mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-18 10:08:13 -05:00
540 lines
22 KiB
Text
540 lines
22 KiB
Text
Summary of functional enhancements from prior major releases of BIND 9:
|
|
|
|
BIND 9.10.0
|
|
|
|
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
|
|
releases. New features include:
|
|
|
|
- DNS Response-rate limiting (DNS RRL), which blunts the
|
|
impact of reflection and amplification attacks, is always
|
|
compiled in and no longer requires a compile-time option
|
|
to enable it.
|
|
- An experimental "Source Identity Token" (SIT) EDNS option
|
|
is now available. Similar to DNS Cookies as invented by
|
|
Donald Eastlake 3rd, these are designed to enable clients
|
|
to detect off-path spoofed responses, and to enable servers
|
|
to detect spoofed-source queries. Servers can be configured
|
|
to send smaller responses to clients that have not identified
|
|
themselves using a SIT option, reducing the effectiveness of
|
|
amplification attacks. RRL processing has also been updated;
|
|
clients proven to be legitimate via SIT are not subject to
|
|
rate limiting. Use "configure --enable-sit" to enable this
|
|
feature in BIND.
|
|
- A new zone file format, "map", stores zone data in a
|
|
format that can be mapped directly into memory, allowing
|
|
significantly faster zone loading.
|
|
- "delv" (domain entity lookup and validation) is a new tool
|
|
with dig-like semantics for looking up DNS data and performing
|
|
internal DNSSEC validation. This allows easy validation in
|
|
environments where the resolver may not be trustworthy, and
|
|
assists with troubleshooting of DNSSEC problems. (NOTE:
|
|
In previous development releases of BIND 9.10, this utility
|
|
was called "delve". The spelling has been changed to avoid
|
|
confusion with the "delve" utility included with the Xapian
|
|
search engine.)
|
|
- Improved EDNS(0) processing for better resolver performance
|
|
and reliability over slow or lossy connections.
|
|
- A new "configure --with-tuning=large" option tunes certain
|
|
compiled-in constants and default settings to values better
|
|
suited to large servers with abundant memory. This can
|
|
improve performance on such servers, but will consume more
|
|
memory and may degrade performance on smaller systems.
|
|
- Substantial improvement in response-policy zone (RPZ)
|
|
performance. Up to 32 response-policy zones can be
|
|
configured with minimal performance loss.
|
|
- To improve recursive resolver performance, cache records
|
|
which are still being requested by clients can now be
|
|
automatically refreshed from the authoritative server
|
|
before they expire, reducing or eliminating the time
|
|
window in which no answer is available in the cache.
|
|
- New "rpz-client-ip" triggers and drop policies allowing
|
|
response policies based on the IP address of the client.
|
|
- ACLs can now be specified based on geographic location
|
|
using the MaxMind GeoIP databases. Use "configure
|
|
--with-geoip" to enable.
|
|
- Zone data can now be shared between views, allowing
|
|
multiple views to serve the same zones authoritatively
|
|
without storing multiple copies in memory.
|
|
- New XML schema (version 3) for the statistics channel
|
|
includes many new statistics and uses a flattened XML tree
|
|
for faster parsing. The older schema is now deprecated.
|
|
- A new stylesheet, based on the Google Charts API, displays
|
|
XML statistics in charts and graphs on javascript-enabled
|
|
browsers.
|
|
- The statistics channel can now provide data in JSON
|
|
format as well as XML.
|
|
- New stats counters track TCP and UDP queries received
|
|
per zone, and EDNS options received in total.
|
|
- The internal and export versions of the BIND libraries
|
|
(libisc, libdns, etc) have been unified so that external
|
|
library clients can use the same libraries as BIND itself.
|
|
- A new compile-time option, "configure --enable-native-pkcs11",
|
|
allows BIND 9 cryptography functions to use the PKCS#11 API
|
|
natively, so that BIND can drive a cryptographic hardware
|
|
service module (HSM) directly instead of using a modified
|
|
OpenSSL as an intermediary. (Note: This feature requires an
|
|
HSM to have a full implementation of the PKCS#11 API; many
|
|
current HSMs only have partial implementations. The new
|
|
"pkcs11-tokens" command can be used to check API completeness.
