README revision 1a849dab19287148f12da50d890f455f02aa3622
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt BIND version 9 is a major rewrite of nearly all aspects of the
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt underlying BIND architecture. Some of the important features of
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - DNS Security
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt DNSSEC (signed zones)
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt TSIG (signed DNS requests)
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - IP version 6
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Answers DNS queries on IPv6 sockets
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt IPv6 resource records (AAAA)
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Experimental IPv6 Resolver Library
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - DNS Protocol Enhancements
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt IXFR, DDNS, Notify, EDNS0
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Improved standards conformance
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt One server process can provide multiple "views" of
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt the DNS namespace, e.g. an "inside" view to certain
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt clients, and an "outside" view to others.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - Multiprocessor Support
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - Improved Portability Architecture
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt BIND version 9 development has been underwritten by the following
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt organizations:
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Sun Microsystems, Inc.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Hewlett Packard
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Compaq Computer Corporation
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Process Software Corporation
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Silicon Graphics, Inc.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Network Associates, Inc.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt U.S. Defense Information Systems Agency
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt USENIX Association
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Stichting NLnet - NLnet Foundation
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt Nominum, Inc.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt For a summary of functional enhancements in previous
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt releases, see the HISTORY file.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt For a detailed list of user-visible changes from
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt previous releases, see the CHANGES file.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt For up-to-date release notes and errata, see
e560fbdf77b08ff23ab71b107f022829bcd552dbMark Andrews BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
e560fbdf77b08ff23ab71b107f022829bcd552dbMark Andrews releases. New features include:
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - Added support for "dnstap", a fast and flexible method of
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt capturing and logging DNS traffic.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - Added support for "dyndb", a new API for loading zone data
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt from an external database, developed by Red Hat for the FreeIPA
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt - New "fetchlimit" quotas are now available for the use of
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt recursive resolvers that are are under high query load for
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt domains whose authoritative servers are nonresponsive or are
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt experiencing a denial of service attack:
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt + "fetches-per-server" limits the number of simultaneous queries
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt that can be sent to any single authoritative server. The
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt configured value is a starting point; it is automatically
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt adjusted downward if the server is partially or completely
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt non-responsive. The algorithm used to adjust the quota can be
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt configured via the "fetch-quota-params" option.
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt + "fetches-per-zone" limits the number of simultaneous queries
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt that can be sent for names within a single domain. (Note:
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt Unlike "fetches-per-server", this value is not self-tuning.)
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt + New stats counters have been added to count
53b5a0377d08626553f3d581e821f29da44c0a88Evan Hunt queries spilled due to these quotas.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The experimental "SIT" feature in BIND 9.10 has been renamed
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt enabling clients to detect off-path spoofed responses, and
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt servers to detect spoofed-source queries. Clients that identify
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt themselves using COOKIE options are not subject to response rate
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt limiting (RRL) and can receive larger UDP responses.
b9691872341fbf997b7d6be987aec18afda236f6Evan Hunt - SERVFAIL responses can now be cached for a limited time
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt (defaulting to 1 second, with an upper limit of 30).
b9691872341fbf997b7d6be987aec18afda236f6Evan Hunt This can reduce the frequency of retries when a query is
b9691872341fbf997b7d6be987aec18afda236f6Evan Hunt persistently failing.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The "controls" block in named.conf can now grand read-only
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt "rndc" access to specified clients or keys. Read-only clients
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt could, for example, check "rndc status" but could not
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt reconfigure or shut down the server.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "rndc" commands can now return arbitrarily large amounts of
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt text to the caller.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The zone serial number of a dynamically updatable zone
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt can now be set via "rndc signing -serial <number> <zonename>".
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt This allows inline-signing zones to be set to a specific
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt serial number.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The new "rndc nta" command can be used to set a Negative
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt Trust Anchor (NTA), disabling DNSSEC validation for a
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt specific domain; this can be used when responses from a
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt domain are known to be failing validation due to administrative
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt error rather than because of a spoofing attack. Negative
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt trust anchors are strictly temporary; by default they expire
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt after one hour, but can be configured to last up to one week.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "rndc delzone" can now be used on zones that were not originally
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt created by "rndc addzone".
