README revision 2baa66562a2f119edffded961d3391f87ff98ec0
 1. Introduction
 2. Reporting bugs and getting help
 3. Contributing to BIND
 4. BIND 9.11 features
 5. Building BIND
 7. Compile-time options
 8. Automated testing
 9. Documentation
10. Change log
11. Acknowledgments

BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.

The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.

BIND 9 is a complete re-write of the BIND architecture that was used in
versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licenced under the terms of ISC License for all versions
up to and including BIND 9.10, and the Mozilla Public License version 2.0
for all subsequent versions.

For a summary of features introduced in past major releases of BIND, see
the file HISTORY.

For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.

For up-to-date release notes and errata, see http://www.isc.org/software/

Reporting bugs and getting help

To report non-security-sensitive bugs or request new features, you may
open an Issue in the BIND 9 project on the ISC GitLab server at https://

Please note that, unless you explicitly mark the newly created Issue as
"confidential", it will be publicly readable. Please do not include any
information in bug reports that you consider to be confidential unless the
issue has been marked as such. In particular, if submitting the contents
of your configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
named-checkconf -px.
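
A pre-posting check for the advice above, as an added example that is not part of the BIND README or ISC's code: it scans configuration text for secret statements whose value is anything other than question marks, which is how named-checkconf -x obscures shared secrets. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample config; the key material is made up for this example.
SAMPLE_CONF = '''\
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLW5vdC1hLXJlYWwta2V5";
};
key "xfer-key" {
    algorithm hmac-sha256;
    secret "????????";
};
# old key, disabled: secret "b2xkLXNhbXBsZS1rZXk=";
'''

KEY_RE = re.compile(r'\bkey\s+"?([^"\s{;]+)"?\s*\{')
SECRET_RE = re.compile(r'\bsecret\s+"?([^"\s;]+)"?\s*;')
BLOCK_END_RE = re.compile(r'\}\s*;')


def unredacted_secrets(conf_text):
    """Return (line_number, key_name) for each secret that is not all '?'.

    Comments are scanned too: a commented-out secret still leaks if posted.
    key_name is None when the secret is not inside a key block.
    """
    findings = []
    current_key = None
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        key = KEY_RE.search(line)
        if key:
            current_key = key.group(1)
        for secret in SECRET_RE.finditer(line):
            if set(secret.group(1)) != {"?"}:
                findings.append((lineno, current_key))
        if BLOCK_END_RE.search(line):
            current_key = None
    return findings


def safe_to_post(conf_text):
    """True when no secret statement carries a real value."""
    return not unredacted_secrets(conf_text)


if __name__ == "__main__":
    for lineno, key in unredacted_secrets(SAMPLE_CONF):
        print(f"line {lineno}: secret for key {key!r} is not obscured")
```

The commented-out secret on the last sample line is reported as well, since comments in a hand-edited file are posted along with everything else.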

If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in named, please do NOT use GitLab to
report it. Instead, please send mail to security-officer@isc.org.

Professional support and training for BIND are available from ISC at

To join the BIND Users mailing list, or view the archives, visit https://

If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/

Contributing to BIND

ISC maintains a public git repository for BIND; details can be found at
http://www.isc.org/git/, and also on GitHub at https://github.com/
isc-projects.

Information for BIND contributors can be found in the following files:

 - General information: doc/dev/contrib.md
 - BIND 9 code style: doc/dev/style.md
 - BIND architecture and developer guide: doc/dev/dev.md

Patches for BIND may be submitted as Merge Requests in the ISC GitLab
server at https://gitlab.isc.org/isc-projects/bind9/merge_requests.

By default, external contributors don't have the ability to fork BIND in the
GitLab server, but if you wish to contribute code to BIND, you may request
permission to do so. Thereafter, you can create git branches and directly
submit requests that they be reviewed and merged.

If you prefer, you may also submit code by opening a GitLab Issue and
including your patch as an attachment, preferably generated by git

BIND 9.11 features

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

 * Added support for Catalog Zones, a new method for provisioning
   servers: a list of zones to be served is stored in a DNS zone, along
   with their configuration parameters. Changes to the catalog zone are
   propagated to slaves via normal AXFR/IXFR, whereupon the zones that
   are listed in it are automatically added, deleted or reconfigured.
 * Added support for "dnstap", a fast and flexible method of capturing
   and logging DNS traffic.
 * Added support for "dyndb", a new API for loading zone data from an
   external database, developed by Red Hat for the FreeIPA project.
 * "fetchlimit" quotas are now compiled in by default. These are for the
   use of recursive resolvers that are under high query load for
   domains whose authoritative servers are nonresponsive or are
   experiencing a denial of service attack:
    + fetches-per-server limits the number of simultaneous queries that
      can be sent to any single authoritative server. The configured
      value is a starting point; it is automatically adjusted downward
      if the server is partially or completely non-responsive. The
      algorithm used to adjust the quota can be configured via the
      "fetch-quota-params" option.
    + fetches-per-zone limits the number of simultaneous queries that
      can be sent for names within a single domain. (Note: Unlike
      fetches-per-server, this value is not self-tuning.)
    + New stats counters have been added to count queries spilled due to
      these quotas.
 * Added a new dnssec-keymgr key maintenance utility, which can generate
   or update keys as needed to ensure that a zone's keys match a defined
   DNSSEC policy.
 * The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
   and is no longer optional. EDNS COOKIE is a mechanism enabling clients
   to detect off-path spoofed responses, and servers to detect
   spoofed-source queries. Clients that identify themselves using COOKIE
   options are not subject to response rate limiting (RRL) and can
   receive larger UDP responses.
 * SERVFAIL responses can now be cached for a limited time (defaulting to
   1 second, with an upper limit of 30). This can reduce the frequency of
   retries when a query is persistently failing.
 * Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be
   skipped if a name server IP address isn't in the cache yet; the
   address will be looked up and the rule will be applied on future
 * Added a Python RNDC module. This allows multiple commands to be sent over
   a persistent RNDC channel, which saves time.
* The controls block in named.conf can now grant read-only rndc access
win32utils/readme1st.txt for details on building for Windows systems.
C compiler flags. Defaults to include -g and/or -O2 as
This can be downloaded from https://developer.apple.com/download/more/ or
This will add /usr/include to the system and install the compiler and
values better suited to large servers with abundant memory resources (e.g,
least one of the following: libxml2 http://xmlsoft.org or json-c https://
github.com/json-c. If these are installed at a nonstandard location,
github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with
default, installation is into /usr/local, but this can be changed with the
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. For backwards
is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
defaults to $prefix/var.
IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
See bin/tests/system/README for further details.
distribution, in DocBook XML, HTML and PDF format, in the doc/arm
documented in bin/named/named.8.
be found in the ISC Knowledge Base at https://kb.isc.org.
[placeholder] numbers for use in other branches, e.g. when fixing a bug
releases (i.e., those with version numbers ending in zero). Some new
U.S. Defense Information Systems Agency
use in the OpenSSL Toolkit. http://www.OpenSSL.org/