Copyright (C) 2004, 2005, 2007-2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2003  Internet Software Consortium.
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

NOTES ON BIND 9.10 FOR WINDOWS:

BIND 9.10 is known to run on Windows XP, Vista, Windows 7,
and Windows Server 2003 and higher.

KIT INSTALLATION:

Unpack the kit into any convenient directory and run the BINDInstall
program.  This will install named and the associated programs into
the correct directories and set up the required registry keys.

BINDInstall requires that BIND run under an account with restricted
privileges. The installer will prompt you for an account name (the
default is "named") and a password for that account. It will also
check for the existence of that account.  If it does not exist, it
will create it with only the privileges required to run BIND. If the
account does exist, it will check that it has only the one privilege
required: "Log on as a service".  If it has more privileges than
that, it will ask whether you want to continue.

With BIND running under a dedicated account, all files and
directories that BIND uses must have permissions set up for that
account if the files are on an NTFS disk. BIND requires that the
account have read and write access to the directory holding the pid
file and to any files that are maintained either for slave zones or
for master zones supporting dynamic updates. The account will also
need read access to named.conf and to any other file that it needs
to read.

"NT AUTHORITY\LocalService" is also an acceptable account (and the
only acceptable one on some recent versions of Windows). This
account is built into Windows and no password is required.
Appropriate file permissions will also need to be set for "NT
AUTHORITY\LocalService", similar to those that would have been
required for the "named" account.
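
The following PowerShell script is an added example (it is not part of the ISC kit) that checks the two things this section asks for: that the service account holds only the "Log on as a service" right, and that its NTFS access on the BIND directories is no broader than needed. The install path, the "named" account name and the use of the etc folder as the working directory are assumptions taken from the README's own examples; run it from an elevated prompt and adjust $BindRoot and $Account for your system.

```powershell
# Added example, not part of the ISC kit. Assumed values: BIND lives under
# $BindRoot and runs as $Account; the working directory (directory directive)
# is the etc folder, as in the README's options example. Run elevated.
$BindRoot = "C:\Program Files (x86)\ISC BIND 9"
$Account  = "named"      # or "S-1-5-19" for NT AUTHORITY\LocalService

function Get-AccountSid {
    # Accepts either an account name or an SID string and returns the SID.
    param([string]$AccountName)
    if ($AccountName -match '^S-1-') {
        return New-Object System.Security.Principal.SecurityIdentifier($AccountName)
    }
    $nt = New-Object System.Security.Principal.NTAccount($AccountName)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier])
}

function Get-AccountUserRights {
    # Exports the local user-rights policy with secedit and returns the
    # privilege names whose member list includes the account's SID.
    # For the "named" account the expected result is SeServiceLogonRight only.
    param([string]$AccountName)
    $sid = (Get-AccountSid $AccountName).Value
    $inf = Join-Path $env:TEMP "bind-user-rights.inf"
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = foreach ($line in Get-Content -LiteralPath $inf) {
        # Lines look like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
        if ($line -match '^(Se\w+)\s*=(.*)$') {
            $name, $members = $Matches[1], $Matches[2]
            if ($members -match ('\*' + [regex]::Escape($sid) + '(,|\s*$)')) { $name }
        }
    }
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
    return @($rights | Where-Object { $_ })
}

function Get-BindAccess {
    # Returns the ACEs on $Path that apply to the account, flagging any Allow
    # entry that grants more than Modify (the most BIND needs, and only where
    # it writes: pid file, slave zone files, dynamic-update journals).
    param([string]$Path, [string]$AccountName)
    $sid    = (Get-AccountSid $AccountName).Value
    $modify = [int]([System.Security.AccessControl.FileSystemRights]::Modify -bor
                    [System.Security.AccessControl.FileSystemRights]::Synchronize)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (orphaned) SID: not our account
        if ($aceSid -ne $sid) { continue }
        $excess = ([int]$ace.FileSystemRights) -band (-bnot $modify)
        [pscustomobject]@{
            Path      = $Path
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            TooBroad  = ($ace.AccessControlType -eq 'Allow' -and $excess -ne 0)
        }
    }
}

# --- Report -----------------------------------------------------------------
$rights = Get-AccountUserRights $Account
"User rights held by ${Account}: $($rights -join ', ')"
if (@($rights | Where-Object { $_ -ne 'SeServiceLogonRight' }).Count -gt 0) {
    "WARNING: $Account holds rights beyond 'Log on as a service'"
}

# etc holds named.conf, the pid file, slave zones and journals, so Modify is
# expected there; bin only needs Read and Execute.
$report = @("$BindRoot\etc", "$BindRoot\bin" |
    ForEach-Object { Get-BindAccess -Path $_ -AccountName $Account })
$report | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.Path -like '*\etc' })) {
    "WARNING: $Account has no ACE on $BindRoot\etc; named cannot write its pid file there"
}
```

The user-rights check matches on the SID rather than the account name because secedit writes SIDs for local accounts, and the ACL check does the same so that "NT AUTHORITY\LocalService" is found whether the ACE displays it as "LOCAL SERVICE" or by SID. A TooBroad row on a directory usually means Full Control or a generic-all inherited ACE; trimming it to Modify on etc (and Read and Execute on bin) gives named exactly the access this section describes.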
It is important that on Windows the directory directive is used in
the options section to tell BIND where to find the files referenced
in named.conf (default "%ProgramFiles%\ISC BIND 9\etc\named.conf").
For example:

	options {
		directory "C:\Program Files (x86)\ISC BIND 9\etc";
	};

for a 32 bit BIND on a 64 bit US Domestic Windows system.
Messages are logged to the Application log in the Event Viewer.

CONTROLLING BIND:

Windows uses the same rndc program as is used on Unix systems.  The
rndc.conf file must be configured for your system in order to work.
You will need to generate a key for this. To do this, use the
rndc-confgen program. The program will be installed in the same
directory as named: "%ProgramFiles%\ISC BIND 9\bin".  From the DOS
prompt, use the command this way:

rndc-confgen -a

which will create an rndc.key file in the "%ProgramFiles%\ISC BIND 9\etc"
directory. This will allow you to run rndc without an explicit
rndc.conf file or a key and controls entry in named.conf. See
section 3.4.1.2 of the ARM for details. An rndc.conf can also be
generated by running:

rndc-confgen > rndc.conf

which will create the rndc.conf file in the current directory, but
not copy it to the "%ProgramFiles%\ISC BIND 9\etc" directory where
it needs to reside. If you create rndc.conf this way, you will need
to copy the same key statement into named.conf.

The additions look like the following:

key "rndc-key" { algorithm hmac-sha256; secret "xxxxxxxxx=="; };

controls {
	inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};

Note that the value of the secret must come from the key generated
above for rndc, and the same key value must appear in both files.
Details of this may be found in section 3.4.1.2 of the ARM. If you
have rndc on a Unix box you can use it to control BIND on the
Windows box, and the Windows version of rndc can likewise control a
BIND 9 daemon on a Unix box. However, you must have key statements
valid for the servers you wish to control, specifically the IP
address and key in both named.conf and rndc.conf. Again, see
section 3.4.1.2 of the ARM for details.
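
The following PowerShell script is an added example (not part of the ISC kit) that checks the pairing this section describes: it parses the key statements in named.conf and in the rndc key file, confirms that the secret and algorithm are identical in both, and reports whether the controls channel in named.conf actually lists that key and how widely it is exposed. The etc path, the file names and the key name "rndc-key" are assumptions taken from the README's sample statements.

```powershell
# Added example, not part of the ISC kit. Assumed layout: named.conf and the
# rndc.key written by "rndc-confgen -a" both live in the kit's etc directory
# and the key is named "rndc-key", as in the README's sample statements.
$Etc = "C:\Program Files (x86)\ISC BIND 9\etc"

function Remove-BindComments {
    # Strips /* */, // and # comments. rndc-confgen's output carries the
    # named.conf additions as a commented block, which must not be matched.
    param([string]$Text)
    $Text = [regex]::Replace($Text, '/\*.*?\*/', '', 'Singleline')
    return [regex]::Replace($Text, '(//|#).*$', '', 'Multiline')
}

function Get-BindKeyStatements {
    # Parses  key "name" { algorithm ...; secret "..."; };  statements.
    # The lookbehind keeps "default-key" and "keys { }" from matching.
    param([string]$Text)
    $pattern = '(?<![\w-])key\s+"?(?<name>[^"\s{]+)"?\s*\{(?<body>[^}]*)\}'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $body = $m.Groups['body'].Value
        $alg = $null; $sec = $null
        if ($body -match 'algorithm\s+"?([\w-]+)"?\s*;') { $alg = $Matches[1] }
        if ($body -match 'secret\s+"([^"]+)"\s*;')       { $sec = $Matches[1] }
        [pscustomobject]@{ Name = $m.Groups['name'].Value; Algorithm = $alg; Secret = $sec }
    }
}

function Get-BindControls {
    # Parses  inet <addr> [port N] allow { ... } keys { ... };  entries.
    param([string]$Text)
    $pattern = 'inet\s+(?<addr>[\w.:*]+)(?:\s+port\s+(?<port>\d+))?\s+allow\s*\{(?<allow>[^}]*)\}\s*keys\s*\{(?<keys>[^}]*)\}'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $port = 953                                   # rndc's default port
        if ($m.Groups['port'].Success) { $port = [int]$m.Groups['port'].Value }
        $allow = @($m.Groups['allow'].Value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $keys  = @($m.Groups['keys'].Value  -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
        [pscustomobject]@{ Address = $m.Groups['addr'].Value; Port = $port; Allow = $allow; Keys = $keys }
    }
}

function Test-RndcConfig {
    param([string]$NamedConf, [string]$KeyFile, [string]$KeyName = 'rndc-key')
    $named = Remove-BindComments (Get-Content -Raw -LiteralPath $NamedConf)
    $rndc  = Remove-BindComments (Get-Content -Raw -LiteralPath $KeyFile)
    $serverKey = Get-BindKeyStatements $named | Where-Object { $_.Name -eq $KeyName }
    $clientKey = Get-BindKeyStatements $rndc  | Where-Object { $_.Name -eq $KeyName }
    $findings = @()
    if (-not $serverKey) { $findings += "named.conf has no key statement named $KeyName" }
    if (-not $clientKey) { $findings += "$KeyFile has no key statement named $KeyName" }
    if ($serverKey -and $clientKey) {
        # Secrets are base64 and therefore case-sensitive: compare with -cne.
        if ($serverKey.Secret -cne $clientKey.Secret) {
            $findings += "secret for $KeyName differs between named.conf and $KeyFile"
        }
        if ($serverKey.Algorithm -ne $clientKey.Algorithm) {
            $findings += "algorithm for $KeyName differs ($($serverKey.Algorithm) vs $($clientKey.Algorithm))"
        }
    }
    $controls = @(Get-BindControls $named)
    if ($controls.Count -eq 0) { $findings += "named.conf has no inet control channel; rndc cannot connect" }
    foreach ($c in $controls) {
        $where = "$($c.Address) port $($c.Port)"
        if ($c.Keys -notcontains $KeyName) {
            $findings += "control channel on $where does not list $KeyName in keys { }"
        }
        if ($c.Address -notin @('127.0.0.1', '::1', 'localhost')) {
            $findings += "NOTE: control channel on $where is reachable off-host; keep allow { } to the hosts that run rndc"
        }
        $wide = @($c.Allow | Where-Object { $_ -in @('any', '0.0.0.0/0', '::/0') })
        if ($wide.Count -gt 0) {
            $findings += "control channel on $where allows $($wide -join ', ')"
        }
    }
    if ($findings.Count -eq 0) { return "OK: $KeyName matches in both files and the control channel uses it" }
    return $findings
}

Test-RndcConfig -NamedConf "$Etc\named.conf" -KeyFile "$Etc\rndc.key"
```

Point -KeyFile at rndc.conf instead when you generated the configuration with "rndc-confgen > rndc.conf"; the same key parser applies, and the comment stripping is what keeps the "# Start of named.conf" block that rndc-confgen appends from being mistaken for a live key statement. A non-loopback inet address is reported as a NOTE rather than an error because controlling a Windows named from a Unix rndc, as described above, legitimately needs one; the allow list is where that exposure should be narrowed.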

In order to run rndc from a different system it is important to
ensure that the clocks are synchronized. The clocks must be kept
within 5 minutes of each other or the rndc commands will fail
authentication. Use NTP or other time synchronization software to
keep your clocks accurate. NTP can be found at http://www.ntp.org/.

In addition, BIND is installed as a win32 system service. It can be
started and stopped in the same way as any other service and
automatically starts whenever the system is booted. Signals are not
supported and are in fact ignored.

Note: Unlike most Windows applications, named does not change its
working directory when started as a service.  If you wish to use
relative file names in named.conf you will need to specify a working
directory using the directory directive in the options section.

DOCUMENTATION:

This kit includes documentation in HTML format.  The documentation
is not copied during the installation process, so you should move
it to any convenient location for later reference. Of particular
importance is the BIND 9 Administrator's Reference Manual (Bv9ARM*.html)
which provides detailed information on BIND 9. In addition, there
are HTML pages for each of the BIND 9 applications.

INCLUDED TOOLS:

The following tools have been built for Windows: dig, nslookup,
host, nsupdate, ddns-confgen, rndc, rndc-confgen, named-checkconf,
named-checkzone, named-compilezone, named-journalprint,
named-rrchecker, dnssec-importkey, dnssec-keygen, dnssec-signzone,
dnssec-dsfromkey, dnssec-keyfromlabel, dnssec-revoke, dnssec-settime
and dnssec-verify.  The dnssec-* tools are for use with DNSSEC.  All tools
are installed in the "%ProgramFiles%\ISC BIND 9\bin" directory.

IMPORTANT NOTE ON USING THE TOOLS:

It is no longer necessary to create a resolv.conf file on Windows,
as the tools will look in the registry for the required name server
information. However, if you do create a resolv.conf file as follows,
the tools will use it in preference to the registry name server
entries.

Place resolv.conf in the "%ProgramFiles%\ISC BIND 9\etc" directory.
It must contain a list of recursive server addresses.  The format
of this file is:

nameserver 1.2.3.4
nameserver 5.6.7.8

Replace the above IP addresses with the real name server addresses.
127.0.0.1 is a valid address if you are running a recursive name
server on the localhost.

PROBLEMS:

Please report bugs to bind9-bugs@isc.org. Other questions can go
to the bind-users@isc.org mailing list.
