migration revision bd084426372655b443136243cfa5202b7a339b79
7f007e36bec06aba6b3a0f84a64f2abf99edfcd8gsteinCopyright (C) 2000, 2001 Internet Software Consortium.
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesSee COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj BIND 8 to BIND 9 Migration Notes
5751f7da0bbdde92dedf21a6c9d743de752e310drbbBIND 9 is designed to be mostly upwards compatible with BIND 8, but
b876b7bcf0ce3d232da723246d709e8dbbfe8762rbbthere is still a number of caveats you should be aware of when
b876b7bcf0ce3d232da723246d709e8dbbfe8762rbbupgrading an existing BIND 8 installation to use BIND 9.
6f6f4a4bca281779d196acbdd5c017bb90858305trawick1. Configuration File Compatibility
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawick1.1. Unimplemented Options and Changed Defaults
bd929c73ef04789b7183b840d8db6e01d03a4d86rbbBIND 9 supports most, but not all of the named.conf options of BIND 8.
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanojFor a complete list of implemented options, see doc/misc/options.
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesIf your named.conf file uses an unimplemented option, named will log a
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregameswarning message. A message is also logged about each option whose
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesdefault has changed unless the option is set explicitly in named.conf.
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesThe default of the "transfer-format" option has changed from
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregames"one-answer" to "many-answers". If you have slave servers that do not
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesunderstand the many-answers zone transfer format (e.g., BIND 4.9.5 or
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesolder) you need to explicitly specify "transfer-format one-answer;" in
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregameseither the options block or a server statement.
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregames1.2. Handling of Configuration File Errors
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesIn BIND 9, named refuses to start if it detects an error in
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesnamed.conf. Earlier versions would start despite errors, causing the
2a4b7a53f3573605d4f5686f03a67c37425dc22bgregamesserver to run with a partial configuration. Errors detected during
2a6c49cfaef5979a5a06098f3ce987cd76769409manojsubsequent reloads do not cause the server to exit.
50298555098049d0ebddd539668502fb5b796de0wroweErrors in master files do not cause the server to exit, but they
50298555098049d0ebddd539668502fb5b796de0wrowedo cause the zone not to load.
50298555098049d0ebddd539668502fb5b796de0wrowe1.3. Logging
50298555098049d0ebddd539668502fb5b796de0wroweThe set of logging categories in BIND 9 is different from that
50298555098049d0ebddd539668502fb5b796de0wrowein BIND 8. If you have customized your logging on a per-category
50298555098049d0ebddd539668502fb5b796de0wrowebasis, you need to modify your logging statement to use the
50298555098049d0ebddd539668502fb5b796de0wrowenew categories.
447c6ce3ff08073c44f6785d5256271fcb877512wroweAnother difference is that the "logging" statement only takes effect
447c6ce3ff08073c44f6785d5256271fcb877512wroweafter the entire named.conf file has been read. This means that when
447c6ce3ff08073c44f6785d5256271fcb877512wrowethe server starts up, any messages about errors in the configuration
85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddardfile are always logged to the default destination (syslog) when the
50298555098049d0ebddd539668502fb5b796de0wroweserver first starts up, regardless of the contents of the "logging"
85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddardstatement. In BIND 8, the new logging configuration took effect
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddardimmediately after the "logging" statement was read.
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddard1.4. Notify messages and Refesh queries
10b386767f6c87b45937244371cb751f0b454d16wroweThe source address and port for these is now controlled by
10b386767f6c87b45937244371cb751f0b454d16wrowe"notify-source" and "transfer-source", respectively, rather that
863ec32e13d6c9619414c48b51109f3dca99cbc6wrowequery-source as in BIND 8.
75960f20f88dad6bc67892c711c429946063d133stoddard1.5. Multiple Classes.
75960f20f88dad6bc67892c711c429946063d133stoddardMultiple classes have to be put into explicit views for each class.
75960f20f88dad6bc67892c711c429946063d133stoddard2. Zone File Compatibility
10b386767f6c87b45937244371cb751f0b454d16wrowe2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
10b386767f6c87b45937244371cb751f0b454d16wroweBIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
10b386767f6c87b45937244371cb751f0b454d16wroweomitted TTLs in zone files. Omitted TTLs are replaced by the value
10b386767f6c87b45937244371cb751f0b454d16wrowespecified with the $TTL directive, or by the previous explicit TTL if
10b386767f6c87b45937244371cb751f0b454d16wrowethere is no $TTL directive.
