To run them, use `configure --with-atf`, then run `make test` or
### <a name="doc"/> Documentation

The *BIND 9 Administrator Reference Manual* is included with the source
distribution, in DocBook XML, HTML and PDF format, in the `doc/arm`

Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of `named` are

Frequently (and not-so-frequently) asked questions and their answers
can be found in the ISC Knowledge Base at

Additional information on various subjects can be found in other
`README` files throughout the source tree.
### <a name="changes"/> Change log

A detailed list of all changes that have been made throughout the
development of BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:

|Category       |Description                                    |
|---------------|-----------------------------------------------|
| [func]        | New feature |
| [bug]         | General bug fix |
| [security]    | Fix for a significant security flaw |
| [experimental] | Used for new features when the syntax or other aspects of the design are still in flux and may change |
| [port]        | Portability enhancement |
| [maint]       | Updates to built-in data such as root server addresses and keys |
| [tuning]      | Changes to built-in configuration defaults and constants to improve performance |
| [performance] | Other changes to improve server performance |
| [protocol]    | Updates to the DNS protocol such as new RR types |
| [test]        | Changes to the automatic tests, not affecting server functionality |
| [cleanup]     | Minor corrections and refactoring |
| [doc]         | Documentation |
| [contrib]     | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |

In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
### <a name="ack"/> Acknowledgments

* The original development of BIND 9 was underwritten by the
  following organizations:

        Sun Microsystems, Inc.
        Compaq Computer Corporation
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        Stichting NLnet - NLnet Foundation

* This product includes software developed by the OpenSSL Project for use
  in the OpenSSL Toolkit.
* This product includes cryptographic software written by Eric Young
* This product includes software written by Tim Hudson (tjh@cryptsoft.com)