1README 2 3BIND 9 4 5Contents 6 7 1. Introduction 8 2. Reporting bugs and getting help 9 3. Contributing to BIND 10 4. BIND 9.11 features 11 5. Building BIND 12 6. macOS 13 7. Dependencies 14 8. Compile-time options 15 9. Automated testing 1610. Documentation 1711. Change log 1812. Acknowledgments 19 20Introduction 21 22BIND (Berkeley Internet Name Domain) is a complete, highly portable 23implementation of the DNS (Domain Name System) protocol. 24 25The BIND name server, named, is able to serve as an authoritative name 26server, recursive resolver, DNS forwarder, or all three simultaneously. It 27implements views for split-horizon DNS, automatic DNSSEC zone signing and 28key management, catalog zones to facilitate provisioning of zone data 29throughout a name server constellation, response policy zones (RPZ) to 30protect clients from malicious data, response rate limiting (RRL) and 31recursive query limits to reduce distributed denial of service attacks, 32and many other advanced DNS features. BIND also includes a suite of 33administrative tools, including the dig and delv DNS lookup tools, 34nsupdate for dynamic DNS zone updates, rndc for remote name server 35administration, and more. 36 37BIND 9 is a complete re-write of the BIND architecture that was used in 38versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501 39(c)(3) public benefit corporation dedicated to providing software and 40services in support of the Internet infrastructure, developed BIND 9 and 41is responsible for its ongoing maintenance and improvement. BIND is open 42source software licensed under the terms of ISC License for all versions 43up to and including BIND 9.10, and the Mozilla Public License version 2.0 44for all subsequent versions. 45 46For a summary of features introduced in past major releases of BIND, see 47the file HISTORY. 48 49For a detailed list of changes made throughout the history of BIND 9, see 50the file CHANGES. See below for details on the CHANGES file format. 51 52For up-to-date versions and release notes, see https://www.isc.org/ 53download/. 54 55Reporting bugs and getting help 56 57To report non-security-sensitive bugs or request new features, you may 58open an Issue in the BIND 9 project on the ISC GitLab server at https:// 59gitlab.isc.org/isc-projects/bind9. 60 61Please note that, unless you explicitly mark the newly created Issue as 62"confidential", it will be publicly readable. Please do not include any 63information in bug reports that you consider to be confidential unless the 64issue has been marked as such. In particular, if submitting the contents 65of your configuration file in a non-confidential Issue, it is advisable to 66obscure key secrets: this can be done automatically by using 67named-checkconf -px. 68 69If the bug you are reporting is a potential security issue, such as an 70assertion failure or other crash in named, please do NOT use GitLab to 71report it. Instead, send mail to security-officer@isc.org using our 72OpenPGP key to secure your message. (Information about OpenPGP and links 73to our key can be found at https://www.isc.org/pgpkey.) Please do not 74discuss the bug on any public mailing list. 75 76For a general overview of ISC security policies, read the Knowledge Base 77article at https://kb.isc.org/docs/aa-00861. 78 79Professional support and training for BIND are available from ISC at 80https://www.isc.org/support. 81 82To join the BIND Users mailing list, or view the archives, visit https:// 83lists.isc.org/mailman/listinfo/bind-users. 84 85If you're planning on making changes to the BIND 9 source code, you may 86also want to join the BIND Workers mailing list, at https://lists.isc.org/ 87mailman/listinfo/bind-workers. 88 89Contributing to BIND 90 91ISC maintains a public git repository for BIND; details can be found at 92http://www.isc.org/git/. 93 94Information for BIND contributors can be found in the following files: - 95General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/ 96style.md - BIND architecture and developer guide: doc/dev/dev.md 97 98Patches for BIND may be submitted as merge requests in the ISC GitLab 99server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests. 100 101By default, external contributors don't have ability to fork BIND in the 102GitLab server, but if you wish to contribute code to BIND, you may request 103permission to do so. Thereafter, you can create git branches and directly 104submit requests that they be reviewed and merged. 105 106If you prefer, you may also submit code by opening a GitLab Issue and 107including your patch as an attachment, preferably generated by git 108format-patch. 109 110BIND 9.11 features 111 112BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier 113releases. New features include: 114 115 • Added support for Catalog Zones, a new method for provisioning 116 servers: a list of zones to be served is stored in a DNS zone, along 117 with their configuration parameters. Changes to the catalog zone are 118 propagated to slaves via normal AXFR/IXFR, whereupon the zones that 119 are listed in it are automatically added, deleted or reconfigured. 120 • Added support for "dnstap", a fast and flexible method of capturing 121 and logging DNS traffic. 122 • Added support for "dyndb", a new API for loading zone data from an 123 external database, developed by Red Hat for the FreeIPA project. 124 • "fetchlimit" quotas are now compiled in by default. These are for the 125 use of recursive resolvers that are are under high query load for 126 domains whose authoritative servers are nonresponsive or are 127 experiencing a denial of service attack: 128 □ fetches-per-server limits the number of simultaneous queries that 129 can be sent to any single authoritative server. The configured 130 value is a starting point; it is automatically adjusted downward 131 if the server is partially or completely non-responsive. The 132 algorithm used to adjust the quota can be configured via the 133 "fetch-quota-params" option. 134 □ fetches-per-zone limits the number of simultaneous queries that 135 can be sent for names within a single domain. (Note: Unlike 136 fetches-per-server, this value is not self-tuning.) 137 □ New stats counters have been added to count queries spilled due to 138 these quotas. 139 • Added a new dnssec-keymgr key maintenance utility, which can generate 140 or update keys as needed to ensure that a zone's keys match a defined 141 DNSSEC policy. 142 • The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE" 143 and is no longer optional. EDNS COOKIE is a mechanism enabling clients 144 to detect off-path spoofed responses, and servers to detect 145 spoofed-source queries. Clients that identify themselves using COOKIE 146 options are not subject to response rate limiting (RRL) and can 147 receive larger UDP responses. 148 • SERVFAIL responses can now be cached for a limited time (defaulting to 149 1 second, with an upper limit of 30). This can reduce the frequency of 150 retries when a query is persistently failing. 151 • Added an nsip-wait-recurse switch to RPZ. This causes NSIP rules to be 152 skipped if a name server IP address isn't in the cache yet; the 153 address will be looked up and the rule will be applied on future 154 queries. 155 • Added a Python RNDC module. This allows multiple commands to sent over 156 a persistent RNDC channel, which saves time. 157 • The controls block in named.conf can now grant read-only rndc access 158 to specified clients or keys. Read-only clients could, for example, 159 check rndc status but could not reconfigure or shut down the server. 160 • rndc commands can now return arbitrarily large amounts of text to the 161 caller. 162 • The zone serial number of a dynamically updatable zone can now be set 163 via rndc signing -serial <number> <zonename>. This allows 164 inline-signing zones to be set to a specific serial number. 165 • The new rndc nta command can be used to set a Negative Trust Anchor 166 (NTA), disabling DNSSEC validation for a specific domain; this can be 167 used when responses from a domain are known to be failing validation 168 due to administrative error rather than because of a spoofing attack. 169 Negative trust anchors are strictly temporary; by default they expire 170 after one hour, but can be configured to last up to one week. 171 • rndc delzone can now be used on zones that were not originally created 172 by "rndc addzone". 173 • rndc modzone reconfigures a single zone, without requiring the entire 174 server to be reconfigured. 175 • rndc showzone displays the current configuration of a zone. 176 • rndc managed-keys can be used to check the status of RFC 5001 managed 177 trust anchors, or to force trust anchors to be refreshed. 178 • max-cache-size can now be set to a percentage of available memory. The 179 default is 90%. 180 • Update forwarding performance has been improved by allowing a single 181 TCP connection to be shared by multiple updates. 182 • The EDNS Client Subnet (ECS) option is now supported for authoritative 183 servers; if a query contains an ECS option then ACLs containing geoip 184 or ecs elements can match against the the address encoded in the 185 option. This can be used to select a view for a query, so that 186 different answers can be provided depending on the client network. 187 • The EDNS EXPIRE option has been implemented on the client side, 188 allowing a slave server to set the expiration timer correctly when 189 transferring zone data from another slave server. 190 • The key generation and manipulation tools (dnssec-keygen, 191 dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take -Psync 192 and -Dsync options to set the publication and deletion times of CDS 193 and CDNSKEY parent-synchronization records. Both named and 194 dnssec-signzone can now publish and remove these records at the 195 scheduled times. 196 • A new minimal-any option reduces the size of UDP responses for query 197 type ANY by returning a single arbitrarily selected RRset instead of 198 all RRsets. 199 • A new masterfile-style zone option controls the formatting of text 200 zone files: When set to full, a zone file is dumped in 201 single-line-per-record format. 202 • serial-update-method can now be set to date. On update, the serial 203 number will be set to the current date in YYYYMMDDNN format. 204 • dnssec-signzone -N date sets the serial number to YYYYMMDDNN. 205 • named -L <filename> causes named to send log messages to the specified 206 file by default instead of to the system log. 207 • dig +ttlunits prints TTL values with time-unit suffixes: w, d, h, m, s 208 for weeks, days, hours, minutes, and seconds. 209 • dig +unknownformat prints dig output in RFC 3597 "unknown record" 210 presentation format. 211 • dig +ednsopt allows dig to set arbitrary EDNS options on requests. 212 • dig +ednsflags allows dig to set yet-to-be-defined EDNS flags on 213 requests. 214 • mdig is an alternate version of dig which sends multiple pipelined TCP 215 queries to a server. Instead of waiting for a response after sending a 216 query, it sends all queries immediately and displays responses in the 217 order received. 218 • serial-query-rate no longer controls NOTIFY messages. These are 219 separately controlled by notify-rate and startup-notify-rate. 220 • nsupdate now performs check-names processing by default on records to 221 be added. This can be disabled with check-names no. 222 • The statistics channel now supports DEFLATE compression, reducing the 223 size of the data sent over the network when querying statistics. 224 • New counters have been added to the statistics channel to track the 225 sizes of incoming queries and outgoing responses in histogram buckets, 226 as specified in RSSAC002. 227 • A new NXDOMAIN redirect method (option nxdomain-redirect) has been 228 added, allowing redirection to a specified DNS namespace instead of a 229 single redirect zone. 230 • When starting up, named now ensures that no other named process is 231 already running. 232 • Files created by named to store information, including mkeys and nzf 233 files, are now named after their corresponding views unless the view 234 name contains characters incompatible with use as a filename. Old 235 style filenames (based on the hash of the view name) will still work. 236 237BIND 9.11.1 238 239BIND 9.11.1 is a maintenance release, and addresses the security flaws 240disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, 241CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137 242and CVE-2017-3138. 243 244BIND 9.11.2 245 246BIND 9.11.2 is a maintenance release, and addresses the security flaws 247disclosed in CVE-2017-3140, CVE-2017-3141, CVE-2017-3142 and 248CVE-2017-3143. It also addresses several bugs related to the use of an 249LMDB database to store data related to zones added via rndc addzone or 250catalog zones. 251 252BIND 9.11.3 253 254BIND 9.11.3 is a maintenance release, and addresses the security flaw 255disclosed in CVE-2017-3145. 256 257BIND 9.11.4 258 259BIND 9.11.4 is a maintenance release, and addresses the security flaw 260disclosed in CVE-2018-5738. It also introduces "root key sentinel" 261support, enabling validating resolvers to indicate via a special query 262which trust anchors are configured for the root zone. 263 264BIND 9.11.5 265 266BIND 9.11.5 is a maintenance release, and also addresses CVE-2018-5741 by 267correcting faulty documentation and introducing the following new feature: 268 269 • New krb5-selfsub and ms-selfsub rule types for update-policy 270 statements allow updating of subdomains based on a Kerberos or Active 271 Directory machine principal. 272 273BIND 9.11.6 274 275BIND 9.11.6 is a maintenance release, and also addresses the security 276flaws disclosed in CVE-2018-5743, CVE-2018-5745, CVE-2018-5744, and 277CVE-2019-6465. 278 279BIND 9.11.7 280 281BIND 9.11.7 is a maintenance release, and also addresses the security flaw 282disclosed in CVE-2018-5743. 283 284BIND 9.11.8 285 286BIND 9.11.8 is a maintenance release, and also addresses the security flaw 287disclosed in CVE-2019-6471. 288 289BIND 9.11.9 290 291BIND 9.11.9 is a maintenance release, and also adds support for the new 292MaxMind GeoIP2 geolocation API when built with configure --with-geoip2. 293 294BIND 9.11.10 295 296BIND 9.11.10 is a maintenance release. 297 298BIND 9.11.11 299 300BIND 9.11.11 is a maintenance release. 301 302BIND 9.11.12 303 304BIND 9.11.12 is a maintenance release. 305 306BIND 9.11.13 307 308BIND 9.11.13 is a maintenance release, and also addresses the security 309vulnerability disclosed in CVE-2019-6477. 310 311BIND 9.11.14 312 313BIND 9.11.14 is a maintenance release. 314 315BIND 9.11.15 316 317BIND 9.11.15 is a maintenance release. 318 319BIND 9.11.16 320 321BIND 9.11.16 is a maintenance release. 322 323BIND 9.11.17 324 325BIND 9.11.17 is a maintenance release. 326 327BIND 9.11.18 328 329BIND 9.11.18 is a maintenance release. 330 331BIND 9.11.19 332 333BIND 9.11.19 is a maintenance release, and also addresses the security 334vulnerabilities disclosed in CVE-2020-8616 and CVE-2020-8617. 335 336BIND 9.11.20 337 338BIND 9.11.20 is a maintenance release, and also addresses the security 339vulnerability disclosed in CVE-2020-8619. 340 341BIND 9.11.21 342 343BIND 9.11.21 is a maintenance release. 344 345BIND 9.11.22 346 347BIND 9.11.22 is a maintenance release, and also addresses the security 348vulnerabilities disclosed in CVE-2020-8622, CVE-2020-8623, and 349CVE-2020-8624. 350 351BIND 9.11.23 352 353BIND 9.11.23 is a maintenance release. 354 355BIND 9.11.24 356 357BIND 9.11.24 is a maintenance release. 358 359BIND 9.11.25 360 361BIND 9.11.25 is a maintenance release. 362 363BIND 9.11.26 364 365BIND 9.11.26 is a maintenance release. 366 367BIND 9.11.27 368 369BIND 9.11.27 is a maintenance release. 370 371BIND 9.11.28 372 373BIND 9.11.28 is a maintenance release, and also addresses the security 374vulnerability disclosed in CVE-2020-8625. 375 376BIND 9.11.29 377 378BIND 9.11.29 is a maintenance release. 379 380BIND 9.11.30 381 382This release was withdrawn. 383 384BIND 9.11.31 385 386BIND 9.11.31 is a maintenance release, and also addresses the security 387vulnerabilities disclosed in CVE-2021-25214, CVE-2021-25215, and 388CVE-2021-25216. 389 390BIND 9.11.32 391 392BIND 9.11.32 is a maintenance release. 393 394BIND 9.11.33 395 396BIND 9.11.33 is a maintenance release. 397 398BIND 9.11.34 399 400BIND 9.11.34 is a maintenance release. 401 402BIND 9.11.35 403 404BIND 9.11.35 is a maintenance release. 405 406BIND 9.11.36 407 408BIND 9.11.36 is a maintenance release, and also addresses the security 409vulnerability disclosed in CVE-2021-25219. 410 411BIND 9.11.37 412 413BIND 9.11.37 is a maintenance release, and also addresses the security 414vulnerability disclosed in CVE-2021-25220. 415 416Building BIND 417 418Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, 419basic POSIX support, and a 64-bit integer type. Successful builds have 420been observed on many versions of Linux and UNIX, including RHEL/CentOS/ 421Oracle Linux, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware, Alpine, 422FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE, HP-UX, 423and OpenWRT. 424 425BIND is also available for Windows Server 2008 and higher. See win32utils/ 426build.txt for details on building for Windows systems. 427 428To build on a UNIX or Linux system, use: 429 430 $ ./configure 431 $ make 432 433If you're planning on making changes to the BIND 9 source, you should run 434make depend. If you're using Emacs, you might find make tags helpful. 435 436Several environment variables that can be set before running configure 437will affect compilation. Significant ones are: 438 439 Variable Description 440CC The C compiler to use. configure tries to figure out the 441 right one for supported systems. 442 C compiler flags. Defaults to include -g and/or -O2 as 443CFLAGS supported by the compiler. Please include '-g' if you need 444 to set CFLAGS. 445 System header file directories. Can be used to specify 446STD_CINCLUDES where add-on thread or IPv6 support is, for example. 447 Defaults to empty string. 448 Any additional preprocessor symbols you want defined. 449STD_CDEFINES Defaults to empty string. For a list of possible settings, 450 see the file OPTIONS. 451LDFLAGS Linker flags. Defaults to empty string. 452BUILD_CC Needed when cross-compiling: the native C compiler to use 453 when building for the target system. 454BUILD_CFLAGS CFLAGS for the target system during cross-compiling. 455BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling. 456BUILD_LDFLAGS LDFLAGS for the target system during cross-compiling. 457BUILD_LIBS LIBS for the target system during cross-compiling. 458 459Additional environment variables affecting the build are listed at the end 460of the configure help text, which can be obtained by running the command: 461 462$ ./configure --help 463 464On platforms where neither the C11 Atomic operations library nor custom 465ISC atomic operations are available, updating the statistics counters is 466not locked due to performance reasons and therefore the counters might be 467inaccurate. Anybody building BIND 9 is strongly advised to use a modern 468C11 compiler with C11 Atomic operations library support. 469 470macOS 471 472Building on macOS assumes that the "Command Tools for Xcode" is installed. 473This can be downloaded from https://developer.apple.com/download/more/ or, 474if you have Xcode already installed, you can run xcode-select --install. 