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "rndc modzone" reconfigures a single zone, without requiring
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt the entire server to be reconfigured.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "rndc showzone" displays the current configuration of a zone.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "rndc managed-keys" can be used to check the status of RFC 5001
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt managed trust anchors, or to force trust anchors to be refreshed.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "max-cache-size" can now be set to a percentage of available
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt memory. The default is 90%.
b9691872341fbf997b7d6be987aec18afda236f6Evan Hunt - Update forwarding performance has been improved by allowing
b9691872341fbf997b7d6be987aec18afda236f6Evan Hunt a single TCP connection to be shared by multiple updates.
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt - The EDNS Client Subnet (ECS) option is now supported for
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt authoritative servers; if a query contains an ECS option
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt then ACLs containing "geoip" or "ecs" elements can match
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt against the the address encoded in the option. This can be
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt used to select a view for a query, so that different answers
d46855caedd5cb101795707f6f467fa363ef1448Evan Hunt can be provided depending on the client network.
d0ffef73fdee75f30e33c628a31d031616ad9433Evan Hunt - The EDNS EXPIRE option has been implemented on the client
d0ffef73fdee75f30e33c628a31d031616ad9433Evan Hunt side, allowing a slave server to set the expiration timer
d0ffef73fdee75f30e33c628a31d031616ad9433Evan Hunt correctly when transferring zone data from another slave
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The key generation and manipulation tools (dnssec-keygen,
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt take "-Psync" and "-Dsync" options to set the publication
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt and deletion times of CDS and CDNSKEY parent-synchronization
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt records. Both named and dnssec-signzone can now publish and
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt remove these records at the scheduled times.
39a1cfa41589961fd0e4ff4c68e37065bdc02563Evan Hunt - A new "masterfile-style" zone option controls the formatting
39a1cfa41589961fd0e4ff4c68e37065bdc02563Evan Hunt of text zone files: When set to "full", a zone file is dumped
39a1cfa41589961fd0e4ff4c68e37065bdc02563Evan Hunt in single-line-per-record format.
1fe0d7f6d05458b50a4bce9143ef07eaaf1f234dEvan Hunt - "serial-update-method" can now be set to "date". On update,
39a1cfa41589961fd0e4ff4c68e37065bdc02563Evan Hunt the serial number will be set to the current date in YYYYMMDDNN
b4ba66ba1e36a6d8236d20be55273ce663819d69Evan Hunt - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
44613d4d868ed5e73a1132280880f0699af56733Evan Hunt - "named -L <filename>" causes named to send log messages to
44613d4d868ed5e73a1132280880f0699af56733Evan Hunt the specified file by default instead of to the system log.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "dig +ttlunits" prints TTL values with time-unit suffixes:
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt w, d, h, m, s for weeks, days, hours, minutes, and seconds.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "dig +unknownformat" prints dig output in RFC 3597 "unknown
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt record" presentation format.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "dig +ednsopt" allows dig to set arbitrary EDNS options on
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt flags on requests.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "mdig" is an alternate version of dig which sends multiple
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt pipelined TCP queries to a server. Instead of waiting for a
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt response after sending a query, it sends all queries
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt immediately and displays responses in the order received.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "serial-query-rate" no longer controls NOTIFY messages.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt These are separately controlled by "notify-rate" and
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt "startup-notify-rate".
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - "nsupdate" now performs "check-names" processing by default
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt on records to be added. This can be disabled with
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt "check-names no".
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - The statistics channel now supports DEFLATE compression,
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt reducing the size of the data sent over the network when
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt querying statistics.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - New counters have been added to the statistics channel
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt to track the sizes of incoming queries and outgoing responses in
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt histogram buckets, as specified in RSSAC002.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - An new NXDOMAIN redirect method (option "nxdomain-redirect")
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt has been added, allowing redirection to a specified DNS
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt namespace instead of a single redirect zone.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - When starting up, named now ensures that no other named
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt process is already running.
