Copyright (C) 2000, 2001, 2003, 2004, 2007, 2008, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

                BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed, unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older), you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement for those slaves.

BIND 9.4 onwards implements "allow-query-cache". The "allow-query"
option is no longer used to specify access to the cache. The
"allow-query" option continues to specify which hosts are allowed
to ask ordinary DNS questions; the new "allow-query-cache" option
specifies which hosts are allowed to get answers from the cache.
Since BIND 9.4.1, if "allow-query-cache" is not set, then
"allow-recursion" is used if it is set; otherwise "allow-query" is
used if it is set; otherwise the default of localnets and localhost
is used. Check the effective value after upgrading: with a permissive
"allow-query" and neither of the other two options set, the cache is
readable by every host that "allow-query" admits.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files do not cause the server to exit, but they
do cause the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customised your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that any
messages about errors in the configuration file are always logged to
the default destination (syslog) when the server first starts up,
regardless of the contents of the "logging" statement. In BIND 8, the
new logging configuration took effect immediately after the "logging"
statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these are now controlled by
"notify-source" and "transfer-source", respectively, rather than by
"query-source" as in BIND 8.

1.5. Multiple Classes

If you serve zones of more than one class, each class has to be put
into an explicit view of its own.


2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted TTLs in zone files. Omitted TTLs are replaced by the value
specified with the $TTL directive, or by the previous explicit TTL if
there is no $TTL directive.

If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the zone file is illegal according to
RFC1035 since the TTL of the first RR is undefined. Unfortunately,
BIND 4 and many versions of BIND 8 accept such files without warning
and use the value of the SOA MINTTL field as a default for missing TTL
values.

BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2 and
later emulate the nonstandard BIND 4/8 SOA MINTTL behaviour and load
the files anyway (provided the SOA is the first record in the file),
but issue the warning message "no TTL specified; using SOA MINTTL
instead".

To avoid problems, we recommend that you use a $TTL directive in each
zone file.

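The TTL rules above, worked through in code. This is an added example written for these notes, not code from BIND: it models the precedence described in this section (an explicit TTL; otherwise the $TTL value; otherwise the previous explicit TTL; otherwise, for a leading SOA, its MINTTL with the BIND 9.2 warning; otherwise a load error) on a simplified master file with one record per line and no $ORIGIN or parenthesised continuation. The sample zone is constructed. That the SOA MINTTL fallback also becomes the default for later RRs follows the BIND 4/8 behaviour the text describes and is an assumption of this model.

```python
"""Fill in omitted TTLs the way BIND 9.2+ does, for a one-RR-per-line file."""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_CLASSES = {"IN", "CH", "HS"}


def parse_ttl(token):
    """Seconds for '3600' or BIND's '1h30m' style; None if not a TTL."""
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(?:\d+[smhdwSMHDW])+", token):
        return None
    return sum(int(n) * _UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW])", token))


def resolve_ttls(lines):
    """Return (records, warnings); records are (owner, ttl, rtype, rdata).

    Raises ValueError where BIND 9 refuses the file because an RR's TTL
    cannot be determined. Comments after ';' are stripped (so this does
    not handle ';' inside quoted TXT strings).
    """
    default_ttl = None      # set by $TTL, or by the SOA MINTTL fallback
    previous_ttl = None     # last explicit TTL seen
    records, warnings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = parse_ttl(fields[1])
            if default_ttl is None:
                raise ValueError(f"line {lineno}: bad $TTL value {fields[1]!r}")
            continue
        if fields[0].startswith("$"):
            continue                      # $ORIGIN, $INCLUDE: not modelled
        if raw[0].isspace():              # blank owner: inherit the previous one
            if not records:
                raise ValueError(f"line {lineno}: no previous owner name")
            owner, rest = records[-1][0], fields
        else:
            owner, rest = fields[0], fields[1:]
        ttl = None                        # [TTL] [class] in either order
        while rest:
            if rest[0].upper() in _CLASSES:
                rest.pop(0)
            elif ttl is None and parse_ttl(rest[0]) is not None:
                ttl = parse_ttl(rest.pop(0))
            else:
                break
        if not rest:
            raise ValueError(f"line {lineno}: no record type")
        rtype, rdata = rest[0].upper(), rest[1:]
        if ttl is not None:
            previous_ttl = ttl
        elif default_ttl is not None:
            ttl = default_ttl
        elif previous_ttl is not None:
            ttl = previous_ttl
        elif rtype == "SOA" and not records:
            ttl = default_ttl = int(rdata[-1])    # SOA MINIMUM field
            warnings.append(f"line {lineno}: no TTL specified; "
                            "using SOA MINTTL instead")
        else:
            raise ValueError(f"line {lineno}: no TTL specified "
                             "(no $TTL directive and no explicit TTL yet)")
        records.append((owner, ttl, rtype, rdata))
    return records, warnings


def ttl_error(lines):
    """The load error BIND 9 would report for the file, or None if it loads."""
    try:
        resolve_ttls(lines)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: the BIND 4/8 style file the text describes (no $TTL,
# no TTL on the SOA), followed by an explicit and another omitted TTL.
LEGACY_ZONE = [
    "example.  IN SOA ns.example. hostmaster.example. 1 3600 1800 1814400 3600",
    "          IN NS ns.example.",
    "ns.example. 300 IN A 192.0.2.1",
    "www.example. IN A 192.0.2.2   ; gets the SOA MINTTL (3600), not 300",
]

if __name__ == "__main__":
    recs, warns = resolve_ttls(LEGACY_ZONE)
    for rec in recs:
        print(rec)
    for warn in warns:
        print("warning:", warn)
```

Running it on LEGACY_ZONE shows the point of the section: the NS and the www A record both end up with the SOA MINTTL of 3600, the explicit 300 on ns.example. does not become the default for what follows, and one warning is printed. Drop the SOA from the file and the same input is rejected, which is what BIND 9.0 and 9.1 did for all such files.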
2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file", because BIND 9 interprets
everything up to the next quote character, across line breaks, as
part of the quoted string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly enclosed in parentheses, like the following SOA:

    @ IN SOA ns.example. hostmaster.example.
        ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9, because the record ends at the first line break. The fix
is to move the opening parenthesis to the first line.

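The two failure modes above, an unbalanced quote (2.3) and a line break outside parentheses (2.4), come from the same tokenizer rules, so here is a small master-file tokenizer that applies them. It is an added example for these notes, not BIND's own lexer: a newline ends a record unless it falls inside "( ... )", a double-quoted string runs across whitespace, ';', parentheses and line breaks until the closing quote, and an unterminated string is reported as "unexpected end of file" as the text describes. The sample records are constructed; check_records knows only that an SOA needs seven rdata fields, which is enough to show why the unparenthesised SOA fails and its parenthesised form loads.

```python
"""Master-file tokenizer applying the RFC 1035 quoting and '( )' rules."""

_CLASSES = {"IN", "CH", "HS"}


def tokenize(text):
    """Return records as token lists. A record whose first line starts with
    whitespace (blank owner name) gets "" as its first token. Escapes such
    as \\" and \\032 are kept verbatim. Raises ValueError on an unterminated
    quoted string or unbalanced parentheses."""
    records, tokens, tok = [], [], []
    have_tok = in_quote = blank_owner = False
    depth, line, quote_line = 0, 1, 1
    at_line_start = True

    def flush():
        nonlocal tok, have_tok
        if have_tok:
            tokens.append("".join(tok))
        tok, have_tok = [], False

    def end_record():
        nonlocal tokens, blank_owner
        flush()
        if tokens:
            records.append(([""] if blank_owner else []) + tokens)
        tokens, blank_owner = [], False

    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_quote:                      # inside "...": only \ and " are special
            if c == "\\" and i + 1 < n:
                tok.append(text[i:i + 2]); i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                tok.append(c)
                line += c == "\n"
            i += 1
            continue
        if c == "\n":
            flush()
            line += 1
            if depth == 0:                # newline ends the record only outside ( )
                end_record()
            at_line_start = True
            i += 1
            continue
        if c in " \t\r":
            flush()
            if at_line_start and depth == 0 and not tokens:
                blank_owner = True
        elif c == ";":                    # comment to end of line
            flush()
            while i + 1 < n and text[i + 1] != "\n":
                i += 1
        elif c == "(":
            flush(); depth += 1
        elif c == ")":
            flush(); depth -= 1
            if depth < 0:
                raise ValueError(f"line {line}: unbalanced ')'")
        elif c == '"':
            in_quote, have_tok, quote_line = True, True, line
        elif c == "\\" and i + 1 < n:
            tok.append(text[i:i + 2]); have_tok = True; i += 1
        else:
            tok.append(c); have_tok = True
        at_line_start = False
        i += 1
    if in_quote:
        raise ValueError("unexpected end of file: quoted string opened on "
                         f"line {quote_line} is never closed")
    if depth:
        raise ValueError("unexpected end of file: unbalanced '('")
    end_record()
    return records


def split_record(rec):
    """(owner, ttl, class, type, rdata) for one record, or ValueError."""
    owner, rest = rec[0], list(rec[1:])
    ttl = cls = None
    while rest:                           # TTL and class are optional, any order
        if cls is None and rest[0].upper() in _CLASSES:
            cls = rest.pop(0).upper()
        elif ttl is None and rest[0].isdigit():
            ttl = int(rest.pop(0))
        else:
            break
    if not rest or not rest[0].isalpha():
        raise ValueError(f"no record type in {' '.join(rec)!r}")
    return owner, ttl, cls, rest[0].upper(), rest[1:]


def check_records(records):
    """Problems BIND 9 would report (only the SOA field count is modelled)."""
    problems = []
    for rec in records:
        try:
            _, _, _, rtype, rdata = split_record(rec)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if rtype == "SOA" and len(rdata) != 7:
            problems.append(f"SOA has {len(rdata)} rdata fields, expected 7")
    return problems


def check_text(text):
    """Tokenize and check; an empty list means the text loads."""
    try:
        return check_records(tokenize(text))
    except ValueError as exc:
        return [str(exc)]


# Constructed samples: the cases from 2.3 and 2.4, and the corrected SOA.
BROKEN_SOA = ("@ IN SOA ns.example. hostmaster.example.\n"
              "        ( 1 3600 1800 1814400 3600 )\n")
FIXED_SOA = ("@ IN SOA ns.example. hostmaster.example. (\n"
             "        1 3600 1800 1814400 3600 )\n")
UNBALANCED_TXT = 'host TXT "foo\nwww IN A 192.0.2.1\n'
```

On BROKEN_SOA the tokenizer yields two records, an SOA with two rdata fields and a second record with a blank owner and no type, which is the shape of the error BIND 9 gives; FIXED_SOA yields one ten-token record. On UNBALANCED_TXT the quote opened on line 1 swallows the A record on line 2 and the file ends inside the string.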
2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.

2.6. TXT Records Are No Longer Automatically Split

Some versions of BIND accepted strings in TXT RDATA consisting of more
than 255 characters and silently split them to be able to encode the
strings in a protocol-conformant way. You may now see errors like

    dns_rdata_fromtext: local.db:119: ran out of space

if you have TXT RRs with strings that are too long. Make sure that
each individual string in the zone data file is no longer than 255
characters, splitting longer strings into several quoted strings.

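A migration script can do the split that BIND 8 used to do silently. The code below is an added example for these notes, not part of BIND: it decodes the escapes of a quoted master-file string to octets, splits at 255 octets (the limit is on the octets of the encoded <character-string>, so an escape such as \" counts as one and a multi-byte UTF-8 character as several), re-escapes the chunks for the zone file, and encodes the result as it goes on the wire so that an over-long chunk fails at the same point where BIND reports "ran out of space". The sample record and the helper names are constructed for the example.

```python
"""Split over-long TXT strings into <character-string>s of at most 255 octets."""
import re

MAX_CHARACTER_STRING = 255


def strip_quotes(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def unescape(text):
    """Decode master-file escapes (\\X and \\DDD) in a string's contents to octets."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            m = re.match(r"\\(\d{3})", text[i:])
            if m:                                    # \DDD: one octet, decimal
                out.append(int(m.group(1)))
                i += 4
                continue
            out.extend(text[i + 1].encode("utf-8"))  # \X: literal X
            i += 2
            continue
        out.extend(c.encode("utf-8"))
        i += 1
    return bytes(out)


def escape(data):
    """Present octets as a double-quoted master-file string."""
    out = []
    for b in data:
        if b in (0x22, 0x5C):                        # '"' and '\'
            out.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f"\\{b:03d}")
    return '"' + "".join(out) + '"'


def split_txt(value, limit=MAX_CHARACTER_STRING):
    """Split decoded octets into chunks that fit one length octet each."""
    return [value[i:i + limit] for i in range(0, len(value), limit)] or [b""]


def wire_txt_rdata(chunks):
    """Length-prefixed TXT RDATA; raises where BIND's encoder runs out of space."""
    out = bytearray()
    for chunk in chunks:
        if len(chunk) > MAX_CHARACTER_STRING:
            raise ValueError(f"ran out of space: {len(chunk)}-octet string")
        out.append(len(chunk))
        out.extend(chunk)
    return bytes(out)


def txt_error(quoted_strings):
    """The error a TXT RR with these strings would produce, or None."""
    try:
        wire_txt_rdata([unescape(strip_quotes(s)) for s in quoted_strings])
    except ValueError as exc:
        return str(exc)
    return None


def fix_txt_line(owner, quoted_string, ttl=3600):
    """Rewrite 'owner TXT "..."' so every string is at most 255 octets."""
    chunks = split_txt(unescape(strip_quotes(quoted_string)))
    return f"{owner} {ttl} IN TXT " + " ".join(escape(c) for c in chunks)


# Constructed sample: a 300-character string that BIND 8 would have split.
SAMPLE_LINE = fix_txt_line("host.example.", '"' + "x" * 300 + '"')

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(txt_error(['"' + "y" * 256 + '"']))
```

Consumers such as SPF and DKIM verifiers concatenate the strings of a TXT RR, so splitting at an arbitrary octet boundary is safe for them; splitting a multi-byte character across two strings is legal for the DNS but worth avoiding if a human will read the individual strings.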
3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets the DO (DNSSEC OK) bit in the EDNS flags of its queries to
indicate that it wishes to receive DNSSEC responses.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this implementation will be very slow or
fail completely. We have contacted the manufacturer of the name server
in question, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram, which is subject to fragmentation
at the IP level. If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

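The EDNS0 exchange described above, as an added example for these notes (not BIND's resolver code): it builds a query carrying an OPT pseudo-RR that advertises a 4096-byte buffer and sets the DO bit, then applies the fallback rule, retrying without EDNS0 when the reply is FORMERR or NOTIMP. legacy_server and edns_server are constructed stand-ins for the two kinds of authoritative server; no packets leave the process. Retrying without EDNS0 after a silent drop is an assumption made for illustration, not a statement of what the BIND 9 releases covered by this note did.

```python
"""EDNS0 query construction and the FORMERR/NOTIMP fallback, in miniature.

Wire layouts: header and question from RFC 1035 section 4.1, the OPT
pseudo-RR from RFC 2671 section 4. The parser assumes what build_query
produces: one question, no answers, and an OPT RR without options as the
only additional record.
"""
import secrets
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP = 0, 1, 4
DO_BIT = 0x8000          # "DNSSEC OK": top bit of the 16-bit EDNS flags
EDNS_UDP_SIZE = 4096     # receive buffer size advertised, as in the text
OPT_RR_LEN = 11          # root name (1) + type, class (4) + ttl (4) + rdlen (2)


def encode_name(name):
    """Dotted name to uncompressed wire labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(qid, qname, qtype=TYPE_A, edns=True,
                udp_size=EDNS_UDP_SIZE, do=True):
    """Recursion-desired query; with edns=True an OPT RR is appended."""
    pkt = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack(">HH", qtype, CLASS_IN)
    if edns:
        # OPT: NAME=root, TYPE=41, CLASS=sender's UDP payload size,
        # TTL = extended rcode (8) | version (8) | flags (16, DO on top), RDLEN=0
        pkt += b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, udp_size,
                                      0, 0, DO_BIT if do else 0, 0)
    return pkt


def has_edns(pkt):
    """True if the packet ends with an OPT RR laid out as built above."""
    arcount = struct.unpack(">H", pkt[10:12])[0]
    return arcount > 0 and pkt[-OPT_RR_LEN:-OPT_RR_LEN + 3] == b"\x00\x00\x29"


def rcode(pkt):
    return struct.unpack(">H", pkt[2:4])[0] & 0x0F


def legacy_server(query):
    """Constructed pre-EDNS server: FORMERR to anything carrying an
    additional record, otherwise an empty NOERROR reply echoing the question."""
    qid, _, qd, _, _, ar = struct.unpack(">HHHHHH", query[:12])
    code = RCODE_FORMERR if ar else RCODE_NOERROR
    question = query[12:len(query) - (OPT_RR_LEN if ar else 0)]
    return struct.pack(">HHHHHH", qid, 0x8180 | code, qd, 0, 0, 0) + question


def edns_server(query):
    """Constructed EDNS-aware server: NOERROR, echoing question and OPT RR."""
    qid, _, qd, _, _, ar = struct.unpack(">HHHHHH", query[:12])
    return struct.pack(">HHHHHH", qid, 0x8180, qd, 0, 0, ar) + query[12:]


def resolve(qname, server):
    """Query with EDNS0 first; on FORMERR/NOTIMP (or no reply) retry once
    without it, with a fresh random message ID per attempt.
    Returns (outcome, attempts); attempts are (edns_used, rcode_or_None)."""
    attempts = []
    for edns in (True, False):
        qid = secrets.randbits(16)
        reply = server(build_query(qid, qname, edns=edns))
        code = rcode(reply) if reply is not None else None
        attempts.append((edns, code))
        if reply is None:
            continue                  # silent drop: assumed to fall back like FORMERR
        if reply[:2] != struct.pack(">H", qid):
            continue                  # ID mismatch: not our answer, do not use it
        if code in (RCODE_FORMERR, RCODE_NOTIMP) and edns:
            continue                  # old server: retry as plain DNS
        return "accept", attempts
    return "give-up", attempts


if __name__ == "__main__":
    print(resolve("example.", legacy_server))   # EDNS attempt FORMERR, plain accepted
    print(resolve("example.", edns_server))     # accepted on the first try
```

The last eleven bytes of an EDNS query are the OPT RR: name 00, type 0029, class 1000 (4096), TTL 00 00 8000 (extended rcode 0, version 0, DO set), RDLEN 0000. Against legacy_server the first attempt returns FORMERR and the plain retry is accepted; against a server that drops EDNS queries silently the only thing that saves the lookup is the timeout branch, which is the slowness the text warns about.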
3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a
bug in the Windows 2000 DNS server where DNS messages larger than
16K are not handled properly. Obtain the latest service pack for
Windows 2000 from Microsoft to address this issue. In the meantime,
the problem can be worked around by setting "transfer-format
one-answer;" in a server statement for the affected slaves. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;297936

4. Unrestricted Character Set

    (BIND 9.2 only; see the note at the end of this section.)

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when they contain unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.

BIND 9.3 onwards implements check-names.

5. Server Administration Tools

5.1. Ndc Replaced by Rndc

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file
containing the shared secret key it authenticates with. The easiest
way to generate one is to run "rndc-confgen -a"; see the man pages
for rndc(8), rndc-confgen(8), and rndc.conf(5) for details.

5.2. Nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature
where an update request would be broken down into multiple requests
based upon the discovered zones that contained the records. This
behaviour has not been implemented in BIND 9. Each update request
must pertain to a single zone, but it is still possible to do multiple
updates in a single invocation of nsupdate by terminating each update
with an empty line or a "send" command.


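For sites that relied on BIND 8's automatic splitting, the grouping can be done before nsupdate is invoked. The helper below is an added example for these notes, not part of BIND's nsupdate: given the zones the operator knows the server holds (BIND 8 discovered them itself; this code does no network lookups), it assigns each record to its zone by longest suffix match and emits nsupdate input with a "zone" line and a "send" per transaction, so that no single request spans two zones. The sample zones and updates are constructed; owner names are expected to be absolute.

```python
"""Group dynamic updates by zone, one nsupdate transaction per zone."""


def owning_zone(name, zones):
    """Longest configured zone that contains name (absolute names)."""
    name = name.lower().rstrip(".") + "."
    best = None
    for zone in zones:
        z = zone.lower().rstrip(".") + "."
        if z == "." or name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    if best is None:
        raise ValueError(f"{name} is not within any configured zone")
    return best


def batch_updates(updates, zones, server=None):
    """updates: iterable of (action, owner, ttl, rtype, rdata); ttl and rdata
    may be None (nsupdate's "update delete owner type" form). Returns the
    text to feed nsupdate, grouped by zone in first-seen order."""
    groups = {}
    for action, owner, ttl, rtype, rdata in updates:
        if action not in ("add", "delete"):
            raise ValueError(f"unknown action {action!r}")
        parts = ["update", action, owner] + [
            str(p) for p in (ttl, rtype, rdata) if p is not None]
        groups.setdefault(owning_zone(owner, zones), []).append(" ".join(parts))
    lines = []
    for zone, records in groups.items():
        if server:
            lines.append(f"server {server}")
        lines.append(f"zone {zone}")       # pins the transaction to one zone
        lines.extend(records)
        lines.append("send")               # one request per zone
    return "\n".join(lines) + "\n"


def update_error(updates, zones):
    """Why a batch cannot be built, or None if it can."""
    try:
        batch_updates(updates, zones)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: parent and child zone records mixed in one list, as a
# BIND 8 nsupdate run would have accepted.
SAMPLE_ZONES = ["example.", "sub.example."]
SAMPLE_UPDATES = [
    ("add", "www.example.", 300, "A", "192.0.2.1"),
    ("add", "host.sub.example.", 300, "A", "192.0.2.2"),
    ("delete", "old.example.", None, "A", None),
]

if __name__ == "__main__":
    print(batch_updates(SAMPLE_UPDATES, SAMPLE_ZONES), end="")
```

Pipe the output into "nsupdate -k" with the TSIG key for the server; each "send" is a separate UPDATE message, so a failure in one zone's transaction does not roll back the others, and the output should be checked per transaction.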
6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behaviour was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behaviour need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.


7. Umask not Modified

The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
not; the umask inherited from the parent process remains in effect.
This may cause files created by named, such as journal files, to be
created with different file permissions than they were in BIND 8. If
necessary, the umask should be set explicitly in the script used to
start the named process.


$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $