mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-10 22:33:07 -05:00
478 lines
16 KiB
Text
478 lines
16 KiB
Text
BIND 9
|
|
|
|
BIND version 9 is a major rewrite of nearly all aspects of the
|
|
underlying BIND architecture. Some of the important features of
|
|
BIND 9 are:
|
|
|
|
- DNS Security
|
|
DNSSEC (signed zones)
|
|
TSIG (signed DNS requests)
|
|
|
|
- IP version 6
|
|
Answers DNS queries on IPv6 sockets
|
|
IPv6 resource records (AAAA)
|
|
Experimental IPv6 Resolver Library
|
|
|
|
- DNS Protocol Enhancements
|
|
IXFR, DDNS, Notify, EDNS0
|
|
Improved standards conformance
|
|
|
|
- Views
|
|
One server process can provide multiple "views" of
|
|
the DNS namespace, e.g. an "inside" view to certain
|
|
clients, and an "outside" view to others.
|
|
|
|
- Multiprocessor Support
|
|
|
|
- Improved Portability Architecture
|
|
|
|
|
|
BIND version 9 development has been underwritten by the following
|
|
organizations:
|
|
|
|
Sun Microsystems, Inc.
|
|
Hewlett Packard
|
|
Compaq Computer Corporation
|
|
IBM
|
|
Process Software Corporation
|
|
Silicon Graphics, Inc.
|
|
Network Associates, Inc.
|
|
U.S. Defense Information Systems Agency
|
|
USENIX Association
|
|
Stichting NLnet - NLnet Foundation
|
|
Nominum, Inc.
|
|
|
|
For a summary of functional enhancements in previous
|
|
releases, see the HISTORY file.
|
|
|
|
For a detailed list of user-visible changes from
|
|
previous releases, see the CHANGES file.
|
|
|
|
For up-to-date release notes and errata, see
|
|
http://www.isc.org/software/bind9/releasenotes
|
|
|
|
BIND 9.9.10
|
|
|
|
BIND 9.9.10 is a maintenance release and addresses the security
|
|
flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
|
|
CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
|
|
CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
|
|
|
|
BIND 9.9.9
|
|
|
|
BIND 9.9.9 is a maintenance release and addresses bugs found
|
|
in BIND 9.9.8 and earlier, as well as the security flaws
|
|
described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
|
|
CVE-2016-1285, CVE-2016-1286, CVE-2016-2775 and CVE-2016-2776.
|
|
|
|
BIND 9.9.8
|
|
|
|
BIND 9.9.8 is a maintenance release and addresses bugs
|
|
found in BIND 9.9.7 and earlier, as well as the security
|
|
flaws described in CVE-2015-4620, CVE-2015-5477,
|
|
CVE-2015-5722, and CVE-2015-5986.
|
|
|
|
It also makes the following new features available via a
|
|
compile-time option:
|
|
|
|
- New "fetchlimit" quotas are now available for the use of
|
|
recursive resolvers that are are under high query load for
|
|
domains whose authoritative servers are nonresponsive or are
|
|
experiencing a denial of service attack.
|
|
|
|
+ "fetches-per-server" limits the number of simultaneous queries
|
|
that can be sent to any single authoritative server. The
|
|
configured value is a starting point; it is automatically
|
|
adjusted downward if the server is partially or completely
|
|
non-responsive. The algorithm used to adjust the quota can be
|
|
configured via the "fetch-quota-params" option.
|
|
+ "fetches-per-zone" limits the number of simultaneous queries
|
|
that can be sent for names within a single domain. (Note:
|
|
Unlike "fetches-per-server", this value is not self-tuning.)
|
|
+ New stats counters have been added to count
|
|
queries spilled due to these quotas.
|
|
|
|
NOTE: These options are NOT built in by default; use
|
|
"configure --enable-fetchlimit" to enable them.