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt - Files created by named to store information, including "mkeys"
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt and "nzf" files, are now named after their corresponding views
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt unless the view name contains characters incompatible with use
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt as a filename. Old style filenames (based on the hash of the
1a849dab19287148f12da50d890f455f02aa3622Evan Hunt view name) will still work.
f5e4daf2ba0799a9beed5357701eecb8df56ceeaMark Andrews This release addresses the security flaws described in
c5eb9add52241aab2e95f31b53bb911438bb38f5Mark Andrews CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
77daae1a07756b2aec7b110cb309232237f8222dMark Andrews CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
d9ec4ca4b6946ebba5d6f60f28f9725fa4232bf7Mark Andrews CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
d9ec4ca4b6946ebba5d6f60f28f9725fa4232bf7Mark Andrews CVE-2016-1286 and CVE-2016-2088.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt releases. New features include:
9d1f3953d3226a9e85d26bc59e62b29c16d14e77Evan Hunt - DNS Response-rate limiting (DNS RRL), which blunts the
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt impact of reflection and amplification attacks, is always
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt compiled in and no longer requires a compile-time option
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt to enable it.
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt - An experimental "Source Identity Token" (SIT) EDNS option
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt is now available. Similar to DNS Cookies as invented by
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt Donald Eastlake 3rd, these are designed to enable clients
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt to detect off-path spoofed responses, and to enable servers
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt to detect spoofed-source queries. Servers can be configured
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt to send smaller responses to clients that have not identified
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt themselves using a SIT option, reducing the effectiveness of
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt amplification attacks. RRL processing has also been updated;
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt clients proven to be legitimate via SIT are not subject to
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt rate limiting. Use "configure --enable-sit" to enable this
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt feature in BIND.
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt - A new zone file format, "map", stores zone data in a
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt format that can be mapped directly into memory, allowing
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt significantly faster zone loading.
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt - "delv" (domain entity lookup and validation) is a new tool
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt with dig-like semantics for looking up DNS data and performing
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt internal DNSSEC validation. This allows easy validation in
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt environments where the resolver may not be trustworthy, and
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt assists with troubleshooting of DNSSEC problems. (NOTE:
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt In previous development releases of BIND 9.10, this utility
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt was called "delve". The spelling has been changed to avoid
f9f252589bcaa2c2427975b587b74c4c3526ec1cEvan Hunt confusion with the "delve" utility included with the Xapian
f9f252589bcaa2c2427975b587b74c4c3526ec1cEvan Hunt search engine.)
45e74d65bd981a97c5da2f86e8557c9843a0c7c0Evan Hunt - Improved EDNS(0) processing for better resolver performance
45e74d65bd981a97c5da2f86e8557c9843a0c7c0Evan Hunt and reliability over slow or lossy connections.
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt - A new "configure --with-tuning=large" option tunes certain
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt compiled-in constants and default settings to values better
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt suited to large servers with abundant memory. This can
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt improve performance on such servers, but will consume more
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt memory and may degrade performance on smaller systems.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - Substantial improvement in response-policy zone (RPZ)
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt performance. Up to 32 response-policy zones can be
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt configured with minimal performance loss.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - To improve recursive resolver performance, cache records
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt which are still being requested by clients can now be
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt automatically refreshed from the authoritative server
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt before they expire, reducing or eliminating the time
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt window in which no answer is available in the cache.
9d1f3953d3226a9e85d26bc59e62b29c16d14e77Evan Hunt - New "rpz-client-ip" triggers and drop policies allowing
9d1f3953d3226a9e85d26bc59e62b29c16d14e77Evan Hunt response policies based on the IP address of the client.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - ACLs can now be specified based on geographic location
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt using the MaxMind GeoIP databases. Use "configure
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt --with-geoip" to enable.
