BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
  Improved standards conformance

One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following

Compaq Computer Corporation
Process Software Corporation
Stichting NLnet - NLnet Foundation

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

- Dig now supports sending of arbitrary EDNS options by specifying

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

- DNS Response-rate limiting (DNS RRL), which blunts the
  impact of reflection and amplification attacks, is always
  compiled in and no longer requires a compile-time option

- An experimental "Source Identity Token" (SIT) EDNS option
  is now available. Similar to DNS Cookies as invented by
  Donald Eastlake 3rd, these are designed to enable clients
  to detect off-path spoofed responses, and to enable servers
  to detect spoofed-source queries. Servers can be configured
  to send smaller responses to clients that have not identified
  themselves using a SIT option, reducing the effectiveness of
  amplification attacks. RRL processing has also been updated;
  clients proven to be legitimate via SIT are not subject to
  rate limiting. Use "configure --enable-sit" to enable this
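The two items above describe one defensive mechanism from two sides: a source-identity cookie lets the server tell queries from a proven source address apart from queries whose source may be spoofed, and rate limiting then only has to apply to the unproven ones. The following is an added model of that interaction, not BIND's own SIT or RRL code. Its constructions are assumptions: the server cookie is an HMAC-SHA256 tag over the client cookie and the source address, truncated to 8 bytes, and the rate limit is a token bucket per /24 source prefix. The addresses, secret and query stream are constructed for the demonstration.

```python
"""Model of DNS cookies (SIT) working together with response-rate limiting.

Added example: this is not BIND's own SIT or RRL code. It models the
behaviour the release notes describe: a server cookie proves that a query
really came from the address it claims; queries without a valid cookie get
only a small response and are rate limited, while proven clients are exempt.

Assumptions (not from the page): the server cookie is an HMAC-SHA256
tag over client cookie || source address, truncated to 8 bytes, and the
rate limit is a token bucket per /24 source prefix.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

COOKIE_LEN = 8


def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Keyed MAC binding the client's cookie to its source address (assumed construction)."""
    packed = ipaddress.ip_address(client_ip).packed
    tag = hmac.new(secret, client_cookie + packed, hashlib.sha256).digest()
    return tag[:COOKIE_LEN]


def cookie_is_valid(secret: bytes, client_cookie: bytes,
                    presented: Optional[bytes], client_ip: str) -> bool:
    """True only if the presented server cookie was issued for this client cookie and address."""
    if presented is None or len(client_cookie) != COOKIE_LEN:
        return False
    expected = server_cookie(secret, client_cookie, client_ip)
    return hmac.compare_digest(expected, presented)


class RateLimiter:
    """Token bucket per source /24, a simplification of RRL's per-network accounting."""

    def __init__(self, responses_per_second: int, prefix_len: int = 24):
        self.rate = responses_per_second
        self.prefix_len = prefix_len
        self.buckets = {}  # network -> (tokens, time of last refill)

    def allow(self, client_ip: str, now: float) -> bool:
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        tokens, last = self.buckets.get(net, (float(self.rate), now))
        tokens = min(float(self.rate), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[net] = (tokens - 1.0, now)
            return True
        self.buckets[net] = (tokens, now)
        return False


def handle_query(secret: bytes, limiter: RateLimiter, query: dict, now: float) -> str:
    """Decide how to answer one query.

    query keys: "src" (source address), optional "client_cookie" and
    "server_cookie" (bytes). Returns "full" (normal answer), "small"
    (minimal reply that just hands back a fresh cookie, so it is of no
    use for amplification) or "drop" (rate limit exceeded).
    """
    cc = query.get("client_cookie")
    if cc is not None and cookie_is_valid(secret, cc, query.get("server_cookie"), query["src"]):
        return "full"  # source proven by the cookie: exempt from rate limiting
    if limiter.allow(query["src"], now):
        return "small"
    return "drop"


def simulate() -> dict:
    """Constructed scenario: a spoofed-source flood plus one legitimate client."""
    secret = b"constructed-secret-key"      # constructed, not a real key
    limiter = RateLimiter(responses_per_second=5)
    victim = "198.51.100.7"                 # constructed documentation address
    # 20 queries claiming to come from the victim, none carrying a valid cookie
    flood = [handle_query(secret, limiter, {"src": victim}, 0.0) for _ in range(20)]
    # A legitimate host in the same /24 that already holds a valid cookie
    legit = "198.51.100.9"
    cc = bytes(range(8))
    sc = server_cookie(secret, cc, legit)
    verified = handle_query(secret, limiter,
                            {"src": legit, "client_cookie": cc, "server_cookie": sc}, 0.0)
    # The same cookie presented from another address does not verify
    replayed = handle_query(secret, limiter,
                            {"src": "203.0.113.5", "client_cookie": cc, "server_cookie": sc}, 0.0)
    return {"small": flood.count("small"), "drop": flood.count("drop"),
            "verified": verified, "replayed": replayed}


if __name__ == "__main__":
    print(simulate())
```

In the constructed run, the flood from the spoofed address gets five small replies and fifteen drops, the legitimate host in the same /24 is answered in full because its cookie proves the source, and a cookie replayed from a different address falls back to the unproven path. The point for a defender is the ordering: cookie verification happens first, so rate limiting never penalises a client that has already proven itself.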
- A new zone file format, "map", stores zone data in a
  format that can be mapped directly into memory, allowing
  significantly faster zone loading.

- "delv" (domain entity lookup and validation) is a new tool
  with dig-like semantics for looking up DNS data and performing
  internal DNSSEC validation. This allows easy validation in
  environments where the resolver may not be trustworthy, and
  assists with troubleshooting of DNSSEC problems. (NOTE:
  In previous development releases of BIND 9.10, this utility
  was called "delve". The spelling has been changed to avoid
  confusion with the "delve" utility that is included with

- Improved EDNS(0) processing for better resolver performance
  and reliability over slow or lossy connections.

- A new "configure --with-tuning=large" option tunes certain
  compiled-in constants and default settings to values better
  suited to large servers with abundant memory. This can
  improve performance on such servers, but will consume more
  memory and may degrade performance on smaller systems.

- Substantial improvement in response-policy zone (RPZ)
  performance. Up to 32 response-policy zones can be
  configured with minimal performance loss.

- To improve recursive resolver performance, cache records
  which are still being requested by clients can now be
  automatically refreshed from the authoritative server
  before they expire, reducing or eliminating the time
  window in which no answer is available in the cache.

- New "rpz-client-ip" triggers and drop policies allowing
  response policies based on the IP address of the client.

- ACLs can now be specified based on geographic location
  using the MaxMind GeoIP databases. Use "configure

- Zone data can now be shared between views, allowing
  multiple views to serve the same zones authoritatively
  without storing multiple copies in memory.

- New XML schema (version 3) for the statistics channel
  includes many new statistics and uses a flattened XML tree
  for faster parsing. The older schema is now deprecated.

- A new stylesheet, based on the Google Charts API, displays
  XML statistics in charts and graphs on javascript-enabled

- The statistics channel can now provide data in JSON

- New stats counters track TCP and UDP queries received
  per zone, and EDNS options received in total.

- The internal and export versions of the BIND libraries
  (libisc, libdns, etc) have been unified so that external
  library clients can use the same libraries as BIND itself.

- A new compile-time option, "configure --enable-native-pkcs11",
  allows BIND 9 cryptography functions to use the PKCS#11 API
  natively, so that BIND can drive a cryptographic hardware
  service module (HSM) directly instead of using a modified
  OpenSSL as an intermediary. (Note: This feature requires an
  HSM to have a full implementation of the PKCS#11 API; many
  current HSMs only have partial implementations. The new
  "pkcs11-tokens" command can be used to check API completeness.
  Native PKCS#11 is known to work with the Thales nShield HSM
  and with SoftHSM version 2 from the Open DNSSEC project.)

- The new "max-zone-ttl" option enforces maximum TTLs for
  zones. This can simplify the process of rolling DNSSEC keys
  by guaranteeing that cached signatures will have expired
  within the specified amount of time.

- "dig +subnet" sends an EDNS CLIENT-SUBNET option when

- "dig +expire" sends an EDNS EXPIRE option when querying.
  When this option is sent with an SOA query to a server
  that supports it, it will report the expiry time of

- New "dnssec-coverage" tool to check DNSSEC key coverage
  for a zone and report if a lapse in signing coverage has
  been inadvertently scheduled.

- Signing algorithm flexibility and other improvements
  for the "rndc" control channel.

- "named-checkzone" and "named-compilezone" can now read
  journal files, allowing them to process dynamic zones.

- Multiple DLZ databases can now be configured. Individual
  zones can be configured to be served from a specific DLZ
  database. DLZ databases now serve zones of type "master"

- "rndc zonestatus" reports information about a specified zone.

- "named" now listens on IPv6 as well as IPv4 interfaces

- "named" now preserves the capitalization of names
  when responding to queries: for instance, a query for
  name was configured that way in the zone file. Some
  clients have a bug causing them to depend on the older
  behavior, in which the case of the answer always matched
  the case of the query, rather than the case of the name
  configured in the DNS. Such clients can now be specified
  in the new "no-case-compress" ACL; this will restore the
  older behavior of "named" for those clients only.

- New "dnssec-importkey" command allows the use of offline
  DNSSEC keys with automatic DNSKEY management.

- New "named-rrchecker" tool to verify the syntactic
  correctness of individual resource records.

- When re-signing a zone, the new "dnssec-signzone -Q" option
  drops signatures from keys that are still published but are

- "named-checkconf -px" will print the contents of configuration
  files with the shared secrets obscured, making it easier to
  share configuration (e.g. when submitting a bug report)
  without revealing private information.

- "rndc scan" causes named to re-scan network interfaces for
  changes in local addresses.

- On operating systems with support for routing sockets,
  network interfaces are re-scanned automatically whenever

- "tsig-keygen" is now available as an alternate command
  name to use for "ddns-confgen".
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

- Inline signing, allowing automatic DNSSEC signing of
  master zones without modification of the zonefile, or
  "bump in the wire" signing in slaves.

- New 'rndc flushtree' command clears all data under a given

- New 'rndc sync' command dumps pending changes in a dynamic

- New 'rndc signing' command displays or clears signing status
  records in 'auto-dnssec' zones.

- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
  to signing, eliminating the need to initially sign with NSEC.

- Startup time improvements on large authoritative servers.

- Slave zones are now saved in raw format by default.

- Several improvements to response policy zones (RPZ).

- Improved hardware scalability by using multiple threads
  to listen for queries and using finer-grained client locking

- The 'also-notify' option now takes the same syntax as
  'masters', so it can use named masterlists and TSIG keys.

- 'dnssec-signzone -D' writes an output file containing only DNSSEC
  data, which can be included by the primary zone file.

- 'dnssec-signzone -R' forces removal of signatures that are
  not expired but were created by a key which no longer exists.

- 'dnssec-signzone -X' allows a separate expiration date to
  be specified for DNSKEY signatures from other signatures.

- New '-L' option to dnssec-keygen, dnssec-settime, and
  dnssec-keyfromlabel sets the default TTL for the key.

- dnssec-dsfromkey now supports reading from standard input,
  to make it easier to convert DNSKEY to DS.

- RFC 1918 reverse zones have been added to the empty-zones

- Dynamic updates can now optionally set the zone's SOA serial
  number to the current UNIX time.

- DLZ modules can now retrieve the source IP address of

- 'request-ixfr' option can now be set at the per-zone level.

- 'dig +rrcomments' turns on comments about DNSKEY records,
  indicating their key ID, algorithm and function

- Simplified nsupdate syntax and added readline support
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

Red Hat Enterprise Linux 4, 5, 6

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

The C compiler to use. configure tries to figure
out the right one for supported systems.

as supported by the compiler. Please include '-g'

System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.

Any additional preprocessor symbols you want defined.

Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and

Disable dropping queries from particular well known ports.

Sibling glue checking in named-checkzone is enabled by default.
To disable the default check, set -DCHECK_SIBLING=0.

named-checkzone checks out-of-zone addresses by default.
To disable this default, set -DCHECK_LOCAL=0.

To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.

-DISC_SOCKET_USE_POLLWATCH=1
-DISC_SOCKET_POLLWATCH_TIMEOUT=20

Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.)

To build shared libraries, specify "--with-libtool" on the

Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g. 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
and "--localstatedir" to set the default parent directory
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take effect.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.
A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line

There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration

Frequently asked questions and their answers can be found in

Additional information on various subjects can be found

A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:

[security]      Fix for a significant security flaw
[experimental]  Used for new features when the syntax
                or other aspects of the design are still
[port]          Portability enhancement
[maint]         Updates to built-in data such as root
[tuning]        Changes to built-in configuration defaults
                and constants to improve performance
[protocol]      Updates to the DNS protocol such as new
[test]          Changes to the automatic tests, not
                affecting server functionality
[cleanup]       Minor corrections and refactoring
[contrib]       Changes to the contributed tools and
                libraries in the 'contrib' subdirectory
[placeholder]   Used in the master development branch to
                reserve change numbers for use in other

In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.
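Because every CHANGES entry carries one of the tags listed above, the file can be read by a script rather than by eye, which is how an operator deciding whether an upgrade is urgent would pull out the [security] entries and the release each one first shipped in. The parser below is an added example, not a tool from the BIND distribution; it assumes the entry layout of an entry number, a bracketed tag, the text with wrapped continuation lines indented beneath it, and "--- X released ---" markers with the newest release first. The sample entries and ticket numbers are constructed, and the exact whitespace of a real CHANGES file may differ.

```python
"""Parse a CHANGES-style file and pull out the entries by tag.

Added example, not a tool from the BIND distribution. Assumed layout:
an entry number, a bracketed tag, the text, continuation lines indented
below it, and "--- X released ---" markers with the newest release first.
The SAMPLE text and its ticket numbers are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")
RELEASE_RE = re.compile(r"^\s*---\s*(\S+)\s+released\s*---\s*$")
TICKET_RE = re.compile(r"\[RT #(\d+)\]")


@dataclass
class Change:
    number: int
    tag: str
    text: str
    release: Optional[str]  # release the entry first shipped in; None if above any marker

    def tickets(self) -> List[str]:
        return TICKET_RE.findall(self.text)


def parse_changes(text: str) -> List[Change]:
    entries: List[Change] = []
    release: Optional[str] = None
    current: Optional[Change] = None
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            # Entries below this marker, down to the next one, belong to this release.
            release = m.group(1)
            current = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = Change(int(m.group(1)), m.group(2), m.group(3).strip(), release)
            entries.append(current)
            continue
        if not line.strip():
            current = None                       # a blank line ends the entry
        elif current is not None:
            current.text += " " + line.strip()   # wrapped continuation line


    return entries


def tag_counts(entries: List[Change]) -> dict:
    return dict(Counter(e.tag for e in entries))


def with_tag(entries: List[Change], tag: str) -> List[Change]:
    return [e for e in entries if e.tag == tag]


def security_report(text: str) -> list:
    """(release, entry number, tickets) for every [security] entry, newest first."""
    return [(e.release, e.number, e.tickets())
            for e in with_tag(parse_changes(text), "security")]


# Constructed sample in the CHANGES layout; numbers and tickets are placeholders.
SAMPLE = """\
\t--- 9.10.1 released ---

4000.\t[security]\tConstructed entry: reject a malformed record before it
\t\t\treaches the parser. [RT #00000]

3999.\t[bug]\t\tConstructed entry: correct a log message.

3998.\t[func]\t\tConstructed entry: add a new option.

\t--- 9.10.0 released ---

3997.\t[security]\tConstructed entry: a hardening change. [RT #00001]

3996.\t[cleanup]\tConstructed entry: remove dead code.
"""


if __name__ == "__main__":
    for release, number, tickets in security_report(SAMPLE):
        print(release, number, tickets)
    print(tag_counts(parse_changes(SAMPLE)))
```

Run against the constructed sample it reports two [security] entries, one in each release, and a count per tag. Pointed at the real file, the same report gives the first question an operator asks after a release: does the version I am running lie below a [security] entry in the list.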
Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to
archives of which can be found via

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.
bind-workers-request@isc.org

- This product includes software developed by the OpenSSL Project
- This product includes cryptographic software written by Eric
- This product includes software written by Tim Hudson