README revision cf710c81aee40b565323bdb9422b53fe225526f5
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix BIND version 9 is a major rewrite of nearly all aspects of the
6c3e745a94ef6b25a4ef9f018d350a7535aa45afTed Gould underlying BIND architecture. Some of the important features of
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - DNS Security
6c3e745a94ef6b25a4ef9f018d350a7535aa45afTed Gould DNSSEC (signed zones)
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix TSIG (signed DNS requests)
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - IP version 6
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Answers DNS queries on IPv6 sockets
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix IPv6 resource records (AAAA)
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Experimental IPv6 Resolver Library
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - DNS Protocol Enhancements
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix IXFR, DDNS, Notify, EDNS0
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk Improved standards conformance
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix One server process can provide multiple "views" of
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix the DNS namespace, e.g. an "inside" view to certain
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix clients, and an "outside" view to others.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Multiprocessor Support
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Improved Portability Architecture
25ad3718fb4b96b39930af8e043c8ee1e624fd10cilix BIND version 9 development has been underwritten by the following
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix organizations:
5b20351508dc029f37f23fb7add6d0b43bf47f20johanengelen Sun Microsystems, Inc.
5b20351508dc029f37f23fb7add6d0b43bf47f20johanengelen Hewlett Packard
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix Compaq Computer Corporation
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix Process Software Corporation
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix Silicon Graphics, Inc.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Network Associates, Inc.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix U.S. Defense Information Systems Agency
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix USENIX Association
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Stichting NLnet - NLnet Foundation
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Nominum, Inc.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix For a summary of functional enhancements in previous
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix releases, see the HISTORY file.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix For a detailed list of user-visible changes from
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix previous releases, see the CHANGES file.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix For up-to-date release notes and errata, see
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix BIND 9.11.1 is a maintenance release and addresses the security
74b408ae13ffc5a6e8cfafda04a3edbc5a32c89ccilix flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
74b408ae13ffc5a6e8cfafda04a3edbc5a32c89ccilix CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, and
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix CVE-2017-3137.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix releases. New features include:
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Added support for Catalog Zones, a new method for provisioning
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix servers: a list of zones to be served is stored in a DNS zone,
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix along with their configuration parameters. Changes to the
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix catalog zone are propagated to slaves via normal AXFR/IXFR,
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix whereupon the zones that are listed in it are automatically
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk added, deleted or reconfigured.
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk - Added support for "dnstap", a fast and flexible method of
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk capturing and logging DNS traffic.
d7e43efbcb4e431ff2fc52941513cc1bd614afa5cilix - Added support for "dyndb", a new API for loading zone data
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk from an external database, developed by Red Hat for the FreeIPA
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "fetchlimit" quotas are now compiled in by default. These
ecda720053ff791e35dae3c5c1177bc225b6cdf1johanengelen are for the use of recursive resolvers that are are under
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix high query load for domains whose authoritative servers are
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix nonresponsive or are experiencing a denial of service attack:
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix + "fetches-per-server" limits the number of simultaneous queries
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix that can be sent to any single authoritative server. The
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix configured value is a starting point; it is automatically
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix adjusted downward if the server is partially or completely
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix non-responsive. The algorithm used to adjust the quota can be
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix configured via the "fetch-quota-params" option.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix + "fetches-per-zone" limits the number of simultaneous queries
8001ba81cb851b38d86650a2fef5817facffb763johanengelen that can be sent for names within a single domain. (Note:
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Unlike "fetches-per-server", this value is not self-tuning.)
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix + New stats counters have been added to count
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix queries spilled due to these quotas.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Added a new "dnssec-keymgr" key mainenance utility, which can
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix generate or update keys as needed to ensure that a zone's
a98d7da87dea01e6c39b3df95b78fc6a397dd685bgk keys match a defined DNSSEC policy.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The experimental "SIT" feature in BIND 9.10 has been renamed
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix "COOKIE" and is no longer optional. EDNS COOKIE is a mechanism
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix enabling clients to detect off-path spoofed responses, and
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix servers to detect spoofed-source queries. Clients that identify
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix themselves using COOKIE options are not subject to response rate
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix limiting (RRL) and can receive larger UDP responses.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - SERVFAIL responses can now be cached for a limited time
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix (defaulting to 1 second, with an upper limit of 30).
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix This can reduce the frequency of retries when a query is
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix persistently failing.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix rules to be skipped if a name server IP address isn't in the
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix cache yet; the address will be looked up and the rule will be
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix applied on future queries.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Added a Python RNDC module. This allows multiple commands to
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix sent over a persistent RNDC channel, which saves time.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The "controls" block in named.conf can now grant read-only
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix "rndc" access to specified clients or keys. Read-only clients
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix could, for example, check "rndc status" but could not
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix reconfigure or shut down the server.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "rndc" commands can now return arbitrarily large amounts of
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix text to the caller.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The zone serial number of a dynamically updatable zone
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix can now be set via "rndc signing -serial <number> <zonename>".