45e74d65bd981a97c5da2f86e8557c9843a0c7c0Evan Hunt - Zone data can now be shared between views, allowing
45e74d65bd981a97c5da2f86e8557c9843a0c7c0Evan Hunt multiple views to serve the same zones authoritatively
daa098822e9798fa22fa704cfb1dddf96c8f253bJeremy C. Reed without storing multiple copies in memory.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - New XML schema (version 3) for the statistics channel
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt includes many new statistics and uses a flattened XML tree
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt for faster parsing. The older schema is now deprecated.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - A new stylesheet, based on the Google Charts API, displays
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt XML statistics in charts and graphs on javascript-enabled
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - The statistics channel can now provide data in JSON
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt format as well as XML.
821350367e2c7313c02eb275e8e05d5193b47cfdJeremy C. Reed - New stats counters track TCP and UDP queries received
1736709296d81b06230f073543e95d70bd7cfe7cEvan Hunt per zone, and EDNS options received in total.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - The internal and export versions of the BIND libraries
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt (libisc, libdns, etc) have been unified so that external
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt library clients can use the same libraries as BIND itself.
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt - A new compile-time option, "configure --enable-native-pkcs11",
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt allows BIND 9 cryptography functions to use the PKCS#11 API
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt natively, so that BIND can drive a cryptographic hardware
db955e6f01e7a40c7c69b21495e316a9f29102a8Evan Hunt service module (HSM) directly instead of using a modified
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt OpenSSL as an intermediary. (Note: This feature requires an
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt HSM to have a full implementation of the PKCS#11 API; many
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt current HSMs only have partial implementations. The new
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt "pkcs11-tokens" command can be used to check API completeness.
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt Native PKCS#11 is known to work with the Thales nShield HSM
e94261f0bcfb42a33128f27809d7c36f32f703f5Evan Hunt and with SoftHSM version 2 from the Open DNSSEC project.)
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt - The new "max-zone-ttl" option enforces maximum TTLs for
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt zones. This can simplify the process of rolling DNSSEC keys
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt by guaranteeing that cached signatures will have expired
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt within the specified amount of time.
fc73ba3528e8ceaa30ab4c2f74c991d08f4e2cedEvan Hunt - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
fc73ba3528e8ceaa30ab4c2f74c991d08f4e2cedEvan Hunt - "dig +expire" sends an EDNS EXPIRE option when querying.
7adf0928b92d742b727c9d032044c22f4fc8ebe7Evan Hunt When this option is sent with an SOA query to a server
7adf0928b92d742b727c9d032044c22f4fc8ebe7Evan Hunt that supports it, it will report the expiry time of
7adf0928b92d742b727c9d032044c22f4fc8ebe7Evan Hunt a slave zone.
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt - New "dnssec-coverage" tool to check DNSSEC key coverage
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt for a zone and report if a lapse in signing coverage has
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt been inadvertently scheduled.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - Signing algorithm flexibility and other improvements
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt for the "rndc" control channel.
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt - "named-checkzone" and "named-compilezone" can now read
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt journal files, allowing them to process dynamic zones.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - Multiple DLZ databases can now be configured. Individual
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt zones can be configured to be served from a specific DLZ
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt database. DLZ databases now serve zones of type "master"
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt and "redirect".
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - "rndc zonestatus" reports information about a specified zone.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - "named" now listens on IPv6 as well as IPv4 interfaces
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt - "named" now preserves the capitalization of names
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt when responding to queries: for instance, a query for
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt "example.com" may be answered with "example.COM" if the
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt name was configured that way in the zone file. Some
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt clients have a bug causing them to depend on the older
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt behavior, in which the case of the answer always matched
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt the case of the query, rather than the case of the name
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt configured in the DNS. Such clients can now be specified
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt in the new "no-case-compress" ACL; this will restore the
f6f88198067c260f92bae36bd564bd68e929d6b3Evan Hunt older behavior of "named" for those clients only.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - new "dnssec-importkey" command allows the use of offline
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt DNSSEC keys with automatic DNSKEY management.
