README revision e1cd26e8f9a8c58636b7677356d108a003086b1b
BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of

- DNS Security
    DNSSEC (signed zones)
    TSIG (signed DNS requests)

- IP version 6
    Answers DNS queries on IPv6 sockets
    IPv6 resource records (AAAA)
    Experimental IPv6 Resolver Library

- DNS Protocol Enhancements
    IXFR, DDNS, Notify, EDNS0
    Improved standards conformance

    One server process can provide multiple "views" of
    the DNS namespace, e.g. an "inside" view to certain
    clients, and an "outside" view to others.

- Multiprocessor Support

- Improved Portability Architecture

BIND version 9 development has been underwritten by the following
organizations:

    Sun Microsystems, Inc.
    Hewlett Packard
    Compaq Computer Corporation
    Process Software Corporation
    Silicon Graphics, Inc.
    Network Associates, Inc.
    U.S. Defense Information Systems Agency
    USENIX Association
    Stichting NLnet - NLnet Foundation
    Nominum, Inc.

For a summary of functional enhancements in previous
releases, see the HISTORY file.

For a detailed list of user-visible changes from
previous releases, see the CHANGES file.

For up-to-date release notes and errata, see

BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:

- SERVFAIL responses can now be cached for a limited time
  (defaulting to 10 seconds, with an upper limit of 30).
  This can reduce the frequency of retries when a query is
  persistently failing.
- The new "rndc nta" command can be used to set a "negative
  trust anchor", disabling DNSSEC validation for a specific
  domain; this can be used when responses from a domain are
  known to be failing validation due to administrative error
  rather than because of a spoofing attack. Negative trust
  anchors are strictly temporary; by default they expire after
  one hour, but can be configured to last up to one week.
- Update forwarding performance has been improved by allowing
  a single TCP connection to be shared by multiple updates.
- The EDNS Client Subnet (ECS) option is now supported for
  authoritative servers; if a query contains an ECS option
  then ACLs containing "geoip" or "ecs" elements can match
  against the address encoded in the option. This can be
  used to select a view for a query, so that different answers
  can be provided depending on the client network.
- The EDNS EXPIRE option has been implemented on the client
  side, allowing a slave server to set the expiration timer
  correctly when transferring zone data from another slave
- A new "masterfile-style" zone option controls the formatting
  of text zone files: When set to "full", a zone file is dumped
  in single-line-per-record format.
- "dig" now supports sending arbitrary EDNS options by specifying
  them on the command line.
- "dig +ttlunits" causes dig to print TTL values with time-unit
  suffixes: w, d, h, m, s for weeks, days, hours, minutes, and
- "serial-update-method" can now be set to "date". On update,
  the serial number will be set to the current date in YYYYMMDDNN
- "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
- "named -L <filename>" causes named to send log messages to
  the specified file by default instead of to the system log.
- dig can now set arbitrary EDNS options on requests (+ednsopt).
- dig can now set yet-to-be-defined EDNS flags on requests (+ednsflags).

This release addresses the security flaw described in
CVE-2014-3214 and CVE-2014-3859.

BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:

- DNS Response-rate limiting (DNS RRL), which blunts the
  impact of reflection and amplification attacks, is always
  compiled in and no longer requires a compile-time option
  to enable it.
- An experimental "Source Identity Token" (SIT) EDNS option
  is now available. Similar to DNS Cookies as invented by
  Donald Eastlake 3rd, these are designed to enable clients
  to detect off-path spoofed responses, and to enable servers
  to detect spoofed-source queries. Servers can be configured
  to send smaller responses to clients that have not identified
  themselves using a SIT option, reducing the effectiveness of
  amplification attacks. RRL processing has also been updated;
  clients proven to be legitimate via SIT are not subject to
  rate limiting. Use "configure --enable-sit" to enable this
  feature in BIND.
- A new zone file format, "map", stores zone data in a
  format that can be mapped directly into memory, allowing
  significantly faster zone loading.
- "delv" (domain entity lookup and validation) is a new tool
  with dig-like semantics for looking up DNS data and performing
  internal DNSSEC validation. This allows easy validation in
  environments where the resolver may not be trustworthy, and
  assists with troubleshooting of DNSSEC problems. (NOTE:
  In previous development releases of BIND 9.10, this utility
  was called "delve". The spelling has been changed to avoid
  confusion with the "delve" utility included with the Xapian
  search engine.)
- Improved EDNS(0) processing for better resolver performance
  and reliability over slow or lossy connections.
- A new "configure --with-tuning=large" option tunes certain
  compiled-in constants and default settings to values better
  suited to large servers with abundant memory. This can
  improve performance on such servers, but will consume more
  memory and may degrade performance on smaller systems.
- Substantial improvement in response-policy zone (RPZ)
  performance. Up to 32 response-policy zones can be
  configured with minimal performance loss.
- To improve recursive resolver performance, cache records
  which are still being requested by clients can now be
  automatically refreshed from the authoritative server
  before they expire, reducing or eliminating the time
  window in which no answer is available in the cache.
- New "rpz-client-ip" triggers and drop policies allowing
  response policies based on the IP address of the client.
- ACLs can now be specified based on geographic location
  using the MaxMind GeoIP databases. Use "configure
  --with-geoip" to enable.
- Zone data can now be shared between views, allowing
  multiple views to serve the same zones authoritatively
  without storing multiple copies in memory.
- New XML schema (version 3) for the statistics channel
  includes many new statistics and uses a flattened XML tree
  for faster parsing. The older schema is now deprecated.
- A new stylesheet, based on the Google Charts API, displays
  XML statistics in charts and graphs on javascript-enabled
- The statistics channel can now provide data in JSON
  format as well as XML.
- New stats counters track TCP and UDP queries received
  per zone, and EDNS options received in total.
- The internal and export versions of the BIND libraries
  (libisc, libdns, etc) have been unified so that external
  library clients can use the same libraries as BIND itself.
- A new compile-time option, "configure --enable-native-pkcs11",
  allows BIND 9 cryptography functions to use the PKCS#11 API
  natively, so that BIND can drive a cryptographic hardware
  service module (HSM) directly instead of using a modified
  OpenSSL as an intermediary. (Note: This feature requires an
  HSM to have a full implementation of the PKCS#11 API; many
  current HSMs only have partial implementations. The new
  "pkcs11-tokens" command can be used to check API completeness.
  Native PKCS#11 is known to work with the Thales nShield HSM
  and with SoftHSM version 2 from the Open DNSSEC project.)
- The new "max-zone-ttl" option enforces maximum TTLs for
  zones. This can simplify the process of rolling DNSSEC keys
  by guaranteeing that cached signatures will have expired
  within the specified amount of time.
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
- "dig +expire" sends an EDNS EXPIRE option when querying.
  When this option is sent with an SOA query to a server
  that supports it, it will report the expiry time of
  a slave zone.
- New "dnssec-coverage" tool to check DNSSEC key coverage
  for a zone and report if a lapse in signing coverage has
  been inadvertently scheduled.
- Signing algorithm flexibility and other improvements
  for the "rndc" control channel.
- "named-checkzone" and "named-compilezone" can now read
  journal files, allowing them to process dynamic zones.
- Multiple DLZ databases can now be configured. Individual
  zones can be configured to be served from a specific DLZ
  database. DLZ databases now serve zones of type "master"
  and "redirect".
- "rndc zonestatus" reports information about a specified zone.
- "named" now listens on IPv6 as well as IPv4 interfaces
- "named" now preserves the capitalization of names
  when responding to queries: for instance, a query for
  "example.com" may be answered with "example.COM" if the
  name was configured that way in the zone file. Some
  clients have a bug causing them to depend on the older
  behavior, in which the case of the answer always matched
  the case of the query, rather than the case of the name
  configured in the DNS. Such clients can now be specified
  in the new "no-case-compress" ACL; this will restore the
  older behavior of "named" for those clients only.
- New "dnssec-importkey" command allows the use of offline
  DNSSEC keys with automatic DNSKEY management.
- New "named-rrchecker" tool to verify the syntactic
  correctness of individual resource records.
- When re-signing a zone, the new "dnssec-signzone -Q" option
  drops signatures from keys that are still published but are
  no longer active.
- "named-checkconf -px" will print the contents of configuration
  files with the shared secrets obscured, making it easier to
  share configuration (e.g. when submitting a bug report)
  without revealing private information.
- "rndc scan" causes named to re-scan network interfaces for
  changes in local addresses.
- On operating systems with support for routing sockets,
  network interfaces are re-scanned automatically whenever
  they change.
- "tsig-keygen" is now available as an alternate command
  name to use for "ddns-confgen".

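The Source Identity Token item in the list above says that a token lets
clients detect off-path spoofed responses and lets servers detect
spoofed-source queries. The following Python model is an added example, not
BIND code and not the SIT wire format: it assumes an HMAC-SHA256 construction
in the spirit of DNS Cookies, and every name, secret, address and lifetime in
it is constructed for illustration.

```python
import hashlib
import hmac
import struct

COOKIE_LEN = 8   # bytes kept from each HMAC (assumed, modelled on DNS Cookies)
MAX_AGE = 3600   # seconds a server token is honoured (assumed value)
VERIFIED = "exempt-from-rrl"          # client proved it can receive at its source address
UNVERIFIED = "rrl+small-response"     # treated as possibly spoofed


def _mac(secret, *parts):
    # Length-prefix every part so different inputs cannot collide.
    msg = b"".join(struct.pack("!H", len(p)) + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


class Client:
    def __init__(self, secret, ip):
        self.secret, self.ip = secret, ip
        self.tokens = {}  # server IP -> last server token received

    def cookie(self, server_ip):
        return _mac(self.secret, self.ip.encode(), server_ip.encode())

    def build_query(self, server_ip):
        return {"src": self.ip, "client_cookie": self.cookie(server_ip),
                "server_token": self.tokens.get(server_ip)}

    def accept_response(self, server_ip, resp):
        # An off-path spoofer never saw the query, so it cannot echo the cookie.
        echoed = resp.get("client_cookie") or b""
        if not hmac.compare_digest(echoed, self.cookie(server_ip)):
            return False
        self.tokens[server_ip] = resp["server_token"]
        return True


class Server:
    def __init__(self, secret):
        self.secret = secret

    def _token(self, src, cookie, now):
        ts = struct.pack("!I", now)
        return ts + _mac(self.secret, src.encode(), cookie, ts)

    def _verified(self, src, cookie, token, now):
        if token is None or len(token) != 4 + COOKIE_LEN:
            return False
        issued = struct.unpack("!I", token[:4])[0]
        if not 0 <= now - issued <= MAX_AGE:
            return False
        # The MAC binds the token to the source address it was issued to.
        return hmac.compare_digest(token, self._token(src, cookie, issued))

    def handle(self, query, now):
        cookie = query.get("client_cookie")
        if cookie is None:
            return {"treatment": UNVERIFIED, "client_cookie": None,
                    "server_token": None}
        ok = self._verified(query["src"], cookie, query.get("server_token"), now)
        return {"treatment": VERIFIED if ok else UNVERIFIED,
                "client_cookie": cookie,
                "server_token": self._token(query["src"], cookie, now)}


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    server_ip = "192.0.2.53"
    server = Server(b"constructed-server-secret")
    victim = Client(b"constructed-client-secret", "198.51.100.7")
    attacker = Client(b"constructed-attacker-secret", "203.0.113.66")
    out = {}
    r1 = server.handle(victim.build_query(server_ip), t0)
    out["first_contact"] = r1["treatment"]
    out["genuine_response_accepted"] = victim.accept_response(server_ip, r1)
    q2 = victim.build_query(server_ip)
    out["second_query"] = server.handle(q2, t0 + 5)["treatment"]
    out["expired_token"] = server.handle(q2, t0 + MAX_AGE + 1)["treatment"]
    # The attacker holds a valid token for its own address, then forges the source.
    attacker.accept_response(
        server_ip, server.handle(attacker.build_query(server_ip), t0))
    forged = dict(attacker.build_query(server_ip), src=victim.ip)
    out["spoofed_source"] = server.handle(forged, t0 + 5)["treatment"]
    fake = {"client_cookie": b"\x00" * COOKIE_LEN, "server_token": b"\x00" * 12}
    out["spoofed_response_accepted"] = victim.accept_response(server_ip, fake)
    return out


if __name__ == "__main__":
    print(demo())
```

A first-contact query is always treated as unverified; only the second query,
carrying a token the server issued to that same source address, earns the
exemption from rate limiting.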
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.

We've had successful builds and tests on the following systems:

    COMPAQ Tru64 UNIX 5.1B
    Fedora Core 6
    FreeBSD 4.10, 5.2.1, 6.2
    Mac OS X 10.5
    NetBSD 3.x, 4.0-beta, 5.0-beta
    OpenBSD 3.3 and up
    Solaris 8, 9, 9 (x86), 10
    Ubuntu 7.04, 7.10
    Windows XP/2003/2008

NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer

We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:

    CentOS 4, 4.5, 5
    Darwin 9.0.0d1/ARM
    Debian 4, 5, 6
    Fedora Core 5, 7, 8
    FreeBSD 6, 7, 8
    HP-UX 11.23 PA
    MacOS X 10.5, 10.6, 10.7
    Red Hat Enterprise Linux 4, 5, 6
    SCO OpenServer 5.0.6
    Slackware 9, 10

To build, just

Do not use a parallel "make".

Several environment variables that can be set before running
configure will affect compilation:

    The C compiler to use. configure tries to figure
    out the right one for supported systems.

    C compiler flags. Defaults to include -g and/or -O2
    as supported by the compiler. Please include '-g'
    if you need to set CFLAGS.

    System header file directories. Can be used to specify
    where add-on thread or IPv6 support is, for example.
    Defaults to empty string.

STD_CDEFINES
    Any additional preprocessor symbols you want defined.
    Defaults to empty string.

    Possible settings:
    Change the default syslog facility of named/lwresd.
        -DISC_FACILITY=LOG_LOCAL0
    Enable DNSSEC signature chasing support in dig.
        -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
        -DDIG_SIGCHASE_BU=1)
    Disable dropping queries from particular well known ports.
        -DNS_CLIENT_DROPPORT=0
    Sibling glue checking in named-checkzone is enabled by default.
    To disable the default check, set:
        -DCHECK_SIBLING=0
    named-checkzone checks out-of-zone addresses by default.
    To disable this default, set:
        -DCHECK_LOCAL=0
    To create the default pid files in ${localstatedir}/run rather
    than ${localstatedir}/run/{named,lwresd}/, set:
        -DNS_RUN_PID_DIR=0
    Enable workaround for Solaris kernel bug about /dev/poll
        -DISC_SOCKET_USE_POLLWATCH=1
    The watch timeout is also configurable, e.g.,
        -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    Linker flags. Defaults to empty string.

The following need to be set when cross compiling.

    The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
    Possible Settings:
        -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)

948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley On most platforms, BIND 9 is built with multithreading
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley support, allowing it to take advantage of multiple CPUs.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley You can configure this by specifying "--enable-threads" or
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley "--disable-threads" on the configure command line. The default
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley is to enable threads, except on some older operating systems
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley on which threads are known to have had problems in the past.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley (Note: Prior to BIND 9.10, the default was to disable threads on
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Linux systems; this has been reversed. On Linux systems, the
4e142a5bccd2944174ad9ae58d86cf03e170054dBob Halley threaded build is known to change BIND's behavior with respect
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley to file permissions; it may be necessary to specify a user with
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley the -u option when running named.)
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley To build shared libraries, specify "--with-libtool" on the
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley configure command line.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Certain compiled-in constants and default settings can be
368b37b616234fce3d23099eb180f1dd38e1fb62Mark Andrews increased to values better suited to large servers with abundant
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley memory resources (e.g, 64-bit servers with 12G or more of memory)
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence by specifying "--with-tuning=large" on the configure command
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley line. This can improve performance on big servers, but will
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley consume more memory and may degrade performance on smaller
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley For the server to support DNSSEC, you need to build it
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley with crypto support. You must have OpenSSL 0.9.5a
b2ca6fd3a8293440b4d263723525396059cf2400Brian Wellington or newer installed and specify "--with-openssl" on the
b2ca6fd3a8293440b4d263723525396059cf2400Brian Wellington configure command line. If OpenSSL is installed under
84185d19c7a9ef1ac23cc6236c8773697d4efeb1Brian Wellington a nonstandard prefix, you can tell configure where to
84185d19c7a9ef1ac23cc6236c8773697d4efeb1Brian Wellington look for it using "--with-openssl=/prefix".
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley To support the HTTP statistics channel, the server must
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley be linked with at least one of the following: libxml2
94a08e09db3dc844b6ee4841c368a2d7074a9c3fAndreas Gustafsson (http://xmlsoft.org) or json-c (https://github.com/json-c).
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley If these are installed at a nonstandard prefix, use
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff "--with-libxml2=/prefix" or "--with-libjson=/prefix".
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley On some platforms it is necessary to explicitly request large
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley file support to handle files bigger than 2GB. This can be
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley done by "--enable-largefile" on the configure command line.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Support for the "fixed" rrset-order option can be enabled
8569ab045a4cf6ecd1b5a3354ddb1c93ef34ea57Brian Wellington or disabled by specifying "--enable-fixed-rrset" or
8569ab045a4cf6ecd1b5a3354ddb1c93ef34ea57Brian Wellington "--disable-fixed-rrset" on the configure command line.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley The default is "disabled", to reduce memory footprint.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley If your operating system has integrated support for IPv6, it
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley will be used automatically. If you have installed KAME IPv6
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley separately, use "--with-kame[=PATH]" to specify its location.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley "make install" will install "named" and the various BIND 9 libraries.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley By default, installation is into /usr/local, but this can be changed
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley with the "--prefix" option when running "configure".
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley You may specify the option "--sysconfdir" to set the directory
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley where configuration files like "named.conf" go by default,
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence and "--localstatedir" to set the default parent directory
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley of "run/named.pid". For backwards compatibility with BIND 8,
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley --sysconfdir defaults to "/etc" and --localstatedir defaults to
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley "/var" if no --prefix option is given. If there is a --prefix
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley option, sysconfdir defaults to "$prefix/etc" and localstatedir
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff defaults to "$prefix/var".
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley To see additional configure options, run "configure --help".
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Note that the help message does not reflect the BIND 8
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley compatibility defaults for sysconfdir and localstatedir.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley If you're planning on making changes to the BIND 9 source, you
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence should also "make depend". If you're using Emacs, you might find
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence "make tags" helpful.
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence If you need to re-run configure, please run "make distclean" first.
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence This will ensure that all the option changes take effect.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Building with gcc is not supported, unless gcc is the vendor's usual
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley compiler (e.g. the various BSD systems, Linux).
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews Known compiler issues:
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews * gcc-3.3.5 powerpc generates incorrect code at -O2.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews * Irix, MipsPRO 7.4.1m is known to cause problems.
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley A limited test suite can be run with "make test". Many of
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence the tests require you to configure a set of virtual IP addresses
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley on your system, and some require Perl; see bin/tests/system/README
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley for details.
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence SunOS 4 requires "printf" to be installed to make the shared
c866769e664ba0a6a5e6f9375245f5ccca393009David Lawrence libraries. sh-utils-1.16 provides a "printf" which compiles
948eabe2a254a8a278ef6325f3790e75329ee656Bob Halley Known limitations
4e142a5bccd2944174ad9ae58d86cf03e170054dBob Halley Linux requires kernel build 2.6.39 or later to get the
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews performance benefits from using multiple sockets.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Documentation
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews The BIND 9 Administrator Reference Manual is included with the
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews source distribution in DocBook XML and HTML format, in the
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Some of the programs in the BIND 9 distribution have man pages
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews in their directories. In particular, the command line
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews options of "named" are documented in /bin/named/named.8.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews There is now also a set of man pages for the lwres library.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews If you are upgrading from BIND 8, please read the migration
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews notes in doc/misc/migration. If you are upgrading from
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Frequently asked questions and their answers can be found in
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Additional information on various subjects can be found
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews in the other README files.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews A detailed list of all changes to BIND 9 is included in the
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews file CHANGES, with the most recent changes listed first.
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Change notes include tags indicating the category of the
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews change that was made; these categories are:
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [func] New feature
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [bug] General bug fix
80b782f356f0692c11b4e52e8dd46ec41704e5a2Mark Andrews [security] Fix for a significant security flaw
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [experimental] Used for new features when the syntax
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews or other aspects of the design are still
80b782f356f0692c11b4e52e8dd46ec41704e5a2Mark Andrews in flux and may change
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [port] Portability enhancement
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [maint] Updates to built-in data such as root
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews server addresses and keys
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [tuning] Changes to built-in configuration defaults
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews and constants to improve performance
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [protocol] Updates to the DNS protocol such as new
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [test] Changes to the automatic tests, not
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews affecting server functionality
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [cleanup] Minor corrections and refactoring
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [doc] Documentation
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [contrib] Changes to the contributed tools and
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews libraries in the 'contrib' subdirectory
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews [placeholder] Used in the master development branch to
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews reserve change numbers for use in other
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews branches, e.g. when fixing a bug that only
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews exists in older releases
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews In general, [func] and [experimental] tags will only appear
80b782f356f0692c11b4e52e8dd46ec41704e5a2Mark Andrews in new-feature releases (i.e., those with version numbers
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews ending in zero). Some new functionality may be backported to
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews older releases on a case-by-case basis. All other change
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews types may be applied to all currently-supported releases.
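The category tags described above make it possible to triage a CHANGES file for [security] entries before deciding how urgently to upgrade. The following is an added example, not part of the BIND distribution; the entry layout it parses ("NNNN. [tag] text", indented continuation lines, "--- X released ---" markers above the entries of that release) is an assumption, and the sample entries, change numbers and version numbers are constructed.

```shell
#!/bin/sh
# Constructed CHANGES excerpt (assumed layout; all numbers and text invented).
sample_changes() {
cat <<'EOF'
    --- 9.99.1 released ---

1004.   [security]      Constructed entry: reject malformed input
                        that triggered an assertion failure.

1003.   [bug]           Constructed entry: fix a logging typo.

    --- 9.99.0 released ---

1002.   [func]          Constructed entry: add a new option.

1001.   [security]      Constructed entry: tighten an ACL check.
EOF
}

# changes_by_tag TAG: read CHANGES text on stdin and print one line per
# entry carrying [TAG], as "release<TAB>change-number<TAB>description".
# Continuation lines are joined; entries above the first release marker
# are reported as "unreleased".
changes_by_tag() {
    awk -v want="[$1]" '
        function emit() {
            if (num != "" && tag == want) print rel "\t" num "\t" text
            num = ""
        }
        BEGIN { rel = "unreleased" }
        /--- .* released ---/ { emit(); rel = $2; next }
        /^[0-9]+\.[ \t]+\[[a-z]+\]/ {
            emit()
            num = $1; sub(/\.$/, "", num)
            tag = $2
            text = $0
            sub(/^[0-9]+\.[ \t]+\[[a-z]+\][ \t]+/, "", text)
            next
        }
        /^[ \t]+[^ \t]/ && num != "" {
            line = $0; sub(/^[ \t]+/, "", line)
            text = text " " line
            next
        }
        END { emit() }
    '
}

sample_changes | changes_by_tag security
```

Against a real tree, feed the file in with `changes_by_tag security < CHANGES` and compare the release column with the version you are running.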
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Bug Reports and Mailing Lists
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Bug reports should be sent to:
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews bind9-bugs@isc.org
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Feature requests can be sent to:
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews bind-suggest@isc.org
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews To join or view the archives of the BIND Users mailing list,
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews https://lists.isc.org/mailman/listinfo/bind-users
7ac0df532272d803c3f72ff7a109587e92622f5aMark Andrews If you're planning on making changes to the BIND 9 source
d0eb2cc33c5db3366a16b1cb0abcca6ec7c8ee3cTatuya JINMEI 神明達哉 code, you may also want to join the BIND Workers mailing
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews https://lists.isc.org/mailman/listinfo/bind-workers
0cae66577c69c89086cd065bb297690072b471b4Mark Andrews Information on read-only Git access, coding style and developer
0cae66577c69c89086cd065bb297690072b471b4Mark Andrews guidelines can be found at:
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Acknowledgments
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews - This product includes software developed by the OpenSSL Project
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews - This product includes cryptographic software written by Eric
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews Young (eay@cryptsoft.com).
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews - This product includes software written by Tim Hudson
ff30cdeb783ca7ffe69b222c56197828e882c229Mark Andrews (tjh@cryptsoft.com).