|
|
Native PKCS#11 is known to work with the Thales nShield HSM
|
|
and with SoftHSM version 2 from the Open DNSSEC project.)
|
|
- The new "max-zone-ttl" option enforces maximum TTLs for
|
|
zones. This can simplify the process of rolling DNSSEC keys
|
|
by guaranteeing that cached signatures will have expired
|
|
within the specified amount of time.
|
|
- "dig +subnet" sends an EDNS CLIENT-SUBNET option when
|
|
querying.
|
|
- "dig +expire" sends an EDNS EXPIRE option when querying.
|
|
When this option is sent with an SOA query to a server
|
|
that supports it, it will report the expiry time of
|
|
a slave zone.
|
|
- New "dnssec-coverage" tool to check DNSSEC key coverage
|
|
for a zone and report if a lapse in signing coverage has
|
|
been inadvertently scheduled.
|
|
- Signing algorithm flexibility and other improvements
|
|
for the "rndc" control channel.
|
|
- "named-checkzone" and "named-compilezone" can now read
|
|
journal files, allowing them to process dynamic zones.
|
|
- Multiple DLZ databases can now be configured. Individual
|
|
zones can be configured to be served from a specific DLZ
|
|
database. DLZ databases now serve zones of type "master"
|
|
and "redirect".
|
|
- "rndc zonestatus" reports information about a specified zone.
|
|
- "named" now listens on IPv6 as well as IPv4 interfaces
|
|
by default.
|
|
- "named" now preserves the capitalization of names
|
|
when responding to queries: for instance, a query for
|
|
"example.com" may be answered with "example.COM" if the
|
|
name was configured that way in the zone file. Some
|
|
clients have a bug causing them to depend on the older
|
|
behavior, in which the case of the answer always matched
|
|
the case of the query, rather than the case of the name
|
|
configured in the DNS. Such clients can now be specified
|
|
in the new "no-case-compress" ACL; this will restore the
|
|
older behavior of "named" for those clients only.
|
|
- new "dnssec-importkey" command allows the use of offline
|
|
DNSSEC keys with automatic DNSKEY management.
|
|
- New "named-rrchecker" tool to verify the syntactic
|
|
correctness of individual resource records.
|
|
- When re-signing a zone, the new "dnssec-signzone -Q" option
|
|
drops signatures from keys that are still published but are
|
|
no longer active.
|
|
- "named-checkconf -px" will print the contents of configuration
|
|
files with the shared secrets obscured, making it easier to
|
|
share configuration (e.g. when submitting a bug report)
|
|
without revealing private information.
|
|
- "rndc scan" causes named to re-scan network interfaces for
|
|
changes in local addresses.
|
|
- On operating systems with support for routing sockets,
|
|
network interfaces are re-scanned automatically whenever
|
|
they change.
|
|
- "tsig-keygen" is now available as an alternate command
|
|
name to use for "ddns-confgen".
|
|
|
|
BIND 9.9.0
|
|
|
|
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
|
|
releases. New features include:
|
|
|
|
- Inline signing, allowing automatic DNSSEC signing of
|
|
master zones without modification of the zonefile, or
|
|
"bump in the wire" signing in slaves.
|
|
- NXDOMAIN redirection.
|
|
- New 'rndc flushtree' command clears all data under a given
|
|
name from the DNS cache.
|
|
- New 'rndc sync' command dumps pending changes in a dynamic
|
|
zone to disk without a freeze/thaw cycle.
|
|
- New 'rndc signing' command displays or clears signing status
|
|
records in 'auto-dnssec' zones.
|
|
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
|
|
to signing, eliminating the need to initially sign with NSEC.
|
|
- Startup time improvements on large authoritative servers.
