Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                     BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.

1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.1 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older) you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement for that slave.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files never cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that any
messages about errors in the configuration file are always logged to
the default destination (syslog) when the server first starts up,
regardless of the contents of the "logging" statement. In BIND 8, the
new logging configuration took effect immediately after the "logging"
statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these are now controlled by
"notify-source" and "transfer-source", respectively, rather than by
"query-source" as in BIND 8.

1.5. Multiple Classes

Multiple classes have to be put into explicit views, one view per class.
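The following named.conf fragment is an added example written around the
caveats in section 1; it is not from the BIND distribution or from this
document. It shows the explicit transfer-format override for one old
slave, BIND 9 category names in the logging statement, separate
notify-source and transfer-source settings, and one view per class. The
addresses are RFC 5737 documentation addresses; the paths, channel name,
view names and the 192.0.2.99 legacy slave are placeholders.

```conf
options {
    directory "/var/named";
    // BIND 9's default is already many-answers; stating it makes the
    // intent visible to whoever reads this file after the migration.
    transfer-format many-answers;
    // BIND 8 used query-source for everything. In BIND 9 NOTIFY
    // messages and SOA refresh / zone transfer queries have their own
    // source settings; set all three if a firewall filters by source.
    query-source    address 192.0.2.53 port *;
    notify-source   192.0.2.53;
    transfer-source 192.0.2.53;
};

// A slave that predates many-answers (BIND 4.9.5 or older) gets the
// old format from a per-server statement instead of globally.
server 192.0.2.99 {
    transfer-format one-answer;
};

// BIND 9 category names. This statement takes effect only after the
// whole file has been parsed, so errors found at startup still go to
// syslog, not to this channel.
logging {
    channel ops_log {
        file "/var/log/named.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default  { ops_log; };
    category security { ops_log; };
    category xfer-in  { ops_log; };
    category xfer-out { ops_log; };
    category notify   { ops_log; };
};

// Each class gets its own view. Once any view is declared, every zone
// (including the root hints) must live inside a view.
view "internet" IN {
    zone "." {
        type hint;
        file "named.root";
    };
    zone "example.com" {
        type master;
        file "master/example.com";
    };
};

view "chaos" CH {
    zone "bind" {
        type master;
        file "master/bind.ch";
    };
};
```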
2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 8 allowed you to omit all TTLs from a zone file, and used the
value of the SOA MINTTL field as a default for missing TTL values.
BIND 9 enforces strict compliance with the RFC1035 and RFC2308 TTL
rules. The default TTL is the value specified with the $TTL
directive, or the previous explicit TTL if there is no $TTL directive.
If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the error message "no TTL specified" is
logged and loading the zone file fails.

To avoid problems, use a $TTL directive in each zone file.

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

        ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.
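A pre-flight checker for the zone-file incompatibilities in sections
2.1 through 2.5, as an added example (it is not BIND code and not part
of this document). It scans a BIND 8 master file before you load it into
BIND 9 and reports, with the line number where the record starts, a
missing TTL on the first RR without a $TTL directive, a period in the
SOA serial, an unbalanced quote, an RR broken across lines before its
opening parenthesis, and "$$" inside $GENERATE. The sample zone at the
bottom is constructed for the demonstration; the tokenizer ignores
$INCLUDE and name compression because a master file has neither.

```python
"""Scan a BIND 8 master file for constructs BIND 9 rejects (added example)."""
import re
from typing import List, Tuple

CLASSES = {"IN", "CH", "HS", "CHAOS", "HESIOD"}
# A TTL is plain seconds or BIND's unit form such as 1d or 2h30m.
TTL_RE = re.compile(r"^(\d+[smhdw]?)+$", re.IGNORECASE)


def tokenize(line: str) -> Tuple[List[str], bool, int]:
    """Split one line into tokens, keeping "quoted strings" whole, dropping
    ';' comments and counting parentheses.  Returns
    (tokens, quotes_balanced, net_change_in_paren_depth)."""
    tokens, buf, depth, in_quote, i = [], "", 0, False, 0
    while i < len(line):
        c = line[i]
        if in_quote:
            buf += c
            if c == "\\" and i + 1 < len(line):      # escaped char inside quotes
                buf += line[i + 1]
                i += 1
            elif c == '"':
                in_quote = False
                tokens.append(buf)
                buf = ""
        elif c == '"':
            if buf:
                tokens.append(buf)
            buf, in_quote = c, True
        elif c == ";":                                 # comment runs to end of line
            break
        elif c in "()":
            if buf:
                tokens.append(buf)
            buf = ""
            depth += 1 if c == "(" else -1
        elif c.isspace():
            if buf:
                tokens.append(buf)
            buf = ""
        else:
            buf += c
        i += 1
    if buf:
        tokens.append(buf)
    return tokens, not in_quote, depth


def check_zone(text: str) -> List[Tuple[int, str]]:
    """Return (line, message) pairs for everything BIND 9 would refuse."""
    problems: List[Tuple[int, str]] = []
    have_ttl, seen_rr, depth = False, False, 0
    pending: List[str] = []            # tokens of an RR that spans several lines
    start, owner_present = 0, False
    for n, raw in enumerate(text.splitlines(), 1):
        tokens, balanced, delta = tokenize(raw)
        if not balanced:
            problems.append((n, 'unbalanced quote: BIND 9 reads up to the next " as one string'))
        if depth == 0 and raw.lstrip().startswith("("):
            problems.append((n, "RR broken across lines before its opening parenthesis"))
        if not pending and tokens:
            start, owner_present = n, not raw[0].isspace()
        pending.extend(tokens)
        depth += delta
        if depth > 0 or not pending:
            continue                   # record not finished, or blank/comment line
        rr, pending = pending, []
        if rr[0].upper() == "$TTL":
            have_ttl = True
            continue
        if rr[0].upper() == "$GENERATE":
            if any("$$" in t for t in rr):
                problems.append((start, '"$$" in $GENERATE is deprecated; write \\$ instead'))
            continue
        if rr[0].startswith("$"):      # $ORIGIN, $INCLUDE: nothing to check
            continue
        fields = rr[1:] if owner_present else rr
        ttl_given = False
        while fields and (TTL_RE.match(fields[0]) or fields[0].upper() in CLASSES):
            ttl_given = ttl_given or bool(TTL_RE.match(fields[0]))
            fields.pop(0)
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if not seen_rr:
            seen_rr = True
            if not (have_ttl or ttl_given):
                problems.append((start, "no TTL specified: add a $TTL directive"))
        if rtype == "SOA" and len(rdata) >= 3 and "." in rdata[2]:
            problems.append((start, f"SOA serial {rdata[2]} contains a period; must be an integer"))
    return sorted(problems)


# Constructed BIND 8-style zone: every record below loaded under BIND 8.
SAMPLE_BIND8_ZONE = """\
; constructed sample, not a real zone
@       IN SOA ns1.example.com. hostmaster.example.com. (
            3.002 3600 1800 1814400 3600 )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.1
host    IN TXT "unterminated
multi   IN TXT
            ( "part one" "part two" )
$GENERATE 1-2 dyn$ IN A 192.0.2.$
$GENERATE 1-2 cost$$ IN A 192.0.2.$
"""

if __name__ == "__main__":
    for line, msg in check_zone(SAMPLE_BIND8_ZONE):
        print(f"line {line}: {msg}")
```

Run it over each zone file listed in named.conf before the cutover; an
empty result means the file is clean with respect to these five checks,
not that named-checkzone (or named itself) will accept everything else in it.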
3. Interoperability Impact of New Protocol Features

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
question, and they are working on a solution.
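The exchange described in section 3, as an added example (not BIND code
and not part of this document): it builds the wire-format query BIND 9
sends, a standard query with an OPT pseudo-RR advertising a 4096-octet
UDP buffer and the DNSSEC-OK flag (the bit later standardized as DO in
RFC 3225), and runs it against three simulated servers: one that
understands EDNS0, one that answers FORMERR, and one that drops the
query. The resolver retries without the OPT RR on FORMERR/NOTIMP; the
plain_after_timeout switch is a policy added here to show what rescues
the silent-server case, not something this document says BIND 9 does.
Nothing touches the network; every message is constructed in-process.

```python
"""EDNS0 query construction and retry-without-EDNS fallback (added example)."""
import struct
from typing import Callable, Optional, Tuple

TYPE_OPT = 41
EDNS_UDP_SIZE = 4096            # advertised receive buffer size
DO_BIT = 0x8000                 # DNSSEC-OK flag in the OPT RR's TTL field
RCODE_NOERROR, RCODE_FORMERR, RCODE_NOTIMP = 0, 1, 4

Server = Callable[[bytes], Optional[bytes]]   # None models a dropped query


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid: int, name: str, qtype: int = 1, edns: bool = True) -> bytes:
    """Standard query (RD set) for name/qtype, with or without an OPT RR."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT: root owner, TYPE 41, CLASS = UDP size, TTL = ext-rcode|version|flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt


def question_end(msg: bytes) -> int:
    """Offset just past the single question (our messages use no name compression)."""
    pos = 12
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1 + 4


def has_opt(query: bytes) -> bool:
    """True if the first additional record is an OPT RR."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return False
    pos = question_end(query)
    while query[pos]:
        pos += 1 + query[pos]
    return struct.unpack("!H", query[pos + 1:pos + 3])[0] == TYPE_OPT


def make_reply(query: bytes, rcode: int) -> bytes:
    """Minimal response: same ID, QR|RD|RA set, given rcode, question echoed."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0) + query[12:question_end(query)]


# The three server behaviours from the text, all simulated.
def modern_server(q: bytes) -> Optional[bytes]:
    return make_reply(q, RCODE_NOERROR)

def formerr_server(q: bytes) -> Optional[bytes]:     # e.g. an older BIND
    return make_reply(q, RCODE_FORMERR if has_opt(q) else RCODE_NOERROR)

def silent_server(q: bytes) -> Optional[bytes]:      # ignores EDNS queries
    return None if has_opt(q) else make_reply(q, RCODE_NOERROR)


def resolve(server: Server, name: str, attempts: int = 3,
            plain_after_timeout: bool = False) -> Tuple[Optional[int], int]:
    """Send with EDNS0 first; on FORMERR/NOTIMP resend the same question
    without the OPT RR.  Returns (final rcode, or None if every attempt
    timed out; number of queries sent)."""
    edns, sent = True, 0
    while sent < attempts:
        query = build_query(0x1000 + sent, name, edns=edns)
        reply = server(query)
        sent += 1
        if reply is None:                           # timeout
            edns = edns and not plain_after_timeout
            continue
        if reply[:2] != query[:2]:                  # ID mismatch: not our answer
            continue
        rcode = struct.unpack("!H", reply[2:4])[0] & 0x0F
        if edns and rcode in (RCODE_FORMERR, RCODE_NOTIMP):
            edns = False                            # legacy server: retry plain
            continue
        return rcode, sent
    return None, sent


if __name__ == "__main__":
    for label, srv in (("modern", modern_server), ("formerr", formerr_server), ("silent", silent_server)):
        print(f"{label:8s} -> (rcode, queries) = {resolve(srv, 'www.example.com')}")
    print("silent with plain_after_timeout ->", resolve(silent_server, "www.example.com", plain_after_timeout=True))
```

The silent server costs the full attempt budget with no answer, which is
the "very slow or fail completely" behaviour the text describes; the
FORMERR server costs exactly one extra round trip.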
4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
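The check that such an application now has to do for itself, as an added
example (not BIND code and not part of this document): a hostname
validator implementing the RFC 952 syntax as relaxed by RFC 1123 (a
label may start with a digit), applied to a reverse-lookup result before
it goes anywhere near a shell, a log file or a terminal. The PTR results
in the main block are constructed to show what an attacker who controls
a reverse zone can publish once nothing upstream filters it; no real
lookup is performed.

```python
"""Application-side hostname validation replacing BIND 8's check-names (added example)."""
import re

# One label: letters, digits and hyphens, no leading or trailing hyphen,
# 1 to 63 octets.  ASCII only: BIND 9 is 8-bit clean, a host name is not.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_NAME_LEN = 253          # 255 octets on the wire less length byte and root


def is_safe_hostname(name: str) -> bool:
    """True if name is a syntactically valid host name (trailing dot allowed)."""
    if not name.isascii():
        return False
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > MAX_NAME_LEN:
        return False
    # fullmatch, not match: "$" would accept a label ending in a newline
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


def display_name(ip: str, ptr_result: str) -> str:
    """What a log line or a 'connection from ...' banner may show: the
    reverse-lookup name only if it passes the check, else the address."""
    return ptr_result if is_safe_hostname(ptr_result) else ip


if __name__ == "__main__":
    # Constructed PTR answers; only the first one is fit to display.
    for ip, ptr in [("192.0.2.7", "host7.example.com."),
                    ("192.0.2.8", "x; rm -rf /; .example.com"),        # shell metacharacters
                    ("192.0.2.9", "ok.example.com\nroot login ok"),     # log injection
                    ("192.0.2.10", "-leading.example.com"),
                    ("192.0.2.11", "caf\u00e9.example.com")]:
        print(f"{ip:<12} -> {display_name(ip, ptr)}")
```

Falling back to the address literal rather than rejecting the connection
keeps the application working against zones that legitimately carry
odd names; the point is only that untrusted bytes never reach the
sensitive sink unchecked.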
5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in doc/man/bin/rndc.1 and doc/man/bin/rndc.conf.5 for
details. Some of the ndc commands are still unimplemented in rndc.
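A minimal rndc setup, as an added example (not from the BIND
distribution or from this document). Because rndc can operate remotely,
the control channel in named.conf should listen only where you mean it
to and accept only the shared key; the fragment binds it to the loopback
address. The secret shown is a placeholder (base64 of the string
"secret-placeholder"): replace it with a random value generated by
rndc-confgen or any other source of 128 random bits, base64-encoded, and
keep both files unreadable to other users.

```conf
// /etc/rndc.conf (the client side)
options {
    default-server 127.0.0.1;
    default-key    "rndc-key";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";   // placeholder, replace before use
};

// named.conf (the server side): the same key, and a control channel
// reachable only from the local host.  "remote operation" reaches the
// network only if you list another address or widen the allow list.
key "rndc-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";   // placeholder, must match rndc.conf
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

With both files in place, "rndc reload" does what "ndc reload" used to;
the remaining ndc commands are covered by the rndc.1 man page for the
release you are running.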
6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behavior was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behavior need to add any
omitted glue NS records, and any necessary glue A records, to the
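The two zone files below are an added example (not from the BIND
distribution or from this document) of what a server that is master for
both example.com and child.example.com needs once BIND 9 stops leaking
the child's apex NS set into the parent: the parent carries its own
delegation NS records and, because the child's name servers are named
inside the delegated zone, glue A records for them. Addresses are RFC
5737 documentation addresses; the names and serials are placeholders.

```zone
; master/example.com  (parent zone)
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2001031901 3600 1800 1814400 3600 )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.1
; Delegation of child.example.com.  Under BIND 8 these NS records could
; be omitted and the child's apex NS set would appear here by itself;
; BIND 9 serves exactly what this file says, so they must be present.
child   IN NS  ns1.child.example.com.
        IN NS  ns2.child.example.com.
; Glue: the child's servers are below the cut, so the parent must carry
; their addresses or the delegation cannot be followed.
ns1.child   IN A   192.0.2.10
ns2.child   IN A   192.0.2.11

; master/child.example.com  (child zone)
$TTL 3600
$ORIGIN child.example.com.
@       IN SOA ns1.child.example.com. hostmaster.child.example.com. (
            2001031901 3600 1800 1814400 3600 )
        IN NS  ns1.child.example.com.
        IN NS  ns2.child.example.com.
ns1     IN A   192.0.2.10
ns2     IN A   192.0.2.11
www     IN A   192.0.2.20
```

The parent's glue and the child's apex records are now maintained
separately, so a change to the child's name servers has to be made in
both files; a mismatch is no longer papered over by the server.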

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name

$Id: migration,v 1.27 2001/03/19 18:07:32 gson Exp $