10b386767f6c87b45937244371cb751f0b454d16wroweIf there is no $TTL directive and the first RR in the file does not
a9e07e4f90adcc7bc768db3055431c3dcd560cd1manojhave an explicit TTL field, the zone file is illegal according to
f6a6245816cd866361da8c576b1f47c7a54b6610fanfRFC1035 since the TTL of the first RR is undefined. Unfortunately,
f6a6245816cd866361da8c576b1f47c7a54b6610fanfBIND 4 and many versions of BIND 8 accept such files without warning
97b758d0b174d7b7c5a1de1a583f5840ec3fc910trawickand use the value of the SOA MINTTL field as a default for missing TTL
79d5106a9b65b956d646f5daae4b94bc79e315b8trawickBIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
79d5106a9b65b956d646f5daae4b94bc79e315b8trawickemulates the nonstandard BIND 4/8 SOA MINTTL behavior and loads the
79d5106a9b65b956d646f5daae4b94bc79e315b8trawickfiles anyway (provided the SOA is the first record in the file), but
79d5106a9b65b956d646f5daae4b94bc79e315b8trawickwill issue the warning message "no TTL specified; using SOA MINTTL
9eccc0a669a3e711629345b357c46acce5fefdb4gsteinTo avoid problems, we recommend that you use a $TTL directive in each
750fcd3495b59eff6d4844409ae1dfb46d026059gstein2.2. Periods in SOA Serial Numbers Deprecated
750fcd3495b59eff6d4844409ae1dfb46d026059gsteinSome versions of BIND allow SOA serial numbers with an embedded
750fcd3495b59eff6d4844409ae1dfb46d026059gsteinperiod, like "3.002", and convert them into integers in a rather
750fcd3495b59eff6d4844409ae1dfb46d026059gsteinunintuitive way. This feature is not supported by BIND 9; serial
750fcd3495b59eff6d4844409ae1dfb46d026059gsteinnumbers must be integers.
750fcd3495b59eff6d4844409ae1dfb46d026059gstein2.3. Handling of Unbalanced Quotes
e9cfc70fceb74521ba0814cdc88808c7d4d00c97gsteinTXT records with unbalanced quotes, like 'host TXT "foo', were not
e9cfc70fceb74521ba0814cdc88808c7d4d00c97gsteintreated as errors in some versions of BIND. If your zone files
e9cfc70fceb74521ba0814cdc88808c7d4d00c97gsteincontain such records, you will get potentially confusing error
e9cfc70fceb74521ba0814cdc88808c7d4d00c97gsteinmessages like "unexpected end of file" because BIND 9 will interpret
e9cfc70fceb74521ba0814cdc88808c7d4d00c97gsteineverything up to the next quote character as a literal string.
26ef89f716a43048630e73f527dd2f0ee84f72c2rbb2.4. Handling of Line Breaks
26ef89f716a43048630e73f527dd2f0ee84f72c2rbbSome versions of BIND accept RRs containing line breaks that are not
9eccc0a669a3e711629345b357c46acce5fefdb4gsteinproperly quoted with parentheses, like the following SOA:
281da4c02cf40c663298ded7e4e5b913a8f8b814gstein ( 1 3600 1800 1814400 3600 )
ec75f189410513ab8f6e1173a9d9d277ebec9ce7gsteinThis is not legal master file syntax and will be treated as an error
ec75f189410513ab8f6e1173a9d9d277ebec9ce7gsteinby BIND 9. The fix is to move the opening parenthesis to the first
ec75f189410513ab8f6e1173a9d9d277ebec9ce7gstein2.5. Unimplemented BIND 8 Extensions
ec75f189410513ab8f6e1173a9d9d277ebec9ce7gstein$GENERATE: The "$$" construct for getting a literal $ into a domain
2a6c49cfaef5979a5a06098f3ce987cd76769409manojname is deprecated. Use \$ instead.
164a65065e0e61efa779c3a66c2242be6d88b9e2rbb3. Interoperability Impact of New Protocol Features
164a65065e0e61efa779c3a66c2242be6d88b9e2rbbBIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
164a65065e0e61efa779c3a66c2242be6d88b9e2rbbalso sets an EDNS flag bit in queries to indicate that it wishes to
0b54edee18a0ec095640e1038ff6da7d35042b44rbbreceive DNSSEC responses; this flag bit usage is not yet standardized,
0b54edee18a0ec095640e1038ff6da7d35042b44rbbbut we hope it will be.