|
|
- Slave zones are now saved in raw format by default.
|
|
- Several improvements to response policy zones (RPZ).
|
|
- Improved hardware scalability by using multiple threads
|
|
to listen for queries and using finer-grained client locking
|
|
- The 'also-notify' option now takes the same syntax as
|
|
'masters', so it can used named masterlists and TSIG keys.
|
|
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
|
|
data, which can be included by the primary zone file.
|
|
- 'dnssec-signzone -R' forces removal of signatures that are
|
|
not expired but were created by a key which no longer exists.
|
|
- 'dnssec-signzone -X' allows a separate expiration date to
|
|
be specified for DNSKEY signatures from other signatures.
|
|
- New '-L' option to dnssec-keygen, dnssec-settime, and
|
|
dnssec-keyfromlabel sets the default TTL for the key.
|
|
- dnssec-dsfromkey now supports reading from standard input,
|
|
to make it easier to convert DNSKEY to DS.
|
|
- RFC 1918 reverse zones have been added to the empty-zones
|
|
table per RFC 6303.
|
|
- Dynamic updates can now optionally set the zone's SOA serial
|
|
number to the current UNIX time.
|
|
- DLZ modules can now retrieve the source IP address of
|
|
the querying client.
|
|
- 'request-ixfr' option can now be set at the per-zone level.
|
|
- 'dig +rrcomments' turns on comments about DNSKEY records,
|
|
indicating their key ID, algorithm and function
|
|
- Simplified nsupdate syntax and added readline support
|
|
|
|
BIND 9.8.0
|
|
|
|
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
|
|
releases. New features include:
|
|
|
|
- Built-in trust anchor for the root zone, which can be
|
|
switched on via "dnssec-validation auto;"
|
|
- Support for DNS64.
|
|
- Support for response policy zones (RPZ).
|
|
- Support for writable DLZ zones.
|
|
- Improved ease of configuration of GSS/TSIG for
|
|
interoperability with Active Directory
|
|
- Support for GOST signing algorithm for DNSSEC.
|
|
- Removed RTT Banding from server selection algorithm.
|
|
- New "static-stub" zone type.
|
|
- Allow configuration of resolver timeouts via
|
|
"resolver-query-timeout" option.
|
|
- The DLZ "dlopen" driver is now built by default.
|
|
- Added a new include file with function typedefs
|
|
for the DLZ "dlopen" driver.
|
|
- Made "--with-gssapi" default.
|
|
- More verbose error reporting from DLZ LDAP.
|
|
|
|
BIND 9.7.0
|
|
|
|
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
|
|
releases. Most are intended to simplify DNSSEC configuration.
|
|
New features include:
|
|
|
|
- Fully automatic signing of zones by "named".
|
|
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
|
|
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
|
|
command line tool or the "local" update-policy option. (As a side
|
|
effect, this also makes it easier to configure automatic zone
|
|
re-signing.)
|
|
- New named option "attach-cache" that allows multiple views to
|
|
share a single cache.
|
|
- DNS rebinding attack prevention.
|
|
- New default values for dnssec-keygen parameters.
|
|
- Support for RFC 5011 automated trust anchor maintenance
|
|
- Smart signing: simplified tools for zone signing and key
|
|
maintenance.
|
|
- The "statistics-channels" option is now available on Windows.
|
|
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
|
|
- On some platforms, named and other binaries can now print out
|
|
a stack backtrace on assertion failure, to aid in debugging.
|
|
- A "tools only" installation mode on Windows, which only installs
|
|
dig, host, nslookup and nsupdate.
|
|
- Improved PKCS#11 support, including Keyper support and explicit
|
|
OpenSSL engine selection.
|
|
|
|
BIND 9.6.0
|
|
|
|
Full NSEC3 support
|
|
|
|
Automatic zone re-signing
|
|
|
|
New update-policy methods tcp-self and 6to4-self
|
|
|
|
The BIND 8 resolver library, libbind, has been removed from the
|
|
BIND 9 distribution and is now available as a separate download.
