README revision b66b333f59cf51ef87f973084a5023acd9317fb2
        BIND version 9 is a major rewrite of nearly all aspects of the
        underlying BIND architecture. Some of the important features of
        BIND 9 are:

        - DNS Security
                DNSSEC (signed zones)
                TSIG (signed DNS requests)
        - IP version 6
                Answers DNS queries on IPv6 sockets
                IPv6 resource records (AAAA)
                Experimental IPv6 Resolver Library
        - DNS Protocol Enhancements
                IXFR, DDNS, Notify, EDNS0
                Improved standards conformance
                One server process can provide multiple "views" of
                the DNS namespace, e.g. an "inside" view to certain
                clients, and an "outside" view to others.
        - Multiprocessor Support
        - Improved Portability Architecture

        BIND version 9 development has been underwritten by the following
        organizations:

                Sun Microsystems, Inc.
                Hewlett Packard
                Compaq Computer Corporation
                Process Software Corporation
                Silicon Graphics, Inc.
                Network Associates, Inc.
                U.S. Defense Information Systems Agency
                USENIX Association
                Stichting NLnet - NLnet Foundation
                Nominum, Inc.

        For a summary of functional enhancements in previous
        releases, see the HISTORY file.

        For a detailed list of user-visible changes from
        previous releases, see the CHANGES file.

        For up-to-date release notes and errata, see

BIND 9.11.0

        BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
        releases. New features include:

        - Added support for "dnstap", a fast and flexible method of
          capturing and logging DNS traffic.

        - Added support for "dyndb", a new API for loading zone data
          from an external database, developed by Red Hat for the FreeIPA

        - New "fetchlimit" quotas are now available for the use of
          recursive resolvers that are under high query load for
          domains whose authoritative servers are nonresponsive or are
          experiencing a denial of service attack:

          + "fetches-per-server" limits the number of simultaneous queries
            that can be sent to any single authoritative server. The
            configured value is a starting point; it is automatically
            adjusted downward if the server is partially or completely
            non-responsive. The algorithm used to adjust the quota can be
            configured via the "fetch-quota-params" option.

          + "fetches-per-zone" limits the number of simultaneous queries
            that can be sent for names within a single domain. (Note:
            Unlike "fetches-per-server", this value is not self-tuning.)

          + New stats counters have been added to count
            queries spilled due to these quotas.

        - The zone serial number of a dynamically updatable zone
          can now be set via "rndc signing -serial <number> <zonename>".
          This allows inline-signing zones to be set to a specific
          serial number.

        - SERVFAIL responses can now be cached for a limited time
          (defaulting to 10 seconds, with an upper limit of 30).
          This can reduce the frequency of retries when a query is
          persistently failing.

        - The new "rndc nta" command can be used to set a "negative
          trust anchor", disabling DNSSEC validation for a specific
          domain; this can be used when responses from a domain are
          known to be failing validation due to administrative error
          rather than because of a spoofing attack. Negative trust
          anchors are strictly temporary; by default they expire after
          one hour, but can be configured to last up to one week.

        - Update forwarding performance has been improved by allowing
          a single TCP connection to be shared by multiple updates.

        - The EDNS Client Subnet (ECS) option is now supported for
          authoritative servers; if a query contains an ECS option
          then ACLs containing "geoip" or "ecs" elements can match
          against the address encoded in the option. This can be
          used to select a view for a query, so that different answers
          can be provided depending on the client network.

        - The EDNS EXPIRE option has been implemented on the client
          side, allowing a slave server to set the expiration timer
          correctly when transferring zone data from another slave

        - A new "masterfile-style" zone option controls the formatting
          of text zone files: When set to "full", a zone file is dumped
          in single-line-per-record format.

        - "dig +ttlunits" causes dig to print TTL values with time-unit
          suffixes: w, d, h, m, s for weeks, days, hours, minutes, and

        - "serial-update-method" can now be set to "date". On update,
          the serial number will be set to the current date in YYYYMMDDNN

        - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.

        - "named -L <filename>" causes named to send log messages to
          the specified file by default instead of to the system log.

        - dig can now set arbitrary EDNS options on requests (+ednsopt).

        - dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).

        - serial-query-rate no longer covers NOTIFY messages. These are
          separately controlled by notify-rate and startup-notify-rate.

        - nsupdate now performs check-names processing by default on records
          to be added. This can be disabled with "check-names no".
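The fetch-limit quotas described above are easier to reason about with a small model. The following Python is an added example, not BIND's code: it tracks in-flight fetches per authoritative server and per zone, spills fetches that exceed a quota (counting them the way the new stats counters do), and shrinks only the per-server quota from a moving average of the timeout ratio. The knob names `interval`, `high` and `discount` and the halving rule are assumptions standing in for the real "fetch-quota-params" algorithm, which this README does not describe.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ServerState:
    quota: int              # current, self-tuned per-server limit
    inflight: int = 0
    sent: int = 0           # answers since the last recalculation
    timeouts: int = 0       # ...of which timed out
    avg_ratio: float = 0.0  # moving average of the timeout ratio

@dataclass
class FetchLimiter:
    fetches_per_server: int
    fetches_per_zone: int   # static: deliberately not self-tuned
    # Assumed knobs standing in for "fetch-quota-params": retune every
    # `interval` answers, halve the quota above `high`, weight newest by `discount`.
    interval: int = 100
    high: float = 0.3
    discount: float = 0.7
    servers: dict = field(default_factory=dict)
    zone_inflight: dict = field(default_factory=lambda: defaultdict(int))
    spilled_server: int = 0  # analogous to the new "spilled" stats counters
    spilled_zone: int = 0

    def start_fetch(self, server, zone):
        # Returns True if the fetch may be sent, False if a quota spills it.
        st = self.servers.setdefault(server, ServerState(self.fetches_per_server))
        if st.inflight >= st.quota:
            self.spilled_server += 1
            return False
        if self.zone_inflight[zone] >= self.fetches_per_zone:
            self.spilled_zone += 1
            return False
        st.inflight += 1
        self.zone_inflight[zone] += 1
        return True

    def finish_fetch(self, server, zone, timed_out):
        # Record the outcome; every `interval` answers retune the server quota.
        st = self.servers[server]
        st.inflight -= 1
        self.zone_inflight[zone] -= 1
        st.sent += 1
        st.timeouts += int(timed_out)
        if st.sent >= self.interval:
            window = st.timeouts / st.sent
            st.avg_ratio = self.discount * window + (1 - self.discount) * st.avg_ratio
            st.sent = st.timeouts = 0
            if st.avg_ratio > self.high:
                st.quota = max(1, st.quota // 2)  # back off a non-responsive server
```

Running it with a small `interval` shows the per-zone limit spilling first, then the per-server quota halving after a window of timeouts while `fetches_per_zone` stays fixed.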

        This release addresses the security flaws described in
        CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
        CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, and CVE-2015-5986.

BIND 9.10.0

        BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
        releases. New features include:

        - DNS Response-rate limiting (DNS RRL), which blunts the
          impact of reflection and amplification attacks, is always
          compiled in and no longer requires a compile-time option
          to enable it.

        - An experimental "Source Identity Token" (SIT) EDNS option
          is now available. Similar to DNS Cookies as invented by
          Donald Eastlake 3rd, these are designed to enable clients
          to detect off-path spoofed responses, and to enable servers
          to detect spoofed-source queries. Servers can be configured
          to send smaller responses to clients that have not identified
          themselves using a SIT option, reducing the effectiveness of
          amplification attacks. RRL processing has also been updated;
          clients proven to be legitimate via SIT are not subject to
          rate limiting. Use "configure --enable-sit" to enable this
          feature in BIND.

        - A new zone file format, "map", stores zone data in a
          format that can be mapped directly into memory, allowing
          significantly faster zone loading.

        - "delv" (domain entity lookup and validation) is a new tool
          with dig-like semantics for looking up DNS data and performing
          internal DNSSEC validation. This allows easy validation in
          environments where the resolver may not be trustworthy, and
          assists with troubleshooting of DNSSEC problems. (NOTE:
          In previous development releases of BIND 9.10, this utility
          was called "delve". The spelling has been changed to avoid
          confusion with the "delve" utility included with the Xapian
          search engine.)

        - Improved EDNS(0) processing for better resolver performance
          and reliability over slow or lossy connections.

        - A new "configure --with-tuning=large" option tunes certain
          compiled-in constants and default settings to values better
          suited to large servers with abundant memory. This can
          improve performance on such servers, but will consume more
          memory and may degrade performance on smaller systems.

        - Substantial improvement in response-policy zone (RPZ)
          performance. Up to 32 response-policy zones can be
          configured with minimal performance loss.

        - To improve recursive resolver performance, cache records
          which are still being requested by clients can now be
          automatically refreshed from the authoritative server
          before they expire, reducing or eliminating the time
          window in which no answer is available in the cache.

        - New "rpz-client-ip" triggers and drop policies allowing
          response policies based on the IP address of the client.

        - ACLs can now be specified based on geographic location
          using the MaxMind GeoIP databases. Use "configure
          --with-geoip" to enable.

        - Zone data can now be shared between views, allowing
          multiple views to serve the same zones authoritatively
share configuration (e.g. when submitting a bug report)
NetBSD 3.x, 4.0-beta, 5.0-beta
C compiler flags. Defaults to include -g and/or -O2
Change the default syslog facility of named/lwresd.
Enable workaround for Solaris kernel bug about /dev/poll
The watch timeout is also configurable, e.g.,
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
memory resources (e.g, 64-bit servers with 12G or more of memory)
By default, installation is into /usr/local, but this can be changed
where configuration files like "named.conf" go by default,
of "run/named.pid". For backwards compatibility with BIND 8,
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
compiler (e.g. the various BSD systems, Linux).
on your system, and some require Perl; see bin/tests/system/README
doc/arm directory.
options of "named" are documented in /bin/named/named.8.
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
branches, e.g. when fixing a bug that only
in new-feature releases (i.e., those with version numbers
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).