Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9.2 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older), you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files never cause the server to exit.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customized your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that any
messages about errors in the configuration file found when the server
first starts up are always logged to the default destination (syslog),
regardless of the contents of the "logging" statement. In BIND 8, the
new logging configuration took effect immediately after the "logging"
statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these is now controlled by
"notify-source" and "transfer-source", respectively, rather than
"query-source" as in BIND 8.

1.5. Multiple Classes

Zones of more than one class have to be put into explicit views, one
view per class.
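
The named.conf fragment below is an added example, not part of the
original notes: it shows sections 1.1, 1.4 and 1.5 applied together.
The addresses, zone names and file names in it are made up.

```conf
options {
        // Section 1.1: the BIND 9 default, written out for clarity.
        transfer-format many-answers;

        // Section 1.4: refresh queries, zone transfers and NOTIFY
        // messages no longer use query-source. Choose their source
        // addresses explicitly (192.0.2.53 is a made-up address).
        query-source address 192.0.2.53;
        transfer-source 192.0.2.53;
        notify-source 192.0.2.53;
};

// Section 1.1: a slave too old for many-answers (BIND 4.9.5 or older)
// keeps the one-answer format; every other slave gets the default.
server 192.0.2.10 {
        transfer-format one-answer;
};

// Section 1.5: one view per class. Once any view is declared, every
// zone must live inside a view, so the IN zones get one as well.
view "internet" IN {
        zone "example" IN {
                type master;
                file "db.example";      // placeholder file name
        };
};

view "chaos" CHAOS {
        zone "bind" CHAOS {
                type master;
                file "db.bind";         // placeholder file name
        };
};
```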

2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted TTLs in zone files. Omitted TTLs are replaced by the value
specified with the $TTL directive, or by the previous explicit TTL if
there is no $TTL directive.

If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the zone file is illegal according to
RFC1035 since the TTL of the first RR is undefined. Unfortunately,
BIND 4 and many versions of BIND 8 accept such files without warning
and use the value of the SOA MINTTL field as a default for missing TTL
values.

BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
emulates the nonstandard BIND 4/8 SOA MINTTL behavior and loads the
files anyway (provided the SOA is the first record in the file), but
will issue the warning message "no TTL specified; using SOA MINTTL
instead".

To avoid problems, we recommend that you use a $TTL directive in each
zone file.
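
As an added example (not BIND's own code), the Python function below
applies the TTL rules described above to the lines of a master file,
including the BIND 9.2 MINTTL fallback and the BIND 9.0/9.1 refusal.
Its tokenizing is deliberately simplified, and the zone data used to
exercise it is constructed.

```python
class ZoneLoadError(Exception):
    """Raised where BIND 9 would refuse to load the master file."""


def assign_ttls(lines, emulate_minttl=True):
    """Fill in omitted TTLs the way BIND 9 does; returns (records, warnings).

    Precedence: an explicit TTL on the RR; the $TTL directive; the previous
    explicit TTL; and, only for a leading SOA when emulate_minttl is set
    (BIND 9.2), the SOA MINTTL with a warning. Anything else is a load error
    (BIND 9.0/9.1 behaviour). Simplified: class IN only, integer TTLs, no
    '(' grouping or quoted strings. A record is (owner, ttl, type, rdata).
    """
    default_ttl = None          # from $TTL, or from the MINTTL fallback
    last_ttl = None             # most recent explicit TTL seen
    last_owner = None
    records, warnings = [], []
    for lineno, raw in enumerate(lines, 1):
        text = raw.split(";", 1)[0]             # drop comments
        if not text.strip():
            continue
        if text.startswith("$TTL"):
            default_ttl = int(text.split()[1])
            continue
        fields = text.split()
        # A line that starts with blank space reuses the previous owner name.
        owner = last_owner if text[0].isspace() else fields.pop(0)
        if owner is None:
            raise ZoneLoadError("line %d: no owner name" % lineno)
        last_owner = owner
        ttl = None
        for _ in range(2):                      # [TTL] [class] in either order
            if fields and fields[0].isdigit():
                ttl = int(fields.pop(0))
            elif fields and fields[0].upper() == "IN":
                fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if ttl is not None:
            last_ttl = ttl
        elif default_ttl is not None:
            ttl = default_ttl
        elif last_ttl is not None:
            ttl = last_ttl
        elif rtype == "SOA" and not records and emulate_minttl:
            ttl = default_ttl = int(rdata[-1])  # MINTTL is the last SOA field
            warnings.append("line %d: no TTL specified; "
                            "using SOA MINTTL instead" % lineno)
        else:
            raise ZoneLoadError("line %d: no TTL specified" % lineno)
        records.append((owner, ttl, rtype, rdata))
    return records, warnings
```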

2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

        @ IN SOA ns.example. hostmaster.example.
        ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
line.
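
The tokenizer below is an added example (not BIND's code) covering
sections 2.3 and 2.4: it shows how a quoted string runs to the next
quote character, why an unbalanced quote surfaces as "unexpected end
of file", and how the unparenthesized SOA above splits into two
records. soa_rdata and the error texts are this example's own.

```python
class MasterFileError(Exception):
    """Raised where BIND 9 would report a master file syntax error."""

def split_records(text):
    """Split master-file text into records (token lists) per RFC1035: a newline
    ends a record unless inside '(' ... ')', ';' comments run to end of line,
    and a quoted string extends to the next '"' (backslash escapes one char)."""
    records, tokens, tok = [], [], []
    depth, i, n = 0, 0, len(text)
    def flush(end=False):                  # close the current token / record
        if tok:
            tokens.append("".join(tok))
            tok.clear()
        if end and tokens:
            records.append(tokens[:])
            tokens.clear()
    while i < n:
        c = text[i]
        if c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            if j >= n:                     # the symptom section 2.3 describes
                raise MasterFileError("unexpected end of file (quote at %d)" % i)
            flush()
            tokens.append(text[i + 1:j])   # everything up to the next quote
            i = j
        elif c == ";":
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1    # resume at the newline (or EOF)
        elif c == "(":
            depth += 1
            flush()
        elif c == ")":
            if depth == 0:
                raise MasterFileError("unexpected ')' at offset %d" % i)
            depth -= 1
            flush()
        elif c in " \t\r\n":
            flush(end=(c == "\n" and depth == 0))
        else:
            tok.append(c)
        i += 1
    if depth:
        raise MasterFileError("unexpected end of file inside '(' ... ')'")
    flush(end=True)
    return records

def soa_rdata(record):
    """The 7 SOA rdata fields; the first line of the section 2.4 SOA has 2."""
    rdata = record[record.index("SOA") + 1:]
    if len(rdata) != 7:
        raise MasterFileError("SOA has %d rdata fields, expected 7" % len(rdata))
    return rdata
```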

2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.

3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardized,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers run this implementation will be very slow or
fail completely. We have contacted the manufacturer of the name server
in question, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level. If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.
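
As an added example, not taken from BIND, the Python code below builds a
query carrying the OPT pseudo-RR described above (the flag bit set in its
TTL field is the DNSSEC OK bit) and shows the FORMERR/NOTIMP fallback;
the two stub servers are constructed for the demonstration.

```python
import struct

FORMERR, NOTIMP = 1, 4        # RCODEs from servers that do not understand OPT
EDNS_UDP_SIZE = 4096          # receive buffer size advertised (section 3.1)
DO_BIT = 0x8000               # DNSSEC OK flag, carried in the OPT RR's TTL field
OPT_TYPE = 41

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, qid, edns=True):
    """A standard query; with edns=True an OPT pseudo-RR (RFC2671) is appended
    in the additional section, advertising the buffer size and the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, DO_BIT, 0)
    return header + question + opt

def rcode(msg):
    """Low four bits of the second header word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def has_opt(query):
    """ARCOUNT != 0: the only additional record these queries carry is OPT."""
    return struct.unpack("!H", query[10:12])[0] != 0

def query_with_fallback(send, qname, qtype=1, qid=0x1234):
    """Send with EDNS0; if the server answers FORMERR or NOTIMP, retry the
    same question without EDNS0, as BIND 9 does. Returns (response, used_edns).
    A server that drops the query instead of answering (the case the notes
    warn about) would show up here as a timeout, not as an RCODE."""
    resp = send(build_query(qname, qtype, qid, edns=True))
    if rcode(resp) in (FORMERR, NOTIMP):
        return send(build_query(qname, qtype, qid, edns=False)), False
    return resp, True

def make_server(understands_edns):
    """Constructed stub servers: a pre-EDNS0 server returns FORMERR whenever an
    OPT RR is present; an EDNS0-aware one answers NOERROR. Only the 12-byte
    header is returned, which is all the fallback decision needs."""
    def serve(query):
        qid = struct.unpack("!H", query[:2])[0]
        code = 0 if understands_edns or not has_opt(query) else FORMERR
        return struct.pack("!HHHHHH", qid, 0x8100 | code, 0, 0, 0, 0)
    return serve
```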

3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a bug
in the Windows 2000 DNS server where DNS messages larger than 16K are
not handled properly. There will be a hot fix available from
Microsoft to address this issue. In the meantime, the problem can
be worked around by setting "transfer-format one-answer;".
[As of May 4 2001 the hotfix was still being prepared]


4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.
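
The check below is an added example, not something BIND provides: it
applies the RFC952 host name rules (with the RFC1123 leading-digit
relaxation as an option) to a name before an application uses it, which
is the kind of validation the paragraph above asks of applications now
that BIND 9 passes 8-bit data through unchanged.

```python
import re

# RFC952 label: starts with a letter; RFC1123 also allows a leading digit.
LABEL_952 = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
LABEL_1123 = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")

def is_safe_hostname(name, allow_leading_digit=True):
    """True only if every label is letters, digits and hyphens, does not
    start or end with a hyphen, and is 1..63 characters, with the whole
    name at most 253 characters. Anything else (spaces, shell metacharacters,
    8-bit bytes, empty labels) is rejected, so a name returned by
    gethostbyaddr() can be checked before it reaches a shell, a log or HTML."""
    if not isinstance(name, str) or not name:
        return False
    name = name.rstrip(".")            # a single trailing dot is fine
    if len(name) > 253:
        return False
    pattern = LABEL_1123 if allow_leading_digit else LABEL_952
    for label in name.split("."):
        if not 1 <= len(label) <= 63 or label.endswith("-"):
            return False
        if not pattern.fullmatch(label):
            return False
    return True
```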

5. Server Administration Tools

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file;
see the man pages in bin/rndc/rndc.1 and bin/rndc/rndc.conf.5 for
details. Some of the ndc commands are still unimplemented in rndc.


6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behavior was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behavior need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.

$Id: migration,v 1.34 2001/05/30 23:02:01 bwelling Exp $