0b54edee18a0ec095640e1038ff6da7d35042b44rbbMost older servers that do not support EDNS0, including prior versions
b187d568e1507d75139ebc13ca945b38fc05d55cstoddardof BIND, will send a FORMERR or NOTIMP response to these queries.
b187d568e1507d75139ebc13ca945b38fc05d55cstoddardWhen this happens, BIND 9 will automatically retry the query without
1c6fb1e726ce22694de0e9a957adb67b929e5d4fstoddardUnfortunately, there exists at least one non-BIND name server
8bed76428f56e5c643174a2d6807c3f18016af5cbjhimplementation that silently ignores these queries instead of sending
8bed76428f56e5c643174a2d6807c3f18016af5cbjhan error response. Resolving names in zones where all or most
8bed76428f56e5c643174a2d6807c3f18016af5cbjhauthoritative servers use this server will be very slow or fail
8bed76428f56e5c643174a2d6807c3f18016af5cbjhcompletely. We have contacted the manufacturer of the name server in
8bed76428f56e5c643174a2d6807c3f18016af5cbjhcase, and they are working on a solution.
2aae6faee508221efbeaba5547ca79b7a20ef047stoddardWhen BIND 9 communicates with a server that does support EDNS0, such as
10b386767f6c87b45937244371cb751f0b454d16wroweanother BIND 9 server, responses of up to 4096 bytes may be
10b386767f6c87b45937244371cb751f0b454d16wrowetransmitted as a single UDP datagram which is subject to fragmentation
50298555098049d0ebddd539668502fb5b796de0wroweat the IP level. If a firewall incorrectly drops IP fragments, it can
50298555098049d0ebddd539668502fb5b796de0wrowecause resolution to slow down dramatically or fail.
10b386767f6c87b45937244371cb751f0b454d16wrowe3.2. Zone Transfers
10b386767f6c87b45937244371cb751f0b454d16wroweOutgoing zone transfers now use the "many-answers" format by default.
50298555098049d0ebddd539668502fb5b796de0wroweThis format is not understood by certain old versions of BIND 4.
75960f20f88dad6bc67892c711c429946063d133stoddardYou can work around this problem using the option "transfer-format
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddardone-answer;", but since these old versions all have known security
d2f8b010487ffa990a9c268df5a25579e7291bcdrbbproblems, the correct fix is to upgrade the slave servers.
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddardZone transfers to Windows 2000 DNS servers sometimes fail due to a bug
0bff2f28ef945280c17099c142126178a78e1e54manojin the Windows 2000 DNS server where DNS messages larger than 16K are
0bff2f28ef945280c17099c142126178a78e1e54manojnot handled properly. There will be a hot fix available from
0bff2f28ef945280c17099c142126178a78e1e54manojMicrosoft to address this issue. In the meantime, the problem can
1e585ba09ea32272e63c4c39c35491e975d21d98stoddardbe worked around by setting "transfer-format one-answer;".
0bff2f28ef945280c17099c142126178a78e1e54manoj[As of May 4 2001 the hotfix was still being prepared]
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard4. Unrestricted Character Set
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanojBIND 9 does not restrict the character set of domain names - it is
ff849e4163ed879288f0df15f78b6c9d278ec804fanffully 8-bit clean in accordance with RFC2181 section 11.
447c6ce3ff08073c44f6785d5256271fcb877512wroweIt is strongly recommended that hostnames published in the DNS follow
447c6ce3ff08073c44f6785d5256271fcb877512wrowethe RFC952 rules, but BIND 9 will not enforce this restriction.
447c6ce3ff08073c44f6785d5256271fcb877512wroweHistorically, some applications have suffered from security flaws
447c6ce3ff08073c44f6785d5256271fcb877512wrowewhere data originating from the network, such as names returned by
447c6ce3ff08073c44f6785d5256271fcb877512wrowegethostbyaddr(), are used with insufficient checking and may cause a
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gsteinbreach of security when containing unexpected characters; see
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgsteinfor details. Some earlier versions of BIND attempt to protect these
db3ccce11afac4fc1d4f51a65424412f7480c46cgsteinflawed applications from attack by discarding data containing
dd4713dc5b186f4d1be7b88f86608fdb84cbe5d5gsteincharacters deemed inappropriate in host names or mail addresses, under
0eb7ca6cf812d98c534661ac474e873a32bf6325gsteinthe control of the "check-names" option in named.conf and/or "options
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gsteinno-check-names" in resolv.conf. BIND 9 provides no such protection;
8d07897b52e3b7055874501f8a499e75800db206gsteinif applications with these flaws are still being used, they should
8d07897b52e3b7055874501f8a499e75800db206gsteinbe upgraded.
79d5106a9b65b956d646f5daae4b94bc79e315b8trawick5. Server Administration Tools
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gstein5.1 Ndc Replaced by Rndc
cf6bf6c34c936e6a6fe731dbce4a5c3c8bf8e9a3gsteinThe "ndc" program has been replaced by "rndc", which is capable of
6fa71a1bd8c61518b05f5798a7a1594c270e78afrbbremote operation. Unlike ndc, rndc requires a configuration file;
93c5cba06b623ebe8e4372e886eece12d9a80c3egsteinsee the man pages in bin/rndc/rndc.1 and bin/rndc/rndc.conf.5 for
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgsteindetails. Some of the ndc commands are still unimplemented in rndc.
