BIND 9

    BIND version 9 is a major rewrite of nearly all aspects of the
    underlying BIND architecture. Some of the important features of
    BIND 9 are:

        - DNS Security
            DNSSEC (signed zones)
            TSIG (signed DNS requests)

        - IP version 6
            Answers DNS queries on IPv6 sockets
            IPv6 resource records (AAAA)
            Experimental IPv6 Resolver Library

        - DNS Protocol Enhancements
            IXFR, DDNS, Notify, EDNS0
            Improved standards conformance

        - Views
            One server process can provide multiple "views" of
            the DNS namespace, e.g. an "inside" view to certain
            clients, and an "outside" view to others.

        - Multiprocessor Support

        - Improved Portability Architecture


    BIND version 9 development has been underwritten by the following
    organizations:

        Sun Microsystems, Inc.
        Hewlett Packard
        Compaq Computer Corporation
        IBM
        Process Software Corporation
        Silicon Graphics, Inc.
        Network Associates, Inc.
        U.S. Defense Information Systems Agency
        USENIX Association
        Stichting NLnet - NLnet Foundation
        Nominum, Inc.

    For a summary of functional enhancements in previous
    releases, see the HISTORY file.

    For a detailed list of user-visible changes from
    previous releases, see the CHANGES file.

    For up-to-date release notes and errata, see
    http://www.isc.org/software/bind9/releasenotes

BIND 9.10.2-P4

    BIND 9.10.2-P4 is a security release addressing the flaws
    described in CVE-2015-5722 and CVE-2015-5986.

BIND 9.10.2-P3

    BIND 9.10.2-P3 is a security release addressing the flaw
    described in CVE-2015-5477.

BIND 9.10.2-P2

    BIND 9.10.2-P2 is a security release addressing the flaw
    described in CVE-2015-4620.

BIND 9.10.2-P1

    BIND 9.10.2-P1 is a patch release addressing several
    bugs recently found in the response-policy zones (RPZ)
    implementation in BIND 9.10. These mostly affect servers
    that have multiple frequently-updated response-policy
    zones.

BIND 9.10.2

    BIND 9.10.2 is a maintenance release and addresses bugs
    found in BIND 9.10.1 and earlier, as well as the security
    flaws described in CVE-2014-8500, CVE-2014-8680 and
    CVE-2015-1349.

BIND 9.10.1

    BIND 9.10.1 is a maintenance release and addresses bugs
    found in BIND 9.10.0 and earlier.

    This release addresses the security flaws described in
    CVE-2014-3214 and CVE-2014-3859.

BIND 9.10.0

    BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
    releases. New features include:

