Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                 BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.

1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.1 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.
If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older) you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files never cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that when
the server first starts up, any messages about errors in the
configuration file are always logged to the default destination
(syslog), regardless of the contents of the "logging" statement.
In BIND 8, the new logging configuration took effect immediately
after the "logging" statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these are now controlled by
"notify-source" and "transfer-source", respectively, rather than
query-source as in BIND 8.

1.5. Multiple Classes

Zones of multiple classes have to be put into explicit views, one
view for each class.

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.
BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules. The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

                ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.
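As an added example, not part of these notes: a small lint that applies the rules of sections 2.1 through 2.4 to a zone file before migration (the first RR needs a TTL or a preceding $TTL, SOA serials must be integers, a line break is only legal inside parentheses, and quotes must balance). The sample zone is constructed and the function names are my own.

```python
# Constructed sample zone, not from the migration notes: no $TTL directive,
# an SOA serial with an embedded period, an MX record split across lines
# without parentheses, and a TXT record with an unbalanced quote.
SAMPLE_ZONE = """\
@    IN SOA ns.example.com. hostmaster.example.com. ( 3.002 3600 1800 1814400 3600 )
@    IN NS   ns.example.com.
@    IN MX   10
         mail.example.com.
ns   IN A    192.0.2.1
txt  IN TXT  "unterminated
"""
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME", "PTR", "SRV"}

def split_record(line):
    """Split one master-file line into (ttl, rtype, rdata tokens)."""
    toks = line.split()
    if not line[0].isspace():           # owner name present; otherwise inherited
        toks = toks[1:]
    ttl = None
    for _ in range(2):                  # the TTL may precede or follow the class
        if toks and toks[0].isdigit():
            ttl = int(toks.pop(0))
        elif toks and toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)
    return ttl, (toks[0].upper() if toks else None), toks[1:]

def lint_zone(text):
    # Returns [(line_no, message)]; only the first RR is checked for a TTL.
    problems, default_ttl, seen_rr = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or (line.startswith("$") and not line.startswith("$TTL")):
            continue
        if line.count('"') % 2:         # BIND 9 reads on to the next quote
            problems.append((no, "unbalanced quote in record"))
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1]); continue
        ttl, rtype, rdata = split_record(line)
        if not seen_rr and ttl is None and default_ttl is None:
            problems.append((no, "no TTL specified: add a $TTL directive"))
        seen_rr = True
        if rtype not in RRTYPES:
            problems.append((no, "unrecognised record: line break outside parentheses?"))
        elif rtype == "SOA":
            fields = [t for t in rdata if t not in ("(", ")")]
            if len(fields) < 7:
                problems.append((no, "SOA has %d of 7 fields" % len(fields)))
            elif not fields[2].isdigit():
                problems.append((no, "SOA serial %r is not an integer" % fields[2]))
    return problems
```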

3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers run this implementation will be very slow or fail
completely. We have contacted the manufacturer of the name server in
case, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level. If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Some BIND 9 users have reported interoperability problems with zone
transfers to Microsoft DNS servers that were solved by specifying
"transfer-format one-answer;", but we are still lacking detailed
information about this issue.

4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.
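As an added illustration, not part of these notes, of the check an application now has to make for itself: the RFC952 label syntax applied to a gethostbyaddr() result before the name is used. The length limits are taken from RFC1035, the `lookup` parameter is a hypothetical hook so the code runs without network access, and the reverse-lookup answers are constructed.

```python
import re
import socket

# RFC 952 label syntax: letters, digits and hyphen, starting with a letter
# and not ending with a hyphen (RFC 1123 later relaxed the leading letter).
# Label and total lengths use the RFC 1035 limits of 63 and 255 octets.
LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def is_rfc952_hostname(name):
    """True if every label of `name` satisfies the RFC 952 syntax."""
    name = name.rstrip(".")            # a trailing dot marks an absolute name
    if not name or len(name) > 255:
        return False
    return all(len(l) <= 63 and LABEL.fullmatch(l) for l in name.split("."))

def checked_reverse_name(addr, lookup=socket.gethostbyaddr):
    """Reverse-resolve addr and return the name only if it passes the check,
    otherwise None, so unexpected characters never reach the caller.
    `lookup` is a hypothetical hook defaulting to socket.gethostbyaddr()."""
    try:
        name = lookup(addr)[0]
    except OSError:                    # socket.herror is an OSError subclass
        return None
    return name if is_rfc952_hostname(name) else None

# Constructed reverse-lookup answers: one ordinary name and three carrying
# shell, log-injection and HTML characters, the kind of data a BIND 8
# check-names filter used to drop before it reached the application.
FAKE_PTRS = {
    "192.0.2.1": "www.example.com",
    "192.0.2.2": "bad;name.example.com",
    "192.0.2.3": "a\nFAKE LOG LINE.example.com",
    "192.0.2.4": "<script>.example.com",
}

def fake_lookup(addr):
    """Stand-in for gethostbyaddr() that answers from FAKE_PTRS."""
    if addr not in FAKE_PTRS:
        raise socket.herror(1, "Unknown host")
    return (FAKE_PTRS[addr], [], [addr])
```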

5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in bin/rndc/rndc.1 and bin/rndc/rndc.conf.5 for
details. Some of the ndc commands are still unimplemented in rndc.

6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behavior was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behavior need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.
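As an added example, not part of these notes: a pre-migration check of one delegation, working from a parent zone and a child zone given as constructed (owner, type, rdata) triples. It lists the delegation NS records and glue A records the parent must carry itself now that BIND 9 no longer copies them from the child, and flags out-of-bailiwick servers that need no glue. The helper names are my own.

```python
# Constructed sample, not from the notes: the parent lists only one of the
# child's name servers and no glue, as a site relying on the BIND 8 NS
# "leak" might have configured it.
CHILD = "sub.example.com."
PARENT_RRS = [
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("sub.example.com.", "NS", "ns1.sub.example.com."),
]
CHILD_RRS = [
    ("sub.example.com.", "NS", "ns1.sub.example.com."),
    ("sub.example.com.", "NS", "ns2.sub.example.com."),
    ("sub.example.com.", "NS", "ns1.example.com."),      # out of bailiwick
    ("ns1.sub.example.com.", "A", "192.0.2.10"),
    ("ns2.sub.example.com.", "A", "192.0.2.11"),
]

def rrset(rrs, owner, rtype):
    """All rdata for one (owner, type) as a set; names are compared as given."""
    return {rdata for o, t, rdata in rrs if o == owner and t == rtype}

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def missing_parent_records(parent_rrs, child_rrs, child):
    """Return (records_to_add, warnings) for the delegation of `child`: the
    NS set at the child apex must appear as delegation NS in the parent, and
    every in-bailiwick name server needs a glue A record there."""
    to_add, warnings = [], []
    child_ns = rrset(child_rrs, child, "NS")
    parent_ns = rrset(parent_rrs, child, "NS")
    if not child_ns:
        warnings.append("child apex %s has no NS records" % child)
    for ns in sorted(parent_ns - child_ns):
        warnings.append("parent delegates to %s, which the child apex does not list" % ns)
    for ns in sorted(child_ns - parent_ns):
        to_add.append((child, "NS", ns))
    for ns in sorted(child_ns | parent_ns):
        if not in_zone(ns, child) or rrset(parent_rrs, ns, "A"):
            continue                   # out of bailiwick, or glue already present
        addrs = rrset(child_rrs, ns, "A")
        if not addrs:
            warnings.append("no address known for in-bailiwick NS %s" % ns)
        to_add.extend((ns, "A", a) for a in sorted(addrs))
    return to_add, warnings

def as_master_lines(records, ttl=3600):
    """Render records as lines to paste into the parent zone file."""
    return ["%s %d IN %s %s" % (o, ttl, t, r) for o, t, r in records]
```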

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name

$Id: migration,v 1.30 2001/05/08 21:46:11 gson Exp $