BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

    DNSSEC (signed zones)
    TSIG (signed DNS requests)

    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

  - DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

  - Multiprocessor Support

  - Improved Portability Architecture

BIND version 9 development has been underwritten by the following

    Sun Microsystems, Inc.
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    Stichting NLnet - NLnet Foundation

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

  - DNS Response-rate limiting (DNS RRL), which blunts the
    impact of reflection and amplification attacks, is always
    compiled in and no longer requires a compile-time option

  - An experimental "Source Identity Token" (SIT) EDNS option
    is now available. Similar to DNS Cookies as invented by
    Donald Eastlake 3rd, these are designed to enable clients
    to detect off-path spoofed responses, and to enable servers
    to detect spoofed-source queries. Servers can be configured
    to send smaller responses to clients that have not identified
    themselves using a SIT option, reducing the effectiveness of
    amplification attacks. RRL processing has also been updated;
    clients proven to be legitimate via SIT are not subject to
    rate limiting. Use "configure --enable-sit" to enable this
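
    The following Python model, added here as an illustration and not
    BIND's own code, shows how the two mechanisms in the preceding two
    items fit together: a SIT/DNS-Cookie style token that binds a
    client's random value to its source address with a keyed hash, and
    a response-rate limiter that is applied only to sources whose token
    has not been verified, which instead receive a small reply carrying
    the token. The 8-byte token sizes, the HMAC-SHA256 construction, the
    fixed one-second rate window and the response sizes are all
    assumptions chosen for the example.

```python
"""Toy model of a Source Identity Token / DNS-Cookie style EDNS option
together with response-rate limiting that exempts verified clients.

Added illustration, not BIND's code. Token sizes, the HMAC-SHA256
construction, the one-second window and the response sizes are
assumptions chosen for the example."""
import hashlib
import hmac
import os
from collections import defaultdict

# Per-server secret; a real server would rotate it periodically (assumption).
SERVER_SECRET = os.urandom(32)


def server_token(client_token: bytes, client_ip: str,
                 secret: bytes = SERVER_SECRET) -> bytes:
    """Derive the server half of the token from the client's random token
    and the source address the query arrived from. A host forging another
    address never receives this value, so it cannot present it later."""
    return hmac.new(secret, client_token + client_ip.encode(),
                    hashlib.sha256).digest()[:8]


def token_is_valid(client_token: bytes, presented, client_ip: str,
                   secret: bytes = SERVER_SECRET) -> bool:
    """True only if the presented server token matches this source address."""
    if presented is None:
        return False
    return hmac.compare_digest(server_token(client_token, client_ip, secret),
                               presented)


class ResponseRateLimiter:
    """Per-source-address limit in a fixed one-second window (a
    deliberately simpler scheme than BIND's RRL)."""

    def __init__(self, responses_per_second: int):
        self.limit = responses_per_second
        self.window = None
        self.counts = defaultdict(int)

    def allow(self, client_ip: str, now: float) -> bool:
        second = int(now)
        if second != self.window:          # new window: forget old counts
            self.window = second
            self.counts.clear()
        self.counts[client_ip] += 1
        return self.counts[client_ip] <= self.limit


FULL_ANSWER = 3000   # bytes; the large DNSSEC answer an attacker wants reflected
SMALL_ANSWER = 64    # bytes; minimal reply carrying only the server token


def handle_query(client_ip: str, client_token: bytes, presented_token,
                 limiter: ResponseRateLimiter, now: float):
    """Return (response_size, server_token, dropped).

    A verified source gets the full answer and is exempt from RRL. An
    unverified source gets a small, non-amplifying reply that carries the
    server token it needs for its next query, and that reply is subject to
    the rate limit."""
    token = server_token(client_token, client_ip)
    if token_is_valid(client_token, presented_token, client_ip):
        return FULL_ANSWER, token, False
    if not limiter.allow(client_ip, now):
        return 0, token, True
    return SMALL_ANSWER, token, False


if __name__ == "__main__":
    limiter = ResponseRateLimiter(responses_per_second=2)
    ctoken = os.urandom(8)
    # First contact from 192.0.2.10: small reply that carries the server token.
    size, stoken, dropped = handle_query("192.0.2.10", ctoken, None, limiter, 1000.0)
    print("first query:", size, "bytes, dropped:", dropped)
    # The same token presented from a forged source address is rejected.
    print("token valid from forged source:",
          token_is_valid(ctoken, stoken, "203.0.113.5"))
    # With the token, the genuine client gets full answers without limiting.
    print("verified query:", handle_query("192.0.2.10", ctoken, stoken, limiter, 1000.5)[0])
```

    The point to take from the model is the ordering: the token check
    comes first, so legitimate clients that have completed one round trip
    are never throttled, while a source that cannot prove it receives
    replies only ever draws small, rate-limited responses.
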

  - A new zone file format, "map", stores zone data in a
    format that can be mapped directly into memory, allowing
    significantly faster zone loading.

  - "delve" (domain entity lookup and validation engine) is a
    new tool with dig-like semantics for looking up DNS data
    and performing internal DNSSEC validation. This allows
    easy validation in environments where the resolver may
    not be trustworthy, and assists with troubleshooting of

  - Improved EDNS(0) processing for better resolver performance
    and reliability over slow or lossy connections.

  - A new "configure --with-tuning=large" option tunes certain
    compiled-in constants and default settings to values better
    suited to large servers with abundant memory. This can
    improve performance on such servers, but will consume more
    memory and may degrade performance on smaller systems.

  - Substantial improvement in response-policy zone (RPZ)
    performance. Up to 32 response-policy zones can be
    configured with minimal performance loss.

  - To improve recursive resolver performance, cache records
    which are still being requested by clients can now be
    automatically refreshed from the authoritative server
    before they expire, reducing or eliminating the time
    window in which no answer is available in the cache.

  - New "rpz-client-ip" triggers and drop policies allowing
    response policies based on the IP address of the client.

  - ACLs can now be specified based on geographic location
    using the MaxMind GeoIP databases. Use "configure
    --with-geoip" to enable.

  - Zone data can now be shared between views, allowing
    multiple views to serve the same zones authoritatively
    without storing multiple copies in memory.

  - New XML schema (version 3) for the statistics channel
    includes many new statistics and uses a flattened XML tree
    for faster parsing. The older schema is now deprecated.

  - A new stylesheet, based on the Google Charts API, displays
    XML statistics in charts and graphs on javascript-enabled

  - The statistics channel can now provide data in JSON
    format as well as XML.

  - New stats counters track TCP and UDP queries on a

  - The internal and export versions of the BIND libraries
    (libisc, libdns, etc.) have been unified so that external
    library clients can use the same libraries as BIND itself.

  - A new compile-time option, "configure --enable-native-pkcs11",
    allows BIND 9 cryptography functions to use the PKCS#11 API
    natively, so that BIND can drive a cryptographic hardware
    service module (HSM) directly instead of using a modified
    OpenSSL as an intermediary. This has been tested with the
    Thales nShield HSM and with SoftHSMv2 from the Open DNSSEC

  - The new "max-zone-ttl" option enforces maximum TTLs for
    zones. This can simplify the process of rolling DNSSEC keys
    by guaranteeing that cached signatures will have expired
    within the specified amount of time.

  - "dig +subnet" sends an EDNS client-subnet option when

  - New "dnssec-coverage" tool to check DNSSEC key coverage
    for a zone and report if a lapse in signing coverage has
    been inadvertently scheduled.

  - Signing algorithm flexibility and other improvements
    for the "rndc" control channel.

  - "named-checkzone" and "named-compilezone" can now read
    journal files, allowing them to process dynamic zones.

  - Multiple DLZ databases can now be configured. Individual
    zones can be configured to be served from a specific DLZ
    database. DLZ databases now serve zones of type "master"

  - "rndc zonestatus" reports information about a specified zone.

  - "named" now listens on IPv6 as well as IPv4 interfaces

  - "named" now preserves the capitalization of names when
    responding to queries. The former behavior can be restored
    for specific clients via the new "no-case-compress" ACL.

  - New "dnssec-importkey" command allows the use of offline
    DNSSEC keys with automatic DNSKEY management.

  - New "named-rrchecker" tool to verify the syntactic
    correctness of individual resource records.

  - When re-signing a zone, the new "dnssec-signzone -Q" option
    drops signatures from keys that are still published but are

  - "named-checkconf -px" will print the contents of configuration
    files with the shared secrets obscured, making it easier to
    share configuration (e.g. when submitting a bug report)
    without revealing private information.
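
    As an added illustration of the idea behind the preceding item
    (this is not named-checkconf's code and does not reproduce its
    exact output format), the Python below scrubs every shared secret
    from a configuration text and then checks that none remain before
    the text is shared. The regular expression, the "?" placeholder and
    the sample configuration fragment are assumptions constructed for
    this example.

```python
"""Obscure TSIG/rndc shared secrets in a named.conf-style text and verify
that nothing was missed. Added example, not named-checkconf's code; the
pattern, placeholder and sample fragment are assumptions."""
import re

# A `secret "<value>";` clause as used inside key { } statements. Accepts
# single or double quotes and extra whitespace (assumption about the
# variants worth handling here).
SECRET_RE = re.compile(r'(\bsecret\s+)(["\'])([^"\']*)\2(\s*;)')


def obscure_secrets(conf: str, placeholder: str = "?") -> str:
    """Replace every secret value with the placeholder, leaving the rest of
    the statement (key name, algorithm) intact so the configuration stays
    readable for whoever receives it."""
    return SECRET_RE.sub(lambda m: f'{m.group(1)}"{placeholder}"{m.group(4)}', conf)


def remaining_secrets(conf: str, placeholder: str = "?") -> list:
    """Secret values still present in the text. An empty list means the
    text is safe to attach; a wrapper script can refuse to send anything
    else."""
    return [m.group(3) for m in SECRET_RE.finditer(conf) if m.group(3) != placeholder]


# Constructed sample fragment; the base64 strings are not real key material.
SAMPLE_CONF = """\
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXJuZGMta2V5LW5vdC1yZWFs";
};
key 'xfer-key' { algorithm hmac-md5; secret 'c2FtcGxlLXhmZXIta2V5'; };
options {
    directory "/var/named";
};
"""

if __name__ == "__main__":
    scrubbed = obscure_secrets(SAMPLE_CONF)
    print(scrubbed)
    print("secrets left:", remaining_secrets(scrubbed))
```

    The check in remaining_secrets is the part worth keeping in any
    helper of this kind: a scrubber that silently misses one quoting
    style is worse than none, so the same pattern is used both to
    rewrite and to audit the result.
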

  - "rndc scan" causes named to re-scan network interfaces for
    changes in local addresses.

  - On operating systems with support for routing sockets,
    network interfaces are re-scanned automatically whenever

BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:

  - Inline signing, allowing automatic DNSSEC signing of
    master zones without modification of the zonefile, or
    "bump in the wire" signing in slaves.

  - NXDOMAIN redirection.

  - New 'rndc flushtree' command clears all data under a given
    name from the DNS cache.

  - New 'rndc sync' command dumps pending changes in a dynamic

  - New 'rndc signing' command displays or clears signing status
    records in 'auto-dnssec' zones.

  - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
    to signing, eliminating the need to initially sign with NSEC.

  - Startup time improvements on large authoritative servers.

  - Slave zones are now saved in raw format by default.

  - Several improvements to response policy zones (RPZ).

  - Improved hardware scalability by using multiple threads
    to listen for queries and using finer-grained client locking

  - The 'also-notify' option now takes the same syntax as
    'masters', so it can use named masterlists and TSIG keys.

  - 'dnssec-signzone -D' writes an output file containing only DNSSEC
    data, which can be included by the primary zone file.

  - 'dnssec-signzone -R' forces removal of signatures that are
    not expired but were created by a key which no longer exists.

  - 'dnssec-signzone -X' allows an expiration date to be specified
    for DNSKEY signatures that is separate from the one used for
    all other signatures.

  - New '-L' option to dnssec-keygen, dnssec-settime, and
    dnssec-keyfromlabel sets the default TTL for the key.

  - dnssec-dsfromkey now supports reading from standard input,
    to make it easier to convert DNSKEY to DS.
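
    The DNSKEY-to-DS conversion that the preceding item refers to is
    fully specified in RFC 4034 (section 5.1.4 for the digest, Appendix B
    for the key tag), so it can be shown end to end. The Python below is
    an added example and not BIND's or dnssec-dsfromkey's code; the
    DNSKEY line it parses is a constructed sample whose three-byte
    "public key" exists only so the key tag can be checked by hand, and
    is not a usable key.

```python
"""Compute a DS record from a DNSKEY record (RFC 4034 section 5.1.4 and
Appendix B). Added example, not BIND's code; SAMPLE_DNSKEY is constructed
and not a real key."""
import base64
import hashlib
import struct

# DS digest type -> hash function (RFC 4034, RFC 4509, RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags (16 bits), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR. The digest covers the canonical owner
    name followed by the DNSKEY RDATA, so owner-name case does not matter."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm key...' as
    written by dnssec-keygen or found in a zone file (the base64 key may
    be split across several tokens)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    return tokens[0], flags, protocol, algorithm, "".join(tokens[idx + 4:])


# Constructed sample DNSKEY line; "AQID" decodes to the bytes 01 02 03.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 256 3 8 AQID"

if __name__ == "__main__":
    print(ds_from_dnskey(*parse_dnskey_line(SAMPLE_DNSKEY)))
```

    For the sample line the RDATA is the seven bytes 01 00 03 08 01 02 03,
    and summing the even-offset bytes shifted left by eight with the
    odd-offset bytes gives 256 + 0 + 768 + 8 + 256 + 2 + 768 = 2058, the
    key tag that appears in the DS output. Running the same input through
    dnssec-dsfromkey is a quick way to confirm an implementation like this
    before trusting it for a real delegation.
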

  - RFC 1918 reverse zones have been added to the empty-zones

  - Dynamic updates can now optionally set the zone's SOA serial
    number to the current UNIX time.

  - DLZ modules can now retrieve the source IP address of
    the querying client.

  - 'request-ixfr' option can now be set at the per-zone level.

  - 'dig +rrcomments' turns on comments about DNSKEY records,
    indicating their key ID, algorithm and function

  - Simplified nsupdate syntax and added readline support

BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    FreeBSD 4.10, 5.2.1, 6.2
    NetBSD 3.x, 4.0-beta, 5.0-beta
    Solaris 8, 9, 9 (x86), 10
    Windows XP/2003/2008

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    MacOS X 10.5, 10.6, 10.7
    Red Hat Enterprise Linux 4, 5, 6
    SCO OpenServer 5.0.6

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler. Please include '-g'
    if you need to set CFLAGS.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    -DISC_FACILITY=LOG_LOCAL0

    Enable DNSSEC signature chasing support in dig.
    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
    -DDIG_SIGCHASE_BU=1)

    Disable dropping queries from particular well known ports.
    -DNS_CLIENT_DROPPORT=0

    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set -DCHECK_SIBLING=0

    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set -DCHECK_LOCAL=0

    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/ set.

    -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
    -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

On most platforms, BIND 9 is built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can configure this by specifying "--enable-threads" or
"--disable-threads" on the configure command line. The default
is to enable threads, except on some older operating systems
on which threads are known to have had problems in the past.
(Note: Prior to BIND 9.10, the default was to disable threads on
Linux systems; this has been reversed. On Linux systems, the
threaded build is known to change BIND's behavior with respect
to file permissions; it may be necessary to specify a user with
the -u option when running named.)

To build shared libraries, specify "--with-libtool" on the
configure command line.

Certain compiled-in constants and default settings can be
increased to values better suited to large servers with abundant
memory resources (e.g. 64-bit servers with 12G or more of memory)
by specifying "--with-tuning=large" on the configure command
line. This can improve performance on big servers, but will
consume more memory and may degrade performance on smaller

For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".

To support the HTTP statistics channel, the server must
be linked with at least one of the following: libxml2
If these are installed at a nonstandard prefix, use
"--with-libxml2=/prefix" or "--with-libjson=/prefix".

On some platforms it is necessary to explicitly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.

Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.

If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.

"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".

You may specify the option "--sysconfdir" to set the directory
and "--localstatedir" to set the default parent directory
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix

To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.

If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find
"make tags" helpful.

If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.

Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).

Known compiler issues:

    * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
    * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
    * gcc-3.3.5 powerpc generates incorrect code at -O2.
    * Irix, MipsPRO 7.4.1m is known to cause problems.

A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses

SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles

Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.

The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the

Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line

There is now also a set of man pages for the lwres library.

If you are upgrading from BIND 8, please read the migration

Frequently asked questions and their answers can be found in

Additional information on various subjects can be found
in the other README files.

A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:

    [bug]           General bug fix
    [security]      Fix for a significant security flaw
    [experimental]  Used for new features when the syntax
                    or other aspects of the design are still
                    in flux and may change
    [port]          Portability enhancement
    [maint]         Updates to built-in data such as root
                    server addresses and keys
    [tuning]        Changes to built-in configuration defaults
                    and constants to improve performance
    [protocol]      Updates to the DNS protocol such as new
    [test]          Changes to the automatic tests, not
                    affecting server functionality
    [cleanup]       Minor corrections and refactoring
    [contrib]       Changes to the contributed tools and
                    libraries in the 'contrib' subdirectory
    [placeholder]   Used in the master development branch to
                    reserve change numbers for use in other
                    branches, e.g. when fixing a bug that only
                    exists in older releases

In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.

Bug Reports and Mailing Lists

Bug reports should be sent to

To join the BIND Users mailing list, send mail to

    bind-users-request@isc.org

archives of which can be found via

If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.

    bind-workers-request@isc.org

  - This product includes software developed by the OpenSSL Project

  - This product includes cryptographic software written by Eric
    Young (eay@cryptsoft.com).

  - This product includes software written by Tim Hudson
    (tjh@cryptsoft.com).