README revision cf710c81aee40b565323bdb9422b53fe225526f5
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein BIND version 9 is a major rewrite of nearly all aspects of the
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson underlying BIND architecture. Some of the important features of
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - DNS Security
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson DNSSEC (signed zones)
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson TSIG (signed DNS requests)
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - IP version 6
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews Answers DNS queries on IPv6 sockets
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews IPv6 resource records (AAAA)
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews Experimental IPv6 Resolver Library
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - DNS Protocol Enhancements
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews IXFR, DDNS, Notify, EDNS0
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews Improved standards conformance
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson One server process can provide multiple "views" of
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson the DNS namespace, e.g. an "inside" view to certain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein clients, and an "outside" view to others.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Multiprocessor Support
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Improved Portability Architecture
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein BIND version 9 development has been underwritten by the following
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein organizations:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sun Microsystems, Inc.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Hewlett Packard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Compaq Computer Corporation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Process Software Corporation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Silicon Graphics, Inc.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Network Associates, Inc.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein U.S. Defense Information Systems Agency
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein USENIX Association
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Stichting NLnet - NLnet Foundation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Nominum, Inc.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein For a summary of functional enhancements in previous
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein releases, see the HISTORY file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein For a detailed list of user-visible changes from
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein previous releases, see the CHANGES file.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein For up-to-date release notes and errata, see
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson BIND 9.11.1 is a maintenance release and addresses the security
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, and
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson CVE-2017-3137.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson releases. New features include:
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - Added support for Catalog Zones, a new method for provisioning
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson servers: a list of zones to be served is stored in a DNS zone,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein along with their configuration parameters. Changes to the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein catalog zone are propagated to slaves via normal AXFR/IXFR,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein whereupon the zones that are listed in it are automatically
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson added, deleted or reconfigured.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Added support for "dnstap", a fast and flexible method of
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson capturing and logging DNS traffic.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - Added support for "dyndb", a new API for loading zone data
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein from an external database, developed by Red Hat for the FreeIPA
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "fetchlimit" quotas are now compiled in by default. These
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are for the use of recursive resolvers that are are under
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein high query load for domains whose authoritative servers are
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson nonresponsive or are experiencing a denial of service attack:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein + "fetches-per-server" limits the number of simultaneous queries
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson that can be sent to any single authoritative server. The
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson configured value is a starting point; it is automatically
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein adjusted downward if the server is partially or completely
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein non-responsive. The algorithm used to adjust the quota can be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein configured via the "fetch-quota-params" option.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein + "fetches-per-zone" limits the number of simultaneous queries
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that can be sent for names within a single domain. (Note:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Unlike "fetches-per-server", this value is not self-tuning.)
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson + New stats counters have been added to count
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein queries spilled due to these quotas.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Added a new "dnssec-keymgr" key mainenance utility, which can
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein generate or update keys as needed to ensure that a zone's
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein keys match a defined DNSSEC policy.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The experimental "SIT" feature in BIND 9.10 has been renamed
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein enabling clients to detect off-path spoofed responses, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein servers to detect spoofed-source queries. Clients that identify
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein themselves using COOKIE options are not subject to response rate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein limiting (RRL) and can receive larger UDP responses.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - SERVFAIL responses can now be cached for a limited time
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein (defaulting to 1 second, with an upper limit of 30).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This can reduce the frequency of retries when a query is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein persistently failing.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein rules to be skipped if a name server IP address isn't in the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein cache yet; the address will be looked up and the rule will be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein applied on future queries.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Added a Python RNDC module. This allows multiple commands to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein sent over a persistent RNDC channel, which saves time.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The "controls" block in named.conf can now grant read-only
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein "rndc" access to specified clients or keys. Read-only clients
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein could, for example, check "rndc status" but could not
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reconfigure or shut down the server.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "rndc" commands can now return arbitrarily large amounts of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein text to the caller.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The zone serial number of a dynamically updatable zone
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can now be set via "rndc signing -serial <number> <zonename>".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This allows inline-signing zones to be set to a specific
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein serial number.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The new "rndc nta" command can be used to set a Negative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Trust Anchor (NTA), disabling DNSSEC validation for a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein specific domain; this can be used when responses from a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein domain are known to be failing validation due to administrative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein error rather than because of a spoofing attack. Negative
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein trust anchors are strictly temporary; by default they expire
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein after one hour, but can be configured to last up to one week.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - "rndc delzone" can now be used on zones that were not originally
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson created by "rndc addzone".
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson - "rndc modzone" reconfigures a single zone, without requiring
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson the entire server to be reconfigured.
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson - "rndc showzone" displays the current configuration of a zone.
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson - "rndc managed-keys" can be used to check the status of RFC 5001
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson managed trust anchors, or to force trust anchors to be refreshed.