|
|
|
|
Change the default pid file location from /var/run to
|
|
/var/run/{named,lwresd} for improved chroot/setuid support.
|
|
|
|
BIND 9.5.0
|
|
|
|
GSS-TSIG support (RFC 3645).
|
|
|
|
DHCID support.
|
|
|
|
Experimental http server and statistics support for named via xml.
|
|
|
|
More detailed statistics counters including those supported in BIND 8.
|
|
|
|
Faster ACL processing.
|
|
|
|
Use Doxygen to generate internal documentation.
|
|
|
|
Efficient LRU cache-cleaning mechanism.
|
|
|
|
NSID support.
|
|
|
|
BIND 9.4.0
|
|
|
|
Implemented "additional section caching (or acache)", an
|
|
internal cache framework for additional section content to
|
|
improve response performance. Several configuration options
|
|
were provided to control the behavior.
|
|
|
|
New notify type 'master-only'. Enable notify for master
|
|
zones only.
|
|
|
|
Accept 'notify-source' style syntax for query-source.
|
|
|
|
rndc now allows addresses to be set in the server clauses.
|
|
|
|
New option "allow-query-cache". This lets "allow-query"
|
|
be used to specify the default zone access level rather
|
|
than having to have every zone override the global value.
|
|
"allow-query-cache" can be set at both the options and view
|
|
levels. If "allow-query-cache" is not set then "allow-recursion"
|
|
is used if set, otherwise "allow-query" is used if set
|
|
unless "recursion no;" is set in which case "none;" is used,
|
|
otherwise the default (localhost; localnets;) is used.
|
|
|
|
rndc: the source address can now be specified.
|
|
|
|
ixfr-from-differences now takes master and slave in addition
|
|
to yes and no at the options and view levels.
|
|
|
|
Allow the journal's name to be changed via named.conf.
|
|
|
|
'rndc notify zone [class [view]]' resend the NOTIFY messages
|
|
for the specified zone.
|
|
|
|
'dig +trace' now randomly selects the next servers to try.
|
|
Report if there is a bad delegation.
|
|
|
|
Improve check-names error messages.
|
|
|
|
Make public the function to read a key file, dst_key_read_public().
|
|
|
|
dig now returns the byte count for axfr/ixfr.
|
|
|
|
allow-update is now settable at the options / view level.
|
|
|
|
named-checkconf now checks the logging configuration.
|
|
|
|
host now can turn on memory debugging flags with '-m'.
|
|
|
|
Don't send notify messages to self.
|
|
|
|
Perform sanity checks on NS records which refer to 'in zone' names.
|
|
|
|
New zone option "notify-delay". Specify a minimum delay
|
|
between sets of NOTIFY messages.
|
|
|
|
Extend adjusting TTL warning messages.
|
|
|
|
Named and named-checkzone can now both check for non-terminal
|
|
wildcard records.
|
|
|
|
"rndc freeze/thaw" now freezes/thaws all zones.
|
|
|
|
named-checkconf now check acls to verify that they only
|
|
refer to existing acls.
|
|
|
|
The server syntax has been extended to support a range of
|
|
servers.
|
|
|
|
Report differences between hints and real NS rrset and
|
|
associated address records.
|
|
|
|
Preserve the case of domain names in rdata during zone
|
|
transfers.
|
|
|
|
Restructured the data locking framework using architecture
|
|
dependent atomic operations (when available), improving
|
|
response performance on multi-processor machines significantly.
|
|
x86, x86_64, alpha, powerpc, and mips are currently supported.
|
|
|
|
UNIX domain controls are now supported.
|
|
|
|
Add support for additional zone file formats for improving
|
|
loading performance. The masterfile-format option in
|
|
named.conf can be used to specify a non-default format. A
|
|
separate command named-compilezone was provided to generate
|
|
zone files in the new format. Additionally, the -I and -O
|
|
options for dnssec-signzone specify the input and output
|
|
formats.
