migration revision a488e91e5dedfd055b6a6e6dc3018866478facce
Copyright (C) 2000  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

			BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.1 supports most, but not all, of the named.conf options
of BIND 8.  For a complete list of implemented options, see
doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message.  A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

In particular, if you see a warning message about the default for the
"auth-nxdomain" option having changed, you can suppress it by adding
one of the following lines to the named.conf options { } block:

	auth-nxdomain no;    # conform to RFC1035
	auth-nxdomain yes;   # do what BIND 8 did by default

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf.  Earlier versions would start despite errors, causing the
server to run with a partial configuration.  Errors detected during
subsequent reloads do not cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8.  If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read.  This means that when
the server first starts up, any messages about errors in the
configuration file are always logged to the default destination
(syslog), regardless of the contents of the "logging" statement.
In BIND 8, the new logging configuration took effect immediately
after the "logging" statement was read.

1.4. Case sensitivity

In BIND 9, ACL names are case sensitive.  In BIND 8 they were case
insensitive.

1.5. Notify messages and Refresh queries

The source address and port for these are now controlled by
"notify-source" and "transfer-source", respectively, rather than
"query-source" as in BIND 8.

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.

BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules.  The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way.  This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND.  If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

	@ IN SOA ns.example. hostmaster.example.
		( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9.  The fix is to move the opening parenthesis to the first
line.
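
The four zone file problems from sections 2.1 to 2.4 can be looked for before the upgrade. The following pre-migration check is an added example, not part of BIND or of the original notes; the function names and the sample zone are constructed for illustration, and it is a line-based heuristic rather than a full master file parser (TTLs are recognised only as digits with an optional single unit suffix, and parentheses inside quoted strings are not special-cased).

```python
import re

def strip_line(line):
    """Return (text before any comment, True if a quote is left open)."""
    in_quote, esc = False, False
    for i, c in enumerate(line):
        if esc or c == "\\":            # backslash escapes the next character
            esc = not esc
        elif c == '"':
            in_quote = not in_quote
        elif c == ";" and not in_quote:  # comment starts here
            return line[:i], False
    return line, in_quote

def lint_zone(text):
    """Return [(line_no, problem)] for the issues in sections 2.1 to 2.4."""
    found, depth, have_ttl, seen_rr, soa = [], 0, False, False, None
    for n, raw in enumerate(text.splitlines(), 1):
        line, open_quote = strip_line(raw)
        if open_quote:
            found.append((n, "unbalanced quote"))                        # 2.3
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith("$"):
            have_ttl = have_ttl or toks[0].upper() == "$TTL"
            continue
        if depth == 0 and toks[0].startswith("("):
            found.append((n, "line break before opening parenthesis"))   # 2.4
        elif depth == 0:
            lead = toks[0 if raw[0].isspace() else 1:][:2]   # skip owner name
            explicit = any(re.fullmatch(r"\d+[smhdw]?", t, re.I) for t in lead)
            if not (seen_rr or have_ttl or explicit):
                found.append((n, "no TTL specified"))                    # 2.1
            seen_rr = True
        up, rest = [t.upper() for t in toks], toks
        if soa is None and "SOA" in up:
            soa, rest = [], toks[up.index("SOA") + 1:]
        if soa is not None and len(soa) < 3:          # MNAME RNAME SERIAL
            soa += [t.strip("()") for t in rest if t.strip("()")]
            if len(soa) >= 3 and "." in soa[2]:
                found.append((n, "period in SOA serial"))                # 2.2
        depth = max(0, depth + line.count("(") - line.count(")"))
    return found

# Constructed sample zone that shows all four problems.
BAD_ZONE = ('@ IN SOA ns.example. hostmaster.example.\n'
            '    ( 3.002 3600 1800 1814400 3600 )\n'
            'host TXT "foo\n')
```

Calling `lint_zone(BAD_ZONE)` reports one finding per problem, each with the line number it was seen on.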

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated.  Use \$ instead.

3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response.  Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely.  We have contacted the manufacturer of the name server in
question, and they are working on a solution.
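
The query format and the fallback decision described in this section, as an added example that is not BIND's code: it builds a query with an OPT pseudo-record and classifies the three outcomes (error reply, normal reply, no reply). The function names, the 4096-byte buffer size used in the test and the reply headers are constructed, and the flag bit is assumed to be 0x8000, the position later standardized as the DO bit in RFC 3225.

```python
import struct

FORMERR, NOTIMP = 1, 4     # RCODE values defined in RFC 1035
TYPE_OPT = 41              # OPT pseudo-RR type, RFC 2671
FLAG_DNSSEC = 0x8000       # assumed bit position (DO bit of RFC 3225)

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [label for label in name.split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid, name, qtype=1, edns_size=None, want_dnssec=False):
    """Build a query; when edns_size is set, append an OPT RR advertising it."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    if not edns_size:
        return header + question
    # OPT RR: root owner name, TYPE=41, CLASS=receive buffer size,
    # TTL=(extended RCODE, EDNS version, flags), RDLENGTH=0.
    flags = FLAG_DNSSEC if want_dnssec else 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, edns_size, 0, 0, flags, 0)
    return header + question + opt

def next_step(response, used_edns):
    """Decide what the querier does next (response None means no reply came)."""
    if response is None:
        return "timeout"            # silent drop: nothing tells us to retry plain
    rcode = response[3] & 0x0F      # low four bits of the second flags byte
    if used_edns and rcode in (FORMERR, NOTIMP):
        return "retry-without-edns0"
    return "accept"

def reply(qid, rcode):
    """Constructed 12-byte reply header with QR set and the given RCODE."""
    return struct.pack("!HHHHHH", qid, 0x8000 | rcode, 0, 0, 0, 0)
```

The "timeout" branch is the interoperability problem above: a server that drops the query gives the querier no error code to react to, so each lookup costs a full timeout before anything else can be tried.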


4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details.  Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf.  BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.
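
Since the name server no longer filters names, the check belongs in the application that consumes them. The following is an added example, not code from BIND or from the original notes: it validates a reverse-lookup result against the RFC952 character set (as relaxed by RFC1123 to allow a leading digit) and falls back to the numeric address otherwise. The function names, the injectable lookup parameter and the sample answers are constructed for illustration.

```python
import re
import socket

# One label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_safe_hostname(name):
    """True if name uses only the RFC952 character set (RFC1123 relaxation)."""
    if not isinstance(name, str) or not 0 < len(name) <= 253:
        return False
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    # fullmatch, not match() with "$": "$" would accept a trailing newline.
    return all(LABEL.fullmatch(label) for label in labels)

def peer_name(addr, lookup=socket.gethostbyaddr):
    """Reverse-resolve addr; return the address itself if the name is unusable."""
    try:
        name = lookup(addr)[0]
    except OSError:                  # covers socket.herror and socket.gaierror
        return addr
    return name if is_safe_hostname(name) else addr

# Constructed resolver answers standing in for gethostbyaddr() results.
SAMPLE_ANSWERS = {
    "192.0.2.1": "mail.example.com",
    "192.0.2.2": "host name;x.example",    # space and shell metacharacter
    "192.0.2.3": "host.example\n",         # trailing newline
    "192.0.2.4": "h\u00f6st.example",      # 8-bit character
}

def fake_lookup(addr):
    """Constructed stand-in with the same return shape as gethostbyaddr()."""
    return (SAMPLE_ANSWERS[addr], [], [addr])
```

Only the first sample name is passed through; for the other three `peer_name()` returns the address, so nothing taken from the DNS reaches a log line, command or file name unchecked.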


5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation.  Unlike ndc, rndc requires a configuration file;
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details.  Some of the ndc commands are still unimplemented in rndc.


$Id: migration,v 1.16 2000/11/30 23:24:01 gson Exp $