    - DNS Response-rate limiting (DNS RRL), which blunts the
      impact of reflection and amplification attacks, is always
      compiled in and no longer requires a compile-time option
      to enable it.
    - An experimental "Source Identity Token" (SIT) EDNS option
      is now available. Similar to DNS Cookies as invented by
      Donald Eastlake 3rd, these are designed to enable clients
      to detect off-path spoofed responses, and to enable servers
      to detect spoofed-source queries. Servers can be configured
      to send smaller responses to clients that have not identified
      themselves using a SIT option, reducing the effectiveness of
      amplification attacks. RRL processing has also been updated;
      clients proven to be legitimate via SIT are not subject to
      rate limiting. Use "configure --enable-sit" to enable this
      feature in BIND.
    - A new zone file format, "map", stores zone data in a
      format that can be mapped directly into memory, allowing
      significantly faster zone loading.
    - "delv" (domain entity lookup and validation) is a new tool
      with dig-like semantics for looking up DNS data and performing
      internal DNSSEC validation. This allows easy validation in
      environments where the resolver may not be trustworthy, and
      assists with troubleshooting of DNSSEC problems. (NOTE:
      In previous development releases of BIND 9.10, this utility
      was called "delve". The spelling has been changed to avoid
      confusion with the "delve" utility included with the Xapian
      search engine.)
    - Improved EDNS(0) processing for better resolver performance
      and reliability over slow or lossy connections.
    - A new "configure --with-tuning=large" option tunes certain
      compiled-in constants and default settings to values better
      suited to large servers with abundant memory. This can
      improve performance on such servers, but will consume more
      memory and may degrade performance on smaller systems.
    - Substantial improvement in response-policy zone (RPZ)
      performance. Up to 32 response-policy zones can be
      configured with minimal performance loss.
    - To improve recursive resolver performance, cache records
      which are still being requested by clients can now be
      automatically refreshed from the authoritative server
      before they expire, reducing or eliminating the time
      window in which no answer is available in the cache.
    - New "rpz-client-ip" triggers and drop policies allowing
      response policies based on the IP address of the client.
    - ACLs can now be specified based on geographic location
      using the MaxMind GeoIP databases. Use "configure
      --with-geoip" to enable.
    - Zone data can now be shared between views, allowing
      multiple views to serve the same zones authoritatively
      without storing multiple copies in memory.
    - New XML schema (version 3) for the statistics channel
      includes many new statistics and uses a flattened XML tree
      for faster parsing. The older schema is now deprecated.
    - A new stylesheet, based on the Google Charts API, displays
      XML statistics in charts and graphs on javascript-enabled
      browsers.
    - The statistics channel can now provide data in JSON
      format as well as XML.
    - New stats counters track TCP and UDP queries received
      per zone, and EDNS options received in total.
    - The internal and export versions of the BIND libraries
      (libisc, libdns, etc.) have been unified so that external
      library clients can use the same libraries as BIND itself.
    - A new compile-time option, "configure --enable-native-pkcs11",
      allows BIND 9 cryptography functions to use the PKCS#11 API
      natively, so that BIND can drive a cryptographic hardware
      service module (HSM) directly instead of using a modified
      OpenSSL as an intermediary. (Note: This feature requires an
      HSM to have a full implementation of the PKCS#11 API; many
      current HSMs only have partial implementations. The new
      "pkcs11-tokens" command can be used to check API completeness.
      Native PKCS#11 is known to work with the Thales nShield HSM
      and with SoftHSM version 2 from the Open DNSSEC project.)
    - The new "max-zone-ttl" option enforces maximum TTLs for
      zones. This can simplify the process of rolling DNSSEC keys
      by guaranteeing that cached signatures will have expired
      within the specified amount of time.
    - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
      querying.
    - "dig +expire" sends an EDNS EXPIRE option when querying.
      When this option is sent with an SOA query to a server
      that supports it, it will report the expiry time of
      a slave zone.
    - New "dnssec-coverage" tool to check DNSSEC key coverage
      for a zone and report if a lapse in signing coverage has
      been inadvertently scheduled.
    - Signing algorithm flexibility and other improvements
      for the "rndc" control channel.
    - "named-checkzone" and "named-compilezone" can now read
      journal files, allowing them to process dynamic zones.
    - Multiple DLZ databases can now be configured. Individual
      zones can be configured to be served from a specific DLZ
      database. DLZ databases now serve zones of type "master"
      and "redirect".
    - "rndc zonestatus" reports information about a specified zone.
    - "named" now listens on IPv6 as well as IPv4 interfaces
      by default.
    - "named" now preserves the capitalization of names
      when responding to queries: for instance, a query for
      "example.com" may be answered with "example.COM" if the
      name was configured that way in the zone file. Some
      clients have a bug causing them to depend on the older
      behavior, in which the case of the answer always matched
      the case of the query, rather than the case of the name
      configured in the DNS. Such clients can now be specified
      in the new "no-case-compress" ACL; this will restore the
      older behavior of "named" for those clients only.
    - New "dnssec-importkey" command allows the use of offline
      DNSSEC keys with automatic DNSKEY management.
    - New "named-rrchecker" tool to verify the syntactic
      correctness of individual resource records.
    - When re-signing a zone, the new "dnssec-signzone -Q" option
      drops signatures from keys that are still published but are
      no longer active.
    - "named-checkconf -px" will print the contents of configuration
      files with the shared secrets obscured, making it easier to
      share configuration (e.g. when submitting a bug report)
      without revealing private information.
    - "rndc scan" causes named to re-scan network interfaces for
      changes in local addresses.
    - On operating systems with support for routing sockets,
      network interfaces are re-scanned automatically whenever
      they change.
    - "tsig-keygen" is now available as an alternate command
      name to use for "ddns-confgen".