|
|
|
|
BIND 9.9.7
|
|
|
|
BIND 9.9.7 is a maintenance release and addresses bugs
|
|
found in BIND 9.9.6 and earlier, as well as the security
|
|
flaws described in CVE-2014-8500 and CVE-2015-1349.
|
|
|
|
BIND 9.9.6
|
|
|
|
BIND 9.9.6 is a maintenance release, and also includes
|
|
the following new functionality.
|
|
|
|
- The former behavior with respect to capitalization of names
|
|
(prior to BIND 9.9.5) can be restored for specific clients via
|
|
the new "no-case-compress" ACL.
|
|
|
|
BIND 9.9.5
|
|
|
|
BIND 9.9.5 is a maintenance release, and patches the security
|
|
flaws described in CVE-2013-6320 and CVE-2014-0591. It also
|
|
includes the following functional enhancements:
|
|
|
|
- "named" now preserves the capitalization of names when
|
|
responding to queries.
|
|
- new "dnssec-importkey" command allows the use of offline
|
|
DNSSEC keys with automatic DNSKEY management.
|
|
- When re-signing a zone, the new "dnssec-signzone -Q" option
|
|
drops signatures from keys that are still published but are
|
|
no longer active.
|
|
- "named-checkconf -px" will print the contents of configuration
|
|
files with the shared secrets obscured, making it easier to
|
|
share configuration (e.g. when submitting a bug report)
|
|
without revealing private information.
|
|
|
|
BIND 9.9.4
|
|
|
|
BIND 9.9.4 is a maintenance release, and patches the security
|
|
flaws described in CVE-2013-3919 and CVE-2013-4854. It also
|
|
introduces DNS Response Rate Limiting (DNS RRL) as a
|
|
compile-time option. To use this feature, configure with
|
|
the "--enable-rrl" option.
|
|
|
|
BIND 9.9.3
|
|
|
|
BIND 9.9.3 is a maintenance release and patches the security
|
|
flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
|
|
|
|
BIND 9.9.2
|
|
|
|
BIND 9.9.2 is a maintenance release and patches the security
|
|
flaw described in CVE-2012-4244.
|
|
|
|
BIND 9.9.1
|
|
|
|
BIND 9.9.1 is a maintenance release.
|
|
|
|
BIND 9.9.0
|
|
|
|
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
|
|
releases. New features include:
|
|
|
|
- Inline signing, allowing automatic DNSSEC signing of
|
|
master zones without modification of the zonefile, or
|
|
"bump in the wire" signing in slaves.
|
|
- NXDOMAIN redirection.
|
|
- New 'rndc flushtree' command clears all data under a given
|
|
name from the DNS cache.
|
|
- New 'rndc sync' command dumps pending changes in a dynamic
|
|
zone to disk without a freeze/thaw cycle.
|
|
- New 'rndc signing' command displays or clears signing status
|
|
records in 'auto-dnssec' zones.
|
|
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
|
|
to signing, eliminating the need to initially sign with NSEC.
|
|
- Startup time improvements on large authoritative servers.
|
|
- Slave zones are now saved in raw format by default.
|
|
- Several improvements to response policy zones (RPZ).
|
|
- Improved hardware scalability by using multiple threads
|
|
to listen for queries and using finer-grained client locking
|
|
- The 'also-notify' option now takes the same syntax as
|
|
'masters', so it can used named masterlists and TSIG keys.
|
|
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
|
|
data, which can be included by the primary zone file.
|
|
- 'dnssec-signzone -R' forces removal of signatures that are
|
|
not expired but were created by a key which no longer exists.
|
|
- 'dnssec-signzone -X' allows a separate expiration date to
|
|
be specified for DNSKEY signatures from other signatures.
|
|
- New '-L' option to dnssec-keygen, dnssec-settime, and
|
|
dnssec-keyfromlabel sets the default TTL for the key.
|
|
- dnssec-dsfromkey now supports reading from standard input,
|
|
to make it easier to convert DNSKEY to DS.
