migration revision 533df4efdafcf7a8b7292a298f45df9ab7f7f7f9
Copyright (C) 2000 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.
1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.0.0 supports most, but not all, of the named.conf options of
BIND 8. Unimplemented options include those for selective
(per-domain) forwarding, sortlists, statistics, and process limits;
for a complete list, see doc/misc/options. We plan to implement most
of these in BIND 9.1.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.
In particular, if you see a warning message about the default for the
"auth-nxdomain" option having changed, you can suppress it by adding
one of the following lines to the named.conf options { } block:

   auth-nxdomain no;    # conform to RFC1035
   auth-nxdomain yes;   # do what BIND 8 did by default
1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that when
the server first starts up, any messages about errors in the
configuration file are always logged to the default destination
(syslog), regardless of the contents of the "logging" statement. In
BIND 8, the new logging configuration took effect immediately after
the "logging" statement was read.
1.4. Case Sensitivity

In BIND 9, ACL names are case sensitive. In BIND 8 they were case

1.5. Notify Messages and Refresh Queries

The source address and port for these are now controlled by
transfer-source rather than query-source.
2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.

BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules. The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

                ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first

2.5. Unimplemented BIND 8 Extensions

$GENERATE: This deprecated form of getting a literal $ into a domain
name ($$) is no longer supported; use \$ instead.
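As an added example (not part of these notes and not BIND's own code), a small Python checker that applies the rules of 2.1 through 2.4 to a master file before the upgrade: it reports a first RR with no usable TTL, an SOA serial that is not a plain integer, an unbalanced quote, and a record whose opening parenthesis sits on a continuation line. The function names are the example's own, the sample zone is constructed, and the tokenizer is deliberately simplified (assumed: comments run to end of line, backslash escapes inside quoted strings are honoured, nothing else).

```python
import re
# Constructed sample zone (not from the page) that trips every check below.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@    IN SOA ns.example.com. hostmaster.example.com. ( 3.002 3600 1800 1814400 3600 )
ns   IN A   192.0.2.1
mail IN MX  10
        ( mail.example.com. )
info IN TXT "unterminated
"""
# quoted string | lone (unterminated) quote | comment | paren | bare word
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|"|;.*|[()]|[^\s()";]+')

def check_record(line, owner, rec, ttl_known):
    """TTL rule (2.1) and integer SOA serial (2.2) for one logical record."""
    found, f = [], (rec[1:] if owner else rec) + [""] * 4     # pad so indexing is safe
    if rec[0].startswith("$"):                                 # $TTL / $ORIGIN directive
        return found, ttl_known or rec[0].upper() == "$TTL"
    explicit = f[0].isdigit() or (f[0].upper() in ("IN", "CH", "HS") and f[1].isdigit())
    if not explicit and not ttl_known:                         # no $TTL, no earlier explicit TTL
        found.append((line, "no TTL specified: add a $TTL directive (load fails here)"))
    up = [t.upper() for t in f]
    if "SOA" in up and not f[up.index("SOA") + 3].isdigit():   # MNAME RNAME SERIAL ...
        found.append((line, "SOA serial %r is not an integer" % f[up.index("SOA") + 3]))
    return found, True                    # later RRs inherit this TTL (or the load already failed)

def lint_zone(text):
    """Return [(line, message)] for the BIND 9 rules in sections 2.1-2.4."""
    problems, ttl_known, depth, rec, first, owner, skip = [], False, 0, [], 0, True, False
    for n, raw in enumerate(text.splitlines(), 1):
        if not rec:                                            # a new record starts here
            first, owner, skip = n, not raw[:1].isspace(), raw.lstrip().startswith("(")
            if skip:                                           # 2.4: '(' must be on the record's first line
                problems.append((n, "continuation line: move the opening '(' to the record's first line"))
        for tok in _TOKEN.findall(raw):
            if tok[0] == ";":
                break
            if tok == '"':                                     # 2.3: BIND 9 reads on to the next quote,
                problems.append((n, 'unbalanced quote: expect "unexpected end of file"'))
                return problems                                # so nothing after this line is an RR
            if tok in "()":
                depth += 1 if tok == "(" else -1
            else:
                rec.append(tok)
        if depth == 0 and rec:                                 # logical record complete
            if not skip:
                found, ttl_known = check_record(first, owner, rec, ttl_known)
                problems.extend(found)
            rec = []
    return problems
```

Run against SAMPLE_ZONE it reports line 2 twice (no TTL, serial "3.002"), line 5 (misplaced parenthesis) and line 6 (unbalanced quote); a file that starts with $TTL and keeps its parentheses on the record's first line passes clean.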
3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets the AD bit in queries to indicate that it wishes to receive
DNSSEC responses (this usage of the AD bit is not yet standard, but
hopefully it will be soon).

Most older servers that do not support EDNS0 and/or DNSSEC, including
all known versions of BIND, will send a FORMERR or NOTIMP response to
these queries. When this happens, BIND 9 will automatically retry the
query without EDNS0 and AD.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
question and are trying to resolve the issue with them.
4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), is used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
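Since BIND 9 no longer discards such names on the application's behalf, the check has to live in the application; as an added example (not from these notes or from BIND), a Python helper that validates a gethostbyaddr() result against the RFC952 label rules before the name is used anywhere. The stand-in resolver and the names in its table are constructed so the example runs offline; is_hostname and safe_reverse_name are the example's own names.

```python
import re
import socket

# One RFC 952-style label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters. Assumption: RFC 1123's relaxation that lets a
# label start with a digit is accepted, as most current hostname checks do.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_hostname(name):
    """True if every label of name follows the RFC 952 hostname rules."""
    name = name.rstrip(".")                  # a trailing dot marks an absolute name
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def safe_reverse_name(addr, lookup=socket.gethostbyaddr):
    """Hostname from the PTR lookup of addr, or None if the lookup fails or the
    name would not pass is_hostname(). BIND 9 passes such names through, so the
    application, not the resolver, has to discard them."""
    try:
        name = lookup(addr)[0]
    except OSError:                          # socket.herror is an OSError subclass
        return None
    return name if is_hostname(name) else None

# Constructed stand-in for gethostbyaddr() so the example runs offline.
_FAKE_PTR = {
    "192.0.2.1": "host1.example.com",
    "192.0.2.2": "web server.example.com",   # space: not a valid hostname
    "192.0.2.3": "-leading.example.com",     # label may not start with a hyphen
}

def fake_gethostbyaddr(addr):
    if addr not in _FAKE_PTR:
        raise OSError("host not found")
    return _FAKE_PTR[addr], [], [addr]
```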
5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details. Many of the ndc commands are still unimplemented in rndc.

$Id: migration,v 1.15 2000/10/31 05:34:15 marka Exp $