|
|
|
|
dnssec-signzone can now randomize signature end times
|
|
(dnssec-signzone -j jitter).
|
|
|
|
Add support for CH A record.
|
|
|
|
Add additional zone data constancy checks. named-checkzone
|
|
has extended checking of NS, MX and SRV record and the hosts
|
|
they reference. named has extended post zone load checks.
|
|
New zone options: check-mx and integrity-check.
|
|
|
|
|
|
edns-udp-size can now be overridden on a per server basis.
|
|
|
|
dig can now specify the EDNS version when making a query.
|
|
|
|
Added framework for handling multiple EDNS versions.
|
|
|
|
Additional memory debugging support to track size and mctx
|
|
arguments.
|
|
|
|
Detect duplicates of UDP queries we are recursing on and
|
|
drop them. New stats category "duplicates".
|
|
|
|
"USE INTERNAL MALLOC" is now runtime selectable.
|
|
|
|
The lame cache is now done on a <qname,qclass,qtype> basis
|
|
as some servers only appear to be lame for certain query
|
|
types.
|
|
|
|
Limit the number of recursive clients that can be waiting
|
|
for a single query (<qname,qtype,qclass>) to resolve. New
|
|
options clients-per-query and max-clients-per-query.
|
|
|
|
dig: report the number of extra bytes still left in the
|
|
packet after processing all the records.
|
|
|
|
Support for IPSECKEY rdata type.
|
|
|
|
Raise the UDP recieve buffer size to 32k if it is less than 32k.
|
|
|
|
x86 and x86_64 now have seperate atomic locking implementations.
|
|
|
|
named-checkconf now validates update-policy entries.
|
|
|
|
Attempt to make the amount of work performed in a iteration
|
|
self tuning. The covers nodes clean from the cache per
|
|
iteration, nodes written to disk when rewriting a master
|
|
file and nodes destroyed per iteration when destroying a
|
|
zone or a cache.
|
|
|
|
ISC string copy API.
|
|
|
|
Automatic empty zone creation for D.F.IP6.ARPA and friends.
|
|
Note: RFC 1918 zones are not yet covered by this but are
|
|
likely to be in a future release.
|
|
|
|
New options: empty-server, empty-contact, empty-zones-enable
|
|
and disable-empty-zone.
|
|
|
|
dig now has a '-q queryname' and '+showsearch' options.
|
|
|
|
host/nslookup now continue (default)/fail on SERVFAIL.
|
|
|
|
dig now warns if 'RA' is not set in the answer when 'RD'
|
|
was set in the query. host/nslookup skip servers that fail
|
|
to set 'RA' when 'RD' is set unless a server is explicitly
|
|
set.
|
|
|
|
Integrate contibuted DLZ code into named.
|
|
|
|
Integrate contibuted IDN code from JPNIC.
|
|
|
|
libbind: corresponds to that from BIND 8.4.7.
|
|
|
|
BIND 9.3.0
|
|
|
|
DNSSEC is now DS based (RFC 3658).
|
|
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
|
|
|
|
DNSSEC lookaside validation.
|
|
|
|
check-names is now implemented.
|
|
rrset-order in more complete.
|
|
|
|
IPv4/IPv6 transition support, dual-stack-servers.
|
|
|
|
IXFR deltas can now be generated when loading master files,
|
|
ixfr-from-differences.
|
|
|
|
It is now possible to specify the size of a journal, max-journal-size.
|
|
|
|
It is now possible to define a named set of master servers to be
|
|
used in masters clause, masters.
|
|
|
|
The advertised EDNS UDP size can now be set, edns-udp-size.
|
|
|
|
allow-v6-synthesis has been obsoleted.
|
|
|
|
NOTE:
|
|
* Zones containing MD and MF will now be rejected.
|
|
* dig, nslookup name. now report "Not Implemented" as
|
|
NOTIMP rather than NOTIMPL. This will have impact on scripts
|
|
that are looking for NOTIMPL.