|
|
- RFC 1918 reverse zones have been added to the empty-zones
|
|
table per RFC 6303.
|
|
- Dynamic updates can now optionally set the zone's SOA serial
|
|
number to the current UNIX time.
|
|
- DLZ modules can now retrieve the source IP address of
|
|
the querying client.
|
|
- 'request-ixfr' option can now be set at the per-zone level.
|
|
- 'dig +rrcomments' turns on comments about DNSKEY records,
|
|
indicating their key ID, algorithm and function
|
|
- Simplified nsupdate syntax and added readline support
|
|
|
|
Building
|
|
|
|
BIND 9 currently requires a UNIX system with an ANSI C compiler,
|
|
basic POSIX support, and a 64 bit integer type.
|
|
|
|
We've had successful builds and tests on the following systems:
|
|
|
|
COMPAQ Tru64 UNIX 5.1B
|
|
Fedora Core 6
|
|
FreeBSD 4.10, 5.2.1, 6.2
|
|
HP-UX 11.11
|
|
Mac OS X 10.5
|
|
NetBSD 3.x, 4.0-beta, 5.0-beta
|
|
OpenBSD 3.3 and up
|
|
Solaris 8, 9, 9 (x86), 10
|
|
Ubuntu 7.04, 7.10
|
|
Windows XP/2003/2008
|
|
|
|
NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
|
|
Windows, including Windows NT and Windows 2000, are no longer
|
|
supported.
|
|
|
|
We have recent reports from the user community that a supported
|
|
version of BIND will build and run on the following systems:
|
|
|
|
AIX 4.3, 5L
|
|
CentOS 4, 4.5, 5
|
|
Darwin 9.0.0d1/ARM
|
|
Debian 4, 5, 6
|
|
Fedora Core 5, 7, 8
|
|
FreeBSD 6, 7, 8
|
|
HP-UX 11.23 PA
|
|
MacOS X 10.5, 10.6, 10.7
|
|
Red Hat Enterprise Linux 4, 5, 6
|
|
SCO OpenServer 5.0.6
|
|
Slackware 9, 10
|
|
SuSE 9, 10
|
|
|
|
To build, just
|
|
|
|
./configure
|
|
make
|
|
|
|
Do not use a parallel "make".
|
|
|
|
Several environment variables that can be set before running
|
|
configure will affect compilation:
|
|
|
|
CC
|
|
The C compiler to use. configure tries to figure
|
|
out the right one for supported systems.
|
|
|
|
CFLAGS
|
|
C compiler flags. Defaults to include -g and/or -O2
|
|
as supported by the compiler. Please include '-g'
|
|
if you need to set CFLAGS.
|
|
|
|
STD_CINCLUDES
|
|
System header file directories. Can be used to specify
|
|
where add-on thread or IPv6 support is, for example.
|
|
Defaults to empty string.
|
|
|
|
STD_CDEFINES
|
|
Any additional preprocessor symbols you want defined.
|
|
Defaults to empty string.
|
|
|
|
Possible settings:
|
|
Change the default syslog facility of named/lwresd.
|
|
-DISC_FACILITY=LOG_LOCAL0
|
|
Enable DNSSEC signature chasing support in dig.
|
|
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
|
|
-DDIG_SIGCHASE_BU=1)
|
|
Disable dropping queries from particular well known ports.
|
|
-DNS_CLIENT_DROPPORT=0
|
|
Sibling glue checking in named-checkzone is enabled by default.
|
|
To disable the default check set. -DCHECK_SIBLING=0
|
|
named-checkzone checks out-of-zone addresses by default.
|
|
To disable this default set. -DCHECK_LOCAL=0
|
|
To create the default pid files in ${localstatedir}/run rather
|
|
than ${localstatedir}/run/{named,lwresd}/ set.
