0N/ACopyright (C) 2000 Internet Software Consortium.
0N/A BIND 8 to BIND 9 Migration Notes
0N/ABIND 9 is designed to be mostly upwards compatible with BIND 8, but
0N/Athere is still a number of caveats you should be aware of when
0N/Aupgrading an existing BIND 8 installation to use BIND 9.
0N/A1. Configuration File Compatibility
0N/A1.1. Unimplemented Options and Changed Defaults
0N/Aoptions of BIND 8. Unimplemented options include those for selective
0N/A(per-domain) forwarding, sortlists, statistics, and process limits;
0N/Awarning message. A message is also logged about each option whose
1879N/AIn particular, if you see a warning message about the default for the
1879N/A"auth-nxdomain" option having changed, you can suppress it by adding
935N/A auth-nxdomain no; # conform to RFC1035
935N/A auth-nxdomain yes; # do what BIND 8 did by default
935N/A1.2. Handling of Configuration File Errors
0N/AIn BIND 9, named refuses to start if it detects an error in
0N/Aserver to run with a partial configuration. Errors detected during
0N/Asubsequent reloads do not cause the server to exit.
935N/AThe set of logging categories in BIND 9 is different from that
935N/Ain BIND 8. If you have customized your logging on a per-category
935N/Abasis, you need to modify your logging statement to use the
935N/AAnother difference is that the "logging" statement only takes effect
935N/Athe server starts up, any messages about errors in the configuration
935N/Afile are always logged to the default destination (syslog) when the
993N/Aserver first starts up, regardless of the contents of the "logging"
989N/Astatement. In BIND 8, the new logging configuration took effect
989N/Aimmediately after the "logging" statement was read.
989N/AIn BIND 9, ACL names are case sensitive. In BIND 8 they were case
989N/A1.5. Notify messages and Refesh queries
989N/AThe source address and port for these is now controlled by
1483N/Atransfer-source rather that query-source.
989N/A2. Zone File Compatibility
989N/A2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
989N/ABIND 8 allowed you to omit all TTLs from a zone file, and used the
989N/Avalue of the SOA MINTTL field as a default for missing TTL values.
989N/ABIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
994N/Arules. The default TTL is the value specified with the $TTL
994N/Adirective, or the previous explicit TTL if there is no $TTL directive.
989N/AIf there is no $TTL directive and the first RR in the file does not
989N/Ahave an explicit TTL field, the error message "no TTL specified" is
989N/Alogged and loading the zone file fails.
1483N/ATo avoid problems, use a $TTL directive in each zone file.
989N/A2.2. Periods in SOA Serial Numbers Deprecated
989N/ASome versions of BIND allow SOA serial numbers with an embedded
1483N/Aperiod, like "3.002", and convert them into integers in a rather
1483N/Aunintuitive way. This feature is not supported by BIND 9; serial
989N/A2.3. Handling of Unbalanced Quotes
989N/ATXT records with unbalanced quotes, like 'host TXT "foo', were not
989N/Atreated as errors in some versions of BIND. If your zone files
989N/Acontain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.
2.4. Handling of Line Breaks
Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:
( 1 3600 1800 1814400 3600 )
This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
2.5. Unimplemented BIND 8 Extensions
$GENERATE: This deprecated form of getting a literal $ into a domain
name ($$) is no longer supported, use \$ instead.
3. Interoperability Impact of New Protocol Features
BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets the AD bit in queries to indicate that it wishes to receive
DNSSEC responses (this usage of the AD bit is not yet standard, but
hopefully it will be soon).
Most older servers that do not support EDNS0
and/or DNSSEC, including
all known versions of BIND, will send a FORMERR or NOTIMP response to
these queries. When this happens, BIND 9 will automatically retry the
query without EDNS0 and AD.
Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
case and are trying to resolve the issue with them.
4. Unrestricted Character Set
BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.
It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.
Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
no-check-names" in
resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
5. Server Administration Tools
The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
details. Many of the ndc commands are still unimplemented in rndc.
$Id: migration,v 1.15 2000/10/31 05:34:15 marka Exp $