475(Note that an Apple ID may be required to access the download page.) 476 477Dependencies 478 479Portions of BIND that are written in Python, including dnssec-keymgr, 480dnssec-coverage, dnssec-checkds, and some of the system tests, require the 481argparse, ply and distutils.core modules to be available. argparse is a 482standard module as of Python 2.7 and Python 3.2. ply is available from 483https://pypi.python.org/pypi/ply. distutils.core is required for 484installation. 485 486Compile-time options 487 488To see a full list of configuration options, run configure --help. 489 490On most platforms, BIND 9 is built with multithreading support, allowing 491it to take advantage of multiple CPUs. You can configure this by 492specifying --enable-threads or --disable-threads on the configure command 493line. The default is to enable threads, except on some older operating 494systems on which threads are known to have had problems in the past. 495(Note: Prior to BIND 9.10, the default was to disable threads on Linux 496systems; this has now been reversed. On Linux systems, the threaded build 497is known to change BIND's behavior with respect to file permissions; it 498may be necessary to specify a user with the -u option when running named.) 499 500To build shared libraries, specify --with-libtool on the configure command 501line. 502 503For the server to support DNSSEC, you need to build it with crypto 504support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer 505installed. If the OpenSSL library is installed in a nonstandard location, 506specify the prefix using --with-openssl=<PREFIX> on the configure command 507line. To use a PKCS#11 hardware service module for cryptographic 508operations, specify the path to the PKCS#11 provider library using 509--with-pkcs11=<PREFIX>, and configure BIND with "--enable-native-pkcs11". 510 511To support the HTTP statistics channel, the server must be linked with at 512least one of the following libraries: libxml2 http://xmlsoft.org or json-c 513https://github.com/json-c/json-c. If these are installed at a nonstandard 514location, then: 515 516 • for libxml2, specify the prefix using --with-libxml2=/prefix, 517 • for json-c, adjust PKG_CONFIG_PATH. 518 519To support compression on the HTTP statistics channel, the server must be 520linked against libzlib. If this is installed in a nonstandard location, 521specify the prefix using --with-zlib=/prefix. 522 523To support storing configuration data for runtime-added zones in an LMDB 524database, the server must be linked with liblmdb. If this is installed in 525a nonstandard location, specify the prefix using with-lmdb=/prefix. 526 527To support GeoIP location-based ACLs, the server must be linked with 528libGeoIP. This is not turned on by default; BIND must be configured with 529"--with-geoip". If the library is installed in a nonstandard location, use 530specify the prefix using "--with-geoip=/prefix". 531 532For DNSTAP packet logging, you must have installed libfstrm https:// 533github.com/farsightsec/fstrm and libprotobuf-c https:// 534developers.google.com/protocol-buffers, and BIND must be configured with 535--enable-dnstap. 536 537Certain compiled-in constants and default settings can be increased to 538values better suited to large servers with abundant memory resources (e.g, 53964-bit servers with 12G or more of memory) by specifying --with-tuning= 540large on the configure command line. This can improve performance on big 541servers, but will consume more memory and may degrade performance on 542smaller systems. 543 544On some platforms it is necessary to explicitly request large file support 545to handle files bigger than 2GB. This can be done by using 546--enable-largefile on the configure command line. 547 548Support for the "fixed" rrset-order option can be enabled or disabled by 549specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure 550command line. By default, fixed rrset-order is disabled to reduce memory 551footprint. 552 553If your operating system has integrated support for IPv6, it will be used 554automatically. If you have installed KAME IPv6 separately, use --with-kame 555[=PATH] to specify its location. 556 557The --enable-querytrace option causes named to log every step of 558processing every query. This should only be enabled when debugging, 559because it has a significant negative impact on query performance. 560 561make install will install named and the various BIND 9 libraries. By 562default, installation is into /usr/local, but this can be changed with the 563--prefix option when running configure. 