83d59691e3d25938474ea1e0b8a0385e1a77da40Evan Hunt - New "named-rrchecker" tool to verify the syntactic
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt correctness of individual resource records.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - When re-signing a zone, the new "dnssec-signzone -Q" option
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt drops signatures from keys that are still published but are
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt no longer active.
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt - "named-checkconf -px" will print the contents of configuration
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt files with the shared secrets obscured, making it easier to
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt share configuration (e.g. when submitting a bug report)
b751788932cf1a6d98ae83355f38a080125c2f3eEvan Hunt without revealing private information.
c9221313204f9720b3ae54c3ef1d89743180223aEvan Hunt - "rndc scan" causes named to re-scan network interfaces for
c9221313204f9720b3ae54c3ef1d89743180223aEvan Hunt changes in local addresses.
c9221313204f9720b3ae54c3ef1d89743180223aEvan Hunt - On operating systems with support for routing sockets,
c9221313204f9720b3ae54c3ef1d89743180223aEvan Hunt network interfaces are re-scanned automatically whenever
c9221313204f9720b3ae54c3ef1d89743180223aEvan Hunt they change.
2c0af3459435dcad54e787a2a3472c8aa374e0dfEvan Hunt - "tsig-keygen" is now available as an alternate command
2c0af3459435dcad54e787a2a3472c8aa374e0dfEvan Hunt name to use for "ddns-confgen".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt BIND 9 currently requires a UNIX system with an ANSI C compiler,
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt basic POSIX support, and a 64 bit integer type.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt We've had successful builds and tests on the following systems:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt COMPAQ Tru64 UNIX 5.1B
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Fedora Core 6
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt FreeBSD 4.10, 5.2.1, 6.2
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Mac OS X 10.5
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt NetBSD 3.x, 4.0-beta, 5.0-beta
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt OpenBSD 3.3 and up
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Solaris 8, 9, 9 (x86), 10
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Ubuntu 7.04, 7.10
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Windows XP/2003/2008
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Windows, including Windows NT and Windows 2000, are no longer
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt We have recent reports from the user community that a supported
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt version of BIND will build and run on the following systems:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt CentOS 4, 4.5, 5
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Darwin 9.0.0d1/ARM
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Debian 4, 5, 6
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Fedora Core 5, 7, 8
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt FreeBSD 6, 7, 8
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt HP-UX 11.23 PA
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt MacOS X 10.5, 10.6, 10.7
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Red Hat Enterprise Linux 4, 5, 6
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt SCO OpenServer 5.0.6
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Slackware 9, 10
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To build, just
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Do not use a parallel "make".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Several environment variables that can be set before running
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt configure will affect compilation:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The C compiler to use. configure tries to figure
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt out the right one for supported systems.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt C compiler flags. Defaults to include -g and/or -O2
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt as supported by the compiler. Please include '-g'
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt if you need to set CFLAGS.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt STD_CINCLUDES
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt System header file directories. Can be used to specify
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt where add-on thread or IPv6 support is, for example.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Defaults to empty string.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt STD_CDEFINES
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Any additional preprocessor symbols you want defined.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Defaults to empty string.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Possible settings:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Change the default syslog facility of named/lwresd.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DISC_FACILITY=LOG_LOCAL0
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Enable DNSSEC signature chasing support in dig.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DDIG_SIGCHASE_BU=1)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Disable dropping queries from particular well known ports.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DNS_CLIENT_DROPPORT=0
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Sibling glue checking in named-checkzone is enabled by default.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To disable the default check set. -DCHECK_SIBLING=0
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt named-checkzone checks out-of-zone addresses by default.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To disable this default set. -DCHECK_LOCAL=0
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To create the default pid files in ${localstatedir}/run rather
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt than ${localstatedir}/run/{named,lwresd}/ set.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DNS_RUN_PID_DIR=0
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Enable workaround for Solaris kernel bug about /dev/poll
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DISC_SOCKET_USE_POLLWATCH=1
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The watch timeout is also configurable, e.g.,
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DISC_SOCKET_POLLWATCH_TIMEOUT=20
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Linker flags. Defaults to empty string.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The following need to be set when cross compiling.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The native C compiler.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt BUILD_CFLAGS (optional)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt BUILD_CPPFLAGS (optional)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Possible Settings:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt BUILD_LDFLAGS (optional)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt BUILD_LIBS (optional)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt On most platforms, BIND 9 is built with multithreading
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt support, allowing it to take advantage of multiple CPUs.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt You can configure this by specifying "--enable-threads" or
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "--disable-threads" on the configure command line. The default
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt is to enable threads, except on some older operating systems
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt on which threads are known to have had problems in the past.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt (Note: Prior to BIND 9.10, the default was to disable threads on
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Linux systems; this has been reversed. On Linux systems, the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt threaded build is known to change BIND's behavior with respect
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt to file permissions; it may be necessary to specify a user with
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt the -u option when running named.)