|
|
-DNS_RUN_PID_DIR=0
|
|
Enable workaround for Solaris kernel bug about /dev/poll
|
|
-DISC_SOCKET_USE_POLLWATCH=1
|
|
The watch timeout is also configurable, e.g.,
|
|
-DISC_SOCKET_POLLWATCH_TIMEOUT=20
|
|
|
|
LDFLAGS
|
|
Linker flags. Defaults to empty string.
|
|
|
|
The following need to be set when cross compiling.
|
|
|
|
BUILD_CC
|
|
The native C compiler.
|
|
BUILD_CFLAGS (optional)
|
|
BUILD_CPPFLAGS (optional)
|
|
Possible Settings:
|
|
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
|
|
BUILD_LDFLAGS (optional)
|
|
BUILD_LIBS (optional)
|
|
|
|
To build shared libraries, specify "--with-libtool" on the
|
|
configure command line.
|
|
|
|
For the server to support DNSSEC, you need to build it
|
|
with crypto support. You must have OpenSSL 1.0.1t
|
|
or newer installed and specify "--with-openssl" on the
|
|
configure command line. If OpenSSL is installed under
|
|
a nonstandard prefix, you can tell configure where to
|
|
look for it using "--with-openssl=/prefix".
|
|
|
|
Python requires 'argparse' to be available. 'argparse' is
|
|
a standard module as of Python 2.7 and Python 3.2.
|
|
|
|
On some platforms it is necessary to explicitly request large
|
|
file support to handle files bigger than 2GB. This can be
|
|
done by "--enable-largefile" on the configure command line.
|
|
|
|
On some platforms, BIND 9 can be built with multithreading
|
|
support, allowing it to take advantage of multiple CPUs.
|
|
You can specify whether to build a multithreaded BIND 9
|
|
by specifying "--enable-threads" or "--disable-threads"
|
|
on the configure command line. The default is operating
|
|
system dependent.
|
|
|
|
Support for the "fixed" rrset-order option can be enabled
|
|
or disabled by specifying "--enable-fixed-rrset" or
|
|
"--disable-fixed-rrset" on the configure command line.
|
|
The default is "disabled", to reduce memory footprint.
|
|
|
|
If your operating system has integrated support for IPv6, it
|
|
will be used automatically. If you have installed KAME IPv6
|
|
separately, use "--with-kame[=PATH]" to specify its location.
|
|
|
|
"make install" will install "named" and the various BIND 9 libraries.
|
|
By default, installation is into /usr/local, but this can be changed
|
|
with the "--prefix" option when running "configure".
|
|
|
|
You may specify the option "--sysconfdir" to set the directory
|
|
where configuration files like "named.conf" go by default,
|
|
and "--localstatedir" to set the default parent directory
|
|
of "run/named.pid". For backwards compatibility with BIND 8,
|
|
--sysconfdir defaults to "/etc" and --localstatedir defaults to
|
|
"/var" if no --prefix option is given. If there is a --prefix
|
|
option, sysconfdir defaults to "$prefix/etc" and localstatedir
|
|
defaults to "$prefix/var".
|
|
|
|
To see additional configure options, run "configure --help".
|
|
Note that the help message does not reflect the BIND 8
|
|
compatibility defaults for sysconfdir and localstatedir.
|
|
|
|
If you're planning on making changes to the BIND 9 source, you
|
|
should also "make depend". If you're using Emacs, you might find
|
|
"make tags" helpful.
|
|
|
|
If you need to re-run configure please run "make distclean" first.
|
|
This will ensure that all the option changes take.
|
|
|
|
Building with gcc is not supported, unless gcc is the vendor's usual
|
|
compiler (e.g. the various BSD systems, Linux).
|
|
|
|
Known compiler issues:
|
|
* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
|
|
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
|
|
* gcc-3.3.5 powerpc generates incorrect code at -02.
|
|
* Irix, MipsPRO 7.4.1m is known to cause problems.
