BIND 9

    BIND version 9 is a major rewrite of nearly all aspects of the
    underlying BIND architecture.  Some of the important features of
    BIND 9 are:

        - DNS Security
            DNSSEC (signed zones)
            TSIG (signed DNS requests)

        - IP version 6
            Answers DNS queries on IPv6 sockets
            IPv6 resource records (AAAA)
            Experimental IPv6 Resolver Library

        - DNS Protocol Enhancements
            IXFR, DDNS, Notify, EDNS0
            Improved standards conformance

        - Views
            One server process can provide multiple "views" of
            the DNS namespace, e.g. an "inside" view to certain
            clients, and an "outside" view to others.

        - Multiprocessor Support

        - Improved Portability Architecture


    BIND version 9 development has been underwritten by the following
    organizations:

        Sun Microsystems, Inc.
        Hewlett Packard
        Compaq Computer Corporation
        IBM
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        USENIX Association
        Stichting NLnet - NLnet Foundation
        Nominum, Inc.

    For a summary of functional enhancements in previous
    releases, see the HISTORY file.

    For a detailed list of user-visible changes from
    previous releases, see the CHANGES file.

    For up-to-date release notes and errata, see
    http://www.isc.org/software/bind9/releasenotes

BIND 9.8.3

    BIND 9.8.3 is a maintenance release.

BIND 9.8.2

    BIND 9.8.2 includes a number of bug fixes and prevents a security
    problem described in CVE-2011-4313.

BIND 9.8.1

    BIND 9.8.1 includes a number of bug fixes and enhancements from
    BIND 9.8 and earlier releases.  New features include:

    - The DLZ "dlopen" driver is now built by default.
    - Added a new include file with function typedefs
      for the DLZ "dlopen" driver.
    - Made "--with-gssapi" default.
    - More verbose error reporting from DLZ LDAP.

BIND 9.8.0

    BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
    releases.  New features include:

    - Built-in trust anchor for the root zone, which can be
      switched on via "dnssec-validation auto;"
    - Support for DNS64.
    - Support for response policy zones (RPZ).
    - Support for writable DLZ zones.
    - Improved ease of configuration of GSS/TSIG for
      interoperability with Active Directory
    - Support for GOST signing algorithm for DNSSEC.
    - Removed RTT Banding from server selection algorithm.
    - New "static-stub" zone type.
    - Allow configuration of resolver timeouts via
      "resolver-query-timeout" option.

BIND 9.7.0

    BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
    releases.  Most are intended to simplify DNSSEC configuration.

    New features include:

    - Fully automatic signing of zones by "named".
    - Simplified configuration of DNSSEC Lookaside Validation (DLV).
    - Simplified configuration of Dynamic DNS, using the "ddns-confgen"
      command line tool or the "local" update-policy option.  (As a side
      effect, this also makes it easier to configure automatic zone
      re-signing.)
    - New named option "attach-cache" that allows multiple views to
      share a single cache.
    - DNS rebinding attack prevention.
    - New default values for dnssec-keygen parameters.
    - Support for RFC 5011 automated trust anchor maintenance
    - Smart signing: simplified tools for zone signing and key
      maintenance.
    - The "statistics-channels" option is now available on Windows.
    - A new DNSSEC-aware libdns API for use by non-BIND9 applications
    - On some platforms, named and other binaries can now print out
      a stack backtrace on assertion failure, to aid in debugging.
    - A "tools only" installation mode on Windows, which only installs
      dig, host, nslookup and nsupdate.
    - Improved PKCS#11 support, including Keyper support and explicit
      OpenSSL engine selection.

    Known issues in this release:

    - In rare cases, DNSSEC validation can leak memory.  When this
      happens, it will cause an assertion failure when named exits,
      but is otherwise harmless.  A fix exists, but was too late for
      this release; it will be included in BIND 9.7.1.

    Compatibility notes:

    - If you had built BIND 9.6 with any of ALLOW_NSEC3PARAM_UPDATE,
      ALLOW_SECURE_TO_INSECURE or ALLOW_INSECURE_TO_SECURE defined, then
      you should ensure that all changes that are in progress have
      completed prior to upgrading to BIND 9.7.  BIND 9.7 implements
      those features in a way which is not backwards compatible.

    - Prior releases had a bug which caused HMAC-SHA* keys with long
      secrets to be used incorrectly.  Fixing this bug means that older
      versions of BIND 9 may fail to interoperate with this version
      when using TSIG keys.  If this occurs, the new "isc-hmac-fixup"
      tool will convert a key with a long secret into a form that works
      correctly with all versions of BIND 9.  See the "isc-hmac-fixup"
      man page for additional details.

    - Revoking a DNSSEC key with "dnssec-revoke" changes its key ID.
      It is possible for the new key ID to collide with that of a
      different key.  Newly generated keys will not have this problem,
      as "dnssec-keygen" looks for potential collisions before
      generating keys, but exercise caution if using key revocation
      with keys that were generated by older versions of BIND 9.  See
      the Administrator's Reference Manual, section 4.10 ("Dynamic
      Trust Anchor Management") for more details.

    - A bug was fixed in which a key's scheduled inactivity date was
      stored incorrectly.  Users who participated in the 9.7.0 BETA test
      and had DNSSEC keys with scheduled inactivity dates will need to
      reset those keys' dates using "dnssec-settime -I".
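
    Why a converted HMAC-SHA* key can interoperate, as an added example
    (not ISC code and not the isc-hmac-fixup source): RFC 2104 replaces
    an HMAC key longer than the hash block size with its digest, so a
    secret rewritten as that digest yields identical MACs on a conforming
    implementation.  The sketch assumes the "long secret" case in the
    note above means a secret longer than the block size; the function
    names and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac

# TSIG algorithm name -> hashlib digest name
ALGS = {
    "hmac-sha1": "sha1",
    "hmac-sha224": "sha224",
    "hmac-sha256": "sha256",
    "hmac-sha384": "sha384",
    "hmac-sha512": "sha512",
}


def normalize_secret(algorithm, b64_secret):
    """Return (b64_secret, changed).

    A secret longer than the hash block size is replaced by the base64
    of its digest, which RFC 2104 defines as the equivalent key.
    Shorter secrets are returned unchanged.
    """
    h = hashlib.new(ALGS[algorithm])
    raw = base64.b64decode(b64_secret)
    if len(raw) <= h.block_size:
        return b64_secret, False
    h.update(raw)
    return base64.b64encode(h.digest()).decode("ascii"), True


def hmac_hex(algorithm, b64_secret, message):
    """MAC of message under the base64-encoded secret (conforming HMAC)."""
    key = base64.b64decode(b64_secret)
    return hmac.new(key, message, ALGS[algorithm]).hexdigest()


# Constructed sample: a 100-byte secret, longer than the 64-byte block of
# SHA-256 but shorter than the 128-byte block of SHA-512.
SAMPLE_SECRET = base64.b64encode(bytes(range(100))).decode("ascii")
SAMPLE_MESSAGE = b"constructed message to authenticate"

if __name__ == "__main__":
    for alg in ("hmac-sha256", "hmac-sha512"):
        new, changed = normalize_secret(alg, SAMPLE_SECRET)
        same = hmac_hex(alg, new, SAMPLE_MESSAGE) == hmac_hex(alg, SAMPLE_SECRET, SAMPLE_MESSAGE)
        print(alg, "converted" if changed else "unchanged", "MACs match:", same)
```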
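
    The key ID change on revocation can be checked ahead of time.  This
    added example (not part of the BIND distribution) computes the
    RFC 4034 Appendix B key tag, sets the RFC 5011 REVOKE flag (0x0080),
    and reports any key whose post-revocation tag would equal another
    key's current tag.  The key names and key material are constructed,
    and algorithm 1 (RSA/MD5), which uses a different tag rule, is not
    handled.

```python
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def revoked_tag(flags, protocol, algorithm, public_key):
    """Key tag the key will have once its REVOKE bit is set."""
    return key_tag(dnskey_rdata(flags | REVOKE, protocol, algorithm, public_key))


def revocation_collisions(keys):
    """keys maps a label to (flags, protocol, algorithm, public_key).

    Returns (revoked_label, other_label, tag) for every key whose
    post-revocation tag equals the current tag of a different key
    using the same algorithm.
    """
    current = {name: key_tag(dnskey_rdata(*k)) for name, k in keys.items()}
    hits = []
    for name, k in keys.items():
        new_tag = revoked_tag(*k)
        for other, tag in current.items():
            if other != name and tag == new_tag and keys[other][2] == k[2]:
                hits.append((name, other, new_tag))
    return hits


# Constructed sample key set; the byte strings are not real public keys.
SAMPLE_KEYS = {
    "ksk-old": (257, 3, 8, bytes.fromhex("03010001aabbccdd")),
    "ksk-new": (257, 3, 8, bytes.fromhex("03010081aabbccdd")),
    "zsk": (256, 3, 8, bytes.fromhex("0301000111223344")),
}

if __name__ == "__main__":
    for revoked, other, tag in revocation_collisions(SAMPLE_KEYS):
        print(f"revoking {revoked} gives key ID {tag}, already used by {other}")
```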

Building

    BIND 9 currently requires a UNIX system with an ANSI C compiler,
    basic POSIX support, and a 64 bit integer type.

    We've had successful builds and tests on the following systems:

        COMPAQ Tru64 UNIX 5.1B
        Fedora Core 6
        FreeBSD 4.10, 5.2.1, 6.2
        HP-UX 11.11
        Mac OS X 10.5
        NetBSD 3.x, 4.0-beta, 5.0-beta
        OpenBSD 3.3 and up
        Solaris 8, 9, 9 (x86), 10
        Ubuntu 7.04, 7.10
        Windows XP/2003/2008

    NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
    Windows, including Windows NT and Windows 2000, are no longer
    supported.

    We have recent reports from the user community that a supported
    version of BIND will build and run on the following systems:

        AIX 4.3, 5L
        CentOS 4, 4.5, 5
        Darwin 9.0.0d1/ARM
        Debian 4
        Fedora Core 5, 7
        FreeBSD 6.1
        HP-UX 11.23 PA
        MacOS X 10.4, 10.5
        Red Hat Enterprise Linux 4, 5
        SCO OpenServer 5.0.6
        Slackware 9, 10
        SuSE 9, 10

    To build, just

        ./configure
        make

    Do not use a parallel "make".

    Several environment variables that can be set before running
    configure will affect compilation:

    CC
        The C compiler to use.  configure tries to figure
        out the right one for supported systems.

    CFLAGS
        C compiler flags.  Defaults to include -g and/or -O2
        as supported by the compiler.

    STD_CINCLUDES
        System header file directories.  Can be used to specify
        where add-on thread or IPv6 support is, for example.
        Defaults to empty string.

    STD_CDEFINES
        Any additional preprocessor symbols you want defined.
        Defaults to empty string.

        Possible settings:
        Change the default syslog facility of named/lwresd.
            -DISC_FACILITY=LOG_LOCAL0
        Enable DNSSEC signature chasing support in dig.
            -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
                              -DDIG_SIGCHASE_BU=1)
        Disable dropping queries from particular well known ports.
            -DNS_CLIENT_DROPPORT=0
        Sibling glue checking in named-checkzone is enabled by default.
        To disable the default check, set
            -DCHECK_SIBLING=0
        named-checkzone checks out-of-zone addresses by default.
        To disable this default, set
            -DCHECK_LOCAL=0
        To create the default pid files in ${localstatedir}/run rather
        than ${localstatedir}/run/{named,lwresd}/, set
            -DNS_RUN_PID_DIR=0
        Enable workaround for Solaris kernel bug about /dev/poll
            -DISC_SOCKET_USE_POLLWATCH=1
          The watch timeout is also configurable, e.g.,
            -DISC_SOCKET_POLLWATCH_TIMEOUT=20

    LDFLAGS
        Linker flags.  Defaults to empty string.

    The following need to be set when cross compiling.

    BUILD_CC
        The native C compiler.
    BUILD_CFLAGS (optional)
    BUILD_CPPFLAGS (optional)
        Possible Settings:
            -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
    BUILD_LDFLAGS (optional)
    BUILD_LIBS (optional)

    To build shared libraries, specify "--with-libtool" on the
    configure command line.

    For the server to support DNSSEC, you need to build it
    with crypto support.  You must have OpenSSL 0.9.5a
    or newer installed and specify "--with-openssl" on the
    configure command line.  If OpenSSL is installed under
    a nonstandard prefix, you can tell configure where to
    look for it using "--with-openssl=/prefix".

    On some platforms it is necessary to explicitly request large
    file support to handle files bigger than 2GB.  This can be
    done by "--enable-largefile" on the configure command line.

    On some platforms, BIND 9 can be built with multithreading
    support, allowing it to take advantage of multiple CPUs.
    You can specify whether to build a multithreaded BIND 9
    by specifying "--enable-threads" or "--disable-threads"
    on the configure command line.  The default is operating
    system dependent.

    Support for the "fixed" rrset-order option can be enabled
    or disabled by specifying "--enable-fixed-rrset" or
    "--disable-fixed-rrset" on the configure command line.
    The default is "disabled", to reduce memory footprint.

    If your operating system has integrated support for IPv6, it
    will be used automatically.  If you have installed KAME IPv6
    separately, use "--with-kame[=PATH]" to specify its location.

    "make install" will install "named" and the various BIND 9 libraries.
    By default, installation is into /usr/local, but this can be changed
    with the "--prefix" option when running "configure".

    You may specify the option "--sysconfdir" to set the directory
    where configuration files like "named.conf" go by default,
    and "--localstatedir" to set the default parent directory
    of "run/named.pid".  For backwards compatibility with BIND 8,
    --sysconfdir defaults to "/etc" and --localstatedir defaults to
    "/var" if no --prefix option is given.  If there is a --prefix
    option, sysconfdir defaults to "$prefix/etc" and localstatedir
    defaults to "$prefix/var".

    To see additional configure options, run "configure --help".
    Note that the help message does not reflect the BIND 8
    compatibility defaults for sysconfdir and localstatedir.

    If you're planning on making changes to the BIND 9 source, you
    should also "make depend".  If you're using Emacs, you might find
    "make tags" helpful.

    If you need to re-run configure please run "make distclean" first.
    This will ensure that all the option changes take.

    Building with gcc is not supported, unless gcc is the vendor's usual
    compiler (e.g. the various BSD systems, Linux).

    Known compiler issues:
    * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
    * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
    * gcc-3.3.5 powerpc generates incorrect code at -O2.
    * Irix, MipsPRO 7.4.1m is known to cause problems.

    A limited test suite can be run with "make test".  Many of
    the tests require you to configure a set of virtual IP addresses
    on your system, and some require Perl; see bin/tests/system/README
    for details.

    SunOS 4 requires "printf" to be installed to make the shared
    libraries.  sh-utils-1.16 provides a "printf" which compiles
    on SunOS 4.


Documentation

    The BIND 9 Administrator Reference Manual is included with the
    source distribution in DocBook XML and HTML format, in the
    doc/arm directory.

    Some of the programs in the BIND 9 distribution have man pages
    in their directories.  In particular, the command line
    options of "named" are documented in /bin/named/named.8.
    There is now also a set of man pages for the lwres library.

    If you are upgrading from BIND 8, please read the migration
    notes in doc/misc/migration.  If you are upgrading from
    BIND 4, read doc/misc/migration-4to9.

    Frequently asked questions and their answers can be found in
    FAQ.

    Additional information on various subjects can be found
    in the other README files.


Change Log

    A detailed list of all changes to BIND 9 is included in the
    file CHANGES, with the most recent changes listed first.
    Change notes include tags indicating the category of the
    change that was made; these categories are:

       [func]          New feature

       [bug]           General bug fix

       [security]      Fix for a significant security flaw

       [experimental]  Used for new features when the syntax
                       or other aspects of the design are still
                       in flux and may change

       [port]          Portability enhancement

       [maint]         Updates to built-in data such as root
                       server addresses and keys

       [tuning]        Changes to built-in configuration defaults
                       and constants to improve performance

       [protocol]      Updates to the DNS protocol such as new
                       RR types

       [test]          Changes to the automatic tests, not
                       affecting server functionality

       [cleanup]       Minor corrections and refactoring

       [doc]           Documentation

    In general, [func] and [experimental] tags will only appear
    in new-feature releases (i.e., those with version numbers
    ending in zero).  Some new functionality may be backported to
    older releases on a case-by-case basis.  All other change
    types may be applied to all currently-supported releases.


Bug Reports and Mailing Lists

    Bug reports should be sent to

        bind9-bugs@isc.org

    To join the BIND Users mailing list, send mail to

        bind-users-request@isc.org

    archives of which can be found via

        http://www.isc.org/ops/lists/

    If you're planning on making changes to the BIND 9 source
    code, you might want to join the BIND Workers mailing list.
    Send mail to

        bind-workers-request@isc.org