README revision e94261f0bcfb42a33128f27809d7c36f32f703f5

BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

- DNS Security
    DNSSEC (signed zones)
    TSIG (signed DNS requests)
- IP version 6
    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library
- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance
- One server process can provide multiple "views" of
  the DNS namespace, e.g. an "inside" view to certain
  clients, and an "outside" view to others.
- Multiprocessor Support
- Improved Portability Architecture

BIND version 9 development has been underwritten by the following
organizations:

    Sun Microsystems, Inc.
    Hewlett Packard
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    USENIX Association
    Stichting NLnet - NLnet Foundation
    Nominum, Inc.

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

- DNS Response-rate limiting (DNS RRL), which blunts the
  impact of reflection and amplification attacks, is always
  compiled in and no longer requires a compile-time option
  to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
  is now available. Similar to DNS Cookies as invented by
  Donald Eastlake 3rd, these are designed to enable clients
  to detect off-path spoofed responses, and to enable servers
  to detect spoofed-source queries. Servers can be configured
  to send smaller responses to clients that have not identified
  themselves using a SIT option, reducing the effectiveness of
  amplification attacks. RRL processing has also been updated;
  clients proven to be legitimate via SIT are not subject to
  rate limiting. Use "configure --enable-sit" to enable this
  feature in BIND.
- A new zone file format, "map", stores zone data in a
  format that can be mapped directly into memory, allowing
  significantly faster zone loading.
- "delve" (domain entity lookup and validation engine) is a
  new tool with dig-like semantics for looking up DNS data
  and performing internal DNSSEC validation. This allows
  easy validation in environments where the resolver may
  not be trustworthy, and assists with troubleshooting of
  DNSSEC problems.
- Improved EDNS(0) processing for better resolver performance
  and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
  compiled-in constants and default settings to values better
  suited to large servers with abundant memory. This can
  improve performance on such servers, but will consume more
  memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
  performance. Up to 32 response-policy zones can be
  configured with minimal performance loss.
- To improve recursive resolver performance, cache records
  which are still being requested by clients can now be
  automatically refreshed from the authoritative server
  before they expire, reducing or eliminating the time
  window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
  response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
  using the MaxMind GeoIP databases. Use "configure
  --with-geoip" to enable.
- Zone data can now be shared between views, allowing
  multiple views to serve the same zones authoritatively
  without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
  includes many new statistics and uses a flattened XML tree
  for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
  XML statistics in charts and graphs on javascript-enabled
- The statistics channel can now provide data in JSON
  format as well as XML.
- New stats counters track TCP and UDP queries received
  per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries
  (libisc, libdns, etc) have been unified so that external
  library clients can use the same libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11",
  allows BIND 9 cryptography functions to use the PKCS#11 API
  natively, so that BIND can drive a cryptographic hardware
  service module (HSM) directly instead of using a modified
  OpenSSL as an intermediary. (Note: This feature requires an
  HSM to have a full implementation of the PKCS#11 API; many
  current HSMs only have partial implementations. The new
  "pkcs11-tokens" command can be used to check API completeness.
  Native PKCS#11 is known to work with the Thales nShield HSM
  and with SoftHSM version 2 from the Open DNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for
  zones. This can simplify the process of rolling DNSSEC keys
  by guaranteeing that cached signatures will have expired
  within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
- "dig +expire" sends an EDNS EXPIRE option when querying.
  When this option is sent with an SOA query to a server
  that supports it, it will report the expiry time of
  a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
  for a zone and report if a lapse in signing coverage has
  been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
  for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
  journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
  zones can be configured to be served from a specific DLZ
  database. DLZ databases now serve zones of type "master"
  and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces
- "named" now preserves the capitalization of names
  when responding to queries: for instance, a query for
  "example.com" may be answered with "example.COM" if the
  name was configured that way in the zone file. Some
  clients have a bug causing them to depend on the older
  behavior, in which the case of the answer always matched
  the case of the query, rather than the case of the name
  configured in the DNS. Such clients can now be specified
  in the new "no-case-compress" ACL; this will restore the
  older behavior of "named" for those clients only.
- New "dnssec-importkey" command allows the use of offline
  DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
  correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
  drops signatures from keys that are still published but are
  no longer active.
- "named-checkconf -px" will print the contents of configuration
  files with the shared secrets obscured, making it easier to
  share configuration (e.g. when submitting a bug report)
  without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
  changes in local addresses.
- On operating systems with support for routing sockets,
  network interfaces are re-scanned automatically whenever
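
The SIT item in the list above describes a server that tells proven
clients from unproven ones and answers them differently. The sketch
below is an added example, not code from BIND or from this README: it
shows the general idea with an HMAC over the source address and a
client cookie. The token layout, the constants and every name in it
are assumptions made for illustration, not BIND's SIT wire format.

```python
import hashlib
import hmac
import ipaddress
import struct

# All constants are assumed values for this sketch, not BIND defaults.
TOKEN_LIFETIME = 3600   # seconds a server token stays valid
SMALL_SIZE = 512        # response size cap for clients without a valid token
FULL_SIZE = 4096        # response size cap for clients with a valid token
RRL_WINDOW = 5          # rate-limit window length in seconds
RRL_LIMIT = 5           # responses per window to an unproven address


class TokenServer:
    """Server side: issues tokens, verifies them, applies size and rate policy."""

    def __init__(self, secret):
        self.secret = secret
        self.counts = {}  # (address, window number) -> responses sent

    def _mac(self, addr, client_cookie, issued):
        # Bind the token to the source address, the client cookie and the issue time.
        msg = (ipaddress.ip_address(addr).packed + client_cookie
               + struct.pack("!I", issued))
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def issue(self, addr, client_cookie, now):
        # Token = 4-byte issue time followed by an 8-byte truncated MAC.
        return struct.pack("!I", now) + self._mac(addr, client_cookie, now)

    def verify(self, addr, client_cookie, token, now):
        if (token is None or client_cookie is None
                or len(token) != 12 or len(client_cookie) != 8):
            return False
        (issued,) = struct.unpack("!I", token[:4])
        if not 0 <= now - issued <= TOKEN_LIFETIME:
            return False  # stale or future-dated token
        return hmac.compare_digest(token[4:], self._mac(addr, client_cookie, issued))

    def handle(self, addr, client_cookie, token, now):
        """Return (action, size_cap, token_to_send) for one UDP query."""
        if self.verify(addr, client_cookie, token, now):
            # Source address is proven: full-size answer, exempt from rate limiting.
            return ("answer", FULL_SIZE, self.issue(addr, client_cookie, now))
        key = (addr, now // RRL_WINDOW)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > RRL_LIMIT:
            return ("drop", 0, None)
        # Unproven source: small answer, plus a fresh token if a cookie was sent.
        fresh = None
        if client_cookie is not None and len(client_cookie) == 8:
            fresh = self.issue(addr, client_cookie, now)
        return ("answer", SMALL_SIZE, fresh)


def client_accepts(sent_cookie, echoed_cookie):
    """Client side: accept a response only if it echoes the cookie that was sent."""
    return echoed_cookie is not None and hmac.compare_digest(sent_cookie, echoed_cookie)


def demo():
    """Run a constructed sequence of queries through the server."""
    server = TokenServer(secret=b"constructed-example-secret")
    cookie = bytes.fromhex("0123456789abcdef")  # constructed client cookie
    t0 = 1_000_000
    first = server.handle("192.0.2.10", cookie, None, t0)
    second = server.handle("192.0.2.10", cookie, first[2], t0 + 1)
    # The same token presented from another source address does not verify.
    moved = server.handle("198.51.100.7", cookie, first[2], t0 + 2)
    # A burst of queries carrying a made-up token is rate limited.
    bogus = bytes(12)
    burst = [server.handle("203.0.113.5", cookie, bogus, t0 + 5)[0] for _ in range(8)]
    expired = server.verify("192.0.2.10", cookie, first[2], t0 + TOKEN_LIFETIME + 1)
    return first, second, moved, burst, expired


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A client that has completed one round trip gets full-size answers and
is never counted against the rate limit; a query whose token does not
match its source address is held to the small size cap and the limit.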

BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

- Inline signing, allowing automatic DNSSEC signing of
  master zones without modification of the zonefile, or
  "bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
  name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
  zone to disk without a freeze/thaw cycle.
- New 'rndc signing' command displays or clears signing status
  records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
  to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
  to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
  'masters', so it can use named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
  data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
  not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
  be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
  dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
  to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
  table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
  number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
  the querying client.
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
  indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    Fedora Core 6
    FreeBSD 4.10, 5.2.1, 6.2
    Mac OS X 10.5
    NetBSD 3.x, 4.0-beta, 5.0-beta
    OpenBSD 3.3 and up
    Solaris 8, 9, 9 (x86), 10
    Ubuntu 7.04, 7.10
    Windows XP/2003/2008

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    CentOS 4, 4.5, 5
    Darwin 9.0.0d1/ARM
    Debian 4, 5, 6
    Fedora Core 5, 7, 8
    FreeBSD 6, 7, 8
    HP-UX 11.23 PA
    MacOS X 10.5, 10.6, 10.7
    Red Hat Enterprise Linux 4, 5, 6
    SCO OpenServer 5.0.6
    Slackware 9, 10

To build, just

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

        The C compiler to use. configure tries to figure
        out the right one for supported systems.

        C compiler flags. Defaults to include -g and/or -O2
        as supported by the compiler. Please include '-g'
        if you need to set CFLAGS.

    STD_CINCLUDES
        System header file directories. Can be used to specify
        where add-on thread or IPv6 support is, for example.
        Defaults to empty string.

        Any additional preprocessor symbols you want defined.
        Defaults to empty string.

        Possible settings:
        Change the default syslog facility of named/lwresd.
          -DISC_FACILITY=LOG_LOCAL0
        Enable DNSSEC signature chasing support in dig.
          -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
          -DDIG_SIGCHASE_BU=1)
        Disable dropping queries from particular well known ports.
          -DNS_CLIENT_DROPPORT=0
        Sibling glue checking in named-checkzone is enabled by default.
        To disable the default check, set
          -DCHECK_SIBLING=0
        named-checkzone checks out-of-zone addresses by default.
        To disable this default, set
          -DCHECK_LOCAL=0
        To create the default pid files in ${localstatedir}/run rather
        than ${localstatedir}/run/{named,lwresd}/, set
          -DNS_RUN_PID_DIR=0
        Enable workaround for Solaris kernel bug about /dev/poll
          -DISC_SOCKET_USE_POLLWATCH=1
          The watch timeout is also configurable, e.g.,
          -DISC_SOCKET_POLLWATCH_TIMEOUT=20

        Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

        The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        Possible Settings:
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.)

To build shared libraries, specify "--with-libtool" on the
configure command line.

Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g., 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
(http://xmlsoft.org) or json-c (https://github.com/json-c).

By default, installation is into /usr/local, but this can be changed
where configuration files like "named.conf" go by default,
of "run/named.pid". For backwards compatibility with BIND 8,
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
compiler (e.g. the various BSD systems, Linux).
on your system, and some require Perl; see bin/tests/system/README
doc/arm directory.
options of "named" are documented in /bin/named/named.8.
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
branches, e.g. when fixing a bug that only
in new-feature releases (i.e., those with version numbers
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).