|
|
|
|
A limited test suite can be run with "make test". Many of
|
|
the tests require you to configure a set of virtual IP addresses
|
|
on your system, and some require Perl; see bin/tests/system/README
|
|
for details.
|
|
|
|
SunOS 4 requires "printf" to be installed to make the shared
|
|
libraries. sh-utils-1.16 provides a "printf" which compiles
|
|
on SunOS 4.
|
|
|
|
Known limitations
|
|
|
|
Linux requires kernel build 2.6.39 or later to get the
|
|
performance benefits from using multiple sockets.
|
|
|
|
Documentation
|
|
|
|
The BIND 9 Administrator Reference Manual is included with the
|
|
source distribution in DocBook XML and HTML format, in the
|
|
doc/arm directory.
|
|
|
|
Some of the programs in the BIND 9 distribution have man pages
|
|
in their directories. In particular, the command line
|
|
options of "named" are documented in /bin/named/named.8.
|
|
There is now also a set of man pages for the lwres library.
|
|
|
|
If you are upgrading from BIND 8, please read the migration
|
|
notes in doc/misc/migration. If you are upgrading from
|
|
BIND 4, read doc/misc/migration-4to9.
|
|
|
|
Frequently asked questions and their answers can be found in
|
|
FAQ.
|
|
|
|
Additional information on various subjects can be found
|
|
in the other README files.
|
|
|
|
|
|
Change Log
|
|
|
|
A detailed list of all changes to BIND 9 is included in the
|
|
file CHANGES, with the most recent changes listed first.
|
|
Change notes include tags indicating the category of the
|
|
change that was made; these categories are:
|
|
|
|
[func] New feature
|
|
|
|
[bug] General bug fix
|
|
|
|
[security] Fix for a significant security flaw
|
|
|
|
[experimental] Used for new features when the syntax
|
|
or other aspects of the design are still
|
|
in flux and may change
|
|
|
|
[port] Portability enhancement
|
|
|
|
[maint] Updates to built-in data such as root
|
|
server addresses and keys
|
|
|
|
[tuning] Changes to built-in configuration defaults
|
|
and constants to improve performance
|
|
|
|
[performance] Other changes to improve server performance
|
|
|
|
[protocol] Updates to the DNS protocol such as new
|
|
RR types
|
|
|
|
[test] Changes to the automatic tests, not
|
|
affecting server functionality
|
|
|
|
[cleanup] Minor corrections and refactoring
|
|
|
|
[doc] Documentation
|
|
|
|
[contrib] Changes to the contributed tools and
|
|
libraries in the 'contrib' subdirectory
|
|
|
|
[placeholder] Used in the master development branch to
|
|
reserve change numbers for use in other
|
|
branches, e.g. when fixing a bug that only
|
|
exists in older releases
|
|
|
|
In general, [func] and [experimental] tags will only appear
|
|
in new-feature releases (i.e., those with version numbers
|
|
ending in zero). Some new functionality may be backported to
|
|
older releases on a case-by-case basis. All other change
|
|
types may be applied to all currently-supported releases.
|
|
|
|
|
|
Bug Reports and Mailing Lists
|
|
|
|
Bug reports should be sent to:
|
|
|
|
bind9-bugs@isc.org
|
|
|
|
Feature requests can be sent to:
|
|
|
|
bind-suggest@isc.org
|
|
|
|
To join or view the archives of the BIND Users mailing list,
|
|
visit:
|
|
|
|
https://lists.isc.org/mailman/listinfo/bind-users
|
|
|
|
If you're planning on making changes to the BIND 9 source
|
|
code, you may also want to join the BIND Workers mailing
|
|
list:
|
|
|
|
https://lists.isc.org/mailman/listinfo/bind-workers
|
|
|
|
Information on read-only Git access, coding style and developer
|
|
guidelines can be found at:
|
|
|
|
http://www.isc.org/git/
|
|
|
|
|