564 565You may specify the option --sysconfdir to set the directory where 566configuration files like named.conf go by default, and --localstatedir to 567set the default parent directory of run/named.pid. For backwards 568compatibility with BIND 8, --sysconfdir defaults to /etc and 569--localstatedir defaults to /var if no --prefix option is given. If there 570is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir 571defaults to $prefix/var. 572 573Automated testing 574 575A system test suite can be run with make test. The system tests require 576you to configure a set of virtual IP addresses on your system (this allows 577multiple servers to run locally and communicate with one another). These 578IP addresses can be configured by running the command bin/tests/system/ 579ifconfig.sh up as root. 580 581Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules, 582and will be skipped if these are not available. Some tests require Python 583and the dnspython module and will be skipped if these are not available. 584See bin/tests/system/README for further details. 585 586Unit tests are implemented using the CMocka unit testing framework. To 587build them, use configure --with-cmocka. Execution of tests is done by the 588Kyua test execution engine; if the kyua command is available, then unit 589tests can be run via make test or make unit. 590 591Documentation 592 593The BIND 9 Administrator Reference Manual is included with the source 594distribution, in DocBook XML, HTML, and PDF format, in the doc/arm 595directory. 596 597Some of the programs in the BIND 9 distribution have man pages in their 598directories. In particular, the command line options of named are 599documented in bin/named/named.8. 600 601Frequently (and not-so-frequently) asked questions and their answers can 602be found in the ISC Knowledge Base at https://kb.isc.org. 603 604Additional information on various subjects can be found in other README 605files throughout the source tree. 606 607Change log 608 609A detailed list of all changes that have been made throughout the 610development BIND 9 is included in the file CHANGES, with the most recent 611changes listed first. Change notes include tags indicating the category of 612the change that was made; these categories are: 613 614 Category Description 615[func] New feature 616[bug] General bug fix 617[security] Fix for a significant security flaw 618[experimental] Used for new features when the syntax or other aspects of 619 the design are still in flux and may change 620[port] Portability enhancement 621[maint] Updates to built-in data such as root server addresses and 622 keys 623[tuning] Changes to built-in configuration defaults and constants to 624 improve performance 625[performance] Other changes to improve server performance 626[protocol] Updates to the DNS protocol such as new RR types 627[test] Changes to the automatic tests, not affecting server 628 functionality 629[cleanup] Minor corrections and refactoring 630[doc] Documentation 631[contrib] Changes to the contributed tools and libraries in the 632 'contrib' subdirectory 633 Used in the master development branch to reserve change 634[placeholder] numbers for use in other branches, e.g. when fixing a bug 635 that only exists in older releases 636 637In general, [func] and [experimental] tags will only appear in new-feature 638releases (i.e., those with version numbers ending in zero). Some new 639functionality may be backported to older releases on a case-by-case basis. 640All other change types may be applied to all currently-supported releases. 641 642Bug report identifiers 643 644Most notes in the CHANGES file include a reference to a bug report or 645issue number. Prior to 2018, these were usually of the form [RT #NNN] and 646referred to entries in the "bind9-bugs" RT database, which was not open to 647the public. More recent entries use the form [GL #NNN] or, less often, [GL 648!NNN], which, respectively, refer to issues or merge requests in the 649GitLab database. Most of these are publicly readable, unless they include 650information which is confidential or security sensitive. 651 652To look up a GitLab issue by its number, use the URL https:// 653gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request, 654use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN. 655 656In rare cases, an issue or merge request number may be followed with the 657letter "P". This indicates that the information is in the private ISC 658GitLab instance, which is not visible to the public. 659 660Acknowledgments 661 662 • The original development of BIND 9 was underwritten by the following 663 organizations: 664 665 Sun Microsystems, Inc. 666 Hewlett Packard 667 Compaq Computer Corporation 668 IBM 669 Process Software Corporation 670 Silicon Graphics, Inc. 671 Network Associates, Inc. 672 U.S. Defense Information Systems Agency 673 USENIX Association 674 Stichting NLnet - NLnet Foundation 675 Nominum, Inc. 676 677 • This product includes software developed by the OpenSSL Project for 678 use in the OpenSSL Toolkit. http://www.OpenSSL.org/ 679 680 • This product includes cryptographic software written by Eric Young 681 (eay@cryptsoft.com) 682 683 • This product includes software written by Tim Hudson 684 (tjh@cryptsoft.com) 685