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To build shared libraries, specify "--with-libtool" on the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt configure command line.
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt Certain compiled-in constants and default settings can be
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt increased to values better suited to large servers with abundant
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt memory resources (e.g, 64-bit servers with 12G or more of memory)
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt by specifying "--with-tuning=large" on the configure command
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt line. This can improve performance on big servers, but will
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt consume more memory and may degrade performance on smaller
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt For the server to support DNSSEC, you need to build it
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt with crypto support. You must have OpenSSL 0.9.5a
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt or newer installed and specify "--with-openssl" on the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt configure command line. If OpenSSL is installed under
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt a nonstandard prefix, you can tell configure where to
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt look for it using "--with-openssl=/prefix".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To support the HTTP statistics channel, the server must
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt be linked with at least one of the following: libxml2
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt (http://xmlsoft.org) or json-c (https://github.com/json-c).
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If these are installed at a nonstandard prefix, use
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "--with-libxml2=/prefix" or "--with-libjson=/prefix".
3d8078255fd165b42cc5725427fa27810ecd1d56Mark Andrews To support compression on the HTTP statistics channel, the
3d8078255fd165b42cc5725427fa27810ecd1d56Mark Andrews server must be linked against libzlib (--with-zlib=/prefix).
daa098822e9798fa22fa704cfb1dddf96c8f253bJeremy C. Reed On some platforms it is necessary to explicitly request large
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt file support to handle files bigger than 2GB. This can be
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt done by "--enable-largefile" on the configure command line.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Support for the "fixed" rrset-order option can be enabled
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt or disabled by specifying "--enable-fixed-rrset" or
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "--disable-fixed-rrset" on the configure command line.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The default is "disabled", to reduce memory footprint.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If your operating system has integrated support for IPv6, it
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt will be used automatically. If you have installed KAME IPv6
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt separately, use "--with-kame[=PATH]" to specify its location.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "make install" will install "named" and the various BIND 9 libraries.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt By default, installation is into /usr/local, but this can be changed
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt with the "--prefix" option when running "configure".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt You may specify the option "--sysconfdir" to set the directory
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt where configuration files like "named.conf" go by default,
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt and "--localstatedir" to set the default parent directory
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt of "run/named.pid". For backwards compatibility with BIND 8,
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt --sysconfdir defaults to "/etc" and --localstatedir defaults to
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "/var" if no --prefix option is given. If there is a --prefix
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt option, sysconfdir defaults to "$prefix/etc" and localstatedir
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt defaults to "$prefix/var".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt To see additional configure options, run "configure --help".
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Note that the help message does not reflect the BIND 8
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt compatibility defaults for sysconfdir and localstatedir.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If you're planning on making changes to the BIND 9 source, you
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt should also "make depend". If you're using Emacs, you might find
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt "make tags" helpful.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If you need to re-run configure please run "make distclean" first.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt This will ensure that all the option changes take.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Building with gcc is not supported, unless gcc is the vendor's usual
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt compiler (e.g. the various BSD systems, Linux).