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson - "max-cache-size" can now be set to a percentage of available
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson memory. The default is 90%.
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson - Update forwarding performance has been improved by allowing
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson a single TCP connection to be shared by multiple updates.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson - The EDNS Client Subnet (ECS) option is now supported for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein authoritative servers; if a query contains an ECS option
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein then ACLs containing "geoip" or "ecs" elements can match
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein against the the address encoded in the option. This can be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein used to select a view for a query, so that different answers
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can be provided depending on the client network.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The EDNS EXPIRE option has been implemented on the client
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein side, allowing a slave server to set the expiration timer
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein correctly when transferring zone data from another slave
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The key generation and manipulation tools (dnssec-keygen,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein take "-Psync" and "-Dsync" options to set the publication
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and deletion times of CDS and CDNSKEY parent-synchronization
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein records. Both named and dnssec-signzone can now publish and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein remove these records at the scheduled times.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - A new "minimal-any" option reduces the size of UDP responses
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for query type ANY by returning a single arbitrarily selected
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RRset instead of all RRsets.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - A new "masterfile-style" zone option controls the formatting
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein of text zone files: When set to "full", a zone file is dumped
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein in single-line-per-record format.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "serial-update-method" can now be set to "date". On update,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the serial number will be set to the current date in YYYYMMDDNN
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "named -L <filename>" causes named to send log messages to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the specified file by default instead of to the system log.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "dig +ttlunits" prints TTL values with time-unit suffixes:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein w, d, h, m, s for weeks, days, hours, minutes, and seconds.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "dig +unknownformat" prints dig output in RFC 3597 "unknown
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein record" presentation format.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "dig +ednsopt" allows dig to set arbitrary EDNS options on
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein flags on requests.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "mdig" is an alternate version of dig which sends multiple
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein pipelined TCP queries to a server. Instead of waiting for a
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein response after sending a query, it sends all queries
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein immediately and displays responses in the order received.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "serial-query-rate" no longer controls NOTIFY messages.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein These are separately controlled by "notify-rate" and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein "startup-notify-rate".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - "nsupdate" now performs "check-names" processing by default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein on records to be added. This can be disabled with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein "check-names no".
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - The statistics channel now supports DEFLATE compression,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein reducing the size of the data sent over the network when
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein querying statistics.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - New counters have been added to the statistics channel
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to track the sizes of incoming queries and outgoing responses in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein histogram buckets, as specified in RSSAC002.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - A new NXDOMAIN redirect method (option "nxdomain-redirect")
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein has been added, allowing redirection to a specified DNS
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein namespace instead of a single redirect zone.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - When starting up, named now ensures that no other named
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein process is already running.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Files created by named to store information, including "mkeys"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and "nzf" files, are now named after their corresponding views
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein unless the view name contains characters incompatible with use
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein as a filename. Old style filenames (based on the hash of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein view name) will still work.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein This release addresses the security flaws described in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CVE-2014-3214, CVE-2014-3859, CVE-2014-8500, CVE-2014-8680,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CVE-2015-1349, CVE-2015-5477, CVE-2015-5722, CVE-2015-5986,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CVE-2015-8000, CVE-2015-8704, CVE-2015-8705, CVE-2016-1285,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and CVE-2016-2776.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein BIND 9 currently requires a UNIX system with an ANSI C compiler,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein basic POSIX support, and a 64 bit integer type.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein We've had successful builds and tests on the following systems:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein COMPAQ Tru64 UNIX 5.1B
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Fedora Core 6
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein FreeBSD 4.10, 5.2.1, 6.2
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Mac OS X 10.5
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein NetBSD 3.x, 4.0-beta, 5.0-beta
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein OpenBSD 3.3 and up
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Solaris 8, 9, 9 (x86), 10
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Ubuntu 7.04, 7.10
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Windows XP/2003/2008
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Windows, including Windows NT and Windows 2000, are no longer
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein We have recent reports from the user community that a supported
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein version of BIND will build and run on the following systems:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein CentOS 4, 4.5, 5
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Darwin 9.0.0d1/ARM
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Debian 4, 5, 6
C compiler flags. Defaults to include -g and/or -O2
Change the default syslog facility of named/lwresd.
Enable workaround for Solaris kernel bug about /dev/poll
The watch timeout is also configurable, e.g.,
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
memory resources (e.g, 64-bit servers with 12G or more of memory)
By default, installation is into /usr/local, but this can be changed
where configuration files like "named.conf" go by default,
of "run/named.pid". For backwards compatibility with BIND 8,
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
compiler (e.g. the various BSD systems, Linux).
on your system, and some require Perl; see bin/tests/system/README
doc/arm directory.
options of "named" are documented in /bin/named/named.8.
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
branches, e.g. when fixing a bug that only
in new-feature releases (i.e., those with version numbers
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).