README revision 47d19078de548016572db6ba7c29030bce9d5796
BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

- DNS Security
    DNSSEC (signed zones)
    TSIG (signed DNS requests)
- IP version 6
    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library
- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance
    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.
- Multiprocessor Support
- Improved Portability Architecture

BIND version 9 development has been underwritten by the following
organizations:

    Sun Microsystems, Inc.
    Hewlett Packard
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    USENIX Association
    Stichting NLnet - NLnet Foundation
    Nominum, Inc.

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

- Added nsip-wait-recurse switch to rpz.
- Added python RNDC module.
- Added support for "dnstap", a fast and flexible method of
  capturing and logging DNS traffic.
- Added support for "dyndb", a new API for loading zone data
  from an external database, developed by Red Hat for the FreeIPA
- New "fetchlimit" quotas are now available for the use of
  recursive resolvers that are under high query load for
  domains whose authoritative servers are nonresponsive or are
  experiencing a denial of service attack:
  + "fetches-per-server" limits the number of simultaneous queries
    that can be sent to any single authoritative server. The
    configured value is a starting point; it is automatically
    adjusted downward if the server is partially or completely
    non-responsive. The algorithm used to adjust the quota can be
    configured via the "fetch-quota-params" option.
  + "fetches-per-zone" limits the number of simultaneous queries
    that can be sent for names within a single domain. (Note:
    Unlike "fetches-per-server", this value is not self-tuning.)
  + New stats counters have been added to count
    queries spilled due to these quotas.
- Added a new "dnssec-keymgr" key maintenance utility, which can
  generate or update keys as needed to ensure that a zone's
  keys match a defined DNSSEC policy.
- The experimental "SIT" feature in BIND 9.10 has been renamed
  "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
  enabling clients to detect off-path spoofed responses, and
  servers to detect spoofed-source queries. Clients that identify
  themselves using COOKIE options are not subject to response rate
  limiting (RRL) and can receive larger UDP responses.
- SERVFAIL responses can now be cached for a limited time
  (defaulting to 1 second, with an upper limit of 30).
  This can reduce the frequency of retries when a query is
  persistently failing.
- The "controls" block in named.conf can now grant read-only
  "rndc" access to specified clients or keys. Read-only clients
  could, for example, check "rndc status" but could not
  reconfigure or shut down the server.
- "rndc" commands can now return arbitrarily large amounts of
  text to the caller.
- The zone serial number of a dynamically updatable zone
  can now be set via "rndc signing -serial <number> <zonename>".
  This allows inline-signing zones to be set to a specific
  serial number.
- The new "rndc nta" command can be used to set a Negative
  Trust Anchor (NTA), disabling DNSSEC validation for a
  specific domain; this can be used when responses from a
  domain are known to be failing validation due to administrative
  error rather than because of a spoofing attack. Negative
  trust anchors are strictly temporary; by default they expire
  after one hour, but can be configured to last up to one week.
- "rndc delzone" can now be used on zones that were not originally
  created by "rndc addzone".
- "rndc modzone" reconfigures a single zone, without requiring
  the entire server to be reconfigured.
- "rndc showzone" displays the current configuration of a zone.
- "rndc managed-keys" can be used to check the status of RFC 5001
  managed trust anchors, or to force trust anchors to be refreshed.
- "max-cache-size" can now be set to a percentage of available
  memory. The default is 90%.
- Update forwarding performance has been improved by allowing
  a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
  authoritative servers; if a query contains an ECS option
  then ACLs containing "geoip" or "ecs" elements can match
  against the address encoded in the option. This can be
  used to select a view for a query, so that different answers
  can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
  side, allowing a slave server to set the expiration timer
  correctly when transferring zone data from another slave
- The key generation and manipulation tools (dnssec-keygen,
  dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
  take "-Psync" and "-Dsync" options to set the publication
  and deletion times of CDS and CDNSKEY parent-synchronization
  records. Both named and dnssec-signzone can now publish and
  remove these records at the scheduled times.
- A new "masterfile-style" zone option controls the formatting
  of text zone files: When set to "full", a zone file is dumped
  in single-line-per-record format.
- "serial-update-method" can now be set to "date". On update,
  the serial number will be set to the current date in YYYYMMDDNN
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
  the specified file by default instead of to the system log.
- "dig +ttlunits" prints TTL values with time-unit suffixes:
  w, d, h, m, s for weeks, days, hours, minutes, and seconds.
- "dig +unknownformat" prints dig output in RFC 3597 "unknown
  record" presentation format.
- "dig +ednsopt" allows dig to set arbitrary EDNS options on
- "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
  flags on requests.
- "mdig" is an alternate version of dig which sends multiple
  pipelined TCP queries to a server. Instead of waiting for a
  response after sending a query, it sends all queries
  immediately and displays responses in the order received.
- "serial-query-rate" no longer controls NOTIFY messages.
  These are separately controlled by "notify-rate" and
  "startup-notify-rate".
- "nsupdate" now performs "check-names" processing by default
  on records to be added. This can be disabled with
  "check-names no".
- The statistics channel now supports DEFLATE compression,
  reducing the size of the data sent over the network when
  querying statistics.
- New counters have been added to the statistics channel
  to track the sizes of incoming queries and outgoing responses in
  histogram buckets, as specified in RSSAC002.
- A new NXDOMAIN redirect method (option "nxdomain-redirect")
  has been added, allowing redirection to a specified DNS
  namespace instead of a single redirect zone.
- When starting up, named now ensures that no other named
  process is already running.
- Files created by named to store information, including "mkeys"
  and "nzf" files, are now named after their corresponding views
  unless the view name contains characters incompatible with use
  as a filename. Old style filenames (based on the hash of the
  view name) will still work.
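
A named.conf fragment showing how the fetch limits, SERVFAIL caching, NTA timers and read-only "rndc" access described in the list above are written. This is an added example, not configuration shipped with BIND; the key names, key file paths, addresses and limit values are assumptions chosen for illustration.

```conf
// Constructed example for BIND 9.11 or later. Every value here is an
// illustration, not a recommendation; size limits from your own traffic.

options {
    // Cap simultaneous fetches to any single authoritative server.
    // named lowers the effective quota by itself while that server is
    // timing out. "fail" answers over-quota queries with SERVFAIL,
    // "drop" sends no response.
    fetches-per-server 200 fail;

    // Cap simultaneous fetches for names within a single domain.
    // This value is not self-tuning.
    fetches-per-zone 100 drop;

    // How the per-server quota is adjusted:
    //   100  recalculate after this many fetches to a server
    //   0.1  timeout ratio below which the quota is raised again
    //   0.3  timeout ratio above which the quota is lowered
    //   0.7  discount rate of the moving average (higher weighs
    //        recent fetches more heavily)
    fetch-quota-params 100 0.1 0.3 0.7;

    // Cache SERVFAIL answers for 1 second (upper limit 30).
    servfail-ttl 1;

    // Lifetime applied by "rndc nta" when none is given on the command
    // line (upper limit one week), and how often named re-tests whether
    // the domain validates again so the NTA can be dropped early.
    nta-lifetime 1h;
    nta-recheck 5m;
};

// Hypothetical key files, each holding one key clause as produced by
// "tsig-keygen -a hmac-sha256 <name>". Keep them readable only by the
// account that runs named and by the operators who need the key.
include "/etc/bind/keys/rndc-admin.key";     // defines key "rndc-admin"
include "/etc/bind/keys/rndc-monitor.key";   // defines key "rndc-monitor"

controls {
    // Full control channel: loopback only, admin key only.
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-admin"; };

    // Monitoring channel on a management address (192.0.2.53 and
    // 192.0.2.0/24 are documentation addresses). Clients using the
    // monitor key can run "rndc status" but cannot reconfigure or
    // stop the server.
    inet 192.0.2.53 port 953
        allow { 192.0.2.0/24; } keys { "rndc-monitor"; }
        read-only yes;
};

// Operator commands that go with the settings above (run with the
// admin key; broken.example is a placeholder domain):
//   rndc nta -lifetime 2h broken.example   set an NTA for two hours
//   rndc nta -dump                         list current NTAs
//   rndc nta -remove broken.example        remove it once the zone is fixed
```

Run "named-checkconf" on the finished file before reloading, and review the NTA list regularly so that validation is not left disabled for a domain longer than the underlying error lasts.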

This release addresses the security flaws described in
CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
CVE-2016-1286 and CVE-2016-2088.

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    Fedora Core 6
    FreeBSD 4.10, 5.2.1, 6.2
    Mac OS X 10.5
    NetBSD 3.x, 4.0-beta, 5.0-beta
    OpenBSD 3.3 and up
    Solaris 8, 9, 9 (x86), 10
    Ubuntu 7.04, 7.10
    Windows XP/2003/2008

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    CentOS 4, 4.5, 5
    Darwin 9.0.0d1/ARM
    Debian 4, 5, 6
    Fedora Core 5, 7, 8
    FreeBSD 6, 7, 8
    HP-UX 11.23 PA
    MacOS X 10.5, 10.6, 10.7
    Red Hat Enterprise Linux 4, 5, 6
    SCO OpenServer 5.0.6
    Slackware 9, 10

To build, just

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler. Please include '-g'
    if you need to set CFLAGS.

STD_CINCLUDES
    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Possible settings:
    Change the default syslog facility of named/lwresd.
        -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
        -DDIG_SIGCHASE_BU=1)
    Disable dropping queries from particular well known ports.
        -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set
        -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set
        -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/, set
        -DNS_RUN_PID_DIR=0
    Enable workaround for Solaris kernel bug about /dev/poll
        -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
    Possible Settings:
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.)

To build shared libraries, specify "--with-libtool" on the
configure command line.

Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g., 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
(http://xmlsoft.org) or json-c (https://github.com/json-c).
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".

To support compression on the HTTP statistics channel, the
server must be linked against libzlib (--with-zlib=/prefix).

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find
"make tags" helpful.

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
* gcc-3.3.5 powerpc generates incorrect code at -O2.
* Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README
for details.

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

Known limitations

    Linux requires kernel build 2.6.39 or later to get the
    performance benefits from using multiple sockets.

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from

Frequently asked questions and their answers can be found in

Additional information on various subjects can be found
in the other README files.
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews A detailed list of all changes to BIND 9 is included in the
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews file CHANGES, with the most recent changes listed first.
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews Change notes include tags indicating the category of the
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews change that was made; these categories are:
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews [func] New feature
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews [bug] General bug fix
323a9f3430abf186f8f84d795549391a8ed7f274Francis Dupont [security] Fix for a significant security flaw
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews [experimental] Used for new features when the syntax
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews or other aspects of the design are still
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews in flux and may change
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews [port] Portability enhancement
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews [maint] Updates to built-in data such as root
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews server addresses and keys
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews [tuning] Changes to built-in configuration defaults
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews and constants to improve performance
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews [performance] Other changes to improve server performance
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews [protocol] Updates to the DNS protocol such as new
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews [test] Changes to the automatic tests, not
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews affecting server functionality
89119e3cafff373426858f6cec7c09539f53e209Mark Andrews [cleanup] Minor corrections and refactoring
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews [doc] Documentation
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff [contrib] Changes to the contributed tools and
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff libraries in the 'contrib' subdirectory
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff [placeholder] Used in the master development branch to
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff reserve change numbers for use in other
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff branches, e.g. when fixing a bug that only
ab3aeba682460fd39deb7901aa69f976583c9f47Michael Graff exists in older releases
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews In general, [func] and [experimental] tags will only appear
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews in new-feature releases (i.e., those with version numbers
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt ending in zero). Some new functionality may be backported to
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt older releases on a case-by-case basis. All other change
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt types may be applied to all currently-supported releases.
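The category tags above make CHANGES usable for patch triage. The following is an added example, not part of the BIND distribution: it lists [security] notes per release and flags [func]/[experimental] notes that landed in a release whose version does not end in zero. The CHANGES layout, the sample entries and the function names are assumptions made for illustration.

```python
import re

# Constructed sample, not real BIND entries. The layout (numbered entries,
# tab-indented continuation lines, "--- X released ---" markers placed above
# the entries that release contains) is an assumption; the page does not show it.
SAMPLE = """\
\t--- 9.10.0 released ---
1003.\t[func]\t\tConstructed entry: new option added.
1002.\t[security]\tConstructed entry: fix crash on malformed
\t\t\tinput.
\t--- 9.9.5 released ---
1001.\t[func]\t\tConstructed entry: feature backported.
1000.\t[bug]\t\tConstructed entry: general fix.
"""

ENTRY = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")
RELEASE = re.compile(r"^\s*--- (\d+(?:\.\d+)+)\S* released ---\s*$")
FEATURE_TAGS = {"func", "experimental"}  # tags the README ties to new-feature releases

def parse_changes(text):
    """Return one dict per change note: number, tag, release, text."""
    entries, release, current = [], None, None
    for line in text.splitlines():
        if (m := RELEASE.match(line)):
            release, current = m.group(1), None
        elif (m := ENTRY.match(line)):
            current = {"number": int(m.group(1)), "tag": m.group(2),
                       "release": release, "text": m.group(3).strip()}
            entries.append(current)
        elif current and line.strip():
            current["text"] += " " + line.strip()  # wrapped description line
    return entries

def security_fixes(entries):
    """Map release -> change numbers tagged [security]."""
    out = {}
    for e in entries:
        if e["tag"] == "security":
            out.setdefault(e["release"], []).append(e["number"])
    return out

def feature_backports(entries):
    """[func]/[experimental] notes in releases whose version does not end in zero."""
    return [e["number"] for e in entries
            if e["tag"] in FEATURE_TAGS and e["release"]
            and e["release"].split(".")[-1] != "0"]
```

Because the README allows case-by-case backports, a hit from feature_backports is a prompt to review the change before upgrading, not an error.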
5b7abbef511cea0b568be0bc8d5b3120a0b9034dEvan Hunt Bug Reports and Mailing Lists
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson Bug reports should be sent to:
850b5e80930907e4747347201dc41e4d04e036f8Mark Andrews bind9-bugs@isc.org
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews Feature requests can be sent to:
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews bind-suggest@isc.org
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews To join or view the archives of the BIND Users mailing list,
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson https://lists.isc.org/mailman/listinfo/bind-users
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson If you're planning on making changes to the BIND 9 source
8486ce1efa5deded85415d21d5696e5a51c63357Mark Andrews code, you may also want to join the BIND Workers mailing
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson https://lists.isc.org/mailman/listinfo/bind-workers
5506903c9215faf42586307c2288942fd804c579Evan Hunt Information on read-only Git access, coding style and developer
5506903c9215faf42586307c2288942fd804c579Evan Hunt guidelines can be found at:
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt Acknowledgments
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt - This product includes software developed by the OpenSSL Project
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews - This product includes cryptographic software written by Eric
d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews Young (eay@cryptsoft.com).
d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews - This product includes software written by Tim Hudson
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson (tjh@cryptsoft.com).