migration revision 1593eff60a5efda85f97f819c3b1ed8aafc56c60
Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                    BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.1 supports most, but not all, of the named.conf options
of BIND 8. For a complete list of implemented options, see
doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

In particular, if you see a warning message about the default for the
"auth-nxdomain" option having changed, you can suppress it by adding
one of the following lines to the named.conf options { } block:

     auth-nxdomain no;    # conform to RFC1035
     auth-nxdomain yes;   # do what BIND 8 did by default

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files never cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that when
the server starts up, any messages about errors in the configuration
file are always logged to the default destination (syslog) when the
server first starts up, regardless of the contents of the "logging"
statement. In BIND 8, the new logging configuration took effect
immediately after the "logging" statement was read.

1.4. Case sensitivity

In BIND 9, ACL names are case sensitive. In BIND 8 they were case
insensitive.

1.5. Notify messages and Refresh queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather than
query-source as in BIND 8.

1.6. Multiple Classes

Multiple classes have to be put into explicit views for each class.

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.
BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules. The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.
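The following Python is an added illustration of these TTL rules; it is
not code from BIND 9. It resolves the TTL of every record in three
constructed zone fragments: one with a $TTL directive, one that relies on
the previous explicit TTL, and one that triggers the "no TTL specified"
error. It handles the one-line record form only (no parentheses or quoted
strings); the zone contents and addresses are constructed for the example.

```python
"""TTL defaulting for master-file records under BIND 9's rules.

Added example, not code from BIND 9. One-line records only; the zone
fragments below are constructed.
"""
import re

CLASSES = {"IN", "CH", "HS"}
_NUMBER = re.compile(r"^\d+$")


def assign_ttls(lines):
    """Return [(owner, ttl, class, type, rdata), ...] with every TTL resolved.

    Rules applied (RFC 1035 / RFC 2308, as BIND 9 enforces them):
      - a $TTL directive fixes the default for all later RRs without a TTL;
      - with no $TTL directive, the most recent explicit TTL is the default;
      - with neither, the first TTL-less RR is fatal: "no TTL specified".
    The SOA MINTTL field is never consulted; that was BIND 8's behaviour.
    """
    default_ttl = None
    from_directive = False
    last_owner = None
    records = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl, from_directive = int(fields[1]), True
            continue
        if line[0].isspace():                     # blank owner: reuse previous
            owner = last_owner
        else:
            owner = fields.pop(0)
        if owner is None:
            raise ValueError(f"line {lineno}: no owner name")
        last_owner = owner
        ttl, rclass = None, "IN"
        # TTL and class are optional and may appear in either order
        while fields and (_NUMBER.match(fields[0]) or fields[0].upper() in CLASSES):
            tok = fields.pop(0)
            if _NUMBER.match(tok):
                ttl = int(tok)
            else:
                rclass = tok.upper()
        if not fields:
            raise ValueError(f"line {lineno}: missing RR type")
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if ttl is None:
            if default_ttl is None:
                raise ValueError(f"line {lineno}: no TTL specified")
            ttl = default_ttl
        elif not from_directive:
            default_ttl = ttl                     # explicit TTL becomes default
        records.append((owner, ttl, rclass, rtype, rdata))
    return records


def load(lines):
    """Return ("ok", records) or ("error", message); named logs the message
    and leaves the zone unloaded rather than exiting."""
    try:
        return "ok", assign_ttls(lines)
    except ValueError as exc:
        return "error", str(exc)


# Constructed zone fragments (192.0.2.x is documentation address space).
ZONE_WITH_TTL = """\
$TTL 3600
@     IN SOA ns.example. hostmaster.example. 2001011601 3600 1800 1814400 86400
      IN NS  ns.example.
ns    IN A   192.0.2.1      ; constructed address
""".splitlines()

ZONE_NO_DIRECTIVE = """\
@   7200 IN SOA ns.example. hostmaster.example. 1 3600 1800 1814400 300
    IN NS ns.example.        ; gets 7200 (last explicit TTL), not MINTTL 300
ns  IN A  192.0.2.1
""".splitlines()

ZONE_BROKEN = """\
@   IN SOA ns.example. hostmaster.example. 1 3600 1800 1814400 300
    IN NS ns.example.
""".splitlines()

if __name__ == "__main__":
    for name, zone in [("with $TTL", ZONE_WITH_TTL), ("no $TTL", ZONE_NO_DIRECTIVE),
                       ("broken", ZONE_BROKEN)]:
        print(name, load(zone))
```

Note that in the second fragment the NS record inherits 7200 from the SOA's
explicit TTL, whereas BIND 8 would have given it the MINTTL value of 300;
the third fragment is exactly the case the text warns about.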

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

        @ IN SOA ns.example. hostmaster.example.
        ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
line.
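Added example covering both 2.3 and 2.4 (not BIND 9 code): a small
master-file lexer that treats quotes and parentheses the way described
above, run on constructed zone fragments. The TXT record with the missing
closing quote is consumed up to end of file and reported as "unexpected end
of file"; the SOA whose opening parenthesis sits on the second line is split
into two records at the bare line break, so the SOA comes out short of rdata
fields. The function names and error wording are this example's own.

```python
"""Master-file lexing of quoted strings and parenthesised continuation lines.

Added example, not BIND 9 code; the zone fragments are constructed."""


def read_records(text):
    """Split master-file text into records (token lists) as BIND 9 lexes it:
    ';' comments run to end of line; '(' ... ')' let a record span lines;
    a '"' string is one token and may contain newlines; a bare line break at
    parenthesis depth 0 ends the record."""
    records, cur, tok = [], [], []
    depth, in_quote, in_comment, line = 0, False, False, 1

    def end_token():
        if tok:
            cur.append("".join(tok))
            tok.clear()

    def end_record():
        end_token()
        if cur:
            records.append(list(cur))
            cur.clear()

    for ch in text:
        if in_quote:                  # literal up to the next quote, newlines included
            tok.append(ch)
            if ch == '"':
                in_quote = False
                end_token()
            elif ch == "\n":
                line += 1
            continue
        if in_comment:
            if ch != "\n":
                continue
            in_comment = False        # the newline still terminates the record
        if ch == '"':
            end_token()
            tok.append(ch)
            in_quote = True
        elif ch == ";":
            end_token()
            in_comment = True
        elif ch == "(":
            end_token()
            depth += 1
        elif ch == ")":
            end_token()
            if depth == 0:
                raise ValueError(f"line {line}: unbalanced ')'")
            depth -= 1
        elif ch == "\n":
            if depth == 0:
                end_record()
            else:
                end_token()
            line += 1
        elif ch.isspace():
            end_token()
        else:
            tok.append(ch)
    if in_quote or depth:             # unbalanced quote or '(' at EOF
        raise ValueError(f"line {line}: unexpected end of file")
    end_record()
    return records


def check_soa(records):
    """An SOA carries MNAME, RNAME and five numbers: seven rdata tokens."""
    for rec in records:
        head = [t.upper() for t in rec[:4]]       # owner [ttl] [class] type
        if "SOA" in head:
            n = len(rec) - head.index("SOA") - 1
            if n != 7:
                raise ValueError(f"SOA record has {n} rdata fields, expected 7")


def check_zone(text):
    """Return ("ok", records) or ("error", message)."""
    try:
        records = read_records(text)
        check_soa(records)
        return "ok", records
    except ValueError as exc:
        return "error", str(exc)


# Constructed fragments: the corrected SOA, the SOA from 2.4, a well-formed
# TXT record, and the unbalanced TXT record from 2.3.
GOOD_SOA = "@ IN SOA ns.example. hostmaster.example. (\n    1 3600 1800 1814400 3600 )\n"
BAD_SOA = "@ IN SOA ns.example. hostmaster.example.\n( 1 3600 1800 1814400 3600 )\n"
GOOD_TXT = 'host TXT "foo bar"   ; comment stays outside the string\n'
BAD_TXT = 'host TXT "foo\nhost2 IN A 192.0.2.2\n'

if __name__ == "__main__":
    for label, frag in [("good SOA", GOOD_SOA), ("bad SOA", BAD_SOA),
                        ("good TXT", GOOD_TXT), ("bad TXT", BAD_TXT)]:
        print(label, check_zone(frag))
```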

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.

3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
question, and they are working on a solution.
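An added simulation of the EDNS0 negotiation described in this section,
written for these notes rather than taken from BIND 9. It builds a query
carrying an OPT RR (RFC2671) with the receive buffer size and the DNSSEC
flag bit in the OPT TTL field, then runs the retry logic against three
constructed servers: one that understands EDNS0, one that answers FORMERR,
and one that silently drops queries carrying OPT. The buffer size, the
three-attempt limit and all names are assumptions of the example; nothing
touches the network.

```python
"""EDNS0 (RFC 2671) negotiation and fallback, as described in section 3.

Added example, not BIND 9 code. The three server functions are constructed
stand-ins; no packets are sent.
"""
import struct

NOERROR, FORMERR, NOTIMP = 0, 1, 4
OPT_TYPE = 41
EDNS_UDP_SIZE = 4096     # receive buffer size advertised in the OPT RR (assumed)
DO_BIT = 0x8000          # "DNSSEC OK" flag in the OPT TTL field


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, qid=0x1234, edns=True):
    """Standard query; with edns=True an OPT pseudo-RR goes in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = extended rcode / version / flags (DO bit), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt


def advertised_udp_size(query):
    """Return the UDP payload size from the query's OPT RR, or None if it has none."""
    pos = 12
    while query[pos] != 0:                # skip the question name
        pos += query[pos] + 1
    pos += 1 + 4                          # root octet plus QTYPE/QCLASS
    if pos >= len(query) or query[pos] != 0:
        return None
    rtype, udp_size = struct.unpack("!HH", query[pos + 1:pos + 5])
    return udp_size if rtype == OPT_TYPE else None


def reply(query, rcode):
    """Minimal response header: same ID, QR set, given RCODE, empty sections."""
    return query[:2] + struct.pack("!HHHHH", 0x8000 | rcode, 0, 0, 0, 0)


def edns_server(query):           # understands EDNS0
    return reply(query, NOERROR)


def legacy_server(query):         # pre-EDNS0 server: rejects the OPT RR with FORMERR
    return reply(query, FORMERR if advertised_udp_size(query) else NOERROR)


def silent_server(query):         # the problem case: drops any query carrying OPT
    return None if advertised_udp_size(query) else reply(query, NOERROR)


def resolve(send, qname, max_attempts=3):
    """Query with EDNS0 first; on FORMERR/NOTIMP retry once without it; on
    silence retry the same query until max_attempts is spent.
    Returns (outcome, attempts_used, edns_in_final_query)."""
    edns, attempts = True, 0
    while attempts < max_attempts:
        attempts += 1
        resp = send(build_query(qname, edns=edns))
        if resp is None:
            continue                      # timeout: the silent server never answers
        rcode = struct.unpack("!H", resp[2:4])[0] & 0x000F
        if rcode in (FORMERR, NOTIMP) and edns:
            edns = False                  # server rejected OPT: retry without EDNS0
            continue
        return ("answered" if rcode == NOERROR else "failed"), attempts, edns
    return "timeout", attempts, edns


if __name__ == "__main__":
    for name, server in [("edns", edns_server), ("legacy", legacy_server),
                         ("silent", silent_server)]:
        print(name, resolve(server, "www.example."))
```

The legacy server costs one extra round trip and the plain query then
succeeds; the silent server consumes every attempt with a timeout, which is
the "very slow or fail completely" outcome the text describes.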

4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.
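As an added example of the application-side checking this section calls
for (not BIND 9 code), the following validates names obtained from the DNS
against the RFC952 hostname syntax before an application uses them. It
allows a label to begin with a digit (the RFC1123 relaxation) and accepts
one trailing dot; the function names and the sample names are constructed
for the example.

```python
"""Application-side hostname validation for names learned from the DNS.

Added example, not BIND 9 code. Since BIND 9 passes names through unfiltered,
the consuming application has to check them itself. Sample names are
constructed; allowing a leading digit follows RFC 1123.
"""
import re

# One label: letters, digits and hyphens, neither starting nor ending with a
# hyphen, at most 63 octets.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name):
    """True if `name` is a syntactically valid hostname (ASCII only)."""
    if not isinstance(name, str) or not name:
        return False
    if name.endswith("."):                 # accept one trailing dot (fully qualified)
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hostname_from_dns(name):
    """Return the name if it is safe to pass on (to a log line, an ACL, a
    command), otherwise None; callers must never use the raw answer directly."""
    return name if is_valid_hostname(name) else None


def partition(names):
    """Split a list of names into (accepted, rejected), preserving order."""
    accepted = [n for n in names if is_valid_hostname(n)]
    rejected = [n for n in names if not is_valid_hostname(n)]
    return accepted, rejected


SAMPLE_NAMES = [                 # constructed reverse-lookup results
    "ns.example.com",
    "ns.example.com.",
    "3com.example",              # leading digit: valid under RFC 1123
    "-bad.example",              # label starts with a hyphen
    "host;name.example",         # shell metacharacter
    "h\u00e9llo.example",        # 8-bit character: BIND 9 passes it through
    "a" * 64 + ".example",       # label too long
    "",
]

if __name__ == "__main__":
    accepted, rejected = partition(SAMPLE_NAMES)
    print("accepted:", accepted)
    print("rejected:", rejected)
```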

5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details. Some of the ndc commands are still unimplemented in rndc.

6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behavior was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behavior need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.

$Id: migration,v 1.20 2001/01/16 20:35:31 gson Exp $