BIND 9.9.0

    BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
    releases. New features include:

    - Inline signing, allowing automatic DNSSEC signing of
      master zones without modification of the zonefile, or
      "bump in the wire" signing in slaves.
    - NXDOMAIN redirection.
    - New 'rndc flushtree' command clears all data under a given
      name from the DNS cache.
    - New 'rndc sync' command dumps pending changes in a dynamic
      zone to disk without a freeze/thaw cycle.
    - New 'rndc signing' command displays or clears signing status
      records in 'auto-dnssec' zones.
    - NSEC3 parameters for 'auto-dnssec' zones can now be set prior
      to signing, eliminating the need to initially sign with NSEC.
    - Startup time improvements on large authoritative servers.
    - Slave zones are now saved in raw format by default.
    - Several improvements to response policy zones (RPZ).
    - Improved hardware scalability by using multiple threads
      to listen for queries and using finer-grained client locking.
    - The 'also-notify' option now takes the same syntax as
      'masters', so it can use named masterlists and TSIG keys.
    - 'dnssec-signzone -D' writes an output file containing only DNSSEC
      data, which can be included by the primary zone file.
    - 'dnssec-signzone -R' forces removal of signatures that are
      not expired but were created by a key which no longer exists.
    - 'dnssec-signzone -X' allows a separate expiration date to
      be specified for DNSKEY signatures from other signatures.
    - New '-L' option to dnssec-keygen, dnssec-settime, and
      dnssec-keyfromlabel sets the default TTL for the key.
    - dnssec-dsfromkey now supports reading from standard input,
      to make it easier to convert DNSKEY to DS.
    - RFC 1918 reverse zones have been added to the empty-zones
      table per RFC 6303.
    - Dynamic updates can now optionally set the zone's SOA serial
      number to the current UNIX time.
    - DLZ modules can now retrieve the source IP address of
      the querying client.
    - 'request-ixfr' option can now be set at the per-zone level.
    - 'dig +rrcomments' turns on comments about DNSKEY records,
      indicating their key ID, algorithm and function.
    - Simplified nsupdate syntax and added readline support.

Building

    BIND 9 currently requires a UNIX system with an ANSI C compiler,
    basic POSIX support, and a 64 bit integer type.

    We've had successful builds and tests on the following systems:

        COMPAQ Tru64 UNIX 5.1B
        Fedora Core 6
        FreeBSD 4.10, 5.2.1, 6.2
        HP-UX 11.11
        Mac OS X 10.5
        NetBSD 3.x, 4.0-beta, 5.0-beta
        OpenBSD 3.3 and up
        Solaris 8, 9, 9 (x86), 10
        Ubuntu 7.04, 7.10
        Windows XP/2003/2008

    NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
    Windows, including Windows NT and Windows 2000, are no longer
    supported.

    We have recent reports from the user community that a supported
    version of BIND will build and run on the following systems:

        AIX 4.3, 5L
        CentOS 4, 4.5, 5
        Darwin 9.0.0d1/ARM
        Debian 4, 5, 6
        Fedora Core 5, 7, 8
        FreeBSD 6, 7, 8
        HP-UX 11.23 PA
        MacOS X 10.5, 10.6, 10.7
        Red Hat Enterprise Linux 4, 5, 6
        SCO OpenServer 5.0.6
        Slackware 9, 10
        SuSE 9, 10

    To build, just

        ./configure
        make

    Do not use a parallel "make".

    Several environment variables that can be set before running
    configure will affect compilation:

        CC
            The C compiler to use. configure tries to figure
            out the right one for supported systems.

        CFLAGS
            C compiler flags. Defaults to include -g and/or -O2
            as supported by the compiler. Please include '-g'
            if you need to set CFLAGS.

        STD_CINCLUDES
            System header file directories. Can be used to specify
            where add-on thread or IPv6 support is, for example.
            Defaults to empty string.

