migration revision 59ddb53fd74be6c4d76536e45465f34f1a08b834
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
BIND 8 to BIND 9 Migration Notes
BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.
1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults
BIND 9.1 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.
If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.
The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older) you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.
1.2. Handling of Configuration File Errors
In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.
Errors in master files never cause the server to exit.
The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.
Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that any
messages about errors in the configuration file are always logged to
the default destination (syslog) when the server first starts up,
regardless of the contents of the "logging" statement. In BIND 8, the
new logging configuration took effect immediately after the "logging"
statement was read.
1.4. Notify Messages and Refresh Queries
The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather than
query-source as in BIND 8.
1.5. Multiple Classes

Multiple classes have to be put into explicit views for each class.
2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.
BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules. The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.
2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.
2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.
2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

        ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.
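As an added example (not part of the original notes), here is a small pre-migration check in Python for the zone-file rules of sections 2.1 to 2.3: it applies the BIND 9 TTL rule, rejects SOA serials with an embedded period, and flags the unbalanced quotes that would otherwise surface as a confusing "unexpected end of file". It understands only whitespace-separated parenthesised continuations and the usual TTL/class orderings, and the sample zones are constructed.

```python
import re

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+([smhdw]\d*)*$", re.I)    # 3600, 1h, 1w2d: TTL forms BIND 9 accepts
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|"[^"]*$|;.*|[()]|[^\s()";]+')

def _tokens(line):
    """Tokenize one physical line. Returns (tokens, quotes_balanced); ';' outside quotes starts a comment."""
    toks, balanced = [], True
    for t in TOKEN_RE.findall(line):
        if t.startswith(";"): break
        if t.startswith('"') and not (len(t) > 1 and t.endswith('"')):
            balanced = False                        # unterminated '"' ran to end of line
        toks.append(t)
    return toks, balanced

def lint_zone(text):
    """Return [(line, message)] for the BIND 9 zone-file rules of sections 2.1-2.3."""
    problems, default_ttl, first_rr, buf, start, indented = [], None, True, [], 0, False
    for n, raw in enumerate(text.splitlines(), 1):
        toks, balanced = _tokens(raw)
        if not balanced:                            # 2.3: BIND 9 would read on to the next quote
            problems.append((n, "unbalanced quotes"))
            continue
        if not buf:
            start, indented = n, raw[:1].isspace()  # remember where this RR began
        buf += toks
        if buf.count("(") > buf.count(")"): continue   # RFC 1035: RR continues on the next line
        rr, buf = [t for t in buf if t not in "()"], []
        if not rr or rr[0].startswith("$"):         # blank, comment-only or $ directive
            default_ttl = rr[1] if rr and rr[0] == "$TTL" else default_ttl
            continue
        f = rr if indented else rr[1:]              # an indented RR reuses the previous owner
        ttl_pos = 1 if f and f[0] in CLASSES else 0  # the class may precede the TTL
        has_ttl = len(f) > ttl_pos and bool(TTL_RE.match(f[ttl_pos]))
        if first_rr and default_ttl is None and not has_ttl:   # 2.1: the load would fail
            problems.append((start, "no TTL specified"))
        first_rr = False
        if "SOA" in f and len(f) > f.index("SOA") + 3:         # 2.2: serial must be an integer
            serial = f[f.index("SOA") + 3]
            if "." in serial: problems.append((start, f'SOA serial "{serial}" contains a period'))
    return problems

ZONE_OK = """$TTL 1d
@    IN SOA ns.example. hostmaster.example. (
         2001031901 3600 1800 1814400 3600 )   ; serial refresh retry expire minimum
ns   IN A   192.0.2.1
"""                                              # constructed samples, not from the original document
ZONE_BAD = """@    IN SOA ns.example. hostmaster.example. ( 3.002 3600 1800 1814400 3600 )
host IN TXT "foo
"""
```

Running lint_zone(ZONE_BAD) reports the missing TTL and the "3.002" serial on line 1 and the unbalanced quote on line 2, while ZONE_OK produces no findings.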
3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.
Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
question, and they are working on a solution.
4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.
Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details. Some of the ndc commands are still unimplemented in rndc.
6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.
BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behavior was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.
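An added example (not the notes' own tooling) of the check a site should run on a parent zone before moving to BIND 9: it reports a child delegation whose NS records or in-bailiwick glue address records are missing from the parent, and warns when the parent's delegation set and the child's apex NS set have drifted apart, since BIND 9 will no longer paper over the difference. The record tuples and names are constructed sample data.

```python
def _norm(name):
    """Lower-case and make absolute: DNS names compare case-insensitively."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def _in_bailiwick(name, zone):
    """True when name is at or below zone, i.e. its address can only come from glue."""
    return name == zone or name.endswith("." + zone)

def check_delegation(parent_records, child_zone, child_apex_ns):
    """parent_records: (owner, rrtype, rdata) tuples from the parent zone file;
    child_apex_ns: NS targets at the child's apex. Returns a list of findings."""
    child_zone = _norm(child_zone)
    recs = {(_norm(o), t.upper(), _norm(r) if t.upper() == "NS" else r) for o, t, r in parent_records}
    delegation = {r for o, t, r in recs if o == child_zone and t == "NS"}
    findings = []
    if not delegation:            # BIND 8 filled this in from the child; BIND 9 does not
        findings.append(f"{child_zone}: no delegation NS records in the parent zone")
    for ns in sorted(delegation):
        has_glue = any(o == ns and t in ("A", "AAAA") for o, t, _ in recs)
        if _in_bailiwick(ns, child_zone) and not has_glue:
            findings.append(f"{ns}: in-bailiwick name server has no glue address record in the parent")
    apex = {_norm(n) for n in child_apex_ns}
    if delegation and delegation != apex:   # the two sets are now independent and can drift
        findings.append(f"{child_zone}: parent delegation {sorted(delegation)} differs from child apex NS {sorted(apex)}")
    return findings

# Constructed sample data, not from the original document
PARENT = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 2001031901 3600 1800 1814400 3600"),
    ("example.", "NS", "ns1.example."),
    ("ns1.example.", "A", "192.0.2.1"),
    ("sub.example.", "NS", "ns1.sub.example."),   # delegation NS whose glue A is missing below
    ("sub.example.", "NS", "ns1.example."),       # out-of-bailiwick server: no glue needed
]
CHILD_APEX_NS = ["ns1.sub.example.", "ns1.example.", "ns2.sub.example."]
```

With the sample data, check_delegation(PARENT, "sub.example", CHILD_APEX_NS) reports the missing glue A for ns1.sub.example. and the mismatch between the parent's two delegation NS records and the child's three apex NS records.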
Sites that were relying on this BIND 8 behavior need to add any
omitted glue NS records, and any necessary glue A records, to the
Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
$Id: migration,v 1.27 2001/03/19 18:07:32 gson Exp $