Copyright (C) 2000, 2001 Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

                    BIND 8 to BIND 9 Migration Notes

BIND 9 is designed to be mostly upwards compatible with BIND 8, but
there are still a number of caveats you should be aware of when
upgrading an existing BIND 8 installation to use BIND 9.


1. Configuration File Compatibility

1.1. Unimplemented Options and Changed Defaults

BIND 9 supports most, but not all, of the named.conf options of BIND 8.
For a complete list of implemented options, see doc/misc/options.

If your named.conf file uses an unimplemented option, named will log a
warning message. A message is also logged about each option whose
default has changed unless the option is set explicitly in named.conf.

The default of the "transfer-format" option has changed from
"one-answer" to "many-answers". If you have slave servers that do not
understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
older), you need to explicitly specify "transfer-format one-answer;" in
either the options block or a server statement.

1.2. Handling of Configuration File Errors

In BIND 9, named refuses to start if it detects an error in
named.conf. Earlier versions would start despite errors, causing the
server to run with a partial configuration. Errors detected during
subsequent reloads do not cause the server to exit.

Errors in master files do not cause the server to exit, but they
do cause the zone not to load.

1.3. Logging

The set of logging categories in BIND 9 is different from that
in BIND 8. If you have customised your logging on a per-category
basis, you need to modify your logging statement to use the
new categories.

Another difference is that the "logging" statement only takes effect
after the entire named.conf file has been read. This means that any
messages about errors in the configuration file encountered when the
server first starts up are always logged to the default destination
(syslog), regardless of the contents of the "logging" statement. In
BIND 8, the new logging configuration took effect immediately after
the "logging" statement was read.

1.4. Notify Messages and Refresh Queries

The source address and port for these messages are now controlled by
"notify-source" and "transfer-source", respectively, rather than by
"query-source" as in BIND 8.

1.5. Multiple Classes

Zones of different classes must be placed in explicit views, one view
per class.


2. Zone File Compatibility

2.1. Strict RFC1035 Interpretation of TTLs in Zone Files

BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
omitted TTLs in zone files. Omitted TTLs are replaced by the value
specified with the $TTL directive, or by the previous explicit TTL if
there is no $TTL directive.

If there is no $TTL directive and the first RR in the file does not
have an explicit TTL field, the zone file is illegal according to
RFC1035 since the TTL of the first RR is undefined. Unfortunately,
BIND 4 and many versions of BIND 8 accept such files without warning
and use the value of the SOA MINTTL field as a default for missing TTL
values.

BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
files anyway (provided the SOA is the first record in the file), but
will issue the warning message "no TTL specified; using SOA MINTTL
instead".

To avoid problems, we recommend that you use a $TTL directive in each
zone file.

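As an added example (not part of these notes or of BIND's code), the TTL rule above as a small Python function: an omitted TTL takes the $TTL value, else the previous explicit TTL, else the SOA MINTTL with the 9.2 warning, and a file whose first RR has no TTL is rejected. It assumes one RR per line with TTLs written in seconds; the sample zones in the test are constructed.

```python
class ZoneFileError(Exception):
    """Raised where BIND 9 refuses to load the file."""


CLASSES = {"IN", "CH", "HS"}
NO_TTL_WARNING = "no TTL specified; using SOA MINTTL instead"


def resolve_ttls(zone_text):
    """Return (records, warnings); each record is (owner, ttl, type, rdata).

    Precedence for an omitted TTL: the $TTL directive, else the previous
    explicit TTL (RFC2308), else the SOA MINTTL with BIND 9.2's warning
    (BIND 4/8 emulation, so the SOA must come first), else an error.
    One RR per line; parenthesised continuation lines are not handled.
    """
    default_ttl = None       # set by a $TTL directive
    last_explicit = None     # most recent TTL written on an RR
    soa_minttl = None        # last field of the SOA rdata, once seen
    owner = None
    records, warnings = [], []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            continue                                 # other directives ignored
        tokens = line.split()
        if not raw[0].isspace():                     # leading blank = same owner
            owner = tokens.pop(0)
        ttl = None
        if tokens[0].isdigit():                      # "[owner] ttl class type ..."
            ttl = int(tokens.pop(0))
        if tokens[0] in CLASSES:
            tokens.pop(0)
        if ttl is None and tokens[0].isdigit():      # "[owner] class ttl type ..."
            ttl = int(tokens.pop(0))
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SOA":
            soa_minttl = int(rdata[-1])              # MINIMUM is the last field
        if ttl is not None:
            last_explicit = ttl
        elif default_ttl is not None:
            ttl = default_ttl
        elif last_explicit is not None:
            ttl = last_explicit
        elif soa_minttl is not None:
            ttl = soa_minttl
            warnings.append(NO_TTL_WARNING)
        else:
            raise ZoneFileError("TTL of the first RR is undefined (no $TTL, no explicit TTL)")
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records, warnings
```
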
2.2. Periods in SOA Serial Numbers Deprecated

Some versions of BIND allow SOA serial numbers with an embedded
period, like "3.002", and convert them into integers in a rather
unintuitive way. This feature is not supported by BIND 9; serial
numbers must be integers.

2.3. Handling of Unbalanced Quotes

TXT records with unbalanced quotes, like 'host TXT "foo', were not
treated as errors in some versions of BIND. If your zone files
contain such records, you will get potentially confusing error
messages like "unexpected end of file" because BIND 9 will interpret
everything up to the next quote character as a literal string.

2.4. Handling of Line Breaks

Some versions of BIND accept RRs containing line breaks that are not
properly quoted with parentheses, like the following SOA:

    @ IN SOA ns.example. hostmaster.example.
    ( 1 3600 1800 1814400 3600 )

This is not legal master file syntax and will be treated as an error
by BIND 9. The fix is to move the opening parenthesis to the first
line.

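The two tokenizer rules behind sections 2.3 and 2.4, as an added Python example rather than BIND's own code: parentheses continue a record across lines and quotes delimit a literal string, so a quote left open produces the same "unexpected end of file", and the unparenthesised SOA above surfaces as a record with too few rdata fields. The sample inputs in the test are constructed.

```python
class ZoneFileError(Exception): pass

def tokenize_records(text):
    """Split master-file text into records (token lists): a newline ends a record
    except inside parentheses, a quoted string is one token, and a quote still
    open at end of input is reported the way BIND 9 does, "unexpected end of file"."""
    records, tokens, tok = [], [], []
    started, depth, in_quote, i = False, 0, False, 0   # started: a token is open

    def end_token():
        nonlocal started
        if started:                       # also emits the empty string ""
            tokens.append("".join(tok))
            tok.clear()
            started = False

    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and i + 1 < len(text):     # escaped character in quotes
                tok.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_quote = False
                end_token()
            else:
                tok.append(c)
        elif c == '"':
            in_quote = started = True
        elif c == ";":                              # comment runs to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif c in "()":
            end_token()
            depth += 1 if c == "(" else -1
        elif c == "\n":
            end_token()
            if depth == 0 and tokens:               # a record ends only at depth 0
                records.append(tokens)
                tokens = []
        elif c.isspace():
            end_token()
        else:
            tok.append(c)
            started = True
        i += 1
    if in_quote or depth:                           # open quote or '(' at EOF
        raise ZoneFileError("unexpected end of file")
    end_token()
    if tokens:
        records.append(tokens)
    return records

def soa_field_errors(records):
    """An SOA split across unparenthesised lines turns up with too few rdata fields."""
    counts = [len(r) - r.index("SOA") - 1 for r in records if "SOA" in r]
    return ["SOA has %d rdata fields, expected 7" % n for n in counts if n != 7]
```
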
2.5. Unimplemented BIND 8 Extensions

$GENERATE: The "$$" construct for getting a literal $ into a domain
name is deprecated. Use \$ instead.


3. Interoperability Impact of New Protocol Features

3.1. EDNS0

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
also sets an EDNS flag bit in queries to indicate that it wishes to
receive DNSSEC responses; this flag bit usage is not yet standardised,
but we hope it will be.

Most older servers that do not support EDNS0, including prior versions
of BIND, will send a FORMERR or NOTIMP response to these queries.
When this happens, BIND 9 will automatically retry the query without
EDNS0.

Unfortunately, there exists at least one non-BIND name server
implementation that silently ignores these queries instead of sending
an error response. Resolving names in zones where all or most
authoritative servers use this server will be very slow or fail
completely. We have contacted the manufacturer of the name server in
question, and they are working on a solution.

When BIND 9 communicates with a server that does support EDNS0, such as
another BIND 9 server, responses of up to 4096 bytes may be
transmitted as a single UDP datagram which is subject to fragmentation
at the IP level. If a firewall incorrectly drops IP fragments, it can
cause resolution to slow down dramatically or fail.

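The EDNS0 exchange described in this section, as an added Python example (not code from BIND): it builds a query carrying an OPT RR that advertises a 4096-byte receive buffer and the DNSSEC OK (DO) flag, and retries without EDNS0 when the reply is FORMERR or NOTIMP. The send() callback is an assumption so the code runs offline, and fake_legacy_server is a constructed stand-in for a pre-EDNS0 server.

```python
import struct

FORMERR, NOTIMP = 1, 4   # RCODEs a pre-EDNS0 server returns to a query with an OPT RR
DO_BIT = 0x8000          # "DNSSEC OK" flag in the OPT TTL field (RFC3225)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, qid=0x1234, edns=True, udp_size=4096, dnssec_ok=True):
    """Query for qname/qtype with RD set; with edns=True an OPT RR is appended (ARCOUNT=1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    if not edns:
        return header + question
    # OPT pseudo-RR (RFC2671): root name, TYPE 41, CLASS carries the sender's UDP
    # payload size, the TTL field holds extended RCODE / version / flags, RDLENGTH 0.
    flags = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, udp_size, 0, 0, flags, 0)
    return header + question + opt


def rcode(response):
    """Low four bits of the flags word."""
    return struct.unpack(">H", response[2:4])[0] & 0x000F


def resolve_with_fallback(qname, send):
    """Query with EDNS0 first; on FORMERR or NOTIMP retry without it, as BIND 9 does.

    send(packet) returns the response bytes, or None when nothing comes back
    (the silently-ignoring server the notes describe). Returns (response, mode).
    """
    resp = send(build_query(qname, edns=True))
    if resp is None:
        return None, "timeout"
    if rcode(resp) in (FORMERR, NOTIMP):
        return send(build_query(qname, edns=False)), "plain"
    return resp, "edns"


def fake_legacy_server(packet):
    """Constructed stand-in for a server without EDNS0: FORMERR on any OPT RR."""
    qid, _flags, qd, _an, _ns, ar = struct.unpack(">HHHHHH", packet[:12])
    question = packet[12:len(packet) - 11] if ar else packet[12:]   # drop the 11-byte OPT
    rc = FORMERR if ar else 0
    return struct.pack(">HHHHHH", qid, 0x8100 | rc, qd, 0, 0, 0) + question
```
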
3.2. Zone Transfers

Outgoing zone transfers now use the "many-answers" format by default.
This format is not understood by certain old versions of BIND 4.
You can work around this problem using the option "transfer-format
one-answer;", but since these old versions all have known security
problems, the correct fix is to upgrade the slave servers.

Zone transfers to Windows 2000 DNS servers sometimes fail due to a bug
in the Windows 2000 DNS server where DNS messages larger than 16K are
not handled properly. There will be a hot fix available from
Microsoft to address this issue. In the meantime, the problem can
be worked around by setting "transfer-format one-answer;".
[As of May 4 2001 the hotfix was still being prepared]


4. Unrestricted Character Set

BIND 9 does not restrict the character set of domain names - it is
fully 8-bit clean in accordance with RFC2181 section 11.

It is strongly recommended that hostnames published in the DNS follow
the RFC952 rules, but BIND 9 will not enforce this restriction.

Historically, some applications have suffered from security flaws
where data originating from the network, such as names returned by
gethostbyaddr(), are used with insufficient checking and may cause a
breach of security when containing unexpected characters; see
<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
for details. Some earlier versions of BIND attempt to protect these
flawed applications from attack by discarding data containing
characters deemed inappropriate in host names or mail addresses, under
the control of the "check-names" option in named.conf and/or "options
no-check-names" in resolv.conf. BIND 9 provides no such protection;
if applications with these flaws are still being used, they should
be upgraded.


5. Server Administration Tools

5.1. Ndc Replaced by Rndc

The "ndc" program has been replaced by "rndc", which is capable of
remote operation. Unlike ndc, rndc requires a configuration file.
The easiest way to generate a configuration file is to run
"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
and rndc.conf(5) for details.

5.2. Nsupdate Differences

The BIND 8 implementation of nsupdate had an undocumented feature
where an update request would be broken down into multiple requests
based upon the discovered zones that contained the records. This
behaviour has not been implemented in BIND 9. Each update request
must pertain to a single zone, but it is still possible to do multiple
updates in a single invocation of nsupdate by terminating each update
with an empty line or a "send" command.


6. No Information Leakage between Zones

BIND 9 stores the authoritative data for each zone in a separate data
structure, as recommended in RFC1035 and as required by DNSSEC and
IXFR. When a BIND 9 server is authoritative for both a child zone and
its parent, it will have two distinct sets of NS records at the
delegation point: the authoritative NS records at the child's apex,
and a set of glue NS records in the parent.

BIND 8 was unable to properly distinguish between these two sets of NS
records and would "leak" the child's NS records into the parent,
effectively causing the parent zone to be silently modified: responses
and zone transfers from the parent contained the child's NS records
rather than the glue configured into the parent (if any). In the case
of children of type "stub", this behaviour was documented as a feature,
allowing the glue NS records to be omitted from the parent
configuration.

Sites that were relying on this BIND 8 behaviour need to add any
omitted glue NS records, and any necessary glue A records, to the
parent zone.

Although stub zones can no longer be used as a mechanism for injecting
NS records into their parent zones, they are still useful as a way of
directing queries for a given domain to a particular set of name
servers.


7. Umask not Modified

The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
not; the umask inherited from the parent process remains in effect.
This may cause files created by named, such as journal files, to be
created with different file permissions than they did in BIND 8. If
necessary, the umask should be set explicitly in the script used to
start the named process.

$Id: migration,v 1.43 2003/04/22 04:23:17 marka Exp $