        STD_CDEFINES
            Any additional preprocessor symbols you want defined.
            Defaults to empty string.

            Possible settings:
                Change the default syslog facility of named/lwresd.
                    -DISC_FACILITY=LOG_LOCAL0
                Enable DNSSEC signature chasing support in dig.
                    -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
                    -DDIG_SIGCHASE_BU=1)
                Disable dropping queries from particular well known ports.
                    -DNS_CLIENT_DROPPORT=0
                Sibling glue checking in named-checkzone is enabled by
                default. To disable the default check, set:
                    -DCHECK_SIBLING=0
                named-checkzone checks out-of-zone addresses by default.
                To disable this default, set:
                    -DCHECK_LOCAL=0
                To create the default pid files in ${localstatedir}/run
                rather than ${localstatedir}/run/{named,lwresd}/, set:
                    -DNS_RUN_PID_DIR=0
                Enable workaround for Solaris kernel bug about /dev/poll
                    -DISC_SOCKET_USE_POLLWATCH=1
                The watch timeout is also configurable, e.g.,
                    -DISC_SOCKET_POLLWATCH_TIMEOUT=20

        LDFLAGS
            Linker flags. Defaults to empty string.

    The following need to be set when cross compiling.

        BUILD_CC
            The native C compiler.
        BUILD_CFLAGS (optional)
        BUILD_CPPFLAGS (optional)
            Possible Settings:
                -DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
        BUILD_LDFLAGS (optional)
        BUILD_LIBS (optional)

    On most platforms, BIND 9 is built with multithreading
    support, allowing it to take advantage of multiple CPUs.
    You can configure this by specifying "--enable-threads" or
    "--disable-threads" on the configure command line. The default
    is to enable threads, except on some older operating systems
    on which threads are known to have had problems in the past.
    (Note: Prior to BIND 9.10, the default was to disable threads on
    Linux systems; this has been reversed. On Linux systems, the
    threaded build is known to change BIND's behavior with respect
    to file permissions; it may be necessary to specify a user with
    the -u option when running named.)

    To build shared libraries, specify "--with-libtool" on the
    configure command line.

    Certain compiled-in constants and default settings can be
    increased to values better suited to large servers with abundant
    memory resources (e.g., 64-bit servers with 12G or more of memory)
    by specifying "--with-tuning=large" on the configure command
    line. This can improve performance on big servers, but will
    consume more memory and may degrade performance on smaller
    systems.

    For the server to support DNSSEC, you need to build it
    with crypto support. You must have OpenSSL 0.9.5a
    or newer installed and specify "--with-openssl" on the
    configure command line. If OpenSSL is installed under
    a nonstandard prefix, you can tell configure where to
    look for it using "--with-openssl=/prefix".

    To support the HTTP statistics channel, the server must
    be linked with at least one of the following: libxml2
    (http://xmlsoft.org) or json-c (https://github.com/json-c).
    If these are installed at a nonstandard prefix, use
    "--with-libxml2=/prefix" or "--with-libjson=/prefix".

    On some platforms it is necessary to explicitly request large
    file support to handle files bigger than 2GB. This can be
    done by "--enable-largefile" on the configure command line.

    Support for the "fixed" rrset-order option can be enabled
    or disabled by specifying "--enable-fixed-rrset" or
    "--disable-fixed-rrset" on the configure command line.
    The default is "disabled", to reduce memory footprint.

    If your operating system has integrated support for IPv6, it
    will be used automatically. If you have installed KAME IPv6
    separately, use "--with-kame[=PATH]" to specify its location.

    "make install" will install "named" and the various BIND 9 libraries.
    By default, installation is into /usr/local, but this can be changed
    with the "--prefix" option when running "configure".

    You may specify the option "--sysconfdir" to set the directory
    where configuration files like "named.conf" go by default,
    and "--localstatedir" to set the default parent directory
    of "run/named.pid". For backwards compatibility with BIND 8,
    --sysconfdir defaults to "/etc" and --localstatedir defaults to
    "/var" if no --prefix option is given. If there is a --prefix
    option, sysconfdir defaults to "$prefix/etc" and localstatedir
    defaults to "$prefix/var".