|
|
|
|
libbind: corresponds to that from BIND 8.4.5.
|
|
|
|
BIND 9.2.0
|
|
|
|
The size of the cache can now be limited using the
|
|
"max-cache-size" option.
|
|
|
|
The server can now automatically convert RFC1886-style recursive
|
|
lookup requests into RFC2874-style lookups, when enabled using the
|
|
new option "allow-v6-synthesis". This allows stub resolvers that
|
|
support AAAA records but not A6 record chains or binary labels to
|
|
perform lookups in domains that make use of these IPv6 DNS
|
|
features.
|
|
|
|
Performance has been improved.
|
|
|
|
The man pages now use the more portable "man" macros rather than
|
|
the "mandoc" macros, and are installed by "make install".
|
|
|
|
The named.conf parser has been completely rewritten. It now
|
|
supports "include" directives in more places such as inside "view"
|
|
statements, and it no longer has any reserved words.
|
|
|
|
The "rndc status" command is now implemented.
|
|
|
|
rndc can now be configured automatically.
|
|
|
|
A BIND 8 compatible stub resolver library is now included in
|
|
lib/bind.
|
|
|
|
OpenSSL has been removed from the distribution. This means that to
|
|
use DNSSEC, OpenSSL must be installed and the --with-openssl option
|
|
must be supplied to configure. This does not apply to the use of
|
|
TSIG, which does not require OpenSSL.
|
|
|
|
The source distribution now builds on Windows. See
|
|
win32utils/readme1.txt and win32utils/win32-build.txt for details.
|
|
|
|
This distribution also includes a new lightweight stub
|
|
resolver library and associated resolver daemon that fully
|
|
support forward and reverse lookups of both IPv4 and IPv6
|
|
addresses. This library is considered experimental and
|
|
is not a complete replacement for the BIND 8 resolver library.
|
|
Applications that use the BIND 8 res_* functions to perform
|
|
DNS lookups or dynamic updates still need to be linked against
|
|
the BIND 8 libraries. For DNS lookups, they can also use the
|
|
new "getrrsetbyname()" API.
|
|
|
|
BIND 9.2 is capable of acting as an authoritative server
|
|
for DNSSEC secured zones. This functionality is believed to
|
|
be stable and complete except for lacking support for
|
|
verifications involving wildcard records in secure zones.
|
|
|
|
When acting as a caching server, BIND 9.2 can be configured
|
|
to perform DNSSEC secure resolution on behalf of its clients.
|
|
This part of the DNSSEC implementation is still considered
|
|
experimental. For detailed information about the state of the
|
|
DNSSEC implementation, see the file doc/misc/dnssec.
|
|
|
|
There are a few known bugs:
|
|
|
|
On some systems, IPv6 and IPv4 sockets interact in
|
|
unexpected ways. For details, see doc/misc/ipv6.
|
|
To reduce the impact of these problems, the server
|
|
no longer listens for requests on IPv6 addresses
|
|
by default. If you need to accept DNS queries over
|
|
IPv6, you must specify "listen-on-v6 { any; };"
|
|
in the named.conf options statement.
|
|
|
|
FreeBSD prior to 4.2 (and 4.2 if running as non-root)
|
|
and OpenBSD prior to 2.8 log messages like
|
|
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
|
|
This is due to a bug in "/dev/random" and impacts the
|
|
server's DNSSEC support.
|
|
|
|
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
|
|
OS X 10.2 (Darwin 6.0) reports errors like
|
|
"fcntl(3, F_SETFL, 4): Operation not supported by device".
|
|
This is due to a bug in "/dev/random" and impacts the
|
|
server's DNSSEC support.
|
|
|
|
--with-libtool does not work on AIX.
|
|
|
|
A bug in some versions of the Microsoft DNS server can cause zone
|
|
transfers from a BIND 9 server to a W2K server to fail. For details,
|
|
see the "Zone Transfers" section in doc/misc/migration.
|