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Known compiler issues:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt * gcc-3.3.5 powerpc generates incorrect code at -02.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt * Irix, MipsPRO 7.4.1m is known to cause problems.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt A limited test suite can be run with "make test". Many of
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt the tests require you to configure a set of virtual IP addresses
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt on your system, and some require Perl; see bin/tests/system/README
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt for details.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt SunOS 4 requires "printf" to be installed to make the shared
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt libraries. sh-utils-1.16 provides a "printf" which compiles
c5e2e93f62e83ff6e3d85ea05ab5a9f468300a32Mark AndrewsKnown limitations
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Linux requires kernel build 2.6.39 or later to get the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt performance benefits from using multiple sockets.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt The BIND 9 Administrator Reference Manual is included with the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt source distribution in DocBook XML and HTML format, in the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Some of the programs in the BIND 9 distribution have man pages
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt in their directories. In particular, the command line
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt options of "named" are documented in /bin/named/named.8.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt There is now also a set of man pages for the lwres library.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If you are upgrading from BIND 8, please read the migration
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt notes in doc/misc/migration. If you are upgrading from
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Frequently asked questions and their answers can be found in
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Additional information on various subjects can be found
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt in the other README files.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt A detailed list of all changes to BIND 9 is included in the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt file CHANGES, with the most recent changes listed first.
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt Change notes include tags indicating the category of the
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt change that was made; these categories are:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [func] New feature
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [bug] General bug fix
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [security] Fix for a significant security flaw
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [experimental] Used for new features when the syntax
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt or other aspects of the design are still
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt in flux and may change
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [port] Portability enhancement
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [maint] Updates to built-in data such as root
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt server addresses and keys
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [tuning] Changes to built-in configuration defaults
daa098822e9798fa22fa704cfb1dddf96c8f253bJeremy C. Reed and constants to improve performance
5828f087148dd281907857a9ab6560619b95843eEvan Hunt [performance] Other changes to improve server performance
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [protocol] Updates to the DNS protocol such as new
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [test] Changes to the automatic tests, not
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt affecting server functionality
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [cleanup] Minor corrections and refactoring
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt [doc] Documentation
09158ff8e47827f22547c4c0aa81f93127aae05cEvan Hunt [contrib] Changes to the contributed tools and
09158ff8e47827f22547c4c0aa81f93127aae05cEvan Hunt libraries in the 'contrib' subdirectory
ff0b3538a430cfaf617921ce59ff36c31c189986Evan Hunt [placeholder] Used in the master development branch to
ff0b3538a430cfaf617921ce59ff36c31c189986Evan Hunt reserve change numbers for use in other
ff0b3538a430cfaf617921ce59ff36c31c189986Evan Hunt branches, e.g. when fixing a bug that only
ff0b3538a430cfaf617921ce59ff36c31c189986Evan Hunt exists in older releases
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt In general, [func] and [experimental] tags will only appear
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt in new-feature releases (i.e., those with version numbers
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt ending in zero). Some new functionality may be backported to
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt older releases on a case-by-case basis. All other change
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt types may be applied to all currently-supported releases.
413d5565ba2af24f12dc54d6e6807af7f1a39867Andreas GustafssonBug Reports and Mailing Lists
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt Bug reports should be sent to:
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt bind9-bugs@isc.org
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt Feature requests can be sent to:
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt bind-suggest@isc.org
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt To join or view the archives of the BIND Users mailing list,
3b1b34f762cf4a9a4e09d3ef03becc0d08acddb9Evan Hunt If you're planning on making changes to the BIND 9 source
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt code, you may also want to join the BIND Workers mailing
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt https://lists.isc.org/mailman/listinfo/bind-workers
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt Information on read-only Git access, coding style and developer
e1cd26e8f9a8c58636b7677356d108a003086b1bEvan Hunt guidelines can be found at:
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan HuntAcknowledgments
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt - This product includes software developed by the OpenSSL Project
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt - This product includes cryptographic software written by Eric
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt Young (eay@cryptsoft.com).
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt - This product includes software written by Tim Hudson
ba41a196662a56fad56a2b087b6fc0b581bfc5ffEvan Hunt (tjh@cryptsoft.com).