    To see additional configure options, run "configure --help".
    Note that the help message does not reflect the BIND 8
    compatibility defaults for sysconfdir and localstatedir.

    If you're planning on making changes to the BIND 9 source, you
    should also "make depend". If you're using Emacs, you might find
    "make tags" helpful.

    If you need to re-run configure please run "make distclean" first.
    This will ensure that all the option changes take effect.

    Building with gcc is not supported, unless gcc is the vendor's usual
    compiler (e.g. the various BSD systems, Linux).

    Known compiler issues:
        * gcc-3.2.1 and gcc-3.1.1 are known to cause problems with solaris-x86.
        * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -O2.
        * gcc-3.3.5 powerpc generates incorrect code at -O2.
        * Irix, MipsPRO 7.4.1m is known to cause problems.

    A limited test suite can be run with "make test". Many of
    the tests require you to configure a set of virtual IP addresses
    on your system, and some require Perl; see bin/tests/system/README
    for details.

    SunOS 4 requires "printf" to be installed to make the shared
    libraries. sh-utils-1.16 provides a "printf" which compiles
    on SunOS 4.

Known limitations

    Linux requires kernel build 2.6.39 or later to get the
    performance benefits from using multiple sockets.

Documentation

    The BIND 9 Administrator Reference Manual is included with the
    source distribution in DocBook XML and HTML format, in the
    doc/arm directory.

    Some of the programs in the BIND 9 distribution have man pages
    in their directories. In particular, the command line
    options of "named" are documented in /bin/named/named.8.
    There is now also a set of man pages for the lwres library.

    If you are upgrading from BIND 8, please read the migration
    notes in doc/misc/migration. If you are upgrading from
    BIND 4, read doc/misc/migration-4to9.

    Frequently asked questions and their answers can be found in
    FAQ.

    Additional information on various subjects can be found
    in the other README files.


Change Log

    A detailed list of all changes to BIND 9 is included in the
    file CHANGES, with the most recent changes listed first.
    Change notes include tags indicating the category of the
    change that was made; these categories are:

        [func]          New feature

        [bug]           General bug fix

        [security]      Fix for a significant security flaw

        [experimental]  Used for new features when the syntax
                        or other aspects of the design are still
                        in flux and may change

        [port]          Portability enhancement

        [maint]         Updates to built-in data such as root
                        server addresses and keys

        [tuning]        Changes to built-in configuration defaults
                        and constants to improve performance

        [protocol]      Updates to the DNS protocol such as new
                        RR types

        [test]          Changes to the automatic tests, not
                        affecting server functionality

        [cleanup]       Minor corrections and refactoring

        [doc]           Documentation

        [contrib]       Changes to the contributed tools and
                        libraries in the 'contrib' subdirectory

        [placeholder]   Used in the master development branch to
                        reserve change numbers for use in other
                        branches, e.g. when fixing a bug that only
                        exists in older releases

    In general, [func] and [experimental] tags will only appear
    in new-feature releases (i.e., those with version numbers
    ending in zero). Some new functionality may be backported to
    older releases on a case-by-case basis. All other change
    types may be applied to all currently-supported releases.


Bug Reports and Mailing Lists

    Bug reports should be sent to:

        bind9-bugs@isc.org

    Feature requests can be sent to:

        bind-suggest@isc.org

    To join or view the archives of the BIND Users mailing list,
    visit:

        https://lists.isc.org/mailman/listinfo/bind-users

    If you're planning on making changes to the BIND 9 source
    code, you may also want to join the BIND Workers mailing
    list:

        https://lists.isc.org/mailman/listinfo/bind-workers

    Information on read-only Git access, coding style and developer
    guidelines can be found at:

        http://www.isc.org/git/


Acknowledgments

    - This product includes software developed by the OpenSSL Project
      for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
    - This product includes cryptographic software written by Eric
      Young (eay@cryptsoft.com).
    - This product includes software written by Tim Hudson
      (tjh@cryptsoft.com).