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix This allows inline-signing zones to be set to a specific
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix serial number.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The new "rndc nta" command can be used to set a Negative
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix Trust Anchor (NTA), disabling DNSSEC validation for a
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix specific domain; this can be used when responses from a
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix domain are known to be failing validation due to administrative
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix error rather than because of a spoofing attack. Negative
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix trust anchors are strictly temporary; by default they expire
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix after one hour, but can be configured to last up to one week.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "rndc delzone" can now be used on zones that were not originally
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix created by "rndc addzone".
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "rndc modzone" reconfigures a single zone, without requiring
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix the entire server to be reconfigured.
d7e43efbcb4e431ff2fc52941513cc1bd614afa5cilix - "rndc showzone" displays the current configuration of a zone.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "rndc managed-keys" can be used to check the status of RFC 5001
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix managed trust anchors, or to force trust anchors to be refreshed.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "max-cache-size" can now be set to a percentage of available
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix memory. The default is 90%.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - Update forwarding performance has been improved by allowing
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix a single TCP connection to be shared by multiple updates.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The EDNS Client Subnet (ECS) option is now supported for
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix authoritative servers; if a query contains an ECS option
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix then ACLs containing "geoip" or "ecs" elements can match
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix against the the address encoded in the option. This can be
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix used to select a view for a query, so that different answers
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix can be provided depending on the client network.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - The EDNS EXPIRE option has been implemented on the client
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix side, allowing a slave server to set the expiration timer
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix correctly when transferring zone data from another slave
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - The key generation and manipulation tools (dnssec-keygen,
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix take "-Psync" and "-Dsync" options to set the publication
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix and deletion times of CDS and CDNSKEY parent-synchronization
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix records. Both named and dnssec-signzone can now publish and
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix remove these records at the scheduled times.
5b20351508dc029f37f23fb7add6d0b43bf47f20johanengelen - A new "minimal-any" option reduces the size of UDP responses
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix for query type ANY by returning a single arbitrarily selected
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix RRset instead of all RRsets.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - A new "masterfile-style" zone option controls the formatting
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix of text zone files: When set to "full", a zone file is dumped
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix in single-line-per-record format.
5b20351508dc029f37f23fb7add6d0b43bf47f20johanengelen - "serial-update-method" can now be set to "date". On update,
947fb2f89245c19c5bad9dbefb9fd44c2aaed2eccilix the serial number will be set to the current date in YYYYMMDDNN
c3521f69a168bb569f01c674683489ea8e98f7f5johanengelen - "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "named -L <filename>" causes named to send log messages to
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix the specified file by default instead of to the system log.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "dig +ttlunits" prints TTL values with time-unit suffixes:
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix w, d, h, m, s for weeks, days, hours, minutes, and seconds.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "dig +unknownformat" prints dig output in RFC 3597 "unknown
5b20351508dc029f37f23fb7add6d0b43bf47f20johanengelen record" presentation format.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "dig +ednsopt" allows dig to set arbitrary EDNS options on
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "dig +ednsflags" allows dig to set yet-to-be-defined EDNS
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix flags on requests.
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix - "mdig" is an alternate version of dig which sends multiple
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix pipelined TCP queries to a server. Instead of waiting for a
36285e420d3124dfe8cd2c5a8ac5a76bf7cdd4c6cilix response after sending a query, it sends all queries
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix immediately and displays responses in the order received.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "serial-query-rate" no longer controls NOTIFY messages.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix These are separately controlled by "notify-rate" and
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix "startup-notify-rate".
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - "nsupdate" now performs "check-names" processing by default
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix on records to be added. This can be disabled with
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix "check-names no".
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - The statistics channel now supports DEFLATE compression,
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix reducing the size of the data sent over the network when
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix querying statistics.
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix - New counters have been added to the statistics channel
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix to track the sizes of incoming queries and outgoing responses in
70eb1fc448cb08acf3468f80fa2296c03b32afd2cilix histogram buckets, as specified in RSSAC002.
6c3e745a94ef6b25a4ef9f018d350a7535aa45afTed Gould - A new NXDOMAIN redirect method (option "nxdomain-redirect")
NetBSD 3.x, 4.0-beta, 5.0-beta
C compiler flags. Defaults to include -g and/or -O2
Change the default syslog facility of named/lwresd.
Enable workaround for Solaris kernel bug about /dev/poll
The watch timeout is also configurable, e.g.,
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
memory resources (e.g, 64-bit servers with 12G or more of memory)
By default, installation is into /usr/local, but this can be changed
where configuration files like "named.conf" go by default,
of "run/named.pid". For backwards compatibility with BIND 8,
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
compiler (e.g. the various BSD systems, Linux).
on your system, and some require Perl; see bin/tests/system/README
doc/arm directory.
options of "named" are documented in /bin/named/named.8.
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
branches, e.g. when fixing a bug that only
in new-feature releases (i.e., those with version numbers
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).