README revision 59663800d2ec04777dae2791dd92aa563faf94c8

 1. Introduction
 2. Reporting bugs and getting help
 3. Contributing to BIND
 4. BIND 9.11 features
 5. Building BIND
 6. Compile-time options
 7. Automated testing
 8. Documentation
 9. Change log
10. Acknowledgments

BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.

The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.

BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
501(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licenced under the terms of the Mozilla Public License,

For a summary of features introduced in past major releases of BIND, see
the file HISTORY.

For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.

For up-to-date release notes and errata, see http://www.isc.org/software/

Reporting bugs and getting help

Please report assertion failure errors and suspected security issues to
security-officer@isc.org.

General bug reports can be sent to bind9-bugs@isc.org.

Feature requests can be sent to bind-suggest@isc.org.

Please note that, while ISC's ticketing system is not currently publicly
readable, this may change in the future. Please do not include information
in bug reports that you consider to be confidential. For example, when
sending the contents of your configuration file, it is advisable to
obscure key secrets; this can be done automatically by using
named-checkconf -px.

Professional support and training for BIND are available from ISC at

To join the BIND Users mailing list, or view the archives, visit https://

If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/

Contributing to BIND

A public git repository for BIND is maintained at http://www.isc.org/git/,
and also on GitHub at https://github.com/isc-projects.

Information for BIND contributors can be found in the following files:

  * General information: doc/dev/contrib.md
  * BIND 9 code style: doc/dev/style.md
  * BIND architecture and developer guide: doc/dev/dev.md

Patches for BIND may be submitted either as GitHub pull requests or via
email. When submitting a patch via email, please prepend the subject
header with "[PATCH]" so it will be easier for us to find. If your patch
introduces a new feature in BIND, please submit it to bind-suggest@isc.org;
if it fixes a bug, please submit it to bind9-bugs@isc.org.

BIND 9.11 features

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

  * Added support for Catalog Zones, a new method for provisioning
    servers: a list of zones to be served is stored in a DNS zone, along
    with their configuration parameters. Changes to the catalog zone are
    propagated to slaves via normal AXFR/IXFR, whereupon the zones that
    are listed in it are automatically added, deleted or reconfigured.
  * Added support for "dnstap", a fast and flexible method of capturing
    and logging DNS traffic.
  * Added support for "dyndb", a new API for loading zone data from an
    external database, developed by Red Hat for the FreeIPA project.
  * "fetchlimit" quotas are now compiled in by default. These are for the
    use of recursive resolvers that are under high query load for
    domains whose authoritative servers are nonresponsive or are
    experiencing a denial of service attack:
      + fetches-per-server limits the number of simultaneous queries that
        can be sent to any single authoritative server. The configured
        value is a starting point; it is automatically adjusted downward
        if the server is partially or completely non-responsive. The
        algorithm used to adjust the quota can be configured via the
        "fetch-quota-params" option.
      + fetches-per-zone limits the number of simultaneous queries that
        can be sent for names within a single domain. (Note: Unlike
        fetches-per-server, this value is not self-tuning.)
      + New stats counters have been added to count queries spilled due to
        these quotas.
  * Added a new dnssec-keymgr key maintenance utility, which can generate
    or update keys as needed to ensure that a zone's keys match a defined
    DNSSEC policy.
  * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
    and is no longer optional. EDNS COOKIE is a mechanism enabling clients
    to detect off-path spoofed responses, and servers to detect
    spoofed-source queries. Clients that identify themselves using COOKIE
    options are not subject to response rate limiting (RRL) and can
    receive larger UDP responses.
  * SERVFAIL responses can now be cached for a limited time (defaulting to
    1 second, with an upper limit of 30). This can reduce the frequency of
    retries when a query is persistently failing.
  * Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
    skipped if a name server IP address isn't in the cache yet; the
    address will be looked up and the rule will be applied on future
  * Added a Python RNDC module. This allows multiple commands to be sent
    over a persistent RNDC channel, which saves time.
  * The controls block in named.conf can now grant read-only rndc access
    to specified clients or keys. Read-only clients could, for example,
    check rndc status but could not reconfigure or shut down the server.
  * rndc commands can now return arbitrarily large amounts of text to the
  * The zone serial number of a dynamically updatable zone can now be set
    via rndc signing -serial <number> <zonename>. This allows
    inline-signing zones to be set to a specific serial number.
  * The new rndc nta command can be used to set a Negative Trust Anchor
    (NTA), disabling DNSSEC validation for a specific domain; this can be
    used when responses from a domain are known to be failing validation
    due to administrative error rather than because of a spoofing attack.
    Negative trust anchors are strictly temporary; by default they expire
    after one hour, but can be configured to last up to one week.
  * rndc delzone can now be used on zones that were not originally created
    by "rndc addzone".
  * rndc modzone reconfigures a single zone, without requiring the entire
    server to be reconfigured.
  * rndc showzone displays the current configuration of a zone.
  * rndc managed-keys can be used to check the status of RFC 5001 managed
    trust anchors, or to force trust anchors to be refreshed.
  * max-cache-size can now be set to a percentage of available memory. The
    default is 90%.
  * Update forwarding performance has been improved by allowing a single
    TCP connection to be shared by multiple updates.
  * The EDNS Client Subnet (ECS) option is now supported for authoritative
    servers; if a query contains an ECS option then ACLs containing geoip
    or ecs elements can match against the address encoded in the
    option. This can be used to select a view for a query, so that
    different answers can be provided depending on the client network.
  * The EDNS EXPIRE option has been implemented on the client side,
    allowing a slave server to set the expiration timer correctly when
    transferring zone data from another slave server.
  * The key generation and manipulation tools (dnssec-keygen,
    dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync
    and -Dsync options to set the publication and deletion times of CDS
    and CDNSKEY parent-synchronization records. Both named and
    dnssec-signzone can now publish and remove these records at the
    scheduled times.
  * A new minimal-any option reduces the size of UDP responses for query
    type ANY by returning a single arbitrarily selected RRset instead of
  * A new masterfile-style zone option controls the formatting of text
    zone files: When set to full, a zone file is dumped in
    single-line-per-record format.
  * serial-update-method can now be set to date. On update, the serial
    number will be set to the current date in YYYYMMDDNN format.
  * dnssec-signzone -N date sets the serial number to YYYYMMDDNN.
  * named -L <filename> causes named to send log messages to the specified
    file by default instead of to the system log.
  * dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s
    for weeks, days, hours, minutes, and seconds.
  * dig +unknownformat prints dig output in RFC 3597 "unknown record"
    presentation format.
  * dig +ednsopt allows dig to set arbitrary EDNS options on requests.
  * dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on
  * mdig is an alternate version of dig which sends multiple pipelined TCP
    queries to a server. Instead of waiting for a response after sending a
    query, it sends all queries immediately and displays responses in the
    order received.
  * serial-query-rate no longer controls NOTIFY messages. These are
    separately controlled by notify-rate and startup-notify-rate.
  * nsupdate now performs check-names processing by default on records to
    be added. This can be disabled with check-names no.
  * The statistics channel now supports DEFLATE compression, reducing the
    size of the data sent over the network when querying statistics.
  * New counters have been added to the statistics channel to track the
    sizes of incoming queries and outgoing responses in histogram buckets,
    as specified in RSSAC002.
  * A new NXDOMAIN redirect method (option nxdomain-redirect) has been
    added, allowing redirection to a specified DNS namespace instead of a
    single redirect zone.
  * When starting up, named now ensures that no other named process is
    already running.
  * Files created by named to store information, including mkeys and nzf
    files, are now named after their corresponding views unless the view
    name contains characters incompatible with use as a filename. Old
    style filenames (based on the hash of the view name) will still work.

BIND 9.11.1 is a maintenance release, and addresses the security flaws
disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
and CVE-2017-3138.
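
A named.conf fragment that applies the fetch limits, minimal-any and read-only rndc access described in the feature list above. It is an added example, not part of the BIND README; the addresses, key names, include path and numeric limits are illustrative assumptions.

```conf
// Added example, not from the BIND README. Addresses, key names, the
// include path and the numeric limits are illustrative assumptions.

// Hypothetical file defining the keys "rndc-admin" and "rndc-monitor"
// (for example generated with rndc-confgen). Keep it readable only by
// the user that named runs as.
include "/etc/named/rndc.keys";

options {
    // Cap simultaneous queries to any single authoritative server.
    // The value is a starting point: named adjusts it downward while
    // the server is partially or completely non-responsive.
    // "drop" leaves excess queries unanswered; "fail" would return
    // SERVFAIL instead.
    fetches-per-server 200 drop;

    // Parameters of the adjustment algorithm: recalculate every 100
    // queries, low threshold 0.1, high threshold 0.3, discount rate 0.7.
    fetch-quota-params 100 0.1 0.3 0.7;

    // Cap simultaneous queries for names within a single domain.
    // Unlike fetches-per-server, this value is not self-tuning.
    fetches-per-zone 100 drop;

    // Answer UDP queries of type ANY with a single RRset, which keeps
    // responses small.
    minimal-any yes;
};

controls {
    // Full control only from the local host, with the admin key.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-admin"; };

    // Monitoring hosts can check rndc status but cannot reconfigure
    // or shut down the server.
    inet 192.0.2.53 port 953
        allow { 192.0.2.0/24; } keys { "rndc-monitor"; }
        read-only yes;
};
```

Check the file with named-checkconf before loading it; the new stats counters show how many queries were spilled by the two fetch quotas.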

Building BIND

BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
support, and a 64-bit integer type. Successful builds have been observed
on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
HP-UX, AIX, SCO OpenServer, and OpenWRT.

BIND is also available for Windows XP, 2003, 2008, and higher. See
win32utils/readme1st.txt for details on building for Windows systems.

To build on a UNIX or Linux system, use:

    $ ./configure

If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.

Several environment variables that can be set before running configure
will affect compilation:

Variable        Description
CC              The C compiler to use. configure tries to figure out the
                right one for supported systems.
CFLAGS          C compiler flags. Defaults to include -g and/or -O2 as
                supported by the compiler. Please include '-g' if you need
                to set CFLAGS.
STD_CINCLUDES   System header file directories. Can be used to specify
                where add-on thread or IPv6 support is, for example.
                Defaults to empty string.
STD_CDEFINES    Any additional preprocessor symbols you want defined.
                Defaults to empty string. For a list of possible settings,
                see the file OPTIONS.
LDFLAGS         Linker flags. Defaults to empty string.
BUILD_CC        Needed when cross-compiling: the native C compiler to use
                when building for the target system.
BUILD_CFLAGS    Optional, used for cross-compiling
BUILD_CPPFLAGS
BUILD_LDFLAGS

Compile-time options

To see a full list of configuration options, run configure --help.

On most platforms, BIND 9 is built with multithreading support, allowing
it to take advantage of multiple CPUs. You can configure this by
specifying --enable-threads or --disable-threads on the configure command
line. The default is to enable threads, except on some older operating
systems on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on Linux
systems; this has now been reversed. On Linux systems, the threaded build
is known to change BIND's behavior with respect to file permissions; it
may be necessary to specify a user with the -u option when running named.)

To build shared libraries, specify --with-libtool on the configure command

Certain compiled-in constants and default settings can be increased to
values better suited to large servers with abundant memory resources (e.g.,
64-bit servers with 12G or more of memory) by specifying
--with-tuning=large on the configure command line. This can improve
performance on big servers, but will consume more memory and may degrade
performance on smaller systems.

For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using "--with-openssl=/prefix" on the configure command
line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
"--with-pkcs11=/prefix", and configure BIND with "--enable-native-pkcs11".

To support the HTTP statistics channel, the server must be linked with at
least one of the following: libxml2 http://xmlsoft.org or json-c
https://github.com/json-c. If these are installed at a nonstandard
location, specify the prefix using --with-libxml2=/prefix or
--with-libjson=/prefix.

To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using --with-zlib=/prefix.

To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using "--with-lmdb=/prefix".

To support GeoIP location-based ACLs, the server must be linked with
libGeoIP. This is not turned on by default; BIND must be configured with
"--with-geoip". If the library is installed in a nonstandard location,
specify the prefix using "--with-geoip=/prefix".

For DNSTAP packet logging, you must have libfstrm
https://github.com/farsightsec/fstrm and libprotobuf-c
https://developers.google.com/protocol-buffers, and BIND must be
configured with "--enable-dnstap".

Python requires the 'argparse' and 'ply' modules to be available.
'argparse' is a standard module as of Python 2.7 and Python 3.2. 'ply' is

On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
--enable-largefile on the configure command line.

Support for the "fixed" rrset-order option can be enabled or disabled by
specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
command line. By default, fixed rrset-order is disabled to reduce memory

If your operating system has integrated support for IPv6, it will be used
default, installation is into /usr/local, but this can be changed with the
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. For backwards
is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
defaults to $prefix/var.
IP addresses can be configured by running the script
bin/tests/system/ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
See bin/tests/system/README for further details.
distribution, in DocBook XML, HTML and PDF format, in the doc/arm
documented in bin/named/named.8.
be found in the ISC Knowledge Base at https://kb.isc.org.
[placeholder] numbers for use in other branches, e.g. when fixing a bug
releases (i.e., those with version numbers ending in zero). Some new
U.S. Defense Information Systems Agency
use in the OpenSSL Toolkit. http://www.OpenSSL.org/