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein5.2. Nsupdate Differences
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgsteinThe BIND 8 implementation of nsupdate had an undocumented feature
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgsteinwhere an update request would be broken down into multiple requests
823c303d33c9e637a83d82208bcbafaf5f532d7bgsteinbased upon the discovered zones that contained the records. This
823c303d33c9e637a83d82208bcbafaf5f532d7bgsteinbehaviour has not been implemented in BIND 9. Each update request
e636eba7474e0010b5c7198af1c2fe5ad8652dbbmanojmust pertain to a single zone, but it is still possible to do multiple
e636eba7474e0010b5c7198af1c2fe5ad8652dbbmanojupdates in a single invocation of nsupdate by terminating each update
e636eba7474e0010b5c7198af1c2fe5ad8652dbbmanojwith an empty line or a "send" command.
531c23ff01a2489646f0a2029097013b328d935agstein6. No Information Leakage between Zones
531c23ff01a2489646f0a2029097013b328d935agsteinBIND 9 stores the authoritative data for each zone in a separate data
281da4c02cf40c663298ded7e4e5b913a8f8b814gsteinstructure, as recommended in RFC1035 and as required by DNSSEC and
281da4c02cf40c663298ded7e4e5b913a8f8b814gsteinIXFR. When a BIND 9 server is authoritative for both a child zone and
333eac96e4fb7d6901cb75e6ca7bb22b2ccb84cetrawickits parent, it will have two distinct sets of NS records at the
333eac96e4fb7d6901cb75e6ca7bb22b2ccb84cetrawickdelegation point: the authoritative NS records at the child's apex,
64ad864fa0f4493eebb181e393b40a8a90beccb9coarand a set of glue NS records in the parent.
64ad864fa0f4493eebb181e393b40a8a90beccb9coarBIND 8 was unable to properly distinguish between these two sets of NS
64ad864fa0f4493eebb181e393b40a8a90beccb9coarrecords and would "leak" the child's NS records into the parent,
64ad864fa0f4493eebb181e393b40a8a90beccb9coareffectively causing the parent zone to be silently modified: responses
28d1da9ca818f831ea491f110dafcc10f7f07050coarand zone transfers from the parent contained the child's NS records
64ad864fa0f4493eebb181e393b40a8a90beccb9coarrather than the glue configured into the parent (if any). In the case
64ad864fa0f4493eebb181e393b40a8a90beccb9coarof children of type "stub", this behavior was documented as a feature,
64ad864fa0f4493eebb181e393b40a8a90beccb9coarallowing the glue NS records to be omitted from the parent
28d1da9ca818f831ea491f110dafcc10f7f07050coarconfiguration.
64ad864fa0f4493eebb181e393b40a8a90beccb9coarSites that were relying on this BIND 8 behavior need to add any
64ad864fa0f4493eebb181e393b40a8a90beccb9coaromitted glue NS records, and any necessary glue A records, to the
28d1da9ca818f831ea491f110dafcc10f7f07050coarparent zone.
64ad864fa0f4493eebb181e393b40a8a90beccb9coarAlthough stub zones can no longer be used as a mechanism for injecting
64ad864fa0f4493eebb181e393b40a8a90beccb9coarNS records into their parent zones, they are still useful as a way of
28d1da9ca818f831ea491f110dafcc10f7f07050coardirecting queries for a given domain to a particular set of name
64ad864fa0f4493eebb181e393b40a8a90beccb9coar7. Umask not Modified
64ad864fa0f4493eebb181e393b40a8a90beccb9coarThe BIND 8 named unconditionally sets the umask to 022. BIND 9 does
64ad864fa0f4493eebb181e393b40a8a90beccb9coarnot; the umask inherited from the parent process remains in effect.
64ad864fa0f4493eebb181e393b40a8a90beccb9coarThis may cause files created by named, such as journal files, to be
28d1da9ca818f831ea491f110dafcc10f7f07050coarcreated with different file permissions than they did in BIND 8. If
64ad864fa0f4493eebb181e393b40a8a90beccb9coarnecessary, the umask should be set explicitly in the script used to
64ad864fa0f4493eebb181e393b40a8a90beccb9coarstart the named process.
64ad864fa0f4493eebb181e393b40a8a90beccb9coar$Id: migration,v 1.41 2001